Loading Joe Sandbox Report ...

Edit tour

Windows Analysis Report
file.exe

Overview

General Information

Sample name:file.exe
Analysis ID:1559011
MD5:c6774985fc109440ce01c0bdf1978a96
SHA1:6c3c8e16544c299ee31175d7796679da0bf33736
SHA256:eaa41c656c107cadd3ecd84eb6f9338185db27b7ed156e8244446fa46b3b936b
Tags:exeuser-Bitsight
Infos:

Detection

LummaC
Score:100
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Detected unpacking (changes PE section rights)
Found malware configuration
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected LummaC Stealer
C2 URLs / IPs found in malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Hides threads from debuggers
LummaC encrypted strings found
Machine Learning detection for sample
PE file contains section with special chars
Query firmware table information (likely to detect VMs)
Sample uses string decryption to hide its real strings
Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to detect virtualization through RDTSC time measurements
Tries to evade debugger and weak emulator (self modifying code)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Crypto Currency Wallets
AV process strings found (often used to terminate AV products)
Checks for debuggers (devices)
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Checks if the current process is being debugged
Contains capabilities to detect virtual machines
Creates a process in suspended mode (likely to inject code)
Downloads executable code via HTTP
Entry point lies outside standard sections
IP address seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
PE file contains an invalid checksum
PE file contains sections with non-standard names
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Searches for user specific document files
Stores files to the Windows start menu directory
Suricata IDS alerts with low severity for network traffic
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Uses insecure TLS / SSL version for HTTPS connection
Yara detected Credential Stealer

Classification

  • System is w10x64
  • file.exe (PID: 6148 cmdline: "C:\Users\user\Desktop\file.exe" MD5: C6774985FC109440CE01C0BDF1978A96)
    • chrome.exe (PID: 2360 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=file.exe&platform=0009&osver=6&isServer=0&shimver=4.0.30319.0 MD5: 45DE480806D1B5D462A7DDE4DCEFC4E4)
      • chrome.exe (PID: 7268 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2140 --field-trial-handle=1908,i,10312143833214285675,2582168569992251965,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8 MD5: 45DE480806D1B5D462A7DDE4DCEFC4E4)
    • chrome.exe (PID: 7976 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=file.exe&platform=0009&osver=6&isServer=0&shimver=4.0.30319.0 MD5: 45DE480806D1B5D462A7DDE4DCEFC4E4)
      • chrome.exe (PID: 428 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2104 --field-trial-handle=1908,i,3294702590203488965,14854174447788199896,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8 MD5: 45DE480806D1B5D462A7DDE4DCEFC4E4)
  • cleanup
NameDescriptionAttributionBlogpost URLsLink
Lumma Stealer, LummaC2 StealerLumma Stealer (aka LummaC2 Stealer) is an information stealer written in C language that has been available through a Malware-as-a-Service (MaaS) model on Russian-speaking forums since at least August 2022. It is believed to have been developed by the threat actor "Shamel", who goes by the alias "Lumma". Lumma Stealer primarily targets cryptocurrency wallets and two-factor authentication (2FA) browser extensions, before ultimately stealing sensitive information from the victim's machine. Once the targeted data is obtained, it is exfiltrated to a C2 server via HTTP POST requests using the user agent "TeslaBrowser/5.5"." The stealer also features a non-resident loader that is capable of delivering additional payloads via EXE, DLL, and PowerShell.No Attributionhttps://malpedia.caad.fkie.fraunhofer.de/details/win.lumma
{"C2 url": ["peepburry828.sbs", "processhol.sbs", "p3ar11fter.sbs", "p10tgrace.sbs", "3xp3cts1aim.sbs"], "Build id": "LOGS11--LiveTraffic"}
SourceRuleDescriptionAuthorStrings
sslproxydump.pcapJoeSecurity_LummaCStealer_3Yara detected LummaC StealerJoe Security
    SourceRuleDescriptionAuthorStrings
    00000000.00000003.1683420078.0000000000A8C000.00000004.00000020.00020000.00000000.sdmpJoeSecurity_CredentialStealerYara detected Credential StealerJoe Security
      00000000.00000003.1683039757.0000000000A88000.00000004.00000020.00020000.00000000.sdmpJoeSecurity_CredentialStealerYara detected Credential StealerJoe Security
        Process Memory Space: file.exe PID: 6148JoeSecurity_LummaCStealer_3Yara detected LummaC StealerJoe Security
          Process Memory Space: file.exe PID: 6148JoeSecurity_CredentialStealerYara detected Credential StealerJoe Security
            Process Memory Space: file.exe PID: 6148JoeSecurity_LummaCStealerYara detected LummaC StealerJoe Security
              Click to see the 1 entries
              No Sigma rule has matched
              TimestampSIDSeverityClasstypeSource IPSource PortDestination IPDestination PortProtocol
              2024-11-20T03:20:35.771074+010020283713Unknown Traffic192.168.2.849707188.114.96.3443TCP
              2024-11-20T03:20:36.938315+010020283713Unknown Traffic192.168.2.849708188.114.96.3443TCP
              2024-11-20T03:20:38.357443+010020283713Unknown Traffic192.168.2.849709188.114.96.3443TCP
              2024-11-20T03:20:39.971947+010020283713Unknown Traffic192.168.2.849710188.114.96.3443TCP
              2024-11-20T03:20:41.480135+010020283713Unknown Traffic192.168.2.849711188.114.96.3443TCP
              2024-11-20T03:20:43.376586+010020283713Unknown Traffic192.168.2.849712188.114.96.3443TCP
              2024-11-20T03:20:44.766688+010020283713Unknown Traffic192.168.2.849713188.114.96.3443TCP
              2024-11-20T03:20:48.162073+010020283713Unknown Traffic192.168.2.849714188.114.96.3443TCP
              TimestampSIDSeverityClasstypeSource IPSource PortDestination IPDestination PortProtocol
              2024-11-20T03:20:36.208496+010020546531A Network Trojan was detected192.168.2.849707188.114.96.3443TCP
              2024-11-20T03:20:37.531095+010020546531A Network Trojan was detected192.168.2.849708188.114.96.3443TCP
              2024-11-20T03:20:48.598321+010020546531A Network Trojan was detected192.168.2.849714188.114.96.3443TCP
              TimestampSIDSeverityClasstypeSource IPSource PortDestination IPDestination PortProtocol
              2024-11-20T03:20:36.208496+010020498361A Network Trojan was detected192.168.2.849707188.114.96.3443TCP
              TimestampSIDSeverityClasstypeSource IPSource PortDestination IPDestination PortProtocol
              2024-11-20T03:20:37.531095+010020498121A Network Trojan was detected192.168.2.849708188.114.96.3443TCP
              TimestampSIDSeverityClasstypeSource IPSource PortDestination IPDestination PortProtocol
              2024-11-20T03:20:49.351585+010020197142Potentially Bad Traffic192.168.2.849715185.215.113.1680TCP
              TimestampSIDSeverityClasstypeSource IPSource PortDestination IPDestination PortProtocol
              2024-11-20T03:20:43.801328+010020480941Malware Command and Control Activity Detected192.168.2.849712188.114.96.3443TCP
              TimestampSIDSeverityClasstypeSource IPSource PortDestination IPDestination PortProtocol
              2024-11-20T03:20:44.771265+010028438641A Network Trojan was detected192.168.2.849713188.114.96.3443TCP

              Click to jump to signature section

              Show All Signature Results

              AV Detection

              barindex
              Source: file.exeAvira: detected
              Source: https://cook-rain.sbs/LAvira URL Cloud: Label: malware
              Source: https://cook-rain.sbs/zAvira URL Cloud: Label: malware
              Source: http://185.215.113.16/off/def.exe94Avira URL Cloud: Label: phishing
              Source: https://cook-rain.sbs/_Avira URL Cloud: Label: malware
              Source: https://cook-rain.sbs/apiUniAvira URL Cloud: Label: malware
              Source: https://cook-rain.sbs/)Avira URL Cloud: Label: malware
              Source: http://185.215.113.16/;Avira URL Cloud: Label: phishing
              Source: file.exe.6148.0.memstrminMalware Configuration Extractor: LummaC {"C2 url": ["peepburry828.sbs", "processhol.sbs", "p3ar11fter.sbs", "p10tgrace.sbs", "3xp3cts1aim.sbs"], "Build id": "LOGS11--LiveTraffic"}
              Source: file.exeVirustotal: Detection: 41%Perma Link
              Source: file.exeJoe Sandbox ML: detected
              Source: 00000000.00000002.1895279207.0000000000D71000.00000040.00000001.01000000.00000003.sdmpString decryptor: p3ar11fter.sbs
              Source: 00000000.00000002.1895279207.0000000000D71000.00000040.00000001.01000000.00000003.sdmpString decryptor: 3xp3cts1aim.sbs
              Source: 00000000.00000002.1895279207.0000000000D71000.00000040.00000001.01000000.00000003.sdmpString decryptor: peepburry828.sbs
              Source: 00000000.00000002.1895279207.0000000000D71000.00000040.00000001.01000000.00000003.sdmpString decryptor: p10tgrace.sbs
              Source: 00000000.00000002.1895279207.0000000000D71000.00000040.00000001.01000000.00000003.sdmpString decryptor: processhol.sbs
              Source: 00000000.00000002.1895279207.0000000000D71000.00000040.00000001.01000000.00000003.sdmpString decryptor: lid=%s&j=%s&ver=4.0
              Source: 00000000.00000002.1895279207.0000000000D71000.00000040.00000001.01000000.00000003.sdmpString decryptor: TeslaBrowser/5.5
              Source: 00000000.00000002.1895279207.0000000000D71000.00000040.00000001.01000000.00000003.sdmpString decryptor: - Screen Resoluton:
              Source: 00000000.00000002.1895279207.0000000000D71000.00000040.00000001.01000000.00000003.sdmpString decryptor: - Physical Installed Memory:
              Source: 00000000.00000002.1895279207.0000000000D71000.00000040.00000001.01000000.00000003.sdmpString decryptor: Workgroup: -
              Source: https://learn.microsoft.com/en-us/dotnet/framework/install/application-not-started?version=(null)&processName=file.exe&platform=0009&osver=6&isServer=0&shimver=4.0.30319.0HTTP Parser: No favicon
              Source: https://learn.microsoft.com/en-us/dotnet/framework/install/application-not-started?version=(null)&processName=file.exe&platform=0009&osver=6&isServer=0&shimver=4.0.30319.0HTTP Parser: No favicon
              Source: https://learn.microsoft.com/en-us/dotnet/framework/install/application-not-started?version=(null)&processName=file.exe&platform=0009&osver=6&isServer=0&shimver=4.0.30319.0HTTP Parser: No favicon
              Source: https://learn.microsoft.com/en-us/dotnet/framework/install/application-not-started?version=(null)&processName=file.exe&platform=0009&osver=6&isServer=0&shimver=4.0.30319.0HTTP Parser: No favicon
              Source: file.exeStatic PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
              Source: unknownHTTPS traffic detected: 23.206.229.226:443 -> 192.168.2.8:49827 version: TLS 1.0
              Source: unknownHTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.8:49707 version: TLS 1.2
              Source: unknownHTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.8:49708 version: TLS 1.2
              Source: unknownHTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.8:49709 version: TLS 1.2
              Source: unknownHTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.8:49710 version: TLS 1.2
              Source: unknownHTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.8:49711 version: TLS 1.2
              Source: unknownHTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.8:49712 version: TLS 1.2
              Source: unknownHTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.8:49713 version: TLS 1.2
              Source: unknownHTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.8:49714 version: TLS 1.2
              Source: unknownHTTPS traffic detected: 172.202.163.200:443 -> 192.168.2.8:49716 version: TLS 1.2
              Source: unknownHTTPS traffic detected: 184.28.90.27:443 -> 192.168.2.8:49744 version: TLS 1.2
              Source: unknownHTTPS traffic detected: 184.28.90.27:443 -> 192.168.2.8:49750 version: TLS 1.2
              Source: unknownHTTPS traffic detected: 172.202.163.200:443 -> 192.168.2.8:49828 version: TLS 1.2
              Source: unknownHTTPS traffic detected: 13.107.246.45:443 -> 192.168.2.8:49829 version: TLS 1.2
              Source: Binary string: E:\defOff\defOff\defOff\obj\Release\defOff.pdb source: file.exe, 00000000.00000002.1912859198.00000000060E2000.00000040.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.1791593341.0000000008010000.00000004.00001000.00020000.00000000.sdmp

              Networking

              barindex
              Source: Network trafficSuricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.2.8:49707 -> 188.114.96.3:443
              Source: Network trafficSuricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.8:49707 -> 188.114.96.3:443
              Source: Network trafficSuricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.8:49714 -> 188.114.96.3:443
              Source: Network trafficSuricata IDS: 2048094 - Severity 1 - ET MALWARE [ANY.RUN] Win32/Lumma Stealer Exfiltration : 192.168.2.8:49712 -> 188.114.96.3:443
              Source: Network trafficSuricata IDS: 2843864 - Severity 1 - ETPRO MALWARE Suspicious Zipped Filename in Outbound POST Request (screen.) M2 : 192.168.2.8:49713 -> 188.114.96.3:443
              Source: Network trafficSuricata IDS: 2049812 - Severity 1 - ET MALWARE Lumma Stealer Related Activity M2 : 192.168.2.8:49708 -> 188.114.96.3:443
              Source: Network trafficSuricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.8:49708 -> 188.114.96.3:443
              Source: Malware configuration extractorURLs: peepburry828.sbs
              Source: Malware configuration extractorURLs: processhol.sbs
              Source: Malware configuration extractorURLs: p3ar11fter.sbs
              Source: Malware configuration extractorURLs: p10tgrace.sbs
              Source: Malware configuration extractorURLs: 3xp3cts1aim.sbs
              Source: global trafficHTTP traffic detected: HTTP/1.1 200 OKServer: nginx/1.18.0 (Ubuntu)Date: Wed, 20 Nov 2024 02:20:49 GMTContent-Type: application/octet-streamContent-Length: 2847744Last-Modified: Wed, 20 Nov 2024 02:17:05 GMTConnection: keep-aliveETag: "673d46a1-2b7400"Accept-Ranges: bytesData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 7a 86 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 06 00 50 28 2c 65 00 00 00 00 00 00 00 00 e0 00 22 00 0b 01 30 00 00 24 00 00 00 08 00 00 00 00 00 00 00 e0 2b 00 00 20 00 00 00 60 00 00 00 00 40 00 00 20 00 00 00 02 00 00 04 00 00 00 00 00 00 00 06 00 00 00 00 00 00 00 00 20 2c 00 00 04 00 00 1f 25 2c 00 02 00 60 00 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 55 80 00 00 69 00 00 00 00 60 00 00 9c 05 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f8 81 00 00 08 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 20 20 00 20 20 20 20 00 40 00 00 00 20 00 00 00 12 00 00 00 20 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 2e 72 73 72 63 00 00 00 9c 05 00 00 00 60 00 00 00 06 00 00 00 32 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 69 64 61 74 61 20 20 00 20 00 00 00 80 00 00 00 02 00 00 00 38 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 6a 77 61 73 65 79 6d 67 00 20 2b 00 00 a0 00 00 00 14 2b 00 00 3a 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 72 65 6b 73 72 72 6d 76 00 20 00 00 00 c0 2b 00 00 04 00 00 00 4e 2b 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 2e 74 61 67 67 61 6e 74 00 40 00 00 00 e0 2b 00 00 22 00 00 00 52 2b 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
              Source: Joe Sandbox ViewIP Address: 13.107.246.45 13.107.246.45
              Source: Joe Sandbox ViewIP Address: 185.215.113.16 185.215.113.16
              Source: Joe Sandbox ViewJA3 fingerprint: 1138de370e523e824bbca92d049a3777
              Source: Joe Sandbox ViewJA3 fingerprint: 28a2c9bd18a11de089ef85a160da29e4
              Source: Joe Sandbox ViewJA3 fingerprint: a0e9f5d64349fb13191bc781f81f42e1
              Source: Network trafficSuricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.8:49709 -> 188.114.96.3:443
              Source: Network trafficSuricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.8:49707 -> 188.114.96.3:443
              Source: Network trafficSuricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.8:49711 -> 188.114.96.3:443
              Source: Network trafficSuricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.8:49710 -> 188.114.96.3:443
              Source: Network trafficSuricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.8:49708 -> 188.114.96.3:443
              Source: Network trafficSuricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.8:49713 -> 188.114.96.3:443
              Source: Network trafficSuricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.8:49712 -> 188.114.96.3:443
              Source: Network trafficSuricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.8:49714 -> 188.114.96.3:443
              Source: Network trafficSuricata IDS: 2019714 - Severity 2 - ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile : 192.168.2.8:49715 -> 185.215.113.16:80
              Source: unknownHTTPS traffic detected: 23.206.229.226:443 -> 192.168.2.8:49827 version: TLS 1.0
              Source: unknownTCP traffic detected without corresponding DNS query: 23.206.229.226
              Source: unknownTCP traffic detected without corresponding DNS query: 23.206.229.226
              Source: unknownTCP traffic detected without corresponding DNS query: 23.206.229.226
              Source: unknownTCP traffic detected without corresponding DNS query: 23.206.229.226
              Source: unknownTCP traffic detected without corresponding DNS query: 23.206.229.226
              Source: unknownTCP traffic detected without corresponding DNS query: 185.215.113.16
              Source: unknownTCP traffic detected without corresponding DNS query: 185.215.113.16
              Source: unknownTCP traffic detected without corresponding DNS query: 185.215.113.16
              Source: unknownTCP traffic detected without corresponding DNS query: 185.215.113.16
              Source: unknownTCP traffic detected without corresponding DNS query: 185.215.113.16
              Source: unknownTCP traffic detected without corresponding DNS query: 185.215.113.16
              Source: unknownTCP traffic detected without corresponding DNS query: 185.215.113.16
              Source: unknownTCP traffic detected without corresponding DNS query: 185.215.113.16
              Source: unknownTCP traffic detected without corresponding DNS query: 185.215.113.16
              Source: unknownTCP traffic detected without corresponding DNS query: 185.215.113.16
              Source: unknownTCP traffic detected without corresponding DNS query: 185.215.113.16
              Source: unknownTCP traffic detected without corresponding DNS query: 185.215.113.16
              Source: unknownTCP traffic detected without corresponding DNS query: 185.215.113.16
              Source: unknownTCP traffic detected without corresponding DNS query: 185.215.113.16
              Source: unknownTCP traffic detected without corresponding DNS query: 185.215.113.16
              Source: unknownTCP traffic detected without corresponding DNS query: 185.215.113.16
              Source: unknownTCP traffic detected without corresponding DNS query: 185.215.113.16
              Source: unknownTCP traffic detected without corresponding DNS query: 185.215.113.16
              Source: unknownTCP traffic detected without corresponding DNS query: 185.215.113.16
              Source: unknownTCP traffic detected without corresponding DNS query: 185.215.113.16
              Source: unknownTCP traffic detected without corresponding DNS query: 185.215.113.16
              Source: unknownTCP traffic detected without corresponding DNS query: 185.215.113.16
              Source: unknownTCP traffic detected without corresponding DNS query: 185.215.113.16
              Source: unknownTCP traffic detected without corresponding DNS query: 185.215.113.16
              Source: unknownTCP traffic detected without corresponding DNS query: 185.215.113.16
              Source: unknownTCP traffic detected without corresponding DNS query: 185.215.113.16
              Source: unknownTCP traffic detected without corresponding DNS query: 185.215.113.16
              Source: unknownTCP traffic detected without corresponding DNS query: 185.215.113.16
              Source: unknownTCP traffic detected without corresponding DNS query: 185.215.113.16
              Source: unknownTCP traffic detected without corresponding DNS query: 185.215.113.16
              Source: unknownTCP traffic detected without corresponding DNS query: 185.215.113.16
              Source: unknownTCP traffic detected without corresponding DNS query: 185.215.113.16
              Source: unknownTCP traffic detected without corresponding DNS query: 185.215.113.16
              Source: unknownTCP traffic detected without corresponding DNS query: 185.215.113.16
              Source: unknownTCP traffic detected without corresponding DNS query: 185.215.113.16
              Source: unknownTCP traffic detected without corresponding DNS query: 185.215.113.16
              Source: unknownTCP traffic detected without corresponding DNS query: 185.215.113.16
              Source: unknownTCP traffic detected without corresponding DNS query: 185.215.113.16
              Source: unknownTCP traffic detected without corresponding DNS query: 185.215.113.16
              Source: unknownTCP traffic detected without corresponding DNS query: 185.215.113.16
              Source: unknownTCP traffic detected without corresponding DNS query: 185.215.113.16
              Source: unknownTCP traffic detected without corresponding DNS query: 185.215.113.16
              Source: unknownTCP traffic detected without corresponding DNS query: 185.215.113.16
              Source: unknownTCP traffic detected without corresponding DNS query: 185.215.113.16
              Source: unknownTCP traffic detected without corresponding DNS query: 185.215.113.16
              Source: global trafficHTTP traffic detected: GET /SLS/%7B522D76A4-93E1-47F8-B8CE-07C937AD1A1E%7D/x64/10.0.19045.2006/0?CH=700&L=en-GB&P=&PT=0x30&WUA=10.0.19041.1949&MK=2rdR+NpUGG9blug&MD=NgHsSw1y HTTP/1.1Connection: Keep-AliveAccept: */*User-Agent: Windows-Update-Agent/10.0.10011.16384 Client-Protocol/2.33Host: slscr.update.microsoft.com
              Source: global trafficHTTP traffic detected: GET /mscc/lib/v2/wcp-consent.js HTTP/1.1Host: wcpstatic.microsoft.comConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-platform: "Windows"Accept: */*Sec-Fetch-Site: same-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: scriptReferer: https://learn.microsoft.com/Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
              Source: global trafficHTTP traffic detected: GET /scripts/c/ms.jsll-4.min.js HTTP/1.1Host: js.monitor.azure.comConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-platform: "Windows"Accept: */*Sec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: scriptReferer: https://learn.microsoft.com/Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
              Source: global trafficHTTP traffic detected: GET /mscc/lib/v2/wcp-consent.js HTTP/1.1Host: wcpstatic.microsoft.comConnection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: */*Sec-Fetch-Site: noneSec-Fetch-Mode: corsSec-Fetch-Dest: emptyAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
              Source: global trafficHTTP traffic detected: GET /scripts/c/ms.jsll-4.min.js HTTP/1.1Host: js.monitor.azure.comConnection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: */*Sec-Fetch-Site: noneSec-Fetch-Mode: corsSec-Fetch-Dest: emptyAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
              Source: global trafficHTTP traffic detected: GET /fs/windows/config.json HTTP/1.1Connection: Keep-AliveAccept: */*Accept-Encoding: identityIf-Unmodified-Since: Tue, 16 May 2017 22:58:00 GMTRange: bytes=0-2147483646User-Agent: Microsoft BITS/7.8Host: fs.microsoft.com
              Source: global trafficHTTP traffic detected: GET /SLS/%7BE7A50285-D08D-499D-9FF8-180FDC2332BC%7D/x64/10.0.19045.2006/0?CH=700&L=en-GB&P=&PT=0x30&WUA=10.0.19041.1949&MK=2rdR+NpUGG9blug&MD=NgHsSw1y HTTP/1.1Connection: Keep-AliveAccept: */*User-Agent: Windows-Update-Agent/10.0.10011.16384 Client-Protocol/2.33Host: slscr.update.microsoft.com
              Source: global trafficHTTP traffic detected: GET /rules/other-Win32-v19.bundle HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
              Source: global trafficHTTP traffic detected: GET /rules/rule120608v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
              Source: global trafficHTTP traffic detected: GET /rules/rule120600v4s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
              Source: global trafficHTTP traffic detected: GET /rules/rule224902v2s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
              Source: global trafficHTTP traffic detected: GET /rules/rule120402v21s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
              Source: global trafficHTTP traffic detected: GET /rules/rule120100v3s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
              Source: global trafficHTTP traffic detected: GET /rules/rule120609v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
              Source: global trafficHTTP traffic detected: GET /rules/rule120611v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
              Source: global trafficHTTP traffic detected: GET /rules/rule120612v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
              Source: global trafficHTTP traffic detected: GET /rules/rule120610v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
              Source: global trafficHTTP traffic detected: GET /rules/rule120613v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
              Source: global trafficHTTP traffic detected: GET /rules/rule120616v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
              Source: global trafficHTTP traffic detected: GET /rules/rule120618v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
              Source: global trafficHTTP traffic detected: GET /rules/rule120617v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
              Source: global trafficHTTP traffic detected: GET /rules/rule120615v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
              Source: global trafficHTTP traffic detected: GET /rules/rule120614v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
              Source: global trafficHTTP traffic detected: GET /rules/rule120621v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
              Source: global trafficHTTP traffic detected: GET /rules/rule120622v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
              Source: global trafficHTTP traffic detected: GET /rules/rule120619v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
              Source: global trafficHTTP traffic detected: GET /rules/rule120623v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
              Source: global trafficHTTP traffic detected: GET /rules/rule120620v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
              Source: global trafficHTTP traffic detected: GET /rules/rule120626v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
              Source: global trafficHTTP traffic detected: GET /rules/rule120624v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
              Source: global trafficHTTP traffic detected: GET /rules/rule120627v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
              Source: global trafficHTTP traffic detected: GET /rules/rule120625v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
              Source: global trafficHTTP traffic detected: GET /rules/rule120628v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
              Source: global trafficHTTP traffic detected: GET /rules/rule120629v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
              Source: global trafficHTTP traffic detected: GET /rules/rule120632v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
              Source: global trafficHTTP traffic detected: GET /rules/rule120631v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
              Source: global trafficHTTP traffic detected: GET /rules/rule120630v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
              Source: global trafficHTTP traffic detected: GET /rules/rule120633v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
              Source: global trafficHTTP traffic detected: GET /rules/rule120635v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
              Source: global trafficHTTP traffic detected: GET /rules/rule120637v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
              Source: global trafficHTTP traffic detected: GET /rules/rule120636v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
              Source: global trafficHTTP traffic detected: GET /rules/rule120638v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
              Source: global trafficHTTP traffic detected: GET /rules/rule120634v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
              Source: global trafficHTTP traffic detected: GET /rules/rule120641v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
              Source: global trafficHTTP traffic detected: GET /rules/rule120640v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
              Source: global trafficHTTP traffic detected: GET /rules/rule120639v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
              Source: global trafficHTTP traffic detected: GET /rules/rule120642v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
              Source: global trafficHTTP traffic detected: GET /rules/rule120643v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
              Source: global trafficHTTP traffic detected: GET /rules/rule120644v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
              Source: global trafficHTTP traffic detected: GET /rules/rule120645v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
              Source: global trafficHTTP traffic detected: GET /rules/rule120646v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
              Source: global trafficHTTP traffic detected: GET /rules/rule120647v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
              Source: global trafficHTTP traffic detected: GET /rules/rule120648v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
              Source: global trafficHTTP traffic detected: GET /rules/rule120650v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
              Source: global trafficHTTP traffic detected: GET /rules/rule120649v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
              Source: global trafficHTTP traffic detected: GET /rules/rule120651v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
              Source: global trafficHTTP traffic detected: GET /rules/rule120652v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
              Source: global trafficHTTP traffic detected: GET /rules/rule120653v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
              Source: global trafficHTTP traffic detected: GET /rules/rule120655v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
              Source: global trafficHTTP traffic detected: GET /rules/rule120656v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
              Source: global trafficHTTP traffic detected: GET /rules/rule120654v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
              Source: global trafficHTTP traffic detected: GET /rules/rule120657v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
              Source: global trafficHTTP traffic detected: GET /rules/rule120658v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
              Source: global trafficHTTP traffic detected: GET /rules/rule120659v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
              Source: global trafficHTTP traffic detected: GET /rules/rule120660v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
              Source: global trafficHTTP traffic detected: GET /rules/rule120661v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
              Source: global trafficHTTP traffic detected: GET /rules/rule120662v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
              Source: global trafficHTTP traffic detected: GET /rules/rule120663v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
              Source: global trafficHTTP traffic detected: GET /rules/rule120664v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
              Source: global trafficHTTP traffic detected: GET /rules/rule120666v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
              Source: global trafficHTTP traffic detected: GET /rules/rule120667v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
              Source: global trafficHTTP traffic detected: GET /rules/rule120665v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
              Source: global trafficHTTP traffic detected: GET /rules/rule120668v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
              Source: global trafficHTTP traffic detected: GET /rules/rule120673v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
              Source: global trafficHTTP traffic detected: GET /rules/rule120669v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
              Source: global trafficHTTP traffic detected: GET /rules/rule120672v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
              Source: global trafficHTTP traffic detected: GET /rules/rule120671v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
              Source: global trafficHTTP traffic detected: GET /rules/rule120670v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
              Source: global trafficHTTP traffic detected: GET /rules/rule120674v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
              Source: global trafficHTTP traffic detected: GET /rules/rule120675v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
              Source: global trafficHTTP traffic detected: GET /rules/rule120676v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
              Source: global trafficHTTP traffic detected: GET /rules/rule120677v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
              Source: global trafficHTTP traffic detected: GET /rules/rule120678v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
              Source: global trafficHTTP traffic detected: GET /rules/rule120679v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
              Source: global trafficHTTP traffic detected: GET /rules/rule120680v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
              Source: global trafficHTTP traffic detected: GET /rules/rule120681v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
              Source: global trafficHTTP traffic detected: GET /rules/rule120602v10s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
              Source: global trafficHTTP traffic detected: GET /rules/rule120682v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
              Source: global trafficHTTP traffic detected: GET /rules/rule120601v3s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
              Source: global trafficHTTP traffic detected: GET /rules/rule224901v11s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
              Source: global trafficHTTP traffic detected: GET /rules/rule701201v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
              Source: global trafficHTTP traffic detected: GET /rules/rule701200v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
              Source: global trafficHTTP traffic detected: GET /rules/rule90401v3s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
              Source: global trafficHTTP traffic detected: GET /rules/rule700201v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
              Source: global trafficHTTP traffic detected: GET /rules/rule700200v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
              Source: global trafficHTTP traffic detected: GET /rules/rule702351v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
              Source: global trafficHTTP traffic detected: GET /rules/rule702350v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
              Source: global trafficHTTP traffic detected: GET /rules/rule701251v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
              Source: global trafficHTTP traffic detected: GET /rules/rule701250v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
              Source: global trafficHTTP traffic detected: GET /rules/rule700051v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
              Source: global trafficHTTP traffic detected: GET /rules/rule702951v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
              Source: global trafficHTTP traffic detected: GET /rules/rule700050v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
              Source: global trafficHTTP traffic detected: GET /rules/rule702950v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
              Source: global trafficHTTP traffic detected: GET /rules/rule701151v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
              Source: global trafficHTTP traffic detected: GET /rules/rule701150v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
              Source: global trafficHTTP traffic detected: GET /rules/rule702201v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
              Source: global trafficHTTP traffic detected: GET /rules/rule702200v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
              Source: global trafficHTTP traffic detected: GET /rules/rule700401v2s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
              Source: global trafficHTTP traffic detected: GET /rules/rule700400v2s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
              Source: global trafficHTTP traffic detected: GET /rules/rule700351v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
              Source: global trafficHTTP traffic detected: GET /rules/rule703901v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
              Source: global trafficHTTP traffic detected: GET /rules/rule700350v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
              Source: global trafficHTTP traffic detected: GET /rules/rule703900v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
              Source: global trafficHTTP traffic detected: GET /rules/rule701501v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
              Source: global trafficHTTP traffic detected: GET /rules/rule702801v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
              Source: global trafficHTTP traffic detected: GET /rules/rule702800v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
              Source: global trafficHTTP traffic detected: GET /rules/rule701500v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
              Source: global trafficHTTP traffic detected: GET /rules/rule703351v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
              Source: global trafficHTTP traffic detected: GET /rules/rule703350v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
              Source: global trafficHTTP traffic detected: GET /rules/rule703501v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
              Source: global trafficHTTP traffic detected: GET /rules/rule701801v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
              Source: global trafficHTTP traffic detected: GET /rules/rule701800v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
              Source: global trafficHTTP traffic detected: GET /rules/rule703500v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
              Source: global trafficHTTP traffic detected: GET /rules/rule701051v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
              Source: global trafficHTTP traffic detected: GET /rules/rule701050v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
              Source: global trafficHTTP traffic detected: GET /rules/rule702751v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
              Source: global trafficHTTP traffic detected: GET /rules/rule702301v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
              Source: global trafficHTTP traffic detected: GET /rules/rule702750v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
              Source: global trafficHTTP traffic detected: GET /rules/rule702300v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
              Source: global trafficHTTP traffic detected: GET /rules/rule703401v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
              Source: global trafficHTTP traffic detected: GET /rules/rule703400v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
              Source: global trafficHTTP traffic detected: GET /rules/rule702501v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
              Source: global trafficHTTP traffic detected: GET /rules/rule702500v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
              Source: global trafficHTTP traffic detected: GET /rules/rule700501v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
              Source: global trafficHTTP traffic detected: GET /rules/rule700500v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
              Source: global trafficHTTP traffic detected: GET /rules/rule702551v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
              Source: global trafficHTTP traffic detected: GET /rules/rule702550v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
              Source: global trafficHTTP traffic detected: GET /rules/rule701351v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
              Source: global trafficHTTP traffic detected: GET /rules/rule701350v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
              Source: global trafficHTTP traffic detected: GET /rules/rule702150v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
              Source: global trafficHTTP traffic detected: GET /rules/rule702151v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
              Source: global trafficHTTP traffic detected: GET /rules/rule703001v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
              Source: global trafficHTTP traffic detected: GET /rules/rule703000v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
              Source: global trafficHTTP traffic detected: GET /rules/rule700751v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
              Source: global trafficHTTP traffic detected: GET /rules/rule700750v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
              Source: global trafficHTTP traffic detected: GET /rules/rule700151v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
              Source: global trafficHTTP traffic detected: GET /rules/rule700150v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
              Source: global trafficHTTP traffic detected: GET /rules/rule703451v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
              Source: global trafficHTTP traffic detected: GET /rules/rule703450v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
              Source: global trafficHTTP traffic detected: GET /rules/rule700901v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
              Source: global trafficHTTP traffic detected: GET /rules/rule702251v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
              Source: global trafficHTTP traffic detected: GET /rules/rule700900v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
              Source: global trafficHTTP traffic detected: GET /rules/rule702250v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
              Source: global trafficHTTP traffic detected: GET /rules/rule702651v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
              Source: global trafficHTTP traffic detected: GET /rules/rule702650v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
              Source: global trafficHTTP traffic detected: GET /rules/rule703101v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
              Source: global trafficHTTP traffic detected: GET /rules/rule703100v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
              Source: global trafficHTTP traffic detected: GET /rules/rule702901v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
              Source: global trafficHTTP traffic detected: GET /rules/rule702900v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
              Source: global trafficHTTP traffic detected: GET /rules/rule703601v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
              Source: global trafficHTTP traffic detected: GET /rules/rule703600v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
              Source: global trafficHTTP traffic detected: GET /rules/rule703851v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
              Source: global trafficHTTP traffic detected: GET /rules/rule703850v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
              Source: global trafficHTTP traffic detected: GET /rules/rule703801v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
              Source: global trafficHTTP traffic detected: GET /rules/rule703701v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
              Source: global trafficHTTP traffic detected: GET /rules/rule703700v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
              Source: global trafficHTTP traffic detected: GET /rules/rule703800v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
              Source: global trafficHTTP traffic detected: GET /rules/rule703751v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
              Source: global trafficHTTP traffic detected: GET /rules/rule703750v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
              Source: global trafficHTTP traffic detected: GET /rules/rule701301v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
              Source: global trafficHTTP traffic detected: GET /rules/rule701300v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
              Source: global trafficHTTP traffic detected: GET /rules/rule704051v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
              Source: global trafficHTTP traffic detected: GET /rules/rule704050v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
              Source: global trafficHTTP traffic detected: GET /rules/rule701701v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
              Source: global trafficHTTP traffic detected: GET /rules/rule700701v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
              Source: global trafficHTTP traffic detected: GET /rules/rule701700v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
              Source: global trafficHTTP traffic detected: GET /rules/rule702051v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
              Source: global trafficHTTP traffic detected: GET /rules/rule702050v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
              Source: global trafficHTTP traffic detected: GET /rules/rule700700v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
              Source: global trafficHTTP traffic detected: GET /rules/rule700551v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
              Source: global trafficHTTP traffic detected: GET /rules/rule703651v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
              Source: global trafficHTTP traffic detected: GET /rules/rule700550v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
              Source: global trafficHTTP traffic detected: GET /rules/rule703650v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
              Source: global trafficHTTP traffic detected: GET /rules/rule700601v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
              Source: global trafficHTTP traffic detected: GET /rules/rule700600v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
              Source: global trafficHTTP traffic detected: GET /rules/rule703151v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
              Source: global trafficHTTP traffic detected: GET /rules/rule703150v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
              Source: global trafficHTTP traffic detected: GET /rules/rule703951v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
              Source: global trafficHTTP traffic detected: GET /rules/rule703950v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
              Source: global trafficHTTP traffic detected: GET /rules/rule702851v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
              Source: global trafficHTTP traffic detected: GET /rules/rule702850v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
              Source: global trafficHTTP traffic detected: GET /rules/rule700000v2s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
              Source: global trafficHTTP traffic detected: GET /rules/rule700001v2s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
              Source: global trafficHTTP traffic detected: GET /rules/rule701401v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
              Source: global trafficHTTP traffic detected: GET /rules/rule701400v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
              Source: global trafficHTTP traffic detected: GET /rules/rule701951v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
              Source: global trafficHTTP traffic detected: GET /rules/rule701950v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
              Source: global trafficHTTP traffic detected: GET /rules/rule700851v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
              Source: global trafficHTTP traffic detected: GET /rules/rule701851v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
              Source: global trafficHTTP traffic detected: GET /rules/rule700850v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
              Source: global trafficHTTP traffic detected: GET /rules/rule701850v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
              Source: global trafficHTTP traffic detected: GET /rules/rule703050v3s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
              Source: global trafficHTTP traffic detected: GET /rules/rule703051v3s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
              Source: global trafficHTTP traffic detected: GET /rules/rule700101v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
              Source: global trafficHTTP traffic detected: GET /rules/rule702101v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
              Source: global trafficHTTP traffic detected: GET /rules/rule702100v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
              Source: global trafficHTTP traffic detected: GET /rules/rule700100v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
              Source: global trafficHTTP traffic detected: GET /rules/rule700951v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
              Source: global trafficHTTP traffic detected: GET /rules/rule700950v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
              Source: global trafficHTTP traffic detected: GET /rules/rule703551v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
              Source: global trafficHTTP traffic detected: GET /rules/rule703550v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
              Source: global trafficHTTP traffic detected: GET /rules/rule700451v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
              Source: global trafficHTTP traffic detected: GET /rules/rule702701v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
              Source: global trafficHTTP traffic detected: GET /rules/rule702700v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
              Source: global trafficHTTP traffic detected: GET /rules/rule700450v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
              Source: global trafficHTTP traffic detected: GET /rules/rule701901v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
              Source: global trafficHTTP traffic detected: GET /rules/rule704001v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
              Source: global trafficHTTP traffic detected: GET /rules/rule701900v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
              Source: global trafficHTTP traffic detected: GET /rules/rule703251v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
              Source: global trafficHTTP traffic detected: GET /rules/rule704000v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
              Source: global trafficHTTP traffic detected: GET /rules/rule703250v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
              Source: global trafficHTTP traffic detected: GET /rules/rule702401v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
              Source: global trafficHTTP traffic detected: GET /rules/rule702400v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
              Source: global trafficHTTP traffic detected: GET /rules/rule701551v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
              Source: global trafficHTTP traffic detected: GET /rules/rule701550v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
              Source: global trafficHTTP traffic detected: GET /rules/rule700301v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
              Source: global trafficHTTP traffic detected: GET /rules/rule700300v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
              Source: global trafficHTTP traffic detected: GET /rules/rule702001v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
              Source: global trafficHTTP traffic detected: GET /rules/rule702000v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
              Source: global trafficHTTP traffic detected: GET /rules/rule702601v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
              Source: global trafficHTTP traffic detected: GET /rules/rule702600v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
              Source: global trafficHTTP traffic detected: GET /rules/rule703201v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
              Source: global trafficHTTP traffic detected: GET /rules/rule703200v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
              Source: global trafficHTTP traffic detected: GET /rules/rule700250v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
              Source: global trafficHTTP traffic detected: GET /rules/rule700251v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
              Source: global trafficHTTP traffic detected: GET /rules/rule700650v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
              Source: global trafficHTTP traffic detected: GET /rules/rule700651v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
              Source: global trafficHTTP traffic detected: GET /rules/rule703301v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
              Source: global trafficHTTP traffic detected: GET /rules/rule703300v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
              Source: global trafficHTTP traffic detected: GET /rules/rule701751v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
              Source: global trafficHTTP traffic detected: GET /rules/rule701750v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
              Source: global trafficHTTP traffic detected: GET /rules/rule701651v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
              Source: global trafficHTTP traffic detected: GET /rules/rule701650v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
              Source: global trafficHTTP traffic detected: GET /rules/rule702451v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
              Source: global trafficHTTP traffic detected: GET /rules/rule702450v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
              Source: global trafficHTTP traffic detected: GET /rules/rule701101v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
              Source: global trafficHTTP traffic detected: GET /rules/rule701100v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
              Source: global trafficHTTP traffic detected: GET /rules/rule120128v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
              Source: global trafficHTTP traffic detected: GET /rules/rule230157v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
              Source: global trafficHTTP traffic detected: GET /rules/rule120607v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
              Source: global trafficHTTP traffic detected: GET /rules/rule120603v8s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
              Source: global trafficHTTP traffic detected: GET /rules/rule230104v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
              Source: global trafficHTTP traffic detected: GET /rules/rule230158v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
              Source: global trafficHTTP traffic detected: GET /rules/rule230164v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
              Source: global trafficHTTP traffic detected: GET /rules/rule230165v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
              Source: global trafficHTTP traffic detected: GET /rules/rule230162v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
              Source: global trafficHTTP traffic detected: GET /rules/rule230166v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
              Source: global trafficHTTP traffic detected: GET /rules/rule230167v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
              Source: global trafficHTTP traffic detected: GET /rules/rule230169v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
              Source: global trafficHTTP traffic detected: GET /rules/rule230168v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
              Source: global trafficHTTP traffic detected: GET /rules/rule230170v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
              Source: global trafficHTTP traffic detected: GET /rules/rule230171v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
              Source: global trafficHTTP traffic detected: GET /rules/rule230172v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
              Source: global trafficHTTP traffic detected: GET /rules/rule230174v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
              Source: global trafficHTTP traffic detected: GET /rules/rule230173v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
              Source: global trafficHTTP traffic detected: GET /rules/rule120119v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
              Source: global trafficHTTP traffic detected: GET /rules/rule224900v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
              Source: global trafficHTTP traffic detected: GET /rules/rule704101v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
              Source: global trafficHTTP traffic detected: GET /rules/rule704100v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
              Source: global trafficHTTP traffic detected: GET /rules/rule704201v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
              Source: global trafficHTTP traffic detected: GET /rules/rule704200v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
              Source: global trafficHTTP traffic detected: GET /rules/rule704151v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
              Source: global trafficHTTP traffic detected: GET /rules/rule704150v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
              Source: global trafficHTTP traffic detected: GET /rules/rule226009v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
              Source: global trafficHTTP traffic detected: GET /off/def.exe HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Host: 185.215.113.16
              Source: chromecache_120.7.dr, chromecache_109.7.drString found in binary or memory: href="https://www.facebook.com/sharer/sharer.php?u=${s}" equals www.facebook.com (Facebook)
              Source: chromecache_120.7.dr, chromecache_109.7.drString found in binary or memory: href="https://www.linkedin.com/cws/share?url=${s}" equals www.linkedin.com (Linkedin)
              Source: chromecache_120.7.dr, chromecache_109.7.drString found in binary or memory: </section>`}function Dce(e=tw,t=gp){return sl(M4,e,t)}function $ce(e=aw,t=sw){return sl(t4,e,t)}var vI=(s=>(s.facebook="facebook",s.twitter="twitter",s.linkedin="linkedin",s.email="email",s.weibo="weibo",s))(vI||{}),LRe={facebook:"https://www.facebook.com/sharer/sharer.php?u={url}",twitter:"https://twitter.com/intent/tweet?original_referer={url}&text={achievementCopy}&tw_p=tweetbutton&url={url}",linkedin:"https://www.linkedin.com/feed/?shareActive=true&text={body}",email:"mailto:?subject={subject}&body={body}",weibo:"http://service.weibo.com/share/share.php?title={title}&url={url}"};function $x(e,t,o){let n=encodeURIComponent(t),r=new URL(e);r.hostname="learn.microsoft.com";let s=r.href+=(e.indexOf("?")!==-1?"&":"?")+"WT.mc_id=",i=L.sharingId?`&sharingId=${L.sharingId}`:"";return Object.values(vI).reduce((l,c)=>{if(_.data.isPermissioned)return l[c]="#",l;let d=encodeURIComponent(s+c+i),u=o?.achievementCopyTitle?.overrideTitle??t,p=encodeURIComponent(rQ.replace("{achievementTitle}",o?.achievementCopyTitle?.isUnquoted?`${u}`:`"${u}"`)),g={achievementCopy:p,url:d,title:n,body:`${p}${encodeURIComponent(` equals www.facebook.com (Facebook)
              Source: chromecache_120.7.dr, chromecache_109.7.drString found in binary or memory: </section>`}function Dce(e=tw,t=gp){return sl(M4,e,t)}function $ce(e=aw,t=sw){return sl(t4,e,t)}var vI=(s=>(s.facebook="facebook",s.twitter="twitter",s.linkedin="linkedin",s.email="email",s.weibo="weibo",s))(vI||{}),LRe={facebook:"https://www.facebook.com/sharer/sharer.php?u={url}",twitter:"https://twitter.com/intent/tweet?original_referer={url}&text={achievementCopy}&tw_p=tweetbutton&url={url}",linkedin:"https://www.linkedin.com/feed/?shareActive=true&text={body}",email:"mailto:?subject={subject}&body={body}",weibo:"http://service.weibo.com/share/share.php?title={title}&url={url}"};function $x(e,t,o){let n=encodeURIComponent(t),r=new URL(e);r.hostname="learn.microsoft.com";let s=r.href+=(e.indexOf("?")!==-1?"&":"?")+"WT.mc_id=",i=L.sharingId?`&sharingId=${L.sharingId}`:"";return Object.values(vI).reduce((l,c)=>{if(_.data.isPermissioned)return l[c]="#",l;let d=encodeURIComponent(s+c+i),u=o?.achievementCopyTitle?.overrideTitle??t,p=encodeURIComponent(rQ.replace("{achievementTitle}",o?.achievementCopyTitle?.isUnquoted?`${u}`:`"${u}"`)),g={achievementCopy:p,url:d,title:n,body:`${p}${encodeURIComponent(` equals www.linkedin.com (Linkedin)
              Source: chromecache_120.7.dr, chromecache_109.7.drString found in binary or memory: </section>`}function Dce(e=tw,t=gp){return sl(M4,e,t)}function $ce(e=aw,t=sw){return sl(t4,e,t)}var vI=(s=>(s.facebook="facebook",s.twitter="twitter",s.linkedin="linkedin",s.email="email",s.weibo="weibo",s))(vI||{}),LRe={facebook:"https://www.facebook.com/sharer/sharer.php?u={url}",twitter:"https://twitter.com/intent/tweet?original_referer={url}&text={achievementCopy}&tw_p=tweetbutton&url={url}",linkedin:"https://www.linkedin.com/feed/?shareActive=true&text={body}",email:"mailto:?subject={subject}&body={body}",weibo:"http://service.weibo.com/share/share.php?title={title}&url={url}"};function $x(e,t,o){let n=encodeURIComponent(t),r=new URL(e);r.hostname="learn.microsoft.com";let s=r.href+=(e.indexOf("?")!==-1?"&":"?")+"WT.mc_id=",i=L.sharingId?`&sharingId=${L.sharingId}`:"";return Object.values(vI).reduce((l,c)=>{if(_.data.isPermissioned)return l[c]="#",l;let d=encodeURIComponent(s+c+i),u=o?.achievementCopyTitle?.overrideTitle??t,p=encodeURIComponent(rQ.replace("{achievementTitle}",o?.achievementCopyTitle?.isUnquoted?`${u}`:`"${u}"`)),g={achievementCopy:p,url:d,title:n,body:`${p}${encodeURIComponent(` equals www.twitter.com (Twitter)
              Source: global trafficDNS traffic detected: DNS query: cook-rain.sbs
              Source: global trafficDNS traffic detected: DNS query: mdec.nelreports.net
              Source: global trafficDNS traffic detected: DNS query: www.google.com
              Source: global trafficDNS traffic detected: DNS query: js.monitor.azure.com
              Source: unknownHTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8Host: cook-rain.sbs
              Source: file.exe, 00000000.00000003.1792049833.0000000000A90000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://185.215.113.16/
              Source: file.exe, 00000000.00000003.1792049833.0000000000A90000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://185.215.113.16/;
              Source: file.exe, 00000000.00000003.1742240312.0000000000A6D000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1792049833.0000000000A6D000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.1894285939.0000000000A6A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://185.215.113.16/off/def.exe
              Source: file.exe, 00000000.00000003.1742240312.0000000000A6D000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1792049833.0000000000A6D000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.1894285939.0000000000A6A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://185.215.113.16/off/def.exe94
              Source: file.exe, 00000000.00000002.1892094686.000000000076B000.00000004.00000010.00020000.00000000.sdmpString found in binary or memory: http://185.215.113.16/off/def.exepleWebKit/537.36
              Source: file.exe, 00000000.00000002.1894285939.0000000000A6A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://185.215.113.16/steam/random.exe
              Source: file.exe, 00000000.00000003.1662317052.00000000056CD000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootCA.crt0
              Source: file.exe, 00000000.00000003.1662317052.00000000056CD000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootCA.crt0B
              Source: file.exe, 00000000.00000003.1742059301.0000000000A65000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl.micro
              Source: file.exe, 00000000.00000003.1662317052.00000000056CD000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://crl.rootca1.amazontrust.com/rootca1.crl0
              Source: file.exe, 00000000.00000003.1662317052.00000000056CD000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl07
              Source: file.exe, 00000000.00000003.1662317052.00000000056CD000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl0=
              Source: file.exe, 00000000.00000003.1662317052.00000000056CD000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootCA.crl00
              Source: file.exe, 00000000.00000003.1662317052.00000000056CD000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://crt.rootca1.amazontrust.com/rootca1.cer0?
              Source: file.exe, 00000000.00000003.1662317052.00000000056CD000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://ocsp.digicert.com0
              Source: file.exe, 00000000.00000003.1662317052.00000000056CD000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://ocsp.rootca1.amazontrust.com0:
              Source: chromecache_120.7.dr, chromecache_109.7.drString found in binary or memory: http://polymer.github.io/AUTHORS.txt
              Source: chromecache_120.7.dr, chromecache_109.7.drString found in binary or memory: http://polymer.github.io/CONTRIBUTORS.txt
              Source: chromecache_120.7.dr, chromecache_109.7.drString found in binary or memory: http://polymer.github.io/LICENSE.txt
              Source: chromecache_120.7.dr, chromecache_109.7.drString found in binary or memory: http://polymer.github.io/PATENTS.txt
              Source: chromecache_129.7.drString found in binary or memory: http://schema.org/Organization
              Source: file.exe, 00000000.00000003.1662317052.00000000056CD000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://x1.c.lencr.org/0
              Source: file.exe, 00000000.00000003.1662317052.00000000056CD000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://x1.i.lencr.org/0
              Source: file.exe, 00000000.00000003.1634129952.00000000056F6000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ac.ecosia.org/autocomplete?q=
              Source: chromecache_120.7.dr, chromecache_109.7.drString found in binary or memory: https://aka.ms/MSIgniteChallenge/Tier1Banner?wt.mc_id=ignite24_learnbanner_tier1_cnl
              Source: chromecache_120.7.dr, chromecache_109.7.drString found in binary or memory: https://aka.ms/certhelp
              Source: chromecache_129.7.drString found in binary or memory: https://aka.ms/feedback/report?space=61
              Source: chromecache_120.7.dr, chromecache_109.7.drString found in binary or memory: https://aka.ms/msignite_docs_banner
              Source: chromecache_120.7.dr, chromecache_109.7.drString found in binary or memory: https://aka.ms/pshelpmechoose
              Source: chromecache_129.7.drString found in binary or memory: https://aka.ms/yourcaliforniaprivacychoices
              Source: chromecache_129.7.drString found in binary or memory: https://authoring-docs-microsoft.poolparty.biz/devrel/69c76c32-967e-4c65-b89a-74cc527db725
              Source: chromecache_129.7.drString found in binary or memory: https://authoring-docs-microsoft.poolparty.biz/devrel/7696cda6-0510-47f6-8302-71bb5d2e28cf
              Source: chromecache_120.7.dr, chromecache_109.7.drString found in binary or memory: https://aznb-ame-prod.azureedge.net/component/$
              Source: file.exe, 00000000.00000003.1664007070.0000000005758000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://bridge.sfo1.admarketplace.net/ctp?version=16.0.0&key=1696491991400800003.2&ci=1696491991993.
              Source: file.exe, 00000000.00000003.1664007070.0000000005758000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://bridge.sfo1.ap01.net/ctp?version=16.0.0&key=1696491991400800003.1&ci=1696491991993.12791&cta
              Source: file.exe, 00000000.00000003.1634129952.00000000056F6000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
              Source: file.exe, 00000000.00000003.1634129952.00000000056F6000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
              Source: file.exe, 00000000.00000003.1634129952.00000000056F6000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
              Source: chromecache_120.7.dr, chromecache_109.7.drString found in binary or memory: https://channel9.msdn.com/
              Source: chromecache_120.7.dr, chromecache_109.7.drString found in binary or memory: https://client-api.arkoselabs.com/v2/api.js
              Source: file.exe, 00000000.00000003.1664007070.0000000005758000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://contile-images.services.mozilla.com/CuERQnIs4CzqjKBh9os6_h9d4CUDCHO3oiqmAQO6VLM.25122.jpg
              Source: file.exe, 00000000.00000003.1664007070.0000000005758000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://contile-images.services.mozilla.com/obgoOYObjIFea_bXuT6L4LbBJ8j425AD87S1HMD3BWg.9991.jpg
              Source: file.exe, 00000000.00000003.1792049833.0000000000A90000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1683039757.0000000000A88000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1632169295.0000000000A81000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1741948721.0000000005755000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://cook-rain.sbs/
              Source: file.exe, 00000000.00000003.1703932459.0000000000A92000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1742170202.0000000000A92000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1792049833.0000000000A90000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://cook-rain.sbs/)
              Source: file.exe, 00000000.00000003.1694042936.0000000000A92000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1694894290.0000000000A8F000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://cook-rain.sbs/L
              Source: file.exe, 00000000.00000003.1694042936.0000000000A92000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1683440777.0000000000A8F000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1694894290.0000000000A8F000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1683420078.0000000000A8C000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1703932459.0000000000A92000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1742170202.0000000000A92000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1792049833.0000000000A90000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1683039757.0000000000A88000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://cook-rain.sbs/_
              Source: file.exe, 00000000.00000003.1632169295.0000000000A73000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.1894285939.0000000000A09000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1698252483.0000000005753000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://cook-rain.sbs/api
              Source: file.exe, 00000000.00000003.1741948721.0000000005755000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://cook-rain.sbs/apiUni
              Source: file.exe, 00000000.00000003.1742170202.0000000000A92000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://cook-rain.sbs/z
              Source: file.exe, 00000000.00000002.1894285939.00000000009F2000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://cook-rain.sbs:443/api
              Source: file.exe, 00000000.00000003.1634129952.00000000056F6000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://duckduckgo.com/ac/?q=
              Source: file.exe, 00000000.00000003.1634129952.00000000056F6000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://duckduckgo.com/chrome_newtab
              Source: file.exe, 00000000.00000003.1634129952.00000000056F6000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
              Source: chromecache_129.7.drString found in binary or memory: https://github.com/Thraka
              Source: chromecache_129.7.drString found in binary or memory: https://github.com/Youssef1313
              Source: chromecache_129.7.drString found in binary or memory: https://github.com/adegeo
              Source: chromecache_129.7.drString found in binary or memory: https://github.com/dotnet/docs/blob/17c4acca45e573a92878a44a2cce57d699fe9c7c/docs/framework/install/
              Source: chromecache_129.7.drString found in binary or memory: https://github.com/dotnet/docs/blob/live/docs/framework/install/application-not-started.md
              Source: chromecache_129.7.drString found in binary or memory: https://github.com/dotnet/docs/blob/main/docs/framework/install/application-not-started.md
              Source: chromecache_129.7.drString found in binary or memory: https://github.com/dotnet/docs/issues/new?template=z-customer-feedback.yml
              Source: chromecache_120.7.dr, chromecache_109.7.drString found in binary or memory: https://github.com/dotnet/try
              Source: chromecache_129.7.drString found in binary or memory: https://github.com/gewarren
              Source: chromecache_120.7.dr, chromecache_109.7.drString found in binary or memory: https://github.com/jonschlinkert/is-plain-object
              Source: chromecache_120.7.dr, chromecache_109.7.drString found in binary or memory: https://github.com/js-cookie/js-cookie
              Source: chromecache_129.7.drString found in binary or memory: https://github.com/mairaw
              Source: chromecache_129.7.drString found in binary or memory: https://github.com/nschonni
              Source: file.exe, 00000000.00000003.1664007070.0000000005758000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://imp.mt48.net/static?id=7RHzfOIXjFEYsBdvIpkX4Qqm4pqX1CqX4pbW1pbWfpbZ7ReNxR3UIG8zInwYIFIVs9eYi
              Source: chromecache_129.7.drString found in binary or memory: https://js.monitor.azure.com/scripts/c/ms.jsll-4.min.js
              Source: chromecache_120.7.dr, chromecache_109.7.drString found in binary or memory: https://learn-video.azurefd.net/vod/player
              Source: chromecache_120.7.dr, chromecache_109.7.drString found in binary or memory: https://management.azure.com/providers/Microsoft.Portal/consoles/default?api-version=2017-12-01-prev
              Source: chromecache_120.7.dr, chromecache_109.7.drString found in binary or memory: https://management.azure.com/providers/Microsoft.Portal/userSettings/cloudconsole?api-version=2023-0
              Source: chromecache_120.7.dr, chromecache_109.7.drString found in binary or memory: https://management.azure.com/subscriptions?api-version=2016-06-01
              Source: chromecache_120.7.dr, chromecache_109.7.drString found in binary or memory: https://octokit.github.io/rest.js/#throttling
              Source: chromecache_109.7.drString found in binary or memory: https://schema.org
              Source: file.exe, 00000000.00000003.1663630758.00000000059E6000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br
              Source: file.exe, 00000000.00000003.1663630758.00000000059E6000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://support.mozilla.org/products/firefoxgro.all
              Source: chromecache_120.7.dr, chromecache_109.7.drString found in binary or memory: https://twitter.com/intent/tweet?original_referer=$
              Source: chromecache_120.7.dr, chromecache_109.7.drString found in binary or memory: https://videoencodingpublic-hgeaeyeba8gycee3.b01.azurefd.net/public-09ce73a6-05a5-4e4d-b3d7-bd5a8c05
              Source: chromecache_109.7.drString found in binary or memory: https://videoencodingpublic-hgeaeyeba8gycee3.b01.azurefd.net/public-b4da8140-92cf-421c-8b7b-e471d5b9
              Source: file.exe, 00000000.00000003.1664007070.0000000005758000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.amazon.com/?tag=admarketus-20&ref=pd_sl_15d7e4b694824b33323940336fbf0bead57d89764383fe44
              Source: file.exe, 00000000.00000003.1634129952.00000000056F6000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.ecosia.org/newtab/
              Source: file.exe, 00000000.00000003.1634129952.00000000056F6000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
              Source: file.exe, 00000000.00000003.1664007070.0000000005758000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.invisalign.com/?utm_source=admarketplace&utm_medium=paidsearch&utm_campaign=Invisalign&u
              Source: chromecache_120.7.dr, chromecache_109.7.drString found in binary or memory: https://www.linkedin.com/cws/share?url=$
              Source: file.exe, 00000000.00000003.1663498197.00000000056CA000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.mozilla.org
              Source: file.exe, 00000000.00000003.1663630758.00000000059E6000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.mozilla.org/about/gro.allizom.www.0JoCxlq8ibGr
              Source: file.exe, 00000000.00000003.1663630758.00000000059E6000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.mozilla.org/contribute/gro.allizom.www.Tgc_vjLFc3HK
              Source: file.exe, 00000000.00000003.1663630758.00000000059E6000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.mozilla.org/firefox/?utm_medium=firefox-desktop&utm_source=bookmarks-toolbar&utm_campaig
              Source: file.exe, 00000000.00000003.1663630758.00000000059E6000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.mozilla.org/privacy/firefox/gro.allizom.www.
              Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49744
              Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49865
              Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49986
              Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49743
              Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49864
              Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49985
              Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49742
              Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49863
              Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49984
              Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49862
              Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49983
              Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49861
              Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49982
              Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49860
              Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49981
              Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49980
              Source: unknownNetwork traffic detected: HTTP traffic on port 49932 -> 443
              Source: unknownNetwork traffic detected: HTTP traffic on port 49898 -> 443
              Source: unknownNetwork traffic detected: HTTP traffic on port 49875 -> 443
              Source: unknownNetwork traffic detected: HTTP traffic on port 49852 -> 443
              Source: unknownNetwork traffic detected: HTTP traffic on port 49990 -> 443
              Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49738
              Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49859
              Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49858
              Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49979
              Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49857
              Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49978
              Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49856
              Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49977
              Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49855
              Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49976
              Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49854
              Source: unknownNetwork traffic detected: HTTP traffic on port 49841 -> 443
              Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49975
              Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49853
              Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49974
              Source: unknownNetwork traffic detected: HTTP traffic on port 50085 -> 443
              Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49852
              Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49973
              Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49972
              Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49851
              Source: unknownNetwork traffic detected: HTTP traffic on port 50039 -> 443
              Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49850
              Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49970
              Source: unknownNetwork traffic detected: HTTP traffic on port 49967 -> 443
              Source: unknownNetwork traffic detected: HTTP traffic on port 49749 -> 443
              Source: unknownNetwork traffic detected: HTTP traffic on port 50074 -> 443
              Source: unknownNetwork traffic detected: HTTP traffic on port 50004 -> 443
              Source: unknownNetwork traffic detected: HTTP traffic on port 49909 -> 443
              Source: unknownNetwork traffic detected: HTTP traffic on port 49943 -> 443
              Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49849
              Source: unknownNetwork traffic detected: HTTP traffic on port 49714 -> 443
              Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49848
              Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49969
              Source: unknownNetwork traffic detected: HTTP traffic on port 49978 -> 443
              Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49847
              Source: unknownNetwork traffic detected: HTTP traffic on port 49886 -> 443
              Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49968
              Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49846
              Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49967
              Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49845
              Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49966
              Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49844
              Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49965
              Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49843
              Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49964
              Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49842
              Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49963
              Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49841
              Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49962
              Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49840
              Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49961
              Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49960
              Source: unknownNetwork traffic detected: HTTP traffic on port 50015 -> 443
              Source: unknownNetwork traffic detected: HTTP traffic on port 50040 -> 443
              Source: unknownNetwork traffic detected: HTTP traffic on port 49966 -> 443
              Source: unknownNetwork traffic detected: HTTP traffic on port 49989 -> 443
              Source: unknownNetwork traffic detected: HTTP traffic on port 50096 -> 443
              Source: unknownNetwork traffic detected: HTTP traffic on port 49828 -> 443
              Source: unknownNetwork traffic detected: HTTP traffic on port 50073 -> 443
              Source: unknownNetwork traffic detected: HTTP traffic on port 49933 -> 443
              Source: unknownNetwork traffic detected: HTTP traffic on port 50028 -> 443
              Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49839
              Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49838
              Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49959
              Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49837
              Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49716
              Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49958
              Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49836
              Source: unknownNetwork traffic detected: HTTP traffic on port 49921 -> 443
              Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49957
              Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49714
              Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49835
              Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49956
              Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49713
              Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49834
              Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49955
              Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49712
              Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49833
              Source: unknownNetwork traffic detected: HTTP traffic on port 49887 -> 443
              Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49954
              Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49711
              Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49832
              Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49953
              Source: unknownNetwork traffic detected: HTTP traffic on port 50062 -> 443
              Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49710
              Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49831
              Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49952
              Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49830
              Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49951
              Source: unknownNetwork traffic detected: HTTP traffic on port 49839 -> 443
              Source: unknownNetwork traffic detected: HTTP traffic on port 49864 -> 443
              Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49950
              Source: unknownNetwork traffic detected: HTTP traffic on port 49944 -> 443
              Source: unknownNetwork traffic detected: HTTP traffic on port 49910 -> 443
              Source: unknownNetwork traffic detected: HTTP traffic on port 49853 -> 443
              Source: unknownNetwork traffic detected: HTTP traffic on port 50051 -> 443
              Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49709
              Source: unknownNetwork traffic detected: HTTP traffic on port 49955 -> 443
              Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49708
              Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49829
              Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49828
              Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49707
              Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49949
              Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49706
              Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49827
              Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49948
              Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49947
              Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49946
              Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49945
              Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49944
              Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49943
              Source: unknownNetwork traffic detected: HTTP traffic on port 50061 -> 443
              Source: unknownNetwork traffic detected: HTTP traffic on port 49922 -> 443
              Source: unknownNetwork traffic detected: HTTP traffic on port 49945 -> 443
              Source: unknownNetwork traffic detected: HTTP traffic on port 50017 -> 443
              Source: unknownNetwork traffic detected: HTTP traffic on port 49968 -> 443
              Source: unknownNetwork traffic detected: HTTP traffic on port 50049 -> 443
              Source: unknownNetwork traffic detected: HTTP traffic on port 50026 -> 443
              Source: unknownNetwork traffic detected: HTTP traffic on port 49980 -> 443
              Source: unknownNetwork traffic detected: HTTP traffic on port 49713 -> 443
              Source: unknownNetwork traffic detected: HTTP traffic on port 49885 -> 443
              Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49899
              Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49898
              Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49897
              Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49896
              Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49895
              Source: unknownNetwork traffic detected: HTTP traffic on port 49862 -> 443
              Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49894
              Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49893
              Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49892
              Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49891
              Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49890
              Source: unknownNetwork traffic detected: HTTP traffic on port 50095 -> 443
              Source: unknownNetwork traffic detected: HTTP traffic on port 49897 -> 443
              Source: unknownNetwork traffic detected: HTTP traffic on port 49911 -> 443
              Source: unknownNetwork traffic detected: HTTP traffic on port 49957 -> 443
              Source: unknownNetwork traffic detected: HTTP traffic on port 49851 -> 443
              Source: unknownNetwork traffic detected: HTTP traffic on port 49830 -> 443
              Source: unknownNetwork traffic detected: HTTP traffic on port 49991 -> 443
              Source: unknownNetwork traffic detected: HTTP traffic on port 50084 -> 443
              Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49889
              Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49888
              Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49887
              Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49886
              Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49885
              Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49884
              Source: unknownNetwork traffic detected: HTTP traffic on port 49863 -> 443
              Source: unknownNetwork traffic detected: HTTP traffic on port 50038 -> 443
              Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49883
              Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49882
              Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49881
              Source: unknownNetwork traffic detected: HTTP traffic on port 49840 -> 443
              Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49880
              Source: unknownNetwork traffic detected: HTTP traffic on port 49896 -> 443
              Source: unknownNetwork traffic detected: HTTP traffic on port 50050 -> 443
              Source: unknownNetwork traffic detected: HTTP traffic on port 49956 -> 443
              Source: unknownNetwork traffic detected: HTTP traffic on port 50005 -> 443
              Source: unknownNetwork traffic detected: HTTP traffic on port 49979 -> 443
              Source: unknownNetwork traffic detected: HTTP traffic on port 50083 -> 443
              Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49879
              Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49878
              Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49999
              Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49877
              Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49998
              Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49876
              Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49997
              Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49875
              Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49996
              Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49874
              Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49995
              Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49873
              Source: unknownNetwork traffic detected: HTTP traffic on port 49923 -> 443
              Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49994
              Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49872
              Source: unknownNetwork traffic detected: HTTP traffic on port 50016 -> 443
              Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49750
              Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49871
              Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49870
              Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49991
              Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49990
              Source: unknownNetwork traffic detected: HTTP traffic on port 49874 -> 443
              Source: unknownNetwork traffic detected: HTTP traffic on port 49747 -> 443
              Source: unknownNetwork traffic detected: HTTP traffic on port 49829 -> 443
              Source: unknownNetwork traffic detected: HTTP traffic on port 50072 -> 443
              Source: unknownNetwork traffic detected: HTTP traffic on port 49934 -> 443
              Source: unknownNetwork traffic detected: HTTP traffic on port 50027 -> 443
              Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49749
              Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49869
              Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49868
              Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49747
              Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49989
              Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49867
              Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49988
              Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49866
              Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49987
              Source: unknownNetwork traffic detected: HTTP traffic on port 50013 -> 443
              Source: unknownNetwork traffic detected: HTTP traffic on port 50036 -> 443
              Source: unknownNetwork traffic detected: HTTP traffic on port 49672 -> 443
              Source: unknownNetwork traffic detected: HTTP traffic on port 50059 -> 443
              Source: unknownNetwork traffic detected: HTTP traffic on port 50094 -> 443
              Source: unknownNetwork traffic detected: HTTP traffic on port 50071 -> 443
              Source: unknownNetwork traffic detected: HTTP traffic on port 49906 -> 443
              Source: unknownNetwork traffic detected: HTTP traffic on port 49849 -> 443
              Source: unknownNetwork traffic detected: HTTP traffic on port 49900 -> 443
              Source: unknownNetwork traffic detected: HTTP traffic on port 49837 -> 443
              Source: unknownNetwork traffic detected: HTTP traffic on port 49711 -> 443
              Source: unknownNetwork traffic detected: HTTP traffic on port 49975 -> 443
              Source: unknownNetwork traffic detected: HTTP traffic on port 50060 -> 443
              Source: unknownNetwork traffic detected: HTTP traffic on port 49929 -> 443
              Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 50100
              Source: unknownNetwork traffic detected: HTTP traffic on port 49872 -> 443
              Source: unknownNetwork traffic detected: HTTP traffic on port 50025 -> 443
              Source: unknownNetwork traffic detected: HTTP traffic on port 49964 -> 443
              Source: unknownNetwork traffic detected: HTTP traffic on port 49861 -> 443
              Source: unknownNetwork traffic detected: HTTP traffic on port 49999 -> 443
              Source: unknownNetwork traffic detected: HTTP traffic on port 49712 -> 443
              Source: unknownNetwork traffic detected: HTTP traffic on port 49918 -> 443
              Source: unknownNetwork traffic detected: HTTP traffic on port 49873 -> 443
              Source: unknownNetwork traffic detected: HTTP traffic on port 49930 -> 443
              Source: unknownNetwork traffic detected: HTTP traffic on port 50001 -> 443
              Source: unknownNetwork traffic detected: HTTP traffic on port 49986 -> 443
              Source: unknownNetwork traffic detected: HTTP traffic on port 49850 -> 443
              Source: unknownNetwork traffic detected: HTTP traffic on port 49963 -> 443
              Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 50007
              Source: unknownNetwork traffic detected: HTTP traffic on port 50037 -> 443
              Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 50006
              Source: unknownNetwork traffic detected: HTTP traffic on port 50012 -> 443
              Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 50009
              Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 50008
              Source: unknownNetwork traffic detected: HTTP traffic on port 49952 -> 443
              Source: unknownNetwork traffic detected: HTTP traffic on port 50093 -> 443
              Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 50001
              Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 50000
              Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 50003
              Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 50002
              Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 50005
              Source: unknownNetwork traffic detected: HTTP traffic on port 49895 -> 443
              Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 50004
              Source: unknownNetwork traffic detected: HTTP traffic on port 50048 -> 443
              Source: unknownNetwork traffic detected: HTTP traffic on port 49884 -> 443
              Source: unknownNetwork traffic detected: HTTP traffic on port 49907 -> 443
              Source: unknownNetwork traffic detected: HTTP traffic on port 49941 -> 443
              Source: unknownNetwork traffic detected: HTTP traffic on port 50082 -> 443
              Source: unknownNetwork traffic detected: HTTP traffic on port 49997 -> 443
              Source: unknownNetwork traffic detected: HTTP traffic on port 49710 -> 443
              Source: unknownNetwork traffic detected: HTTP traffic on port 49859 -> 443
              Source: unknownNetwork traffic detected: HTTP traffic on port 49871 -> 443
              Source: unknownNetwork traffic detected: HTTP traffic on port 49894 -> 443
              Source: unknownNetwork traffic detected: HTTP traffic on port 50003 -> 443
              Source: unknownNetwork traffic detected: HTTP traffic on port 49965 -> 443
              Source: unknownNetwork traffic detected: HTTP traffic on port 49942 -> 443
              Source: unknownNetwork traffic detected: HTTP traffic on port 49977 -> 443
              Source: unknownNetwork traffic detected: HTTP traffic on port 50081 -> 443
              Source: unknownNetwork traffic detected: HTTP traffic on port 50035 -> 443
              Source: unknownNetwork traffic detected: HTTP traffic on port 49919 -> 443
              Source: unknownNetwork traffic detected: HTTP traffic on port 49954 -> 443
              Source: unknownNetwork traffic detected: HTTP traffic on port 50014 -> 443
              Source: unknownNetwork traffic detected: HTTP traffic on port 50070 -> 443
              Source: unknownNetwork traffic detected: HTTP traffic on port 49988 -> 443
              Source: unknownNetwork traffic detected: HTTP traffic on port 49827 -> 443
              Source: unknownNetwork traffic detected: HTTP traffic on port 50046 -> 443
              Source: unknownNetwork traffic detected: HTTP traffic on port 49882 -> 443
              Source: unknownNetwork traffic detected: HTTP traffic on port 49848 -> 443
              Source: unknownNetwork traffic detected: HTTP traffic on port 49838 -> 443
              Source: unknownNetwork traffic detected: HTTP traffic on port 49976 -> 443
              Source: unknownNetwork traffic detected: HTTP traffic on port 49953 -> 443
              Source: unknownNetwork traffic detected: HTTP traffic on port 50092 -> 443
              Source: unknownNetwork traffic detected: HTTP traffic on port 50047 -> 443
              Source: unknownNetwork traffic detected: HTTP traffic on port 49908 -> 443
              Source: unknownNetwork traffic detected: HTTP traffic on port 50024 -> 443
              Source: unknownNetwork traffic detected: HTTP traffic on port 49883 -> 443
              Source: unknownNetwork traffic detected: HTTP traffic on port 49860 -> 443
              Source: unknownNetwork traffic detected: HTTP traffic on port 49998 -> 443
              Source: unknownNetwork traffic detected: HTTP traffic on port 49673 -> 443
              Source: unknownNetwork traffic detected: HTTP traffic on port 50058 -> 443
              Source: unknownNetwork traffic detected: HTTP traffic on port 49744 -> 443
              Source: unknownNetwork traffic detected: HTTP traffic on port 50002 -> 443
              Source: unknownNetwork traffic detected: HTTP traffic on port 49987 -> 443
              Source: unknownNetwork traffic detected: HTTP traffic on port 49920 -> 443
              Source: unknownNetwork traffic detected: HTTP traffic on port 50069 -> 443
              Source: unknownNetwork traffic detected: HTTP traffic on port 49708 -> 443
              Source: unknownNetwork traffic detected: HTTP traffic on port 49926 -> 443
              Source: unknownNetwork traffic detected: HTTP traffic on port 49949 -> 443
              Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 50054
              Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 50053
              Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 50056
              Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 50055
              Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 50058
              Source: unknownNetwork traffic detected: HTTP traffic on port 49743 -> 443
              Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 50057
              Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 50059
              Source: unknownNetwork traffic detected: HTTP traffic on port 49961 -> 443
              Source: unknownNetwork traffic detected: HTTP traffic on port 49984 -> 443
              Source: unknownNetwork traffic detected: HTTP traffic on port 50022 -> 443
              Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 50061
              Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 50060
              Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 50063
              Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 50062
              Source: unknownNetwork traffic detected: HTTP traffic on port 50068 -> 443
              Source: unknownNetwork traffic detected: HTTP traffic on port 50045 -> 443
              Source: unknownNetwork traffic detected: HTTP traffic on port 49881 -> 443
              Source: unknownNetwork traffic detected: HTTP traffic on port 49950 -> 443
              Source: unknownNetwork traffic detected: HTTP traffic on port 49996 -> 443
              Source: unknownNetwork traffic detected: HTTP traffic on port 50010 -> 443
              Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 50065
              Source: unknownNetwork traffic detected: HTTP traffic on port 49858 -> 443
              Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 50064
              Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 50067
              Source: unknownNetwork traffic detected: HTTP traffic on port 50091 -> 443
              Source: unknownNetwork traffic detected: HTTP traffic on port 50056 -> 443
              Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 50066
              Source: unknownNetwork traffic detected: HTTP traffic on port 49893 -> 443
              Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 50069
              Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 50068
              Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 50070
              Source: unknownNetwork traffic detected: HTTP traffic on port 49915 -> 443
              Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 50072
              Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 50071
              Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 50074
              Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 50073
              Source: unknownNetwork traffic detected: HTTP traffic on port 50080 -> 443
              Source: unknownNetwork traffic detected: HTTP traffic on port 49869 -> 443
              Source: unknownNetwork traffic detected: HTTP traffic on port 50009 -> 443
              Source: unknownNetwork traffic detected: HTTP traffic on port 50034 -> 443
              Source: unknownNetwork traffic detected: HTTP traffic on port 49972 -> 443
              Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 50076
              Source: unknownNetwork traffic detected: HTTP traffic on port 49834 -> 443
              Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 50075
              Source: unknownNetwork traffic detected: HTTP traffic on port 50057 -> 443
              Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 50078
              Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 50077
              Source: unknownNetwork traffic detected: HTTP traffic on port 49892 -> 443
              Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 50079
              Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 50081
              Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 50080
              Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 50083
              Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 50082
              Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 50085
              Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 50084
              Source: unknownNetwork traffic detected: HTTP traffic on port 49904 -> 443
              Source: unknownNetwork traffic detected: HTTP traffic on port 49847 -> 443
              Source: unknownNetwork traffic detected: HTTP traffic on port 49709 -> 443
              Source: unknownNetwork traffic detected: HTTP traffic on port 49927 -> 443
              Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 50087
              Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 50086
              Source: unknownNetwork traffic detected: HTTP traffic on port 49870 -> 443
              Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 50089
              Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 50088
              Source: unknownNetwork traffic detected: HTTP traffic on port 50079 -> 443
              Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 50090
              Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 50092
              Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 50091
              Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 50094
              Source: unknownNetwork traffic detected: HTTP traffic on port 49983 -> 443
              Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 50093
              Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 50096
              Source: unknownNetwork traffic detected: HTTP traffic on port 49938 -> 443
              Source: unknownNetwork traffic detected: HTTP traffic on port 50023 -> 443
              Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 50095
              Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 50018
              Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 50017
              Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 50019
              Source: unknownNetwork traffic detected: HTTP traffic on port 49951 -> 443
              Source: unknownNetwork traffic detected: HTTP traffic on port 49974 -> 443
              Source: unknownNetwork traffic detected: HTTP traffic on port 50032 -> 443
              Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 50010
              Source: unknownNetwork traffic detected: HTTP traffic on port 49916 -> 443
              Source: unknownNetwork traffic detected: HTTP traffic on port 49836 -> 443
              Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 50012
              Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 50011
              Source: unknownNetwork traffic detected: HTTP traffic on port 50055 -> 443
              Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 50014
              Source: unknownNetwork traffic detected: HTTP traffic on port 50090 -> 443
              Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 50013
              Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 50016
              Source: unknownNetwork traffic detected: HTTP traffic on port 50078 -> 443
              Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 50015
              Source: unknownNetwork traffic detected: HTTP traffic on port 49939 -> 443
              Source: unknownNetwork traffic detected: HTTP traffic on port 49845 -> 443
              Source: unknownNetwork traffic detected: HTTP traffic on port 49868 -> 443
              Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 50029
              Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 50028
              Source: unknownNetwork traffic detected: HTTP traffic on port 49707 -> 443
              Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 50021
              Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 50020
              Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 50023
              Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 50022
              Source: unknownNetwork traffic detected: HTTP traffic on port 49742 -> 443
              Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 50025
              Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 50024
              Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 50027
              Source: unknownNetwork traffic detected: HTTP traffic on port 49879 -> 443
              Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 50026
              Source: unknownNetwork traffic detected: HTTP traffic on port 49985 -> 443
              Source: unknownNetwork traffic detected: HTTP traffic on port 50000 -> 443
              Source: unknownNetwork traffic detected: HTTP traffic on port 50021 -> 443
              Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 50030
              Source: unknownNetwork traffic detected: HTTP traffic on port 50067 -> 443
              Source: unknownNetwork traffic detected: HTTP traffic on port 49905 -> 443
              Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 50039
              Source: unknownNetwork traffic detected: HTTP traffic on port 49995 -> 443
              Source: unknownNetwork traffic detected: HTTP traffic on port 50011 -> 443
              Source: unknownNetwork traffic detected: HTTP traffic on port 49928 -> 443
              Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 50032
              Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 50031
              Source: unknownNetwork traffic detected: HTTP traffic on port 49857 -> 443
              Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 50034
              Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 50033
              Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 50036
              Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 50035
              Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 50038
              Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 50037
              Source: unknownNetwork traffic detected: HTTP traffic on port 49940 -> 443
              Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 50041
              Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 50040
              Source: unknownNetwork traffic detected: HTTP traffic on port 50066 -> 443
              Source: unknownNetwork traffic detected: HTTP traffic on port 50089 -> 443
              Source: unknownNetwork traffic detected: HTTP traffic on port 49973 -> 443
              Source: unknownNetwork traffic detected: HTTP traffic on port 49891 -> 443
              Source: unknownNetwork traffic detected: HTTP traffic on port 50033 -> 443
              Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 50043
              Source: unknownNetwork traffic detected: HTTP traffic on port 49835 -> 443
              Source: unknownNetwork traffic detected: HTTP traffic on port 49917 -> 443
              Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 50042
              Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 50045
              Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 50044
              Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 50047
              Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 50046
              Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 50049
              Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 50048
              Source: unknownNetwork traffic detected: HTTP traffic on port 49880 -> 443
              Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 50050
              Source: unknownNetwork traffic detected: HTTP traffic on port 49962 -> 443
              Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 50052
              Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 50051
              Source: unknownNetwork traffic detected: HTTP traffic on port 50044 -> 443
              Source: unknownNetwork traffic detected: HTTP traffic on port 49846 -> 443
              Source: unknownNetwork traffic detected: HTTP traffic on port 49890 -> 443
              Source: unknownNetwork traffic detected: HTTP traffic on port 49970 -> 443
              Source: unknownNetwork traffic detected: HTTP traffic on port 50042 -> 443
              Source: unknownNetwork traffic detected: HTTP traffic on port 50007 -> 443
              Source: unknownNetwork traffic detected: HTTP traffic on port 49878 -> 443
              Source: unknownNetwork traffic detected: HTTP traffic on port 49912 -> 443
              Source: unknownNetwork traffic detected: HTTP traffic on port 49935 -> 443
              Source: unknownNetwork traffic detected: HTTP traffic on port 49958 -> 443
              Source: unknownNetwork traffic detected: HTTP traffic on port 49889 -> 443
              Source: unknownNetwork traffic detected: HTTP traffic on port 49866 -> 443
              Source: unknownNetwork traffic detected: HTTP traffic on port 49946 -> 443
              Source: unknownNetwork traffic detected: HTTP traffic on port 50018 -> 443
              Source: unknownNetwork traffic detected: HTTP traffic on port 50077 -> 443
              Source: unknownNetwork traffic detected: HTTP traffic on port 49855 -> 443
              Source: unknownNetwork traffic detected: HTTP traffic on port 50053 -> 443
              Source: unknownNetwork traffic detected: HTTP traffic on port 49981 -> 443
              Source: unknownNetwork traffic detected: HTTP traffic on port 49901 -> 443
              Source: unknownNetwork traffic detected: HTTP traffic on port 50088 -> 443
              Source: unknownNetwork traffic detected: HTTP traffic on port 49924 -> 443
              Source: unknownNetwork traffic detected: HTTP traffic on port 49706 -> 443
              Source: unknownNetwork traffic detected: HTTP traffic on port 49844 -> 443
              Source: unknownNetwork traffic detected: HTTP traffic on port 49947 -> 443
              Source: unknownNetwork traffic detected: HTTP traffic on port 50076 -> 443
              Source: unknownNetwork traffic detected: HTTP traffic on port 50099 -> 443
              Source: unknownNetwork traffic detected: HTTP traffic on port 49831 -> 443
              Source: unknownNetwork traffic detected: HTTP traffic on port 50031 -> 443
              Source: unknownNetwork traffic detected: HTTP traffic on port 50043 -> 443
              Source: unknownNetwork traffic detected: HTTP traffic on port 50100 -> 443
              Source: unknownNetwork traffic detected: HTTP traffic on port 49969 -> 443
              Source: unknownNetwork traffic detected: HTTP traffic on port 49994 -> 443
              Source: unknownNetwork traffic detected: HTTP traffic on port 50020 -> 443
              Source: unknownNetwork traffic detected: HTTP traffic on port 50054 -> 443
              Source: unknownNetwork traffic detected: HTTP traffic on port 49856 -> 443
              Source: unknownNetwork traffic detected: HTTP traffic on port 49913 -> 443
              Source: unknownNetwork traffic detected: HTTP traffic on port 50006 -> 443
              Source: unknownNetwork traffic detected: HTTP traffic on port 50065 -> 443
              Source: unknownNetwork traffic detected: HTTP traffic on port 49867 -> 443
              Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49942
              Source: unknownNetwork traffic detected: HTTP traffic on port 49865 -> 443
              Source: unknownNetwork traffic detected: HTTP traffic on port 49842 -> 443
              Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49941
              Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49940
              Source: unknownHTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.8:49707 version: TLS 1.2
              Source: unknownHTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.8:49708 version: TLS 1.2
              Source: unknownHTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.8:49709 version: TLS 1.2
              Source: unknownHTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.8:49710 version: TLS 1.2
              Source: unknownHTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.8:49711 version: TLS 1.2
              Source: unknownHTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.8:49712 version: TLS 1.2
              Source: unknownHTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.8:49713 version: TLS 1.2
              Source: unknownHTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.8:49714 version: TLS 1.2
              Source: unknownHTTPS traffic detected: 172.202.163.200:443 -> 192.168.2.8:49716 version: TLS 1.2
              Source: unknownHTTPS traffic detected: 184.28.90.27:443 -> 192.168.2.8:49744 version: TLS 1.2
              Source: unknownHTTPS traffic detected: 184.28.90.27:443 -> 192.168.2.8:49750 version: TLS 1.2
              Source: unknownHTTPS traffic detected: 172.202.163.200:443 -> 192.168.2.8:49828 version: TLS 1.2
              Source: unknownHTTPS traffic detected: 13.107.246.45:443 -> 192.168.2.8:49829 version: TLS 1.2

              System Summary

              barindex
              Source: file.exeStatic PE information: section name:
              Source: file.exeStatic PE information: section name: .rsrc
              Source: file.exeStatic PE information: section name: .idata
              Source: file.exeStatic PE information: section name:
              Source: file.exeBinary or memory string: OriginalFilename vs file.exe
              Source: file.exe, 00000000.00000003.1755038650.00000000057C2000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenamedefOff.exe. vs file.exe
              Source: file.exe, 00000000.00000003.1776157789.0000000005DD6000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenamedefOff.exe. vs file.exe
              Source: file.exe, 00000000.00000003.1767472131.0000000005B6D000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenamedefOff.exe. vs file.exe
              Source: file.exe, 00000000.00000003.1778392277.0000000005B63000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenamedefOff.exe. vs file.exe
              Source: file.exe, 00000000.00000003.1761987222.0000000005B6B000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenamedefOff.exe. vs file.exe
              Source: file.exe, 00000000.00000003.1757181158.0000000005CB0000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenamedefOff.exe. vs file.exe
              Source: file.exe, 00000000.00000002.1894285939.0000000000A81000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilenamedefO vs file.exe
              Source: file.exe, 00000000.00000003.1792476865.000000000576D000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenamedefOG vs file.exe
              Source: file.exe, 00000000.00000003.1760042739.0000000005B66000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenamedefOff.exe. vs file.exe
              Source: file.exe, 00000000.00000003.1763874431.0000000005B66000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenamedefOff.exe. vs file.exe
              Source: file.exe, 00000000.00000003.1768446346.0000000005C90000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenamedefOff.exe. vs file.exe
              Source: file.exe, 00000000.00000003.1780503801.0000000005B6E000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenamedefOff.exe. vs file.exe
              Source: file.exe, 00000000.00000002.1912893680.00000000060E6000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenamedefOff.exe. vs file.exe
              Source: file.exe, 00000000.00000003.1778950508.0000000005CA2000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenamedefOff.exe. vs file.exe
              Source: file.exe, 00000000.00000003.1779943281.0000000005CAC000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenamedefOff.exe. vs file.exe
              Source: file.exe, 00000000.00000003.1764121483.0000000005D4F000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenamedefOff.exe. vs file.exe
              Source: file.exe, 00000000.00000003.1755038650.0000000005811000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenamedefOff.exe. vs file.exe
              Source: file.exe, 00000000.00000003.1765473448.0000000005B63000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenamedefOff.exe. vs file.exe
              Source: file.exe, 00000000.00000003.1782054493.0000000005B68000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenamedefOff.exe. vs file.exe
              Source: file.exe, 00000000.00000003.1758134525.0000000005B67000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenamedefOff.exe. vs file.exe
              Source: file.exe, 00000000.00000003.1756415867.00000000059C7000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenamedefOff.exe. vs file.exe
              Source: file.exe, 00000000.00000003.1755038650.0000000005860000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenamedefOff.exe. vs file.exe
              Source: file.exe, 00000000.00000003.1761340620.0000000005C4F000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenamedefOff.exe. vs file.exe
              Source: file.exe, 00000000.00000003.1763328894.0000000005B6E000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenamedefOff.exe. vs file.exe
              Source: file.exe, 00000000.00000003.1774005190.0000000005CA0000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenamedefOff.exe. vs file.exe
              Source: file.exe, 00000000.00000003.1766581302.0000000005B6C000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenamedefOff.exe. vs file.exe
              Source: file.exe, 00000000.00000003.1760423936.0000000005B68000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenamedefOff.exe. vs file.exe
              Source: file.exe, 00000000.00000003.1758727359.0000000005C2E000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenamedefOff.exe. vs file.exe
              Source: file.exe, 00000000.00000003.1765924713.0000000005D78000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenamedefOff.exe. vs file.exe
              Source: file.exe, 00000000.00000003.1757110206.0000000005C0C000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenamedefOff.exe. vs file.exe
              Source: file.exe, 00000000.00000003.1778006435.0000000005CA6000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenamedefOff.exe. vs file.exe
              Source: file.exe, 00000000.00000003.1759555133.0000000005B68000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenamedefOff.exe. vs file.exe
              Source: file.exe, 00000000.00000003.1775685433.0000000005C9E000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenamedefOff.exe. vs file.exe
              Source: file.exe, 00000000.00000003.1760909311.0000000005D0B000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenamedefOff.exe. vs file.exe
              Source: file.exe, 00000000.00000003.1781327208.0000000005B6B000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenamedefOff.exe. vs file.exe
              Source: file.exe, 00000000.00000003.1759002471.0000000005B6D000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenamedefOff.exe. vs file.exe
              Source: file.exe, 00000000.00000003.1764713531.0000000005C62000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenamedefOff.exe. vs file.exe
              Source: file.exe, 00000000.00000003.1766804820.0000000005C82000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenamedefOff.exe. vs file.exe
              Source: file.exe, 00000000.00000003.1756325997.0000000005860000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenamedefOff.exe. vs file.exe
              Source: file.exe, 00000000.00000003.1767943689.0000000005B6F000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenamedefOff.exe. vs file.exe
              Source: file.exe, 00000000.00000003.1759952773.0000000005CED000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenamedefOff.exe. vs file.exe
              Source: file.exe, 00000000.00000003.1764859679.0000000005B67000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenamedefOff.exe. vs file.exe
              Source: file.exe, 00000000.00000003.1762728784.0000000005C4A000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenamedefOff.exe. vs file.exe
              Source: file.exe, 00000000.00000003.1758479027.0000000005B6C000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenamedefOff.exe. vs file.exe
              Source: file.exe, 00000000.00000003.1758232101.0000000005C20000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenamedefOff.exe. vs file.exe
              Source: file.exe, 00000000.00000002.1910032998.000000000576A000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenamedefOG vs file.exe
              Source: file.exe, 00000000.00000003.1767733863.0000000005C8B000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenamedefOff.exe. vs file.exe
              Source: file.exe, 00000000.00000003.1756820452.00000000059C5000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenamedefOff.exe. vs file.exe
              Source: file.exe, 00000000.00000003.1792215867.000000000576D000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenamedefOG vs file.exe
              Source: file.exe, 00000000.00000003.1768277515.0000000005B68000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenamedefOff.exe. vs file.exe
              Source: file.exe, 00000000.00000003.1757737359.0000000005CAA000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenamedefOff.exe. vs file.exe
              Source: file.exe, 00000000.00000003.1763747605.0000000005C57000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenamedefOff.exe. vs file.exe
              Source: file.exe, 00000000.00000003.1792331066.0000000000A81000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilenamedefO vs file.exe
              Source: file.exe, 00000000.00000003.1757353709.0000000005C1E000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenamedefOff.exe. vs file.exe
              Source: file.exe, 00000000.00000003.1763062010.0000000005B70000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenamedefOff.exe. vs file.exe
              Source: file.exe, 00000000.00000003.1759157997.0000000005C26000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenamedefOff.exe. vs file.exe
              Source: file.exe, 00000000.00000003.1757028818.0000000005B70000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenamedefOff.exe. vs file.exe
              Source: file.exe, 00000000.00000003.1763208341.0000000005C56000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenamedefOff.exe. vs file.exe
              Source: file.exe, 00000000.00000003.1757488346.0000000005B64000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenamedefOff.exe. vs file.exe
              Source: file.exe, 00000000.00000003.1792049833.0000000000A81000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilenamedefO vs file.exe
              Source: file.exe, 00000000.00000003.1762289565.0000000005C47000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenamedefOff.exe. vs file.exe
              Source: file.exe, 00000000.00000003.1768614984.0000000005DC0000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenamedefOff.exe. vs file.exe
              Source: file.exe, 00000000.00000003.1766340102.0000000005D8F000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenamedefOff.exe. vs file.exe
              Source: file.exe, 00000000.00000003.1759258880.0000000005B63000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenamedefOff.exe. vs file.exe
              Source: file.exe, 00000000.00000003.1766053615.0000000005B63000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenamedefOff.exe. vs file.exe
              Source: file.exe, 00000000.00000003.1756959255.0000000005C0F000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenamedefOff.exe. vs file.exe
              Source: file.exe, 00000000.00000003.1764492353.0000000005B63000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenamedefOff.exe. vs file.exe
              Source: file.exe, 00000000.00000003.1779540755.0000000005B68000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenamedefOff.exe. vs file.exe
              Source: file.exe, 00000000.00000003.1774957468.0000000005CAE000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenamedefOff.exe. vs file.exe
              Source: file.exe, 00000000.00000003.1765734198.0000000005C64000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenamedefOff.exe. vs file.exe
              Source: file.exe, 00000000.00000003.1761556900.0000000005B68000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenamedefOff.exe. vs file.exe
              Source: file.exe, 00000000.00000003.1756618006.00000000059C7000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenamedefOff.exe. vs file.exe
              Source: file.exe, 00000000.00000003.1757611588.0000000005C03000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenamedefOff.exe. vs file.exe
              Source: file.exe, 00000000.00000003.1764001782.0000000005C57000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenamedefOff.exe. vs file.exe
              Source: file.exe, 00000000.00000003.1761749918.0000000005C4F000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenamedefOff.exe. vs file.exe
              Source: file.exe, 00000000.00000003.1774681702.0000000005B71000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenamedefOff.exe. vs file.exe
              Source: file.exe, 00000000.00000003.1760304316.0000000005CFB000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenamedefOff.exe. vs file.exe
              Source: file.exe, 00000000.00000003.1780268421.0000000005DF7000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenamedefOff.exe. vs file.exe
              Source: file.exe, 00000000.00000003.1760544399.0000000005C3E000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenamedefOff.exe. vs file.exe
              Source: file.exe, 00000000.00000003.1770963079.0000000005CA1000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenamedefOff.exe. vs file.exe
              Source: file.exe, 00000000.00000003.1760661884.0000000005B6A000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenamedefOff.exe. vs file.exe
              Source: file.exe, 00000000.00000003.1762542693.0000000005B62000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenamedefOff.exe. vs file.exe
              Source: file.exe, 00000000.00000003.1780783238.0000000005CBB000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenamedefOff.exe. vs file.exe
              Source: file.exe, 00000000.00000003.1766194423.0000000005C77000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenamedefOff.exe. vs file.exe
              Source: file.exe, 00000000.00000003.1764254963.0000000005B6A000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenamedefOff.exe. vs file.exe
              Source: file.exe, 00000000.00000003.1763600656.0000000005B6B000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenamedefOff.exe. vs file.exe
              Source: file.exe, 00000000.00000002.1910032998.0000000005756000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenamedefOff.exe. vs file.exe
              Source: file.exe, 00000000.00000003.1781731628.0000000005CB2000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenamedefOff.exe. vs file.exe
              Source: file.exe, 00000000.00000003.1757258089.0000000005B70000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenamedefOff.exe. vs file.exe
              Source: file.exe, 00000000.00000003.1792049833.0000000000A66000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilenamedefOff.exe. vs file.exe
              Source: file.exe, 00000000.00000002.1894285939.0000000000A1F000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilenamedefOff.exe. vs file.exe
              Source: file.exe, 00000000.00000002.1912094583.0000000005E27000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenamedefOff.exe. vs file.exe
              Source: file.exe, 00000000.00000003.1760191795.0000000005C30000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenamedefOff.exe. vs file.exe
              Source: file.exe, 00000000.00000003.1762883549.0000000005D2C000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenamedefOff.exe. vs file.exe
              Source: file.exe, 00000000.00000003.1775268508.0000000005B64000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenamedefOff.exe. vs file.exe
              Source: file.exe, 00000000.00000003.1756690829.0000000005B65000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenamedefOff.exe. vs file.exe
              Source: file.exe, 00000000.00000003.1761104338.0000000005B71000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenamedefOff.exe. vs file.exe
              Source: file.exe, 00000000.00000003.1765318056.0000000005C66000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenamedefOff.exe. vs file.exe
              Source: file.exe, 00000000.00000003.1758344566.0000000005CE0000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenamedefOff.exe. vs file.exe
              Source: file.exe, 00000000.00000003.1763461418.0000000005C5E000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenamedefOff.exe. vs file.exe
              Source: file.exe, 00000000.00000003.1764995936.0000000005C71000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenamedefOff.exe. vs file.exe
              Source: file.exe, 00000000.00000003.1756515405.0000000005B6F000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenamedefOff.exe. vs file.exe
              Source: file.exe, 00000000.00000003.1772354539.0000000005B63000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenamedefOff.exe. vs file.exe
              Source: file.exe, 00000000.00000003.1758024066.0000000005C19000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenamedefOff.exe. vs file.exe
              Source: file.exe, 00000000.00000003.1765150702.0000000005B65000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenamedefOff.exe. vs file.exe
              Source: file.exe, 00000000.00000003.1759830474.0000000005C2A000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenamedefOff.exe. vs file.exe
              Source: file.exe, 00000000.00000003.1756887248.0000000005B68000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenamedefOff.exe. vs file.exe
              Source: file.exe, 00000000.00000003.1768854638.0000000005B68000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenamedefOff.exe. vs file.exe
              Source: file.exe, 00000000.00000003.1768136646.0000000005C87000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenamedefOff.exe. vs file.exe
              Source: file.exe, 00000000.00000003.1774331102.0000000005DD1000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenamedefOff.exe. vs file.exe
              Source: file.exe, 00000000.00000003.1776642465.0000000005B6B000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenamedefOff.exe. vs file.exe
              Source: file.exe, 00000000.00000003.1759385551.0000000005C22000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenamedefOff.exe. vs file.exe
              Source: file.exe, 00000000.00000003.1760807860.0000000005C3B000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenamedefOff.exe. vs file.exe
              Source: file.exe, 00000000.00000003.1764376065.0000000005C69000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenamedefOff.exe. vs file.exe
              Source: file.exe, 00000000.00000003.1757863717.0000000005B6C000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenamedefOff.exe. vs file.exe
              Source: file.exeStatic PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
              Source: file.exeStatic PE information: Section: ZLIB complexity 0.9974087252475248
              Source: file.exeStatic PE information: Section: saixhvao ZLIB complexity 0.9944940757175227
              Source: classification engineClassification label: mal100.troj.spyw.evad.winEXE@24/71@11/6
              Source: C:\Program Files\Google\Chrome\Application\chrome.exeFile created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome AppsJump to behavior
              Source: C:\Users\user\Desktop\file.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
              Source: file.exe, 00000000.00000003.1633925905.00000000056E4000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.1649738479.00000000057C3000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.1650164432.000000000576A000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.1634401056.00000000056C5000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
              Source: file.exeVirustotal: Detection: 41%
              Source: C:\Users\user\Desktop\file.exeFile read: C:\Users\user\Desktop\file.exeJump to behavior
              Source: unknownProcess created: C:\Users\user\Desktop\file.exe "C:\Users\user\Desktop\file.exe"
              Source: C:\Users\user\Desktop\file.exeProcess created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=file.exe&platform=0009&osver=6&isServer=0&shimver=4.0.30319.0
              Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2140 --field-trial-handle=1908,i,10312143833214285675,2582168569992251965,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
              Source: C:\Users\user\Desktop\file.exeProcess created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=file.exe&platform=0009&osver=6&isServer=0&shimver=4.0.30319.0
              Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2104 --field-trial-handle=1908,i,3294702590203488965,14854174447788199896,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
              Source: C:\Users\user\Desktop\file.exeProcess created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=file.exe&platform=0009&osver=6&isServer=0&shimver=4.0.30319.0Jump to behavior
              Source: C:\Users\user\Desktop\file.exeProcess created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=file.exe&platform=0009&osver=6&isServer=0&shimver=4.0.30319.0Jump to behavior
              Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknownJump to behavior
              Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknownJump to behavior
              Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2140 --field-trial-handle=1908,i,10312143833214285675,2582168569992251965,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8Jump to behavior
              Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknownJump to behavior
              Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknownJump to behavior
              Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknownJump to behavior
              Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknownJump to behavior
              Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknownJump to behavior
              Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknownJump to behavior
              Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknownJump to behavior
              Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknownJump to behavior
              Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknownJump to behavior
              Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknownJump to behavior
              Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknownJump to behavior
              Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknownJump to behavior
              Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknownJump to behavior
              Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2104 --field-trial-handle=1908,i,3294702590203488965,14854174447788199896,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8Jump to behavior
              Source: C:\Users\user\Desktop\file.exeSection loaded: apphelp.dllJump to behavior
              Source: C:\Users\user\Desktop\file.exeSection loaded: winmm.dllJump to behavior
              Source: C:\Users\user\Desktop\file.exeSection loaded: windows.storage.dllJump to behavior
              Source: C:\Users\user\Desktop\file.exeSection loaded: wldp.dllJump to behavior
              Source: C:\Users\user\Desktop\file.exeSection loaded: winhttp.dllJump to behavior
              Source: C:\Users\user\Desktop\file.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
              Source: C:\Users\user\Desktop\file.exeSection loaded: webio.dllJump to behavior
              Source: C:\Users\user\Desktop\file.exeSection loaded: mswsock.dllJump to behavior
              Source: C:\Users\user\Desktop\file.exeSection loaded: iphlpapi.dllJump to behavior
              Source: C:\Users\user\Desktop\file.exeSection loaded: winnsi.dllJump to behavior
              Source: C:\Users\user\Desktop\file.exeSection loaded: sspicli.dllJump to behavior
              Source: C:\Users\user\Desktop\file.exeSection loaded: dnsapi.dllJump to behavior
              Source: C:\Users\user\Desktop\file.exeSection loaded: rasadhlp.dllJump to behavior
              Source: C:\Users\user\Desktop\file.exeSection loaded: fwpuclnt.dllJump to behavior
              Source: C:\Users\user\Desktop\file.exeSection loaded: schannel.dllJump to behavior
              Source: C:\Users\user\Desktop\file.exeSection loaded: mskeyprotect.dllJump to behavior
              Source: C:\Users\user\Desktop\file.exeSection loaded: ntasn1.dllJump to behavior
              Source: C:\Users\user\Desktop\file.exeSection loaded: ncrypt.dllJump to behavior
              Source: C:\Users\user\Desktop\file.exeSection loaded: ncryptsslp.dllJump to behavior
              Source: C:\Users\user\Desktop\file.exeSection loaded: msasn1.dllJump to behavior
              Source: C:\Users\user\Desktop\file.exeSection loaded: cryptsp.dllJump to behavior
              Source: C:\Users\user\Desktop\file.exeSection loaded: rsaenh.dllJump to behavior
              Source: C:\Users\user\Desktop\file.exeSection loaded: cryptbase.dllJump to behavior
              Source: C:\Users\user\Desktop\file.exeSection loaded: gpapi.dllJump to behavior
              Source: C:\Users\user\Desktop\file.exeSection loaded: dpapi.dllJump to behavior
              Source: C:\Users\user\Desktop\file.exeSection loaded: kernel.appcore.dllJump to behavior
              Source: C:\Users\user\Desktop\file.exeSection loaded: uxtheme.dllJump to behavior
              Source: C:\Users\user\Desktop\file.exeSection loaded: wbemcomn.dllJump to behavior
              Source: C:\Users\user\Desktop\file.exeSection loaded: amsi.dllJump to behavior
              Source: C:\Users\user\Desktop\file.exeSection loaded: userenv.dllJump to behavior
              Source: C:\Users\user\Desktop\file.exeSection loaded: profapi.dllJump to behavior
              Source: C:\Users\user\Desktop\file.exeSection loaded: version.dllJump to behavior
              Source: C:\Users\user\Desktop\file.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
              Source: C:\Users\user\Desktop\file.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
              Source: C:\Users\user\Desktop\file.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
              Source: C:\Users\user\Desktop\file.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
              Source: C:\Users\user\Desktop\file.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
              Source: C:\Users\user\Desktop\file.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
              Source: C:\Users\user\Desktop\file.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
              Source: C:\Users\user\Desktop\file.exeSection loaded: mscoree.dllJump to behavior
              Source: C:\Users\user\Desktop\file.exeSection loaded: textshaping.dllJump to behavior
              Source: C:\Users\user\Desktop\file.exeSection loaded: textinputframework.dllJump to behavior
              Source: C:\Users\user\Desktop\file.exeSection loaded: coreuicomponents.dllJump to behavior
              Source: C:\Users\user\Desktop\file.exeSection loaded: coremessaging.dllJump to behavior
              Source: C:\Users\user\Desktop\file.exeSection loaded: ntmarta.dllJump to behavior
              Source: C:\Users\user\Desktop\file.exeSection loaded: wintypes.dllJump to behavior
              Source: C:\Users\user\Desktop\file.exeSection loaded: wintypes.dllJump to behavior
              Source: C:\Users\user\Desktop\file.exeSection loaded: wintypes.dllJump to behavior
              Source: C:\Users\user\Desktop\file.exeSection loaded: propsys.dllJump to behavior
              Source: C:\Users\user\Desktop\file.exeSection loaded: urlmon.dllJump to behavior
              Source: C:\Users\user\Desktop\file.exeSection loaded: iertutil.dllJump to behavior
              Source: C:\Users\user\Desktop\file.exeSection loaded: srvcli.dllJump to behavior
              Source: C:\Users\user\Desktop\file.exeSection loaded: netutils.dllJump to behavior
              Source: C:\Users\user\Desktop\file.exeSection loaded: windows.shell.servicehostbuilder.dllJump to behavior
              Source: C:\Users\user\Desktop\file.exeSection loaded: onecoreuapcommonproxystub.dllJump to behavior
              Source: C:\Users\user\Desktop\file.exeSection loaded: ieframe.dllJump to behavior
              Source: C:\Users\user\Desktop\file.exeSection loaded: netapi32.dllJump to behavior
              Source: C:\Users\user\Desktop\file.exeSection loaded: wkscli.dllJump to behavior
              Source: C:\Users\user\Desktop\file.exeSection loaded: windows.staterepositoryps.dllJump to behavior
              Source: C:\Users\user\Desktop\file.exeSection loaded: edputil.dllJump to behavior
              Source: C:\Users\user\Desktop\file.exeSection loaded: secur32.dllJump to behavior
              Source: C:\Users\user\Desktop\file.exeSection loaded: mlang.dllJump to behavior
              Source: C:\Users\user\Desktop\file.exeSection loaded: wininet.dllJump to behavior
              Source: C:\Users\user\Desktop\file.exeSection loaded: policymanager.dllJump to behavior
              Source: C:\Users\user\Desktop\file.exeSection loaded: msvcp110_win.dllJump to behavior
              Source: C:\Users\user\Desktop\file.exeSection loaded: onecorecommonproxystub.dllJump to behavior
              Source: C:\Users\user\Desktop\file.exeSection loaded: ieframe.dllJump to behavior
              Source: C:\Users\user\Desktop\file.exeSection loaded: netapi32.dllJump to behavior
              Source: C:\Users\user\Desktop\file.exeSection loaded: wkscli.dllJump to behavior
              Source: Google Drive.lnk.5.drLNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe
              Source: YouTube.lnk.5.drLNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe
              Source: Sheets.lnk.5.drLNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe
              Source: Gmail.lnk.5.drLNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe
              Source: Slides.lnk.5.drLNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe
              Source: Docs.lnk.5.drLNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe
              Source: Window RecorderWindow detected: More than 3 window changes detected
              Source: file.exeStatic file information: File size 1865216 > 1048576
              Source: file.exeStatic PE information: Raw size of saixhvao is bigger than: 0x100000 < 0x19dc00
              Source: Binary string: E:\defOff\defOff\defOff\obj\Release\defOff.pdb source: file.exe, 00000000.00000002.1912859198.00000000060E2000.00000040.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.1791593341.0000000008010000.00000004.00001000.00020000.00000000.sdmp

              Data Obfuscation

              barindex
              Source: C:\Users\user\Desktop\file.exeUnpacked PE file: 0.2.file.exe.d70000.0.unpack :EW;.rsrc :W;.idata :W; :EW;saixhvao:EW;cgvumvdv:EW;.taggant:EW; vs :ER;.rsrc :W;.idata :W; :EW;saixhvao:EW;cgvumvdv:EW;.taggant:EW;
              Source: initial sampleStatic PE information: section where entry point is pointing to: .taggant
              Source: file.exeStatic PE information: real checksum: 0x1d14c0 should be: 0x1d5929
              Source: file.exeStatic PE information: section name:
              Source: file.exeStatic PE information: section name: .rsrc
              Source: file.exeStatic PE information: section name: .idata
              Source: file.exeStatic PE information: section name:
              Source: file.exeStatic PE information: section name: saixhvao
              Source: file.exeStatic PE information: section name: cgvumvdv
              Source: file.exeStatic PE information: section name: .taggant
              Source: C:\Users\user\Desktop\file.exeCode function: 0_3_00A89E5D pushfd ; retf 0_3_00A89E6F
              Source: C:\Users\user\Desktop\file.exeCode function: 0_3_00A8DC10 push edi; ret 0_3_00A8DC40
              Source: C:\Users\user\Desktop\file.exeCode function: 0_3_00A907C1 pushfd ; retf 0_3_00A907CB
              Source: C:\Users\user\Desktop\file.exeCode function: 0_3_00A907C1 pushfd ; retf 0_3_00A907CB
              Source: C:\Users\user\Desktop\file.exeCode function: 0_3_00A907C1 pushfd ; retf 0_3_00A907CB
              Source: C:\Users\user\Desktop\file.exeCode function: 0_3_00A907C1 pushfd ; retf 0_3_00A907CB
              Source: C:\Users\user\Desktop\file.exeCode function: 0_3_00A97C92 push cs; retf 0_3_00A97C93
              Source: C:\Users\user\Desktop\file.exeCode function: 0_3_00A97C92 push cs; retf 0_3_00A97C93
              Source: C:\Users\user\Desktop\file.exeCode function: 0_3_00A97C92 push cs; retf 0_3_00A97C93
              Source: C:\Users\user\Desktop\file.exeCode function: 0_3_00A97C92 push cs; retf 0_3_00A97C93
              Source: C:\Users\user\Desktop\file.exeCode function: 0_3_00A97C92 push cs; retf 0_3_00A97C93
              Source: C:\Users\user\Desktop\file.exeCode function: 0_3_00A97C92 push cs; retf 0_3_00A97C93
              Source: C:\Users\user\Desktop\file.exeCode function: 0_3_00A97C92 push cs; retf 0_3_00A97C93
              Source: C:\Users\user\Desktop\file.exeCode function: 0_3_00A97C92 push cs; retf 0_3_00A97C93
              Source: C:\Users\user\Desktop\file.exeCode function: 0_3_00A97C92 push cs; retf 0_3_00A97C93
              Source: C:\Users\user\Desktop\file.exeCode function: 0_3_00A95AC0 pushad ; retf 0_3_00A95B9B
              Source: C:\Users\user\Desktop\file.exeCode function: 0_3_00A95AC0 pushad ; retf 0_3_00A95B9B
              Source: C:\Users\user\Desktop\file.exeCode function: 0_3_00A95AC0 pushad ; retf 0_3_00A95B9B
              Source: C:\Users\user\Desktop\file.exeCode function: 0_3_00A95AC0 pushad ; retf 0_3_00A95B9B
              Source: C:\Users\user\Desktop\file.exeCode function: 0_3_00A95AC0 pushad ; retf 0_3_00A95B9B
              Source: C:\Users\user\Desktop\file.exeCode function: 0_3_00A95AC0 pushad ; retf 0_3_00A95B9B
              Source: C:\Users\user\Desktop\file.exeCode function: 0_3_00A95AC0 pushad ; retf 0_3_00A95B9B
              Source: C:\Users\user\Desktop\file.exeCode function: 0_3_00A95AC0 pushad ; retf 0_3_00A95B9B
              Source: C:\Users\user\Desktop\file.exeCode function: 0_3_00A95AC0 pushad ; retf 0_3_00A95B9B
              Source: C:\Users\user\Desktop\file.exeCode function: 0_3_00A97A22 push eax; retf 0_3_00A97A23
              Source: C:\Users\user\Desktop\file.exeCode function: 0_3_00A97A22 push eax; retf 0_3_00A97A23
              Source: C:\Users\user\Desktop\file.exeCode function: 0_3_00A97A22 push eax; retf 0_3_00A97A23
              Source: C:\Users\user\Desktop\file.exeCode function: 0_3_00A97A22 push eax; retf 0_3_00A97A23
              Source: C:\Users\user\Desktop\file.exeCode function: 0_3_00A97A22 push eax; retf 0_3_00A97A23
              Source: C:\Users\user\Desktop\file.exeCode function: 0_3_00A97A22 push eax; retf 0_3_00A97A23
              Source: C:\Users\user\Desktop\file.exeCode function: 0_3_00A97A22 push eax; retf 0_3_00A97A23
              Source: file.exeStatic PE information: section name: entropy: 7.974777943413181
              Source: file.exeStatic PE information: section name: saixhvao entropy: 7.953655752107788

              Boot Survival

              barindex
              Source: C:\Users\user\Desktop\file.exeWindow searched: window name: FilemonClassJump to behavior
              Source: C:\Users\user\Desktop\file.exeWindow searched: window name: PROCMON_WINDOW_CLASSJump to behavior
              Source: C:\Users\user\Desktop\file.exeWindow searched: window name: RegmonClassJump to behavior
              Source: C:\Users\user\Desktop\file.exeWindow searched: window name: FilemonClassJump to behavior
              Source: C:\Users\user\Desktop\file.exeWindow searched: window name: PROCMON_WINDOW_CLASSJump to behavior
              Source: C:\Users\user\Desktop\file.exeWindow searched: window name: RegmonclassJump to behavior
              Source: C:\Users\user\Desktop\file.exeWindow searched: window name: FilemonclassJump to behavior
              Source: C:\Users\user\Desktop\file.exeWindow searched: window name: PROCMON_WINDOW_CLASSJump to behavior
              Source: C:\Users\user\Desktop\file.exeWindow searched: window name: RegmonclassJump to behavior
              Source: C:\Users\user\Desktop\file.exeWindow searched: window name: FilemonClassJump to behavior
              Source: C:\Users\user\Desktop\file.exeWindow searched: window name: PROCMON_WINDOW_CLASSJump to behavior
              Source: C:\Users\user\Desktop\file.exeWindow searched: window name: RegmonClassJump to behavior
              Source: C:\Users\user\Desktop\file.exeWindow searched: window name: FilemonClassJump to behavior
              Source: C:\Users\user\Desktop\file.exeWindow searched: window name: PROCMON_WINDOW_CLASSJump to behavior
              Source: C:\Users\user\Desktop\file.exeWindow searched: window name: RegmonclassJump to behavior
              Source: C:\Users\user\Desktop\file.exeWindow searched: window name: FilemonclassJump to behavior
              Source: C:\Users\user\Desktop\file.exeWindow searched: window name: PROCMON_WINDOW_CLASSJump to behavior
              Source: C:\Program Files\Google\Chrome\Application\chrome.exeFile created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome AppsJump to behavior
              Source: C:\Program Files\Google\Chrome\Application\chrome.exeFile created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Google Drive.lnkJump to behavior
              Source: C:\Program Files\Google\Chrome\Application\chrome.exeFile created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\YouTube.lnkJump to behavior
              Source: C:\Program Files\Google\Chrome\Application\chrome.exeFile created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Sheets.lnkJump to behavior
              Source: C:\Program Files\Google\Chrome\Application\chrome.exeFile created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Gmail.lnkJump to behavior
              Source: C:\Program Files\Google\Chrome\Application\chrome.exeFile created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Slides.lnkJump to behavior
              Source: C:\Program Files\Google\Chrome\Application\chrome.exeFile created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Docs.lnkJump to behavior
              Source: C:\Users\user\Desktop\file.exeRegistry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdateJump to behavior
              Source: C:\Users\user\Desktop\file.exeRegistry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRootJump to behavior
              Source: C:\Users\user\Desktop\file.exeProcess information set: NOOPENFILEERRORBOXJump to behavior

              Malware Analysis System Evasion

              barindex
              Source: C:\Users\user\Desktop\file.exeSystem information queried: FirmwareTableInformationJump to behavior
              Source: C:\Users\user\Desktop\file.exeFile opened: HKEY_CURRENT_USER\Software\WineJump to behavior
              Source: C:\Users\user\Desktop\file.exeFile opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__Jump to behavior
              Source: C:\Users\user\Desktop\file.exeFile opened: HKEY_CURRENT_USER\Software\WineJump to behavior
              Source: C:\Users\user\Desktop\file.exeFile opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__Jump to behavior
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DCC332 second address: DCC349 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 jmp 00007F9ACD05C371h 0x0000000b rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F488BC second address: F488D4 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push ecx 0x00000004 pop ecx 0x00000005 pushad 0x00000006 popad 0x00000007 jns 00007F9ACCBE48C6h 0x0000000d popad 0x0000000e push eax 0x0000000f push edx 0x00000010 pushad 0x00000011 popad 0x00000012 jne 00007F9ACCBE48C6h 0x00000018 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F2D7EF second address: F2D826 instructions: 0x00000000 rdtsc 0x00000002 jnc 00007F9ACD05C36Ch 0x00000008 jmp 00007F9ACD05C36Ch 0x0000000d pop edx 0x0000000e pop eax 0x0000000f push eax 0x00000010 push edx 0x00000011 jbe 00007F9ACD05C379h 0x00000017 jmp 00007F9ACD05C373h 0x0000001c rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F47C4A second address: F47C4F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F47D9A second address: F47DA4 instructions: 0x00000000 rdtsc 0x00000002 jp 00007F9ACD05C366h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F47DA4 second address: F47DAA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F47DAA second address: F47DAE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F47DAE second address: F47DBD instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push esi 0x00000007 jng 00007F9ACCBE48C6h 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F47EE9 second address: F47EEF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F47EEF second address: F47F06 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F9ACCBE48D2h 0x00000009 popad 0x0000000a rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F4B713 second address: F4B718 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F4B784 second address: F4B7CC instructions: 0x00000000 rdtsc 0x00000002 jng 00007F9ACCBE48C6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop ebx 0x0000000b push eax 0x0000000c jng 00007F9ACCBE48DDh 0x00000012 nop 0x00000013 mov si, C467h 0x00000017 push 00000000h 0x00000019 pushad 0x0000001a mov dx, 66D2h 0x0000001e popad 0x0000001f call 00007F9ACCBE48C9h 0x00000024 jg 00007F9ACCBE48CEh 0x0000002a push esi 0x0000002b push eax 0x0000002c push edx 0x0000002d rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F4B7CC second address: F4B7F0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 push eax 0x00000006 jmp 00007F9ACD05C375h 0x0000000b mov eax, dword ptr [esp+04h] 0x0000000f pushad 0x00000010 push eax 0x00000011 push edx 0x00000012 push eax 0x00000013 pop eax 0x00000014 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F4B7F0 second address: F4B823 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 js 00007F9ACCBE48CCh 0x0000000c popad 0x0000000d mov eax, dword ptr [eax] 0x0000000f jmp 00007F9ACCBE48D6h 0x00000014 mov dword ptr [esp+04h], eax 0x00000018 push eax 0x00000019 push edx 0x0000001a push eax 0x0000001b push edx 0x0000001c rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F4B823 second address: F4B86D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop eax 0x00000007 push 00000000h 0x00000009 push edx 0x0000000a call 00007F9ACD05C368h 0x0000000f pop edx 0x00000010 mov dword ptr [esp+04h], edx 0x00000014 add dword ptr [esp+04h], 00000018h 0x0000001c inc edx 0x0000001d push edx 0x0000001e ret 0x0000001f pop edx 0x00000020 ret 0x00000021 push 00000003h 0x00000023 mov dx, D33Dh 0x00000027 push 00000000h 0x00000029 jns 00007F9ACD05C368h 0x0000002f push 00000003h 0x00000031 mov dword ptr [ebp+122D374Eh], ebx 0x00000037 push 6885056Eh 0x0000003c push eax 0x0000003d push edx 0x0000003e push esi 0x0000003f push ebx 0x00000040 pop ebx 0x00000041 pop esi 0x00000042 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F4B86D second address: F4B8CB instructions: 0x00000000 rdtsc 0x00000002 je 00007F9ACCBE48C8h 0x00000008 push eax 0x00000009 pop eax 0x0000000a pop edx 0x0000000b pop eax 0x0000000c add dword ptr [esp], 577AFA92h 0x00000013 movsx ecx, si 0x00000016 lea ebx, dword ptr [ebp+124534BFh] 0x0000001c jmp 00007F9ACCBE48CBh 0x00000021 xchg eax, ebx 0x00000022 push esi 0x00000023 jnl 00007F9ACCBE48DBh 0x00000029 pop esi 0x0000002a push eax 0x0000002b pushad 0x0000002c push eax 0x0000002d push edx 0x0000002e jmp 00007F9ACCBE48D5h 0x00000033 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F4B9FF second address: F4BA03 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F6CF85 second address: F6CFB9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 jmp 00007F9ACCBE48D8h 0x0000000b jmp 00007F9ACCBE48D4h 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F6CFB9 second address: F6CFDC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a jns 00007F9ACD05C379h 0x00000010 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F6CFDC second address: F6CFE5 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 pop eax 0x00000005 pushad 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F6B234 second address: F6B24E instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F9ACD05C370h 0x00000007 ja 00007F9ACD05C366h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F6B24E second address: F6B253 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F6B52B second address: F6B530 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F6B661 second address: F6B673 instructions: 0x00000000 rdtsc 0x00000002 jnl 00007F9ACCBE48C6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a jng 00007F9ACCBE48CCh 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F6B673 second address: F6B677 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F6BA86 second address: F6BA8E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F6BA8E second address: F6BA9C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 ja 00007F9ACD05C366h 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F6BA9C second address: F6BAA7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 pushad 0x00000008 popad 0x00000009 push esi 0x0000000a pop esi 0x0000000b rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F6BC22 second address: F6BC37 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F9ACD05C36Bh 0x00000009 jo 00007F9ACD05C366h 0x0000000f rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F6BC37 second address: F6BC3B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F6BEE3 second address: F6BEE9 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F6BEE9 second address: F6BEF2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F6BEF2 second address: F6BEFA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F6BEFA second address: F6BF27 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 push edx 0x00000009 jmp 00007F9ACCBE48D3h 0x0000000e push eax 0x0000000f pop eax 0x00000010 pop edx 0x00000011 jng 00007F9ACCBE48CEh 0x00000017 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F6BF27 second address: F6BF42 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F9ACD05C376h 0x00000007 pushad 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F6C692 second address: F6C6BD instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007F9ACCBE48CCh 0x0000000b jmp 00007F9ACCBE48D3h 0x00000010 popad 0x00000011 push eax 0x00000012 push edx 0x00000013 pushad 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F6C6BD second address: F6C6C3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F6C6C3 second address: F6C6C9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F6C6C9 second address: F6C6CE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F6C6CE second address: F6C6D8 instructions: 0x00000000 rdtsc 0x00000002 jnp 00007F9ACCBE48D2h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F6C6D8 second address: F6C6DE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F6C818 second address: F6C81C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F6C81C second address: F6C82A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop eax 0x00000007 push eax 0x00000008 push eax 0x00000009 push edx 0x0000000a pushad 0x0000000b popad 0x0000000c pushad 0x0000000d popad 0x0000000e rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F6C95E second address: F6C989 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F9ACCBE48D5h 0x00000007 jmp 00007F9ACCBE48CCh 0x0000000c pop edx 0x0000000d pop eax 0x0000000e push eax 0x0000000f push edx 0x00000010 push eax 0x00000011 push edx 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F6C989 second address: F6C98F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F6C98F second address: F6C993 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F6C993 second address: F6C99D instructions: 0x00000000 rdtsc 0x00000002 jng 00007F9ACD05C366h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F7027D second address: F702A4 instructions: 0x00000000 rdtsc 0x00000002 jo 00007F9ACCBE48C6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a popad 0x0000000b mov eax, dword ptr [eax] 0x0000000d jg 00007F9ACCBE48D1h 0x00000013 mov dword ptr [esp+04h], eax 0x00000017 pushad 0x00000018 push eax 0x00000019 push edx 0x0000001a pushad 0x0000001b popad 0x0000001c rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F70592 second address: F70596 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F70596 second address: F7059C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F788E6 second address: F788EA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F788EA second address: F788F2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F788F2 second address: F788F7 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F788F7 second address: F78914 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F9ACCBE48D7h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F7861E second address: F78632 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F9ACD05C36Fh 0x00000009 pop ecx 0x0000000a rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F78632 second address: F78644 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F9ACCBE48CDh 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F7BE85 second address: F7BE9A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F9ACD05C371h 0x00000009 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F7CBAE second address: F7CBB5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F7CBB5 second address: F7CC29 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 popad 0x00000006 push eax 0x00000007 pushad 0x00000008 jng 00007F9ACD05C370h 0x0000000e jmp 00007F9ACD05C36Ah 0x00000013 jbe 00007F9ACD05C368h 0x00000019 popad 0x0000001a xchg eax, ebx 0x0000001b push 00000000h 0x0000001d push ebp 0x0000001e call 00007F9ACD05C368h 0x00000023 pop ebp 0x00000024 mov dword ptr [esp+04h], ebp 0x00000028 add dword ptr [esp+04h], 0000001Bh 0x00000030 inc ebp 0x00000031 push ebp 0x00000032 ret 0x00000033 pop ebp 0x00000034 ret 0x00000035 mov dword ptr [ebp+122DB840h], edi 0x0000003b push eax 0x0000003c xor dword ptr [ebp+122D1BECh], eax 0x00000042 pop edi 0x00000043 nop 0x00000044 jmp 00007F9ACD05C36Dh 0x00000049 push eax 0x0000004a push eax 0x0000004b push edx 0x0000004c pushad 0x0000004d pushad 0x0000004e popad 0x0000004f jmp 00007F9ACD05C36Ch 0x00000054 popad 0x00000055 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F7CC29 second address: F7CC2F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edx 0x00000005 pop edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F7CDC3 second address: F7CDC7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F7CECA second address: F7CECE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F7CECE second address: F7CEDF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop esi 0x00000007 push eax 0x00000008 push ebx 0x00000009 push eax 0x0000000a push edx 0x0000000b jnl 00007F9ACD05C366h 0x00000011 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F7CEDF second address: F7CEE3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F7CFDC second address: F7CFE7 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jnl 00007F9ACD05C366h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F7D0BB second address: F7D0BF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F7D185 second address: F7D18F instructions: 0x00000000 rdtsc 0x00000002 jp 00007F9ACD05C366h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F7E0A2 second address: F7E0A6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F807CB second address: F807F2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jmp 00007F9ACD05C370h 0x0000000a popad 0x0000000b push eax 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007F9ACD05C36Eh 0x00000013 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F85116 second address: F85172 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F9ACCBE48D1h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 popad 0x0000000a mov dword ptr [esp], eax 0x0000000d mov ebx, dword ptr [ebp+122D3A91h] 0x00000013 push 00000000h 0x00000015 push 00000000h 0x00000017 push ebp 0x00000018 call 00007F9ACCBE48C8h 0x0000001d pop ebp 0x0000001e mov dword ptr [esp+04h], ebp 0x00000022 add dword ptr [esp+04h], 0000001Ah 0x0000002a inc ebp 0x0000002b push ebp 0x0000002c ret 0x0000002d pop ebp 0x0000002e ret 0x0000002f push edi 0x00000030 pop ebx 0x00000031 call 00007F9ACCBE48CCh 0x00000036 mov bl, 90h 0x00000038 pop edi 0x00000039 push 00000000h 0x0000003b cmc 0x0000003c push eax 0x0000003d pushad 0x0000003e pushad 0x0000003f push eax 0x00000040 push edx 0x00000041 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F860B5 second address: F860B9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F860B9 second address: F860C3 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 pushad 0x00000009 popad 0x0000000a rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F82F38 second address: F82F42 instructions: 0x00000000 rdtsc 0x00000002 jng 00007F9ACD05C366h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F82F42 second address: F82F48 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F82F48 second address: F82F5C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 pushad 0x0000000a pushad 0x0000000b pushad 0x0000000c popad 0x0000000d pushad 0x0000000e popad 0x0000000f popad 0x00000010 push eax 0x00000011 push edx 0x00000012 pushad 0x00000013 popad 0x00000014 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F86F4B second address: F86F63 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F9ACCBE48CCh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b jg 00007F9ACCBE48C6h 0x00000011 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F86F63 second address: F86F80 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 push eax 0x00000009 push edx 0x0000000a js 00007F9ACD05C373h 0x00000010 jmp 00007F9ACD05C36Dh 0x00000015 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F86F80 second address: F86FF3 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 jns 00007F9ACCBE48C6h 0x00000009 pop edx 0x0000000a pop edx 0x0000000b pop eax 0x0000000c nop 0x0000000d push 00000000h 0x0000000f push edx 0x00000010 call 00007F9ACCBE48C8h 0x00000015 pop edx 0x00000016 mov dword ptr [esp+04h], edx 0x0000001a add dword ptr [esp+04h], 00000018h 0x00000022 inc edx 0x00000023 push edx 0x00000024 ret 0x00000025 pop edx 0x00000026 ret 0x00000027 xor ebx, 3B30BA0Ch 0x0000002d push 00000000h 0x0000002f sub ebx, dword ptr [ebp+122D1DE1h] 0x00000035 push 00000000h 0x00000037 push 00000000h 0x00000039 push ebp 0x0000003a call 00007F9ACCBE48C8h 0x0000003f pop ebp 0x00000040 mov dword ptr [esp+04h], ebp 0x00000044 add dword ptr [esp+04h], 0000001Ah 0x0000004c inc ebp 0x0000004d push ebp 0x0000004e ret 0x0000004f pop ebp 0x00000050 ret 0x00000051 mov bx, B531h 0x00000055 add ebx, dword ptr [ebp+122DB849h] 0x0000005b push eax 0x0000005c push ecx 0x0000005d push eax 0x0000005e push edx 0x0000005f jnc 00007F9ACCBE48C6h 0x00000065 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F87EE6 second address: F87EEA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F88ECA second address: F88F59 instructions: 0x00000000 rdtsc 0x00000002 ja 00007F9ACCBE48CCh 0x00000008 pop edx 0x00000009 pop eax 0x0000000a mov dword ptr [esp], eax 0x0000000d and edi, dword ptr [ebp+122D3849h] 0x00000013 push 00000000h 0x00000015 push 00000000h 0x00000017 push ebx 0x00000018 call 00007F9ACCBE48C8h 0x0000001d pop ebx 0x0000001e mov dword ptr [esp+04h], ebx 0x00000022 add dword ptr [esp+04h], 00000016h 0x0000002a inc ebx 0x0000002b push ebx 0x0000002c ret 0x0000002d pop ebx 0x0000002e ret 0x0000002f mov ebx, dword ptr [ebp+122D36D8h] 0x00000035 mov dword ptr [ebp+122D2A0Ah], eax 0x0000003b push 00000000h 0x0000003d push 00000000h 0x0000003f push ebp 0x00000040 call 00007F9ACCBE48C8h 0x00000045 pop ebp 0x00000046 mov dword ptr [esp+04h], ebp 0x0000004a add dword ptr [esp+04h], 0000001Ah 0x00000052 inc ebp 0x00000053 push ebp 0x00000054 ret 0x00000055 pop ebp 0x00000056 ret 0x00000057 mov edi, dword ptr [ebp+122D1F54h] 0x0000005d push eax 0x0000005e push eax 0x0000005f push edx 0x00000060 jc 00007F9ACCBE48DDh 0x00000066 jmp 00007F9ACCBE48D7h 0x0000006b rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F88053 second address: F88059 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F8B7A2 second address: F8B7A6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F8B7A6 second address: F8B81C instructions: 0x00000000 rdtsc 0x00000002 jg 00007F9ACD05C366h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop edx 0x0000000b push eax 0x0000000c pushad 0x0000000d jmp 00007F9ACD05C36Bh 0x00000012 jmp 00007F9ACD05C376h 0x00000017 popad 0x00000018 nop 0x00000019 push 00000000h 0x0000001b push edi 0x0000001c call 00007F9ACD05C368h 0x00000021 pop edi 0x00000022 mov dword ptr [esp+04h], edi 0x00000026 add dword ptr [esp+04h], 0000001Ah 0x0000002e inc edi 0x0000002f push edi 0x00000030 ret 0x00000031 pop edi 0x00000032 ret 0x00000033 mov bx, 677Eh 0x00000037 add edi, 4437CE54h 0x0000003d push 00000000h 0x0000003f mov di, 9BC9h 0x00000043 push 00000000h 0x00000045 movzx ebx, dx 0x00000048 push eax 0x00000049 push eax 0x0000004a push edx 0x0000004b jno 00007F9ACD05C36Ch 0x00000051 js 00007F9ACD05C366h 0x00000057 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F8C7C6 second address: F8C7CA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F8C7CA second address: F8C7D0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F8BA0C second address: F8BA11 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F8C7D0 second address: F8C7DE instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 pushad 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d popad 0x0000000e rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F8C7DE second address: F8C859 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push esi 0x00000007 pushad 0x00000008 popad 0x00000009 pop esi 0x0000000a popad 0x0000000b nop 0x0000000c and ebx, 01523DA6h 0x00000012 push 00000000h 0x00000014 push 00000000h 0x00000016 push ebp 0x00000017 call 00007F9ACCBE48C8h 0x0000001c pop ebp 0x0000001d mov dword ptr [esp+04h], ebp 0x00000021 add dword ptr [esp+04h], 00000019h 0x00000029 inc ebp 0x0000002a push ebp 0x0000002b ret 0x0000002c pop ebp 0x0000002d ret 0x0000002e or edi, dword ptr [ebp+122D3965h] 0x00000034 mov ebx, ecx 0x00000036 push 00000000h 0x00000038 push 00000000h 0x0000003a push ebp 0x0000003b call 00007F9ACCBE48C8h 0x00000040 pop ebp 0x00000041 mov dword ptr [esp+04h], ebp 0x00000045 add dword ptr [esp+04h], 00000016h 0x0000004d inc ebp 0x0000004e push ebp 0x0000004f ret 0x00000050 pop ebp 0x00000051 ret 0x00000052 jmp 00007F9ACCBE48D8h 0x00000057 push eax 0x00000058 pushad 0x00000059 push eax 0x0000005a push edx 0x0000005b push edx 0x0000005c pop edx 0x0000005d rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F8D879 second address: F8D8C9 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 mov dword ptr [esp], eax 0x0000000a push 00000000h 0x0000000c push esi 0x0000000d call 00007F9ACD05C368h 0x00000012 pop esi 0x00000013 mov dword ptr [esp+04h], esi 0x00000017 add dword ptr [esp+04h], 0000001Dh 0x0000001f inc esi 0x00000020 push esi 0x00000021 ret 0x00000022 pop esi 0x00000023 ret 0x00000024 sbb di, AFA0h 0x00000029 push 00000000h 0x0000002b push edi 0x0000002c mov ebx, dword ptr [ebp+122D3945h] 0x00000032 pop edi 0x00000033 push 00000000h 0x00000035 sub dword ptr [ebp+122D2B0Eh], edx 0x0000003b xchg eax, esi 0x0000003c pushad 0x0000003d jp 00007F9ACD05C36Ch 0x00000043 push eax 0x00000044 push edx 0x00000045 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F8D8C9 second address: F8D8D1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 push ebx 0x00000007 pop ebx 0x00000008 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F8D8D1 second address: F8D8E3 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 push eax 0x00000009 push edx 0x0000000a push eax 0x0000000b push edx 0x0000000c jng 00007F9ACD05C366h 0x00000012 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F8D8E3 second address: F8D8ED instructions: 0x00000000 rdtsc 0x00000002 jg 00007F9ACCBE48C6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F8E88B second address: F8E8CE instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 pushad 0x00000006 popad 0x00000007 popad 0x00000008 pop edx 0x00000009 pop eax 0x0000000a nop 0x0000000b mov ebx, 40C6C983h 0x00000010 push 00000000h 0x00000012 mov edi, 2AB26CE6h 0x00000017 push 00000000h 0x00000019 jmp 00007F9ACD05C374h 0x0000001e xchg eax, esi 0x0000001f push eax 0x00000020 push edx 0x00000021 jmp 00007F9ACD05C373h 0x00000026 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F8E8CE second address: F8E8D4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F8D9F4 second address: F8DA02 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jno 00007F9ACD05C366h 0x0000000e rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F8E8D4 second address: F8E8D8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F8DA02 second address: F8DAA2 instructions: 0x00000000 rdtsc 0x00000002 jo 00007F9ACD05C366h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a popad 0x0000000b mov dword ptr [esp], eax 0x0000000e push esi 0x0000000f jmp 00007F9ACD05C370h 0x00000014 pop edi 0x00000015 push dword ptr fs:[00000000h] 0x0000001c jg 00007F9ACD05C36Ch 0x00000022 mov dword ptr fs:[00000000h], esp 0x00000029 mov bl, 92h 0x0000002b add di, 3EDEh 0x00000030 mov eax, dword ptr [ebp+122D0055h] 0x00000036 push 00000000h 0x00000038 push edx 0x00000039 call 00007F9ACD05C368h 0x0000003e pop edx 0x0000003f mov dword ptr [esp+04h], edx 0x00000043 add dword ptr [esp+04h], 0000001Dh 0x0000004b inc edx 0x0000004c push edx 0x0000004d ret 0x0000004e pop edx 0x0000004f ret 0x00000050 mov di, si 0x00000053 movsx edi, si 0x00000056 or dword ptr [ebp+122D35C0h], ebx 0x0000005c push FFFFFFFFh 0x0000005e push 00000000h 0x00000060 push edx 0x00000061 call 00007F9ACD05C368h 0x00000066 pop edx 0x00000067 mov dword ptr [esp+04h], edx 0x0000006b add dword ptr [esp+04h], 00000014h 0x00000073 inc edx 0x00000074 push edx 0x00000075 ret 0x00000076 pop edx 0x00000077 ret 0x00000078 nop 0x00000079 pushad 0x0000007a push eax 0x0000007b push edx 0x0000007c jne 00007F9ACD05C366h 0x00000082 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F8E8D8 second address: F8E8DC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F8E8DC second address: F8E8EB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push eax 0x0000000a push edx 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F8E8EB second address: F8E8EF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F8E8EF second address: F8E90A instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F9ACD05C377h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F8F995 second address: F8F9A0 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jg 00007F9ACCBE48C6h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F8F9A0 second address: F8FA2F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 mov dword ptr [esp], eax 0x0000000a push 00000000h 0x0000000c push ebx 0x0000000d call 00007F9ACD05C368h 0x00000012 pop ebx 0x00000013 mov dword ptr [esp+04h], ebx 0x00000017 add dword ptr [esp+04h], 00000017h 0x0000001f inc ebx 0x00000020 push ebx 0x00000021 ret 0x00000022 pop ebx 0x00000023 ret 0x00000024 jmp 00007F9ACD05C371h 0x00000029 push 00000000h 0x0000002b push 00000000h 0x0000002d push edx 0x0000002e call 00007F9ACD05C368h 0x00000033 pop edx 0x00000034 mov dword ptr [esp+04h], edx 0x00000038 add dword ptr [esp+04h], 00000014h 0x00000040 inc edx 0x00000041 push edx 0x00000042 ret 0x00000043 pop edx 0x00000044 ret 0x00000045 push 00000000h 0x00000047 push 00000000h 0x00000049 push ecx 0x0000004a call 00007F9ACD05C368h 0x0000004f pop ecx 0x00000050 mov dword ptr [esp+04h], ecx 0x00000054 add dword ptr [esp+04h], 00000017h 0x0000005c inc ecx 0x0000005d push ecx 0x0000005e ret 0x0000005f pop ecx 0x00000060 ret 0x00000061 or dword ptr [ebp+122D1B1Ah], ecx 0x00000067 push eax 0x00000068 push ebx 0x00000069 push eax 0x0000006a push edx 0x0000006b jmp 00007F9ACD05C36Ch 0x00000070 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F90BCD second address: F90BE7 instructions: 0x00000000 rdtsc 0x00000002 jp 00007F9ACCBE48C6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007F9ACCBE48CEh 0x00000011 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F90BE7 second address: F90C3D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 jmp 00007F9ACD05C36Dh 0x0000000d nop 0x0000000e or di, D100h 0x00000013 push 00000000h 0x00000015 push 00000000h 0x00000017 push eax 0x00000018 call 00007F9ACD05C368h 0x0000001d pop eax 0x0000001e mov dword ptr [esp+04h], eax 0x00000022 add dword ptr [esp+04h], 00000016h 0x0000002a inc eax 0x0000002b push eax 0x0000002c ret 0x0000002d pop eax 0x0000002e ret 0x0000002f mov bx, dx 0x00000032 sub dword ptr [ebp+1247EF3Ch], ebx 0x00000038 push 00000000h 0x0000003a mov edi, 5D36F301h 0x0000003f push eax 0x00000040 jns 00007F9ACD05C370h 0x00000046 push eax 0x00000047 push edx 0x00000048 push eax 0x00000049 pop eax 0x0000004a rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F91BC1 second address: F91C56 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 jmp 00007F9ACCBE48D4h 0x0000000b jmp 00007F9ACCBE48CEh 0x00000010 popad 0x00000011 popad 0x00000012 push eax 0x00000013 jns 00007F9ACCBE48D0h 0x00000019 nop 0x0000001a push 00000000h 0x0000001c push edx 0x0000001d call 00007F9ACCBE48C8h 0x00000022 pop edx 0x00000023 mov dword ptr [esp+04h], edx 0x00000027 add dword ptr [esp+04h], 00000015h 0x0000002f inc edx 0x00000030 push edx 0x00000031 ret 0x00000032 pop edx 0x00000033 ret 0x00000034 mov ebx, edx 0x00000036 push 00000000h 0x00000038 adc bx, EE35h 0x0000003d jmp 00007F9ACCBE48D9h 0x00000042 push 00000000h 0x00000044 mov dword ptr [ebp+122D198Dh], esi 0x0000004a push eax 0x0000004b pushad 0x0000004c push eax 0x0000004d jp 00007F9ACCBE48C6h 0x00000053 pop eax 0x00000054 push eax 0x00000055 push edx 0x00000056 jp 00007F9ACCBE48C6h 0x0000005c rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F93C3E second address: F93C93 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 jmp 00007F9ACD05C370h 0x00000008 pop esi 0x00000009 pop edx 0x0000000a pop eax 0x0000000b mov dword ptr [esp], eax 0x0000000e add edi, dword ptr [ebp+122D3809h] 0x00000014 push 00000000h 0x00000016 push 00000000h 0x00000018 push ebp 0x00000019 call 00007F9ACD05C368h 0x0000001e pop ebp 0x0000001f mov dword ptr [esp+04h], ebp 0x00000023 add dword ptr [esp+04h], 0000001Dh 0x0000002b inc ebp 0x0000002c push ebp 0x0000002d ret 0x0000002e pop ebp 0x0000002f ret 0x00000030 movsx ebx, si 0x00000033 push 00000000h 0x00000035 movzx ebx, cx 0x00000038 xchg eax, esi 0x00000039 push eax 0x0000003a push edx 0x0000003b push eax 0x0000003c push edx 0x0000003d pop edx 0x0000003e pop eax 0x0000003f rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F94C57 second address: F94CD8 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F9ACCBE48CFh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a mov dword ptr [esp], eax 0x0000000d push 00000000h 0x0000000f push esi 0x00000010 call 00007F9ACCBE48C8h 0x00000015 pop esi 0x00000016 mov dword ptr [esp+04h], esi 0x0000001a add dword ptr [esp+04h], 0000001Dh 0x00000022 inc esi 0x00000023 push esi 0x00000024 ret 0x00000025 pop esi 0x00000026 ret 0x00000027 mov ebx, 65D59DE9h 0x0000002c push 00000000h 0x0000002e push 00000000h 0x00000030 push esi 0x00000031 call 00007F9ACCBE48C8h 0x00000036 pop esi 0x00000037 mov dword ptr [esp+04h], esi 0x0000003b add dword ptr [esp+04h], 0000001Bh 0x00000043 inc esi 0x00000044 push esi 0x00000045 ret 0x00000046 pop esi 0x00000047 ret 0x00000048 pushad 0x00000049 sub dword ptr [ebp+122DB849h], edx 0x0000004f popad 0x00000050 push 00000000h 0x00000052 mov bx, ED63h 0x00000056 push eax 0x00000057 push eax 0x00000058 push edx 0x00000059 pushad 0x0000005a push ebx 0x0000005b pop ebx 0x0000005c jno 00007F9ACCBE48C6h 0x00000062 popad 0x00000063 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F93DF2 second address: F93E28 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 popad 0x00000007 jmp 00007F9ACD05C370h 0x0000000c popad 0x0000000d push eax 0x0000000e jo 00007F9ACD05C383h 0x00000014 push eax 0x00000015 push edx 0x00000016 jmp 00007F9ACD05C375h 0x0000001b rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F96CC4 second address: F96CE3 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jmp 00007F9ACCBE48D1h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push esi 0x0000000c jc 00007F9ACCBE48C6h 0x00000012 pop esi 0x00000013 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F96CE3 second address: F96D02 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F9ACD05C374h 0x00000007 pushad 0x00000008 pushad 0x00000009 popad 0x0000000a push edi 0x0000000b pop edi 0x0000000c push edx 0x0000000d pop edx 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F41926 second address: F4193A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jl 00007F9ACCBE48C6h 0x0000000a pop esi 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e push eax 0x0000000f pop eax 0x00000010 push ecx 0x00000011 pop ecx 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F4193A second address: F4193F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F9F52E second address: F9F532 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F9F532 second address: F9F538 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F9F538 second address: F9F558 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 jmp 00007F9ACCBE48D5h 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f popad 0x00000010 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F9F558 second address: F9F578 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jmp 00007F9ACD05C372h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b jc 00007F9ACD05C36Ch 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F32806 second address: F3280D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 pop eax 0x00000007 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F3280D second address: F3283E instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F9ACD05C377h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b push eax 0x0000000c jmp 00007F9ACD05C371h 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F3283E second address: F32843 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F9EC63 second address: F9EC69 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F9EC69 second address: F9EC73 instructions: 0x00000000 rdtsc 0x00000002 jne 00007F9ACCBE48C6h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F9EC73 second address: F9EC87 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 je 00007F9ACD05C366h 0x0000000e jng 00007F9ACD05C366h 0x00000014 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F9EC87 second address: F9ECD5 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F9ACCBE48D0h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 jmp 00007F9ACCBE48D8h 0x0000000e popad 0x0000000f push eax 0x00000010 push edx 0x00000011 jbe 00007F9ACCBE48E3h 0x00000017 jmp 00007F9ACCBE48D7h 0x0000001c push eax 0x0000001d push edx 0x0000001e rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F9ECD5 second address: F9ECE8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 jmp 00007F9ACD05C36Dh 0x0000000a pop edi 0x0000000b rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F9ECE8 second address: F9ECEE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FA604D second address: FA6051 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FA6051 second address: FA6087 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 push eax 0x00000008 jns 00007F9ACCBE48CAh 0x0000000e mov eax, dword ptr [esp+04h] 0x00000012 jno 00007F9ACCBE48D9h 0x00000018 mov eax, dword ptr [eax] 0x0000001a push ecx 0x0000001b push eax 0x0000001c push edx 0x0000001d push esi 0x0000001e pop esi 0x0000001f rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FA6087 second address: FA608B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FA608B second address: FA60A8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop ecx 0x00000007 mov dword ptr [esp+04h], eax 0x0000000b push eax 0x0000000c push edx 0x0000000d push ecx 0x0000000e jmp 00007F9ACCBE48CEh 0x00000013 pop ecx 0x00000014 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FAC1A1 second address: FAC1A7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FAB4C0 second address: FAB4C8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FAB7DD second address: FAB7ED instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 jne 00007F9ACD05C372h 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FAB7ED second address: FAB7F3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FAB934 second address: FAB94C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jc 00007F9ACD05C376h 0x0000000c push eax 0x0000000d pushad 0x0000000e popad 0x0000000f pop eax 0x00000010 jnp 00007F9ACD05C36Ch 0x00000016 push eax 0x00000017 push edx 0x00000018 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FABA7D second address: FABA8C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnp 00007F9ACCBE48C6h 0x0000000a pop ebx 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FABA8C second address: FABA92 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FABE8A second address: FABEA5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F9ACCBE48D6h 0x00000009 popad 0x0000000a rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FABEA5 second address: FABEAB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FB3372 second address: FB3376 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FB3376 second address: FB337C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FB337C second address: FB33B0 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F9ACCBE48D8h 0x00000008 push edx 0x00000009 pop edx 0x0000000a pushad 0x0000000b popad 0x0000000c popad 0x0000000d push eax 0x0000000e push edx 0x0000000f pushad 0x00000010 popad 0x00000011 jmp 00007F9ACCBE48D0h 0x00000016 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FB3837 second address: FB383D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edx 0x00000005 pop edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FB383D second address: FB3841 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FB39BD second address: FB39C3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FB39C3 second address: FB39C9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FB3CD2 second address: FB3CD6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FB3E00 second address: FB3E08 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FB3E08 second address: FB3E28 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jng 00007F9ACD05C372h 0x0000000b pop edi 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 push edx 0x00000011 pop edx 0x00000012 push edi 0x00000013 pop edi 0x00000014 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FB3E28 second address: FB3E44 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 jmp 00007F9ACCBE48D4h 0x0000000d rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FB3E44 second address: FB3E59 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 jmp 00007F9ACD05C36Eh 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FB4255 second address: FB425F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jno 00007F9ACCBE48C6h 0x0000000a rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FB425F second address: FB4299 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F9ACD05C374h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pushad 0x0000000a pushad 0x0000000b push edi 0x0000000c pop edi 0x0000000d jmp 00007F9ACD05C379h 0x00000012 popad 0x00000013 push eax 0x00000014 push edx 0x00000015 push ebx 0x00000016 pop ebx 0x00000017 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F600FA second address: F600FE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F600FE second address: F60102 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F3C9B3 second address: F3C9C1 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F9ACCBE48CAh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FB483C second address: FB4842 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FB81F6 second address: FB81FA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FBD5C5 second address: FBD5E2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 jo 00007F9ACD05C366h 0x0000000c pushad 0x0000000d popad 0x0000000e jmp 00007F9ACD05C36Eh 0x00000013 popad 0x00000014 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FBD5E2 second address: FBD611 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 push edx 0x00000004 pop edx 0x00000005 push edx 0x00000006 pop edx 0x00000007 pop edx 0x00000008 push eax 0x00000009 pushad 0x0000000a popad 0x0000000b pop eax 0x0000000c pop edx 0x0000000d pop eax 0x0000000e pushad 0x0000000f jbe 00007F9ACCBE48CAh 0x00000015 push ecx 0x00000016 pop ecx 0x00000017 pushad 0x00000018 popad 0x00000019 push eax 0x0000001a push edx 0x0000001b pushad 0x0000001c popad 0x0000001d jmp 00007F9ACCBE48D2h 0x00000022 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FBD611 second address: FBD615 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FBD615 second address: FBD61B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F35F39 second address: F35F59 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jng 00007F9ACD05C366h 0x0000000a popad 0x0000000b jmp 00007F9ACD05C375h 0x00000010 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F35F59 second address: F35F5F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F35F5F second address: F35F63 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FBC424 second address: FBC442 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 jp 00007F9ACCBE48D9h 0x0000000b rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FBC442 second address: FBC447 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FBC447 second address: FBC456 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 je 00007F9ACCBE48C6h 0x0000000a popad 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e popad 0x0000000f rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FBC456 second address: FBC45A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FBC45A second address: FBC467 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pushad 0x00000009 push eax 0x0000000a push edx 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FBC467 second address: FBC471 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jo 00007F9ACD05C366h 0x0000000a rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F79125 second address: F7916D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 nop 0x00000006 push 00000000h 0x00000008 push ebx 0x00000009 call 00007F9ACCBE48C8h 0x0000000e pop ebx 0x0000000f mov dword ptr [esp+04h], ebx 0x00000013 add dword ptr [esp+04h], 00000014h 0x0000001b inc ebx 0x0000001c push ebx 0x0000001d ret 0x0000001e pop ebx 0x0000001f ret 0x00000020 mov edi, eax 0x00000022 mov edx, dword ptr [ebp+122D3789h] 0x00000028 lea eax, dword ptr [ebp+12480E76h] 0x0000002e mov dword ptr [ebp+122D3731h], eax 0x00000034 nop 0x00000035 pushad 0x00000036 jnp 00007F9ACCBE48C8h 0x0000003c jo 00007F9ACCBE48CCh 0x00000042 push eax 0x00000043 push edx 0x00000044 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F7916D second address: F5F600 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 jne 00007F9ACD05C36Eh 0x0000000c nop 0x0000000d mov cx, B183h 0x00000011 call dword ptr [ebp+122D1FA7h] 0x00000017 pushad 0x00000018 push eax 0x00000019 push edx 0x0000001a push ebx 0x0000001b pop ebx 0x0000001c rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F79746 second address: F7974A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F7974A second address: F7974E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F7974E second address: F7977B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 add dword ptr [esp], 2DC1C1D1h 0x0000000d mov ecx, dword ptr [ebp+122D3A35h] 0x00000013 call 00007F9ACCBE48C9h 0x00000018 push ebx 0x00000019 jno 00007F9ACCBE48C8h 0x0000001f pop ebx 0x00000020 push eax 0x00000021 push eax 0x00000022 push edx 0x00000023 push eax 0x00000024 push edx 0x00000025 pushad 0x00000026 popad 0x00000027 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F7977B second address: F79798 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F9ACD05C379h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F79798 second address: F797CB instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F9ACCBE48D1h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov eax, dword ptr [esp+04h] 0x0000000d push eax 0x0000000e push edx 0x0000000f pushad 0x00000010 jmp 00007F9ACCBE48D4h 0x00000015 push esi 0x00000016 pop esi 0x00000017 popad 0x00000018 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F797CB second address: F797D5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 je 00007F9ACD05C366h 0x0000000a rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F797D5 second address: F797F1 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov eax, dword ptr [eax] 0x0000000a pushad 0x0000000b jmp 00007F9ACCBE48CEh 0x00000010 push ecx 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F797F1 second address: F79800 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 popad 0x00000006 mov dword ptr [esp+04h], eax 0x0000000a push esi 0x0000000b push eax 0x0000000c push edx 0x0000000d push ecx 0x0000000e pop ecx 0x0000000f rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F798E5 second address: F798E9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F799CF second address: F799D3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F79A8F second address: F79A95 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F79B41 second address: F79B6B instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007F9ACD05C375h 0x0000000b popad 0x0000000c push eax 0x0000000d pushad 0x0000000e jbe 00007F9ACD05C368h 0x00000014 push eax 0x00000015 push edx 0x00000016 pushad 0x00000017 popad 0x00000018 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F7A087 second address: F7A0B2 instructions: 0x00000000 rdtsc 0x00000002 jl 00007F9ACCBE48C8h 0x00000008 pushad 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c mov dword ptr [esp], eax 0x0000000f push 0000001Eh 0x00000011 movsx edi, ax 0x00000014 nop 0x00000015 jnc 00007F9ACCBE48D0h 0x0000001b push eax 0x0000001c push eax 0x0000001d push edx 0x0000001e push esi 0x0000001f push eax 0x00000020 push edx 0x00000021 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F7A0B2 second address: F7A0B7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F7A37B second address: F7A385 instructions: 0x00000000 rdtsc 0x00000002 js 00007F9ACCBE48C6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F7A385 second address: F7A38B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F7A38B second address: F7A38F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F7A38F second address: F7A41B instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F9ACD05C371h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c jmp 00007F9ACD05C372h 0x00000011 mov eax, dword ptr [esp+04h] 0x00000015 pushad 0x00000016 jnp 00007F9ACD05C36Ch 0x0000001c pushad 0x0000001d jmp 00007F9ACD05C36Eh 0x00000022 jmp 00007F9ACD05C378h 0x00000027 popad 0x00000028 popad 0x00000029 mov eax, dword ptr [eax] 0x0000002b push edx 0x0000002c jno 00007F9ACD05C368h 0x00000032 pop edx 0x00000033 mov dword ptr [esp+04h], eax 0x00000037 push eax 0x00000038 push edx 0x00000039 jmp 00007F9ACD05C376h 0x0000003e rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F7A4FA second address: F7A500 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F7A500 second address: F600FA instructions: 0x00000000 rdtsc 0x00000002 jbe 00007F9ACD05C368h 0x00000008 push edi 0x00000009 pop edi 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push eax 0x0000000e pushad 0x0000000f push ecx 0x00000010 pop ecx 0x00000011 pushad 0x00000012 popad 0x00000013 popad 0x00000014 pop eax 0x00000015 nop 0x00000016 sub edx, dword ptr [ebp+122D3AB1h] 0x0000001c lea eax, dword ptr [ebp+12480E76h] 0x00000022 sub dl, 00000041h 0x00000025 push eax 0x00000026 je 00007F9ACD05C374h 0x0000002c pushad 0x0000002d jmp 00007F9ACD05C36Ah 0x00000032 pushad 0x00000033 popad 0x00000034 popad 0x00000035 mov dword ptr [esp], eax 0x00000038 stc 0x00000039 jmp 00007F9ACD05C378h 0x0000003e call dword ptr [ebp+122D1E30h] 0x00000044 jmp 00007F9ACD05C376h 0x00000049 pushad 0x0000004a push edi 0x0000004b push ebx 0x0000004c pop ebx 0x0000004d pop edi 0x0000004e push eax 0x0000004f js 00007F9ACD05C366h 0x00000055 pop eax 0x00000056 push eax 0x00000057 push edx 0x00000058 push eax 0x00000059 push edx 0x0000005a rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FBC907 second address: FBC90D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FBCBDB second address: FBCBDF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FBCBDF second address: FBCBE5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FBD18C second address: FBD190 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FC1ED0 second address: FC1EE7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F9ACCBE48D3h 0x00000009 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FC1EE7 second address: FC1EEB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FC1EEB second address: FC1EF1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FC245F second address: FC2465 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FC2465 second address: FC246F instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 pushad 0x00000009 popad 0x0000000a rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FC246F second address: FC2473 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FC2473 second address: FC24AC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 pushad 0x00000008 jnc 00007F9ACCBE48EDh 0x0000000e push eax 0x0000000f push edx 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FC24AC second address: FC24B0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FC1A1D second address: FC1A3A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnc 00007F9ACCBE48C6h 0x0000000a pop ecx 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007F9ACCBE48D0h 0x00000012 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FC27DF second address: FC27E3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FC27E3 second address: FC27F4 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F9ACCBE48CDh 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FC27F4 second address: FC27FD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push edi 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FC27FD second address: FC2803 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FC2952 second address: FC295D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnl 00007F9ACD05C366h 0x0000000a popad 0x0000000b rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FC295D second address: FC2962 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FC2962 second address: FC297F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 pushad 0x00000006 jmp 00007F9ACD05C373h 0x0000000b push edx 0x0000000c pop edx 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FC2D8E second address: FC2DAC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 ja 00007F9ACCBE48C6h 0x0000000c popad 0x0000000d popad 0x0000000e push eax 0x0000000f push edx 0x00000010 push eax 0x00000011 push edx 0x00000012 jmp 00007F9ACCBE48CCh 0x00000017 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FC2DAC second address: FC2DC6 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F9ACD05C376h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FC2DC6 second address: FC2DCB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FC62B9 second address: FC62DC instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jmp 00007F9ACD05C379h 0x0000000d push edx 0x0000000e pop edx 0x0000000f rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FC62DC second address: FC62E0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FC5E17 second address: FC5E34 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F9ACD05C379h 0x00000009 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FC5E34 second address: FC5E3F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push edx 0x00000008 pop edx 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FC5E3F second address: FC5E4D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push esi 0x00000006 jno 00007F9ACD05C36Ch 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FC5FC8 second address: FC5FCC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FC5FCC second address: FC5FD0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FC5FD0 second address: FC5FD6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FC5FD6 second address: FC5FDC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FC5FDC second address: FC5FF0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F9ACCBE48D0h 0x00000009 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FD0A9F second address: FD0AAB instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 push eax 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FD0AAB second address: FD0AAF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FCF493 second address: FCF4A5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 jmp 00007F9ACD05C36Dh 0x0000000a rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FCF4A5 second address: FCF4C8 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pushad 0x00000004 popad 0x00000005 pop edx 0x00000006 push eax 0x00000007 push edx 0x00000008 push edx 0x00000009 pop edx 0x0000000a jmp 00007F9ACCBE48D9h 0x0000000f rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FCF604 second address: FCF60C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push esi 0x00000005 pop esi 0x00000006 push esi 0x00000007 pop esi 0x00000008 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FCF60C second address: FCF610 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FCF8C8 second address: FCF8DF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 jno 00007F9ACD05C372h 0x0000000b rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FCF8DF second address: FCF91A instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 jmp 00007F9ACCBE48D6h 0x00000008 jnl 00007F9ACCBE48C6h 0x0000000e pop edx 0x0000000f pop edx 0x00000010 pop eax 0x00000011 push eax 0x00000012 push eax 0x00000013 push edx 0x00000014 jmp 00007F9ACCBE48D6h 0x00000019 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FCFA47 second address: FCFA4C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FCFA4C second address: FCFA53 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 push ecx 0x00000004 pop ecx 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FCFA53 second address: FCFA78 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 pop edx 0x00000006 pop eax 0x00000007 push eax 0x00000008 push edx 0x00000009 jmp 00007F9ACD05C370h 0x0000000e pushad 0x0000000f jo 00007F9ACD05C366h 0x00000015 push edi 0x00000016 pop edi 0x00000017 push ebx 0x00000018 pop ebx 0x00000019 popad 0x0000001a rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FCFA78 second address: FCFA7D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FCFA7D second address: FCFA85 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F79F2E second address: F79F4D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 jmp 00007F9ACCBE48CCh 0x0000000a popad 0x0000000b push eax 0x0000000c pushad 0x0000000d jp 00007F9ACCBE48C8h 0x00000013 push esi 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FCFD2F second address: FCFD35 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FCFD35 second address: FCFD3B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FCFD3B second address: FCFD3F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FCFE86 second address: FCFE9D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F9ACCBE48D2h 0x00000009 popad 0x0000000a rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FD3C84 second address: FD3C9C instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F9ACD05C373h 0x00000007 pushad 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FD3C9C second address: FD3CB5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnl 00007F9ACCBE48C6h 0x0000000a jp 00007F9ACCBE48C6h 0x00000010 popad 0x00000011 pop edx 0x00000012 pop eax 0x00000013 pushad 0x00000014 push edx 0x00000015 pushad 0x00000016 popad 0x00000017 push eax 0x00000018 push edx 0x00000019 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FD3CB5 second address: FD3CED instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 jc 00007F9ACD05C373h 0x0000000b push eax 0x0000000c pop eax 0x0000000d jmp 00007F9ACD05C36Bh 0x00000012 pushad 0x00000013 push ebx 0x00000014 pop ebx 0x00000015 jmp 00007F9ACD05C379h 0x0000001a push ecx 0x0000001b pop ecx 0x0000001c push eax 0x0000001d push edx 0x0000001e rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FD3E2F second address: FD3E38 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FD3E38 second address: FD3E60 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pushad 0x00000007 popad 0x00000008 popad 0x00000009 popad 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d jmp 00007F9ACD05C379h 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FD3E60 second address: FD3E6D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jne 00007F9ACCBE48C8h 0x0000000b rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FD3FB3 second address: FD3FC5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F9ACD05C36Eh 0x00000009 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FD3FC5 second address: FD3FF6 instructions: 0x00000000 rdtsc 0x00000002 jng 00007F9ACCBE48C6h 0x00000008 jmp 00007F9ACCBE48D5h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f push eax 0x00000010 push edx 0x00000011 jmp 00007F9ACCBE48CEh 0x00000016 push eax 0x00000017 push edx 0x00000018 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FD3FF6 second address: FD3FFA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FD7083 second address: FD7088 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FD71E1 second address: FD71E7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FD71E7 second address: FD71EB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FD71EB second address: FD7249 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jmp 00007F9ACD05C370h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b jmp 00007F9ACD05C36Ch 0x00000010 popad 0x00000011 pushad 0x00000012 push edx 0x00000013 jmp 00007F9ACD05C378h 0x00000018 pop edx 0x00000019 push ebx 0x0000001a ja 00007F9ACD05C366h 0x00000020 pop ebx 0x00000021 pushad 0x00000022 push edi 0x00000023 pop edi 0x00000024 jns 00007F9ACD05C366h 0x0000002a jg 00007F9ACD05C366h 0x00000030 popad 0x00000031 js 00007F9ACD05C36Ch 0x00000037 push eax 0x00000038 push edx 0x00000039 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FD73A8 second address: FD73B4 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 pushad 0x00000009 popad 0x0000000a push edi 0x0000000b pop edi 0x0000000c rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FD90E5 second address: FD90EB instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FE14FB second address: FE1501 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FDF5B1 second address: FDF5B5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FDF9F3 second address: FDF9FF instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 pushad 0x00000008 push eax 0x00000009 push edx 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FDF9FF second address: FDFA03 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FDFA03 second address: FDFA0D instructions: 0x00000000 rdtsc 0x00000002 jg 00007F9ACCBE48C6h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FDFA0D second address: FDFA30 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007F9ACD05C379h 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FDFA30 second address: FDFA34 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FE02CD second address: FE02F7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 je 00007F9ACD05C366h 0x0000000a push eax 0x0000000b pop eax 0x0000000c popad 0x0000000d js 00007F9ACD05C37Dh 0x00000013 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FE05DB second address: FE05FE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F9ACCBE48D9h 0x00000009 jnc 00007F9ACCBE48C6h 0x0000000f rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FE05FE second address: FE0616 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 ja 00007F9ACD05C366h 0x0000000e jmp 00007F9ACD05C36Ah 0x00000013 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FE0616 second address: FE062C instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F9ACCBE48D2h 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FE0C03 second address: FE0C1C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pushad 0x00000009 jmp 00007F9ACD05C36Eh 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FE0C1C second address: FE0C3B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F9ACCBE48D9h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FE0F1F second address: FE0F29 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 push esi 0x00000006 push ebx 0x00000007 pop ebx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FE45C1 second address: FE45DF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnl 00007F9ACCBE48C6h 0x0000000a popad 0x0000000b pushad 0x0000000c pushad 0x0000000d popad 0x0000000e jmp 00007F9ACCBE48CEh 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FE4AC1 second address: FE4AC7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FE4AC7 second address: FE4ACC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FF189A second address: FF18AA instructions: 0x00000000 rdtsc 0x00000002 jnl 00007F9ACD05C366h 0x00000008 push edi 0x00000009 pop edi 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f popad 0x00000010 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FEFAE0 second address: FEFB0C instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F9ACCBE48CFh 0x00000007 jg 00007F9ACCBE48C6h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f jmp 00007F9ACCBE48D3h 0x00000014 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FF01CE second address: FF01D4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FF01D4 second address: FF01EB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 pushad 0x00000007 popad 0x00000008 popad 0x00000009 jmp 00007F9ACCBE48CEh 0x0000000e rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FF01EB second address: FF01F5 instructions: 0x00000000 rdtsc 0x00000002 jo 00007F9ACD05C376h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FF0347 second address: FF0351 instructions: 0x00000000 rdtsc 0x00000002 jng 00007F9ACCBE48CCh 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FF0495 second address: FF049F instructions: 0x00000000 rdtsc 0x00000002 jne 00007F9ACD05C36Ch 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FF0901 second address: FF090D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push ecx 0x00000004 pop ecx 0x00000005 push edx 0x00000006 pop edx 0x00000007 popad 0x00000008 push eax 0x00000009 push edx 0x0000000a pushad 0x0000000b popad 0x0000000c rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FF6678 second address: FF667E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FF667E second address: FF6685 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FF6685 second address: FF668C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop esi 0x00000007 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FF668C second address: FF66B4 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F9ACCBE48D8h 0x00000007 push eax 0x00000008 push edx 0x00000009 jnc 00007F9ACCBE48C6h 0x0000000f jng 00007F9ACCBE48C6h 0x00000015 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FFA6D5 second address: FFA6FC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jbe 00007F9ACD05C366h 0x0000000a jmp 00007F9ACD05C376h 0x0000000f popad 0x00000010 push eax 0x00000011 push edx 0x00000012 pushad 0x00000013 popad 0x00000014 pushad 0x00000015 popad 0x00000016 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FFA6FC second address: FFA719 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 jmp 00007F9ACCBE48CDh 0x0000000d popad 0x0000000e push eax 0x0000000f push edx 0x00000010 pushad 0x00000011 pushad 0x00000012 popad 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FFA719 second address: FFA74D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F9ACD05C370h 0x00000009 jmp 00007F9ACD05C371h 0x0000000e popad 0x0000000f jmp 00007F9ACD05C36Eh 0x00000014 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FFA74D second address: FFA753 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FFA753 second address: FFA757 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FFA433 second address: FFA451 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push esi 0x00000004 pop esi 0x00000005 jmp 00007F9ACCBE48CEh 0x0000000a jc 00007F9ACCBE48C6h 0x00000010 popad 0x00000011 push eax 0x00000012 push edx 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FFA451 second address: FFA45B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnc 00007F9ACD05C366h 0x0000000a rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1008E13 second address: 1008E37 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 jo 00007F9ACCBE48C8h 0x0000000e pushad 0x0000000f popad 0x00000010 popad 0x00000011 pushad 0x00000012 pushad 0x00000013 jmp 00007F9ACCBE48CDh 0x00000018 pushad 0x00000019 popad 0x0000001a push eax 0x0000001b push edx 0x0000001c rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 100AD4E second address: 100AD54 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 100AD54 second address: 100AD65 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jc 00007F9ACCBE48C6h 0x0000000a popad 0x0000000b push eax 0x0000000c push edx 0x0000000d push edx 0x0000000e pop edx 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 100AD65 second address: 100AD69 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 100AD69 second address: 100AD6D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F39537 second address: F3955A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jo 00007F9ACD05C366h 0x00000009 jmp 00007F9ACD05C36Ch 0x0000000e jmp 00007F9ACD05C36Ah 0x00000013 popad 0x00000014 pushad 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 100D4FB second address: 100D507 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push edi 0x00000007 pushad 0x00000008 push eax 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 100D507 second address: 100D50D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10160E6 second address: 10160EC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10160EC second address: 10160F6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jng 00007F9ACD05C366h 0x0000000a rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1015F56 second address: 1015F5E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1015F5E second address: 1015F62 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1015F62 second address: 1015F66 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1019C68 second address: 1019C6E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1019C6E second address: 1019C72 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1019C72 second address: 1019C78 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1019C78 second address: 1019C8F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push ecx 0x00000007 jmp 00007F9ACCBE48CFh 0x0000000c pop ecx 0x0000000d rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1019C8F second address: 1019C95 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push esi 0x00000005 pop esi 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 101D377 second address: 101D3A0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push esi 0x00000006 push eax 0x00000007 pop eax 0x00000008 pop esi 0x00000009 jmp 00007F9ACCBE48D9h 0x0000000e popad 0x0000000f push eax 0x00000010 push edx 0x00000011 push eax 0x00000012 push edx 0x00000013 push ecx 0x00000014 pop ecx 0x00000015 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 101D3A0 second address: 101D3A4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 101D3A4 second address: 101D3AA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 101D3AA second address: 101D3B6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 jnc 00007F9ACD05C366h 0x0000000c rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 101D3B6 second address: 101D3BA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1026256 second address: 102625B instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 102625B second address: 1026261 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1026261 second address: 102627D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 push eax 0x00000006 push edx 0x00000007 jmp 00007F9ACD05C373h 0x0000000c push edx 0x0000000d pop edx 0x0000000e rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1029733 second address: 1029739 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1029739 second address: 102973D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 102973D second address: 1029741 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1029741 second address: 1029749 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10377F8 second address: 1037802 instructions: 0x00000000 rdtsc 0x00000002 ja 00007F9ACCBE48C6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1037802 second address: 103780C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 js 00007F9ACD05C366h 0x0000000a rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 103780C second address: 1037810 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 104507E second address: 1045082 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1045082 second address: 10450AB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F9ACCBE48D0h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b ja 00007F9ACCBE48CEh 0x00000011 pop ecx 0x00000012 push eax 0x00000013 push esi 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10450AB second address: 10450B1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10450B1 second address: 10450BA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 push eax 0x00000006 push edx 0x00000007 push edi 0x00000008 pop edi 0x00000009 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10450BA second address: 10450BE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1047257 second address: 104725B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 104725B second address: 104727E instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F9ACD05C373h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push esi 0x0000000a pushad 0x0000000b popad 0x0000000c pop esi 0x0000000d jl 00007F9ACD05C372h 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 104727E second address: 1047284 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1046DC1 second address: 1046DCD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 pop eax 0x00000007 push eax 0x00000008 push edx 0x00000009 pushad 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1046DCD second address: 1046DD3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1046DD3 second address: 1046DEF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F9ACD05C36Eh 0x00000009 popad 0x0000000a push eax 0x0000000b jg 00007F9ACD05C366h 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1046DEF second address: 1046DF4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1046DF4 second address: 1046DFE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jbe 00007F9ACD05C366h 0x0000000a rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1046DFE second address: 1046E02 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1046F4E second address: 1046F6F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F9ACD05C379h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1046F6F second address: 1046F75 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1046F75 second address: 1046F79 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 105D802 second address: 105D806 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 105D806 second address: 105D814 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a pushad 0x0000000b popad 0x0000000c pushad 0x0000000d popad 0x0000000e rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 105D814 second address: 105D81A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 105CBB8 second address: 105CBBE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 105CE55 second address: 105CE63 instructions: 0x00000000 rdtsc 0x00000002 jne 00007F9ACCBE48C6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d popad 0x0000000e rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 105CE63 second address: 105CE67 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 105CE67 second address: 105CE6D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 105CE6D second address: 105CE8D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 js 00007F9ACD05C377h 0x0000000f jmp 00007F9ACD05C371h 0x00000014 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 105D192 second address: 105D1E1 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F9ACCBE48CDh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pushad 0x0000000a jp 00007F9ACCBE48C6h 0x00000010 jmp 00007F9ACCBE48CDh 0x00000015 jmp 00007F9ACCBE48D3h 0x0000001a popad 0x0000001b push eax 0x0000001c push edx 0x0000001d jmp 00007F9ACCBE48D4h 0x00000022 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 105D1E1 second address: 105D1E5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 105D1E5 second address: 105D1EB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 105D4E7 second address: 105D4ED instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 105D4ED second address: 105D509 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jmp 00007F9ACCBE48D4h 0x0000000d rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10617EE second address: 10617F2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1061D27 second address: 1061D39 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 push eax 0x00000006 push edx 0x00000007 jmp 00007F9ACCBE48CBh 0x0000000c rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10636B3 second address: 10636B7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10636B7 second address: 10636BD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10636BD second address: 10636C3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10636C3 second address: 10636D8 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F9ACCBE48CFh 0x00000007 push eax 0x00000008 push edx 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10636D8 second address: 10636DC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4D40370 second address: 4D40376 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4D40376 second address: 4D403CB instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F9ACD05C36Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b mov edx, dword ptr [ebp+0Ch] 0x0000000e pushad 0x0000000f pushad 0x00000010 jmp 00007F9ACD05C372h 0x00000015 mov bx, ax 0x00000018 popad 0x00000019 pushfd 0x0000001a jmp 00007F9ACD05C36Eh 0x0000001f and ax, C7D8h 0x00000024 jmp 00007F9ACD05C36Bh 0x00000029 popfd 0x0000002a popad 0x0000002b mov ecx, dword ptr [ebp+08h] 0x0000002e push eax 0x0000002f push edx 0x00000030 pushad 0x00000031 push eax 0x00000032 push edx 0x00000033 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4D403CB second address: 4D403E1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F9ACCBE48D1h 0x00000009 popad 0x0000000a rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4D60657 second address: 4D6067D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push ebx 0x00000004 pop eax 0x00000005 mov ecx, edx 0x00000007 popad 0x00000008 pop edx 0x00000009 pop eax 0x0000000a xchg eax, ebp 0x0000000b jmp 00007F9ACD05C373h 0x00000010 mov ebp, esp 0x00000012 push eax 0x00000013 push edx 0x00000014 push eax 0x00000015 push edx 0x00000016 push eax 0x00000017 push edx 0x00000018 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4D6067D second address: 4D60681 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4D60681 second address: 4D60685 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4D60685 second address: 4D6068B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4D6068B second address: 4D606CB instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov ecx, 09B0F17Fh 0x00000008 push ecx 0x00000009 pop edx 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d xchg eax, ecx 0x0000000e jmp 00007F9ACD05C36Eh 0x00000013 push eax 0x00000014 jmp 00007F9ACD05C36Bh 0x00000019 xchg eax, ecx 0x0000001a push eax 0x0000001b push edx 0x0000001c jmp 00007F9ACD05C375h 0x00000021 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4D606CB second address: 4D606D1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4D606D1 second address: 4D606D5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4D606D5 second address: 4D6071B instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F9ACCBE48D3h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b xchg eax, esi 0x0000000c pushad 0x0000000d pushfd 0x0000000e jmp 00007F9ACCBE48D4h 0x00000013 add ecx, 5CBBD958h 0x00000019 jmp 00007F9ACCBE48CBh 0x0000001e popfd 0x0000001f push eax 0x00000020 push edx 0x00000021 push eax 0x00000022 push edx 0x00000023 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4D6071B second address: 4D6071F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4D6071F second address: 4D60738 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 jmp 00007F9ACCBE48CBh 0x0000000d xchg eax, esi 0x0000000e push eax 0x0000000f push edx 0x00000010 pushad 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4D60738 second address: 4D6073E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4D6073E second address: 4D60743 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4D60743 second address: 4D60749 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4D60749 second address: 4D6074D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4D6074D second address: 4D6078E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 lea eax, dword ptr [ebp-04h] 0x0000000b jmp 00007F9ACD05C372h 0x00000010 nop 0x00000011 jmp 00007F9ACD05C370h 0x00000016 push eax 0x00000017 jmp 00007F9ACD05C36Bh 0x0000001c nop 0x0000001d push eax 0x0000001e push edx 0x0000001f push eax 0x00000020 push edx 0x00000021 pushad 0x00000022 popad 0x00000023 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4D6078E second address: 4D60792 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4D60792 second address: 4D60798 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4D60798 second address: 4D607A0 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov dx, si 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4D607A0 second address: 4D607B0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 push dword ptr [ebp+08h] 0x0000000a pushad 0x0000000b push eax 0x0000000c push edx 0x0000000d movzx ecx, bx 0x00000010 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4D607B0 second address: 4D607BA instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 pushad 0x00000009 popad 0x0000000a rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4D6002C second address: 4D60032 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4D60032 second address: 4D60036 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4D60036 second address: 4D60045 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push eax 0x0000000a push edx 0x0000000b pushad 0x0000000c push edx 0x0000000d pop ecx 0x0000000e popad 0x0000000f rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4D60045 second address: 4D6004A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4D6004A second address: 4D60084 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 mov bh, F6h 0x00000006 popad 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebp 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d mov al, dh 0x0000000f pushfd 0x00000010 jmp 00007F9ACD05C378h 0x00000015 adc cx, 7B38h 0x0000001a jmp 00007F9ACD05C36Bh 0x0000001f popfd 0x00000020 popad 0x00000021 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4D60084 second address: 4D6008A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4D6008A second address: 4D6008E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4D6008E second address: 4D600C1 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F9ACCBE48CBh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b mov ebp, esp 0x0000000d jmp 00007F9ACCBE48D6h 0x00000012 push FFFFFFFEh 0x00000014 push eax 0x00000015 push edx 0x00000016 pushad 0x00000017 mov al, dl 0x00000019 mov edx, esi 0x0000001b popad 0x0000001c rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4D600C1 second address: 4D60114 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007F9ACD05C36Ch 0x00000009 add ax, 7728h 0x0000000e jmp 00007F9ACD05C36Bh 0x00000013 popfd 0x00000014 popad 0x00000015 pop edx 0x00000016 pop eax 0x00000017 push 45118BCFh 0x0000001c pushad 0x0000001d movsx edx, ax 0x00000020 mov cx, FDEDh 0x00000024 popad 0x00000025 add dword ptr [esp], 31B61279h 0x0000002c push eax 0x0000002d push edx 0x0000002e pushad 0x0000002f mov edi, 2CD8A988h 0x00000034 jmp 00007F9ACD05C371h 0x00000039 popad 0x0000003a rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4D60114 second address: 4D6011A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4D6011A second address: 4D6011E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4D6011E second address: 4D60166 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 call 00007F9ACCBE48C9h 0x0000000d pushad 0x0000000e movzx ecx, dx 0x00000011 popad 0x00000012 push eax 0x00000013 jmp 00007F9ACCBE48CAh 0x00000018 mov eax, dword ptr [esp+04h] 0x0000001c jmp 00007F9ACCBE48CBh 0x00000021 mov eax, dword ptr [eax] 0x00000023 push eax 0x00000024 push edx 0x00000025 jmp 00007F9ACCBE48D4h 0x0000002a rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4D60166 second address: 4D60178 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F9ACD05C36Eh 0x00000009 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4D60178 second address: 4D6019C instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F9ACCBE48CBh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b mov dword ptr [esp+04h], eax 0x0000000f push eax 0x00000010 push edx 0x00000011 push eax 0x00000012 push edx 0x00000013 jmp 00007F9ACCBE48CBh 0x00000018 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4D6019C second address: 4D601A2 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4D601A2 second address: 4D601A9 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4D601A9 second address: 4D601FC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 pop eax 0x00000008 jmp 00007F9ACD05C36Ch 0x0000000d mov eax, dword ptr fs:[00000000h] 0x00000013 pushad 0x00000014 pushfd 0x00000015 jmp 00007F9ACD05C36Eh 0x0000001a add eax, 4279F568h 0x00000020 jmp 00007F9ACD05C36Bh 0x00000025 popfd 0x00000026 popad 0x00000027 push ebx 0x00000028 pushad 0x00000029 jmp 00007F9ACD05C370h 0x0000002e push eax 0x0000002f push edx 0x00000030 mov edi, esi 0x00000032 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4D601FC second address: 4D6023B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 mov dword ptr [esp], eax 0x0000000a jmp 00007F9ACCBE48D6h 0x0000000f sub esp, 18h 0x00000012 pushad 0x00000013 mov al, 82h 0x00000015 mov ax, dx 0x00000018 popad 0x00000019 push eax 0x0000001a pushad 0x0000001b jmp 00007F9ACCBE48D0h 0x00000020 pushad 0x00000021 push eax 0x00000022 push edx 0x00000023 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4D6023B second address: 4D60241 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4D6034C second address: 4D60376 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F9ACCBE48D6h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xor eax, ebp 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007F9ACCBE48CCh 0x00000012 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4D60376 second address: 4D603B9 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 movsx ebx, cx 0x00000006 mov si, 20C9h 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d nop 0x0000000e jmp 00007F9ACD05C374h 0x00000013 push eax 0x00000014 jmp 00007F9ACD05C36Bh 0x00000019 nop 0x0000001a push eax 0x0000001b push edx 0x0000001c push eax 0x0000001d push edx 0x0000001e jmp 00007F9ACD05C370h 0x00000023 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4D603B9 second address: 4D603BD instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4D603BD second address: 4D603C3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4D603C3 second address: 4D603D4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F9ACCBE48CDh 0x00000009 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4D603D4 second address: 4D6047B instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F9ACD05C371h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b lea eax, dword ptr [ebp-10h] 0x0000000e pushad 0x0000000f call 00007F9ACD05C36Ch 0x00000014 pushad 0x00000015 popad 0x00000016 pop ecx 0x00000017 pushfd 0x00000018 jmp 00007F9ACD05C371h 0x0000001d or esi, 546BB176h 0x00000023 jmp 00007F9ACD05C371h 0x00000028 popfd 0x00000029 popad 0x0000002a mov dword ptr fs:[00000000h], eax 0x00000030 pushad 0x00000031 jmp 00007F9ACD05C36Ch 0x00000036 push esi 0x00000037 mov bx, 1C44h 0x0000003b pop edi 0x0000003c popad 0x0000003d mov dword ptr [ebp-18h], esp 0x00000040 push eax 0x00000041 push edx 0x00000042 pushad 0x00000043 pushfd 0x00000044 jmp 00007F9ACD05C375h 0x00000049 add ax, C436h 0x0000004e jmp 00007F9ACD05C371h 0x00000053 popfd 0x00000054 mov ax, 5427h 0x00000058 popad 0x00000059 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4D6047B second address: 4D604A5 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F9ACCBE48CDh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov eax, dword ptr fs:[00000018h] 0x0000000f pushad 0x00000010 mov ebx, 7DFCC16Eh 0x00000015 popad 0x00000016 mov ecx, dword ptr [eax+00000FDCh] 0x0000001c push eax 0x0000001d push edx 0x0000001e push eax 0x0000001f push edx 0x00000020 push eax 0x00000021 push edx 0x00000022 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4D604A5 second address: 4D604A9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4D604A9 second address: 4D604B7 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F9ACCBE48CAh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4D604B7 second address: 4D604C9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F9ACD05C36Eh 0x00000009 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4D604C9 second address: 4D604F3 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F9ACCBE48CBh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b test ecx, ecx 0x0000000d push eax 0x0000000e push edx 0x0000000f jmp 00007F9ACCBE48D5h 0x00000014 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4D604F3 second address: 4D604F9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4D604F9 second address: 4D604FD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4D604FD second address: 4D60501 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4D500C0 second address: 4D500C4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4D500C4 second address: 4D500C8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4D500C8 second address: 4D500CE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4D500CE second address: 4D500D4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4D500D4 second address: 4D50143 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F9ACCBE48D4h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c jmp 00007F9ACCBE48CBh 0x00000011 xchg eax, ebx 0x00000012 jmp 00007F9ACCBE48D6h 0x00000017 xchg eax, edi 0x00000018 jmp 00007F9ACCBE48D0h 0x0000001d push eax 0x0000001e jmp 00007F9ACCBE48CBh 0x00000023 xchg eax, edi 0x00000024 push eax 0x00000025 push edx 0x00000026 push eax 0x00000027 push edx 0x00000028 jmp 00007F9ACCBE48D0h 0x0000002d rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4D50143 second address: 4D50147 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4D50147 second address: 4D5014D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4D5014D second address: 4D50153 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4D5018F second address: 4D50206 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F9ACCBE48D9h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 sub ebx, ebx 0x0000000b pushad 0x0000000c pushad 0x0000000d pushfd 0x0000000e jmp 00007F9ACCBE48D3h 0x00000013 sbb si, 437Eh 0x00000018 jmp 00007F9ACCBE48D9h 0x0000001d popfd 0x0000001e mov esi, 42A849C7h 0x00000023 popad 0x00000024 jmp 00007F9ACCBE48CCh 0x00000029 popad 0x0000002a sub edi, edi 0x0000002c push eax 0x0000002d push edx 0x0000002e jmp 00007F9ACCBE48CCh 0x00000033 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4D50206 second address: 4D50277 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F9ACD05C36Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 inc ebx 0x0000000a pushad 0x0000000b movzx eax, di 0x0000000e push edx 0x0000000f pushfd 0x00000010 jmp 00007F9ACD05C36Ch 0x00000015 and ecx, 52916808h 0x0000001b jmp 00007F9ACD05C36Bh 0x00000020 popfd 0x00000021 pop esi 0x00000022 popad 0x00000023 test al, al 0x00000025 jmp 00007F9ACD05C36Fh 0x0000002a je 00007F9ACD05C57Ah 0x00000030 jmp 00007F9ACD05C376h 0x00000035 lea ecx, dword ptr [ebp-14h] 0x00000038 push eax 0x00000039 push edx 0x0000003a pushad 0x0000003b mov eax, edx 0x0000003d mov edx, 5C732EDCh 0x00000042 popad 0x00000043 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4D50277 second address: 4D5027D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4D5027D second address: 4D502A1 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F9ACD05C36Ch 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b mov dword ptr [ebp-14h], edi 0x0000000e pushad 0x0000000f push eax 0x00000010 push edx 0x00000011 jmp 00007F9ACD05C36Ch 0x00000016 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4D502FE second address: 4D50316 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F9ACCBE48D4h 0x00000009 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4D50316 second address: 4D5032E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push eax 0x0000000a push edx 0x0000000b jmp 00007F9ACD05C36Dh 0x00000010 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4D5032E second address: 4D50334 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4D50334 second address: 4D50338 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4D50338 second address: 4D50378 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F9ACCBE48D3h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b nop 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f pushfd 0x00000010 jmp 00007F9ACCBE48CBh 0x00000015 jmp 00007F9ACCBE48D3h 0x0000001a popfd 0x0000001b push eax 0x0000001c pop edi 0x0000001d popad 0x0000001e rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4D503B8 second address: 4D503FD instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007F9ACD05C36Dh 0x00000009 sbb ah, 00000036h 0x0000000c jmp 00007F9ACD05C371h 0x00000011 popfd 0x00000012 popad 0x00000013 pop edx 0x00000014 pop eax 0x00000015 test eax, eax 0x00000017 push eax 0x00000018 push edx 0x00000019 jmp 00007F9ACD05C378h 0x0000001e rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4D503FD second address: 4D50483 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F9ACCBE48CBh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 jg 00007F9B3EAC2946h 0x0000000f jmp 00007F9ACCBE48D6h 0x00000014 js 00007F9ACCBE48FFh 0x0000001a jmp 00007F9ACCBE48D0h 0x0000001f cmp dword ptr [ebp-14h], edi 0x00000022 jmp 00007F9ACCBE48D0h 0x00000027 jne 00007F9B3EAC2910h 0x0000002d jmp 00007F9ACCBE48D0h 0x00000032 mov ebx, dword ptr [ebp+08h] 0x00000035 push eax 0x00000036 push edx 0x00000037 jmp 00007F9ACCBE48D7h 0x0000003c rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4D50483 second address: 4D504AE instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov ch, bl 0x00000005 movzx ecx, bx 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b lea eax, dword ptr [ebp-2Ch] 0x0000000e pushad 0x0000000f mov edi, 3C724C1Ch 0x00000014 call 00007F9ACD05C375h 0x00000019 push eax 0x0000001a push edx 0x0000001b rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4D504AE second address: 4D504BB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 popad 0x00000006 push ebp 0x00000007 push eax 0x00000008 push edx 0x00000009 push eax 0x0000000a push edx 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4D504BB second address: 4D504BF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4D504BF second address: 4D504CE instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F9ACCBE48CBh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4D504CE second address: 4D504D4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4D504D4 second address: 4D50509 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F9ACCBE48CBh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b mov dword ptr [esp], esi 0x0000000e jmp 00007F9ACCBE48D6h 0x00000013 nop 0x00000014 push eax 0x00000015 push edx 0x00000016 pushad 0x00000017 mov dx, 4410h 0x0000001b push ebx 0x0000001c pop esi 0x0000001d popad 0x0000001e rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4D50509 second address: 4D50524 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F9ACD05C372h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a pushad 0x0000000b pushad 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4D505A7 second address: 4D505D3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 popad 0x00000006 mov esi, eax 0x00000008 jmp 00007F9ACCBE48CBh 0x0000000d test esi, esi 0x0000000f push eax 0x00000010 push edx 0x00000011 jmp 00007F9ACCBE48D5h 0x00000016 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4D505D3 second address: 4D40E34 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F9ACD05C371h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 je 00007F9B3EF3A3D3h 0x0000000f xor eax, eax 0x00000011 jmp 00007F9ACD035A9Ah 0x00000016 pop esi 0x00000017 pop edi 0x00000018 pop ebx 0x00000019 leave 0x0000001a retn 0004h 0x0000001d nop 0x0000001e cmp eax, 00000000h 0x00000021 setne cl 0x00000024 xor ebx, ebx 0x00000026 test cl, 00000001h 0x00000029 jne 00007F9ACD05C367h 0x0000002b jmp 00007F9ACD05C48Ah 0x00000030 call 00007F9AD0FF92D6h 0x00000035 mov edi, edi 0x00000037 pushad 0x00000038 mov cx, C53Fh 0x0000003c mov ebx, esi 0x0000003e popad 0x0000003f xchg eax, ebp 0x00000040 pushad 0x00000041 mov di, CA0Eh 0x00000045 popad 0x00000046 push eax 0x00000047 jmp 00007F9ACD05C374h 0x0000004c xchg eax, ebp 0x0000004d push eax 0x0000004e push edx 0x0000004f pushad 0x00000050 pushfd 0x00000051 jmp 00007F9ACD05C36Dh 0x00000056 or si, F646h 0x0000005b jmp 00007F9ACD05C371h 0x00000060 popfd 0x00000061 pushad 0x00000062 popad 0x00000063 popad 0x00000064 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4D40E34 second address: 4D40E57 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F9ACCBE48D7h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov ebp, esp 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f pushad 0x00000010 popad 0x00000011 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4D40E57 second address: 4D40E5B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4D40E5B second address: 4D40E61 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4D40E61 second address: 4D40E67 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4D40E67 second address: 4D40E6B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4D40ED5 second address: 4D508FB instructions: 0x00000000 rdtsc 0x00000002 mov bx, E468h 0x00000006 pop edx 0x00000007 pop eax 0x00000008 popad 0x00000009 ret 0x0000000a nop 0x0000000b jmp 00007F9ACD05C362h 0x0000000d and bl, 00000001h 0x00000010 movzx eax, bl 0x00000013 lea esp, dword ptr [ebp-0Ch] 0x00000016 pop esi 0x00000017 pop edi 0x00000018 pop ebx 0x00000019 pop ebp 0x0000001a ret 0x0000001b add esp, 04h 0x0000001e mov eax, dword ptr [00DB60A4h+ebx*4] 0x00000025 mov ecx, 04B3412Ah 0x0000002a xor ecx, dword ptr [00DB60ACh] 0x00000030 add eax, ecx 0x00000032 inc eax 0x00000033 jmp eax 0x00000035 push esi 0x00000036 call 00007F9ACD082538h 0x0000003b push ebp 0x0000003c push ebx 0x0000003d push edi 0x0000003e push esi 0x0000003f sub esp, 00000284h 0x00000045 mov esi, dword ptr [esp+00000298h] 0x0000004c mov dword ptr [esp+00000268h], 00DB8100h 0x00000057 mov dword ptr [esp+00000264h], 0000009Dh 0x00000062 mov dword ptr [esp], 00000000h 0x00000069 mov eax, dword ptr [00DB3D58h] 0x0000006e call eax 0x00000070 mov edi, edi 0x00000072 jmp 00007F9ACD05C376h 0x00000077 xchg eax, ebp 0x00000078 push eax 0x00000079 push edx 0x0000007a pushad 0x0000007b jmp 00007F9ACD05C36Dh 0x00000080 mov si, D0F7h 0x00000084 popad 0x00000085 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4D508FB second address: 4D50964 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F9ACCBE48CDh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a pushad 0x0000000b pushad 0x0000000c push ebx 0x0000000d pop eax 0x0000000e pushfd 0x0000000f jmp 00007F9ACCBE48D9h 0x00000014 adc al, 00000006h 0x00000017 jmp 00007F9ACCBE48D1h 0x0000001c popfd 0x0000001d popad 0x0000001e movzx esi, di 0x00000021 popad 0x00000022 xchg eax, ebp 0x00000023 push eax 0x00000024 push edx 0x00000025 pushad 0x00000026 call 00007F9ACCBE48D4h 0x0000002b pop esi 0x0000002c mov edx, 3DE9F916h 0x00000031 popad 0x00000032 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4D50964 second address: 4D509D1 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 call 00007F9ACD05C36Ah 0x00000008 pop ecx 0x00000009 pushfd 0x0000000a jmp 00007F9ACD05C36Bh 0x0000000f sbb esi, 3590959Eh 0x00000015 jmp 00007F9ACD05C379h 0x0000001a popfd 0x0000001b popad 0x0000001c pop edx 0x0000001d pop eax 0x0000001e mov ebp, esp 0x00000020 jmp 00007F9ACD05C36Eh 0x00000025 cmp dword ptr [76C8459Ch], 05h 0x0000002c push eax 0x0000002d push edx 0x0000002e jmp 00007F9ACD05C377h 0x00000033 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4D509D1 second address: 4D50A03 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F9ACCBE48D9h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 je 00007F9B3EAB28D7h 0x0000000f push eax 0x00000010 push edx 0x00000011 jmp 00007F9ACCBE48CDh 0x00000016 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4D50A4F second address: 4D50A69 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F9ACD05C36Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push 6E44C07Fh 0x0000000e push eax 0x0000000f push edx 0x00000010 pushad 0x00000011 mov ebx, ecx 0x00000013 popad 0x00000014 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4D50A69 second address: 4D50A6F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4D50A6F second address: 4D50A73 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4D50A73 second address: 4D50A77 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4D50A77 second address: 4D50A92 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 add dword ptr [esp], 0882DBA9h 0x0000000f push eax 0x00000010 push edx 0x00000011 jmp 00007F9ACD05C36Ah 0x00000016 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4D50A92 second address: 4D50A98 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4D50A98 second address: 4D50A9C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4D50A9C second address: 4D50AA0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4D50AEF second address: 4D50AF5 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4D50AF5 second address: 4D50B2E instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F9ACCBE48D4h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 test al, al 0x0000000b pushad 0x0000000c mov ebx, esi 0x0000000e mov bx, cx 0x00000011 popad 0x00000012 je 00007F9B3EAA8735h 0x00000018 push eax 0x00000019 push edx 0x0000001a push eax 0x0000001b push edx 0x0000001c jmp 00007F9ACCBE48CEh 0x00000021 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4D50B2E second address: 4D50B34 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4D50B34 second address: 4D50B3A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4D50B3A second address: 4D50B3E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4D6092A second address: 4D60958 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 mov ebx, eax 0x00000008 popad 0x00000009 xchg eax, esi 0x0000000a jmp 00007F9ACCBE48CEh 0x0000000f push eax 0x00000010 jmp 00007F9ACCBE48CBh 0x00000015 xchg eax, esi 0x00000016 push eax 0x00000017 push edx 0x00000018 pushad 0x00000019 mov dx, F036h 0x0000001d push eax 0x0000001e push edx 0x0000001f rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4D60958 second address: 4D6095D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4D6095D second address: 4D60963 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4D60963 second address: 4D60981 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov esi, dword ptr [ebp+0Ch] 0x0000000b pushad 0x0000000c jmp 00007F9ACD05C36Eh 0x00000011 push eax 0x00000012 push edx 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4D60981 second address: 4D60985 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4D60985 second address: 4D609E0 instructions: 0x00000000 rdtsc 0x00000002 mov eax, 14362EEDh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 popad 0x0000000a test esi, esi 0x0000000c jmp 00007F9ACD05C378h 0x00000011 je 00007F9B3EF19D74h 0x00000017 pushad 0x00000018 pushad 0x00000019 mov al, 3Bh 0x0000001b call 00007F9ACD05C379h 0x00000020 pop eax 0x00000021 popad 0x00000022 push ebx 0x00000023 mov edi, esi 0x00000025 pop eax 0x00000026 popad 0x00000027 cmp dword ptr [76C8459Ch], 05h 0x0000002e push eax 0x0000002f push edx 0x00000030 push eax 0x00000031 push edx 0x00000032 push eax 0x00000033 push edx 0x00000034 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4D609E0 second address: 4D609E4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4D609E4 second address: 4D609EA instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4D609EA second address: 4D60A0D instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F9ACCBE48D3h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 je 00007F9B3EABA35Ch 0x0000000f push eax 0x00000010 push edx 0x00000011 push eax 0x00000012 push edx 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4D60A0D second address: 4D60A11 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4D60A11 second address: 4D60A17 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4D60A17 second address: 4D60A1D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4D60A1D second address: 4D60A21 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4D60A21 second address: 4D60A4B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 xchg eax, esi 0x00000009 jmp 00007F9ACD05C370h 0x0000000e push eax 0x0000000f push eax 0x00000010 push edx 0x00000011 jmp 00007F9ACD05C36Eh 0x00000016 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4D60A4B second address: 4D60A64 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov ax, dx 0x00000006 mov ebx, 75BA1150h 0x0000000b popad 0x0000000c pop edx 0x0000000d pop eax 0x0000000e xchg eax, esi 0x0000000f push eax 0x00000010 push edx 0x00000011 pushad 0x00000012 mov dx, ax 0x00000015 movzx eax, bx 0x00000018 popad 0x00000019 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4D60AF6 second address: 4D60B12 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F9ACD05C378h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4D60B12 second address: 4D60B17 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4D60B17 second address: 4D60B5A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 mov edx, 492BE092h 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c pop esi 0x0000000d pushad 0x0000000e pushfd 0x0000000f jmp 00007F9ACD05C36Fh 0x00000014 adc eax, 4782908Eh 0x0000001a jmp 00007F9ACD05C379h 0x0000001f popfd 0x00000020 push eax 0x00000021 push edx 0x00000022 movzx esi, dx 0x00000025 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4D60B5A second address: 4D60B7F instructions: 0x00000000 rdtsc 0x00000002 mov di, 6DEEh 0x00000006 pop edx 0x00000007 pop eax 0x00000008 popad 0x00000009 pop ebp 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007F9ACCBE48D7h 0x00000013 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4D60B7F second address: 4D60B85 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4D60B85 second address: 4D60B8B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6267A34 second address: 6267A4E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jno 00007F9ACD05C366h 0x0000000a jmp 00007F9ACD05C36Eh 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 626DF6D second address: 626DF71 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 626E0FA second address: 626E130 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 jmp 00007F9ACD05C371h 0x0000000b popad 0x0000000c jmp 00007F9ACD05C378h 0x00000011 pop esi 0x00000012 push edx 0x00000013 push eax 0x00000014 push edx 0x00000015 pushad 0x00000016 popad 0x00000017 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 626E130 second address: 626E134 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 626E2C4 second address: 626E2D9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jmp 00007F9ACD05C370h 0x0000000a rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 62715DB second address: 6271626 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 jne 00007F9ACCBE48C6h 0x0000000c pushad 0x0000000d popad 0x0000000e popad 0x0000000f popad 0x00000010 nop 0x00000011 sub dword ptr [ebp+122D1DD5h], edx 0x00000017 push 00000000h 0x00000019 push 00000000h 0x0000001b push eax 0x0000001c call 00007F9ACCBE48C8h 0x00000021 pop eax 0x00000022 mov dword ptr [esp+04h], eax 0x00000026 add dword ptr [esp+04h], 00000014h 0x0000002e inc eax 0x0000002f push eax 0x00000030 ret 0x00000031 pop eax 0x00000032 ret 0x00000033 push E2675093h 0x00000038 push eax 0x00000039 push edx 0x0000003a jmp 00007F9ACCBE48CFh 0x0000003f rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6271723 second address: 62717C2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 pop edx 0x00000006 nop 0x00000007 jmp 00007F9ACD05C379h 0x0000000c push 00000000h 0x0000000e xor dword ptr [ebp+122D1DEFh], edx 0x00000014 push B1CB04B6h 0x00000019 jo 00007F9ACD05C377h 0x0000001f jmp 00007F9ACD05C371h 0x00000024 add dword ptr [esp], 4E34FBCAh 0x0000002b mov edi, dword ptr [ebp+122D2FBCh] 0x00000031 push 00000003h 0x00000033 pushad 0x00000034 add dh, 00000060h 0x00000037 push eax 0x00000038 mov dword ptr [ebp+122D328Dh], eax 0x0000003e pop ebx 0x0000003f popad 0x00000040 push 00000000h 0x00000042 jnp 00007F9ACD05C36Ch 0x00000048 sub dword ptr [ebp+122D38D3h], ebx 0x0000004e push 00000003h 0x00000050 movsx edx, dx 0x00000053 call 00007F9ACD05C369h 0x00000058 pushad 0x00000059 push edi 0x0000005a push ebx 0x0000005b pop ebx 0x0000005c pop edi 0x0000005d jnc 00007F9ACD05C377h 0x00000063 jmp 00007F9ACD05C371h 0x00000068 popad 0x00000069 push eax 0x0000006a pushad 0x0000006b push eax 0x0000006c push edx 0x0000006d pushad 0x0000006e popad 0x0000006f rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 62717C2 second address: 62717C6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeSpecial instruction interceptor: First address: DCBB75 instructions caused by: Self-modifying code
              Source: C:\Users\user\Desktop\file.exeSpecial instruction interceptor: First address: F989F8 instructions caused by: Self-modifying code
              Source: C:\Users\user\Desktop\file.exeSpecial instruction interceptor: First address: 60EDF56 instructions caused by: Self-modifying code
              Source: C:\Users\user\Desktop\file.exeSpecial instruction interceptor: First address: 62C25D6 instructions caused by: Self-modifying code
              Source: C:\Users\user\Desktop\file.exeSpecial instruction interceptor: First address: 6330462 instructions caused by: Self-modifying code
              Source: C:\Users\user\Desktop\file.exeSpecial instruction interceptor: First address: 60F1744 instructions caused by: Self-modifying code
              Source: C:\Users\user\Desktop\file.exeRegistry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 name: DriverDescJump to behavior
              Source: C:\Users\user\Desktop\file.exeRegistry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: SystemBiosVersionJump to behavior
              Source: C:\Users\user\Desktop\file.exeRegistry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: VideoBiosVersionJump to behavior
              Source: C:\Users\user\Desktop\file.exe TID: 6396Thread sleep time: -240000s >= -30000sJump to behavior
              Source: C:\Users\user\Desktop\file.exeWMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_BIOS
              Source: file.exe, 00000000.00000002.1895386392.0000000000F53000.00000040.00000001.01000000.00000003.sdmp, file.exe, 00000000.00000002.1912932458.0000000006277000.00000040.00000800.00020000.00000000.sdmpBinary or memory string: HARDWARE\ACPI\DSDT\VBOX__
              Source: file.exe, 00000000.00000003.1650017919.00000000057C8000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: - GDCDYNVMware20,11696494690p
              Source: file.exe, 00000000.00000003.1650017919.00000000057C3000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: ms.portal.azure.comVMware20,11696494690
              Source: file.exe, 00000000.00000003.1650017919.00000000057C3000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: discord.comVMware20,11696494690f
              Source: file.exe, 00000000.00000003.1650017919.00000000057C3000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: AMC password management pageVMware20,11696494690
              Source: file.exe, 00000000.00000003.1650017919.00000000057C3000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: outlook.office.comVMware20,11696494690s
              Source: file.exe, 00000000.00000003.1650017919.00000000057C3000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Interactive Brokers - GDCDYNVMware20,11696494690p
              Source: file.exe, 00000000.00000003.1650017919.00000000057C3000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696494690
              Source: file.exe, 00000000.00000003.1650017919.00000000057C3000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Interactive Brokers - EU WestVMware20,11696494690n
              Source: file.exe, 00000000.00000003.1650017919.00000000057C3000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: interactivebrokers.comVMware20,11696494690
              Source: file.exe, 00000000.00000003.1650017919.00000000057C3000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: netportal.hdfcbank.comVMware20,11696494690
              Source: file.exe, 00000000.00000003.1650017919.00000000057C3000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: interactivebrokers.co.inVMware20,11696494690d
              Source: file.exe, 00000000.00000003.1650017919.00000000057C3000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: account.microsoft.com/profileVMware20,11696494690u
              Source: file.exe, 00000000.00000003.1650017919.00000000057C3000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: outlook.office365.comVMware20,11696494690t
              Source: file.exe, 00000000.00000002.1894285939.00000000009D9000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.1894285939.0000000000A1F000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW
              Source: file.exe, 00000000.00000003.1650017919.00000000057C3000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: www.interactivebrokers.comVMware20,11696494690}
              Source: file.exe, 00000000.00000003.1650017919.00000000057C3000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: microsoft.visualstudio.comVMware20,11696494690x
              Source: file.exe, 00000000.00000003.1650017919.00000000057C3000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Canara Change Transaction PasswordVMware20,11696494690^
              Source: file.exe, 00000000.00000003.1650017919.00000000057C3000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Test URL for global passwords blocklistVMware20,11696494690
              Source: file.exe, 00000000.00000002.1910032998.0000000005756000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\b
              Source: file.exe, 00000000.00000003.1650017919.00000000057C3000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Interactive Brokers - NDCDYNVMware20,11696494690z
              Source: file.exe, 00000000.00000003.1650017919.00000000057C3000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: trackpan.utiitsl.comVMware20,11696494690h
              Source: file.exe, 00000000.00000003.1650017919.00000000057C3000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: tasks.office.comVMware20,11696494690o
              Source: file.exe, 00000000.00000003.1650017919.00000000057C3000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: www.interactivebrokers.co.inVMware20,11696494690~
              Source: file.exe, 00000000.00000002.1910032998.0000000005756000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
              Source: file.exe, 00000000.00000003.1650017919.00000000057C3000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Interactive Brokers - COM.HKVMware20,11696494690
              Source: file.exe, 00000000.00000003.1650017919.00000000057C3000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: dev.azure.comVMware20,11696494690j
              Source: file.exe, 00000000.00000003.1650017919.00000000057C3000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: global block list test formVMware20,11696494690
              Source: file.exe, 00000000.00000003.1650017919.00000000057C3000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: turbotax.intuit.comVMware20,11696494690t
              Source: file.exe, 00000000.00000003.1650017919.00000000057C3000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: bankofamerica.comVMware20,11696494690x
              Source: file.exe, 00000000.00000003.1650017919.00000000057C3000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Canara Transaction PasswordVMware20,11696494690}
              Source: file.exe, 00000000.00000003.1650017919.00000000057C3000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Canara Change Transaction PasswordVMware20,11696494690
              Source: file.exe, 00000000.00000002.1895386392.0000000000F53000.00000040.00000001.01000000.00000003.sdmp, file.exe, 00000000.00000002.1912932458.0000000006277000.00000040.00000800.00020000.00000000.sdmpBinary or memory string: Restart now?\\.\Oreans.vxd%s\Oreans.vxdXprotEventHARDWARE\ACPI\DSDT\VBOX__SeShutdownPrivilegeSoftware\WinLicenseCreateEvent API Error while extraction the driverGetEnvironmentVariable API Error while extraction the driverOpenSCManager API Error while extraction the driverCreateService API Error while extraction the driverCloseServiceHandle API Error while extraction the driverOpenService API Error while extraction the driverStartService API Error while extraction the driverAPIC error: Cannot find Processors Control Blocks. Please,
              Source: file.exe, 00000000.00000003.1650017919.00000000057C3000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Interactive Brokers - HKVMware20,11696494690]
              Source: file.exe, 00000000.00000003.1650017919.00000000057C3000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Canara Transaction PasswordVMware20,11696494690x
              Source: file.exe, 00000000.00000003.1650017919.00000000057C3000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Interactive Brokers - EU East & CentralVMware20,11696494690
              Source: file.exe, 00000000.00000003.1650017919.00000000057C3000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: secure.bankofamerica.comVMware20,11696494690|UE
              Source: C:\Users\user\Desktop\file.exeSystem information queried: ModuleInformationJump to behavior
              Source: C:\Users\user\Desktop\file.exeProcess information queried: ProcessInformationJump to behavior

              Anti Debugging

              barindex
              Source: C:\Users\user\Desktop\file.exeThread information set: HideFromDebuggerJump to behavior
              Source: C:\Users\user\Desktop\file.exeThread information set: HideFromDebuggerJump to behavior
              Source: C:\Users\user\Desktop\file.exeOpen window title or class name: regmonclass
              Source: C:\Users\user\Desktop\file.exeOpen window title or class name: gbdyllo
              Source: C:\Users\user\Desktop\file.exeOpen window title or class name: process monitor - sysinternals: www.sysinternals.com
              Source: C:\Users\user\Desktop\file.exeOpen window title or class name: procmon_window_class
              Source: C:\Users\user\Desktop\file.exeOpen window title or class name: registry monitor - sysinternals: www.sysinternals.com
              Source: C:\Users\user\Desktop\file.exeOpen window title or class name: ollydbg
              Source: C:\Users\user\Desktop\file.exeOpen window title or class name: filemonclass
              Source: C:\Users\user\Desktop\file.exeOpen window title or class name: file monitor - sysinternals: www.sysinternals.com
              Source: C:\Users\user\Desktop\file.exeFile opened: NTICE
              Source: C:\Users\user\Desktop\file.exeFile opened: SICE
              Source: C:\Users\user\Desktop\file.exeFile opened: SIWVID
              Source: C:\Users\user\Desktop\file.exeProcess queried: DebugPortJump to behavior
              Source: C:\Users\user\Desktop\file.exeProcess queried: DebugPortJump to behavior
              Source: C:\Users\user\Desktop\file.exeProcess queried: DebugPortJump to behavior
              Source: C:\Users\user\Desktop\file.exeProcess queried: DebugPortJump to behavior
              Source: C:\Users\user\Desktop\file.exeProcess queried: DebugPortJump to behavior
              Source: C:\Users\user\Desktop\file.exeProcess queried: DebugPortJump to behavior

              HIPS / PFW / Operating System Protection Evasion

              barindex
              Source: file.exe, 00000000.00000002.1895279207.0000000000D71000.00000040.00000001.01000000.00000003.sdmpString found in binary or memory: p3ar11fter.sbs
              Source: file.exe, 00000000.00000002.1895279207.0000000000D71000.00000040.00000001.01000000.00000003.sdmpString found in binary or memory: 3xp3cts1aim.sbs
              Source: file.exe, 00000000.00000002.1895279207.0000000000D71000.00000040.00000001.01000000.00000003.sdmpString found in binary or memory: peepburry828.sbs
              Source: file.exe, 00000000.00000002.1895279207.0000000000D71000.00000040.00000001.01000000.00000003.sdmpString found in binary or memory: p10tgrace.sbs
              Source: file.exe, 00000000.00000002.1895279207.0000000000D71000.00000040.00000001.01000000.00000003.sdmpString found in binary or memory: processhol.sbs
              Source: C:\Users\user\Desktop\file.exeProcess created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=file.exe&platform=0009&osver=6&isServer=0&shimver=4.0.30319.0Jump to behavior
              Source: C:\Users\user\Desktop\file.exeProcess created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=file.exe&platform=0009&osver=6&isServer=0&shimver=4.0.30319.0Jump to behavior
              Source: file.exe, 00000000.00000002.1912932458.0000000006277000.00000040.00000800.00020000.00000000.sdmpBinary or memory string: nProgram Manager
              Source: file.exe, 00000000.00000002.1895386392.0000000000F53000.00000040.00000001.01000000.00000003.sdmpBinary or memory string: (Program Manager
              Source: C:\Users\user\Desktop\file.exeQueries volume information: C:\ VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\file.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuidJump to behavior
              Source: file.exe, 00000000.00000003.1698252483.000000000575F000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.1698575001.000000000575F000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe
              Source: C:\Users\user\Desktop\file.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntiVirusProduct

              Stealing of Sensitive Information

              barindex
              Source: Yara matchFile source: decrypted.memstr, type: MEMORYSTR
              Source: Yara matchFile source: Process Memory Space: file.exe PID: 6148, type: MEMORYSTR
              Source: Yara matchFile source: sslproxydump.pcap, type: PCAP
              Source: file.exe, 00000000.00000003.1683461352.0000000000A73000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: Wallets/Electrum
              Source: file.exe, 00000000.00000003.1683461352.0000000000A73000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: Wallets/ElectronCash
              Source: file.exeString found in binary or memory: %appdata%\com.liberty.jaxx\IndexedDB
              Source: file.exe, 00000000.00000003.1683461352.0000000000A73000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: window-state.json
              Source: file.exe, 00000000.00000003.1694083350.0000000000A74000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: Wallets/Exodus
              Source: file.exe, 00000000.00000003.1683461352.0000000000A73000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: %appdata%\Ethereum
              Source: file.exeString found in binary or memory: %localappdata%\Coinomi\Coinomi\wallets
              Source: file.exe, 00000000.00000003.1683461352.0000000000A73000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: keystore
              Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkbihfbeogaeaoehlefnkodbefgpgknnJump to behavior
              Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jiidiaalihmmhddjgbnbgdfflelocpakJump to behavior
              Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\heefohaffomkkkphnlpohglngmbcclhiJump to behavior
              Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bfnaelmomeimhlpmgjnjophhpkkoljpaJump to behavior
              Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lodccjjbdhfakaekdiahmedfbieldgikJump to behavior
              Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\pioclpoplcdbaefihamjohnefbikjilcJump to behavior
              Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kpfopkelmapcoipemfendmdcghnegimnJump to behavior
              Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hcflpincpppdclinealmandijcmnkbgnJump to behavior
              Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login DataJump to behavior
              Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\24a4ohrz.default-release\places.sqliteJump to behavior
              Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data For AccountJump to behavior
              Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\efbglgofoippbgcjepnhiblaibcnclgkJump to behavior
              Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlgbhdfgdhgbiamfdfmbikcdghidoaddJump to behavior
              Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fcfcfllfndlomdhbehjjcoimbgofdncgJump to behavior
              Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\loinekcabhlmhjjbocijdoimmejangoaJump to behavior
              Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nngceckbapebfimnlniiiahkandclblbJump to behavior
              Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\24a4ohrz.default-release\cert9.dbJump to behavior
              Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\infeboajgfhgbjpjbeppbkgnabfdkdafJump to behavior
              Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mkpegjkblkkefacfnmkajcjmabijhclgJump to behavior
              Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dkdedlpgdmmkkfjabffeganieamfklkmJump to behavior
              Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\24a4ohrz.default-release\formhistory.sqliteJump to behavior
              Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejbalbakoplchlghecdalmeeeajnimhmJump to behavior
              Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ojggmchlghnjlapmfbnjholfjkiidbchJump to behavior
              Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ppbibelpcjmhbdihakflkdcoccbgbkpoJump to behavior
              Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\24a4ohrz.default-release\key4.dbJump to behavior
              Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\acmacodkjbdgmoleebolmdjonilkdbchJump to behavior
              Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nanjmdknhkinifnkgdcggcfnhdaammmjJump to behavior
              Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\afbcbjpbpfadlkmhmclhkeeodmamcflcJump to behavior
              Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\CookiesJump to behavior
              Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\onofpnbbkehpmmoabgpcpmigafmmnjhJump to behavior
              Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\HistoryJump to behavior
              Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\gaedmjdfmmahhbjefcbgaolhhanlaolbJump to behavior
              Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\onhogfjeacnfoofkfgppdlbmlmnplgbnJump to behavior
              Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\phkbamefinggmakgklpkljjmgibohnbaJump to behavior
              Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\24a4ohrz.default-release\logins.jsonJump to behavior
              Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mcohilncbfahbmgdjkbpemcciiolgcgeJump to behavior
              Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\amkmjjmmflddogmhpjloimipbofnfjihJump to behavior
              Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aflkmfhebedbjioipglgcbcmnbpgliofJump to behavior
              Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cnncmdhjacpkmjmkcafchppbnpnhdmonJump to behavior
              Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhbohimaelbohpjbbldcngcnapndodjpJump to behavior
              Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\flpiciilemghbmfalicajoolhkkenfeJump to behavior
              Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\CookiesJump to behavior
              Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\oeljdldpnmdbchonielidgobddffflaJump to behavior
              Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cnmamaachppnkjgnildpdmkaakejnhaeJump to behavior
              Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\idnnbdplmphpflfnlkomgpfbpcgelopgJump to behavior
              Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mnfifefkajgofkcjkemidiaecocnkjehJump to behavior
              Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lpfcbjknijpeeillifnkikgncikgfhdoJump to behavior
              Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ocjdpmoallmgmjbbogfiiaofphbjgchhJump to behavior
              Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkddgncdjgjfcddamfgcmfnlhccnimigJump to behavior
              Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ilgcnhelpchnceeipipijaljkblbcobJump to behavior
              Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hpglfhgfnhbgpjdenjgmdgoeiappaflnJump to behavior
              Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dlcobpjiigpikoobohmabehhmhfoodbbJump to behavior
              Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jnlgamecbpmbajjfhmmmlhejkemejdmaJump to behavior
              Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login DataJump to behavior
              Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jgaaimajipbpdogpdglhaphldakikgefJump to behavior
              Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kkpllkodjeloidieedojogacfhpaihohJump to behavior
              Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\ProfilesJump to behavior
              Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\opcgpfmipidbgpenhmajoajpbobppdilJump to behavior
              Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lgmpcpglpngdoalbgeoldeajfclnhafaJump to behavior
              Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlbmnnijcnlegkjjpcfjclmcfggfefdmJump to behavior
              Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web DataJump to behavior
              Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nknhiehlklippafakaeklbeglecifhadJump to behavior
              Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cjelfplplebdjjenllpjcblmjkfcffneJump to behavior
              Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hifafgmccdpekplomjjkcfgodnhcelljJump to behavior
              Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bcopgchhojmggmffilplmbdicgaihlkpJump to behavior
              Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fnjhmkhhmkbjkkabndcnnogagogbneecJump to behavior
              Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aholpfdialjgjfhomihkjbmgjidlcdnoJump to behavior
              Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhmfendgdocmcbmfikdcogofphimnknoJump to behavior
              Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kncchdigobghenbbaddojjnnaogfppfjJump to behavior
              Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lkcjlnjfpbikmcmbachjpdbijejflpcmJump to behavior
              Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jojhfeoedkpkglbfimdfabpdfjaoolafJump to behavior
              Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data For AccountJump to behavior
              Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\24a4ohrz.default-release\prefs.jsJump to behavior
              Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aeblfdkhhhdcdjpifhhbdiojplfjncoaJump to behavior
              Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jbdaocneiiinmjbjlgalhcelgbejmnidJump to behavior
              Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\anokgmphncpekkhclmingpimjmcooifbJump to behavior
              Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\HistoryJump to behavior
              Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\imloifkgjagghnncjkhggdhalmcnfklkJump to behavior
              Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fijngjgcjhjmmpcmkeiomlglpeiijkldJump to behavior
              Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\blnieiiffboillknjnepogjhkgnoapacJump to behavior
              Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kjmoohlgokccodicjjfebfomlbljgfhkJump to behavior
              Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ijmpgkjfkbfhoebgogflfebnmejmfbmJump to behavior
              Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aiifbnbfobpmeekipheeijimdpnlpgppJump to behavior
              Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dngmlblcodfobpdpecaadgfbcggfjfnmJump to behavior
              Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\egjidjbpglichdcondbcbdnbeeppgdphJump to behavior
              Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cphhlgmgameodnhkjdmkpanlelnlohaoJump to behavior
              Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mopnmbcafieddcagagdcbnhejhlodfddJump to behavior
              Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hnfanknocfeofbddgcijnmhnfnkdnaadJump to behavior
              Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejjladinnckdgjemekebdpeokbikhfciJump to behavior
              Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhhhlbepdkbapadjdnnojkbgioiodbicJump to behavior
              Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aeachknmefphepccionboohckonoeemgJump to behavior
              Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fihkakfobkmkjojpchpfgcmhfjnmnfpiJump to behavior
              Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\ilgcnhelpchnceeipipijaljkblbcobJump to behavior
              Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\24a4ohrz.default-release\cookies.sqliteJump to behavior
              Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ookjlbkiijinhpmnjffcofjonbfbgaocJump to behavior
              Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ffnbelfdoeiohenkjibnmadjiehjhajbJump to behavior
              Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dmkamcknogkgcdfhhbddcghachkejeapJump to behavior
              Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhghoamapcdpbohphigoooaddinpkbaiJump to behavior
              Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nhnkbkgjikgcigadomkphalanndcapjkJump to behavior
              Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hdokiejnpimakedhajhdlcegeplioahdJump to behavior
              Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\bhghoamapcdpbohphigoooaddinpkbaiJump to behavior
              Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kppfdiipphfccemcignhifpjkapfbihdJump to behavior
              Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ibnejdfjmmkpcnlpebklmnkoeoihofecJump to behavior
              Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cpojfbodiccabbabgimdeohkkpjfpbnfJump to behavior
              Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cihmoadaighcejopammfbmddcmdekcjeJump to behavior
              Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\klnaejjgbibmhlephnhpmaofohgkpgkdJump to behavior
              Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\oeljdldpnmdbchonielidgobddffflaJump to behavior
              Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mmmjbcfofconkannjonfmjjajpllddbgJump to behavior
              Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Roaming\FTPInfoJump to behavior
              Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Roaming\FTPGetterJump to behavior
              Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Roaming\FTPboxJump to behavior
              Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Roaming\SmartFTP\Client 2.0\FavoritesJump to behavior
              Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Roaming\Conceptworld\NotezillaJump to behavior
              Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Roaming\FTPRushJump to behavior
              Source: C:\Users\user\Desktop\file.exeFile opened: C:\ProgramData\SiteDesigner\3D-FTPJump to behavior
              Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Roaming\Exodus\exodus.walletJump to behavior
              Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Roaming\Exodus\exodus.walletJump to behavior
              Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Roaming\Ledger LiveJump to behavior
              Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Roaming\atomic\Local Storage\leveldbJump to behavior
              Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\walletsJump to behavior
              Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\walletsJump to behavior
              Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Roaming\Bitcoin\walletsJump to behavior
              Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Roaming\BinanceJump to behavior
              Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\IndexedDBJump to behavior
              Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Roaming\Electrum\walletsJump to behavior
              Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Roaming\Electrum-LTC\walletsJump to behavior
              Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Roaming\Guarda\IndexedDBJump to behavior
              Source: C:\Users\user\Desktop\file.exeDirectory queried: C:\Users\user\DocumentsJump to behavior
              Source: C:\Users\user\Desktop\file.exeDirectory queried: C:\Users\user\DocumentsJump to behavior
              Source: C:\Users\user\Desktop\file.exeDirectory queried: C:\Users\user\Documents\CZQKSDDMWRJump to behavior
              Source: C:\Users\user\Desktop\file.exeDirectory queried: C:\Users\user\Documents\CZQKSDDMWRJump to behavior
              Source: C:\Users\user\Desktop\file.exeDirectory queried: C:\Users\user\Documents\CZQKSDDMWRJump to behavior
              Source: C:\Users\user\Desktop\file.exeDirectory queried: C:\Users\user\Documents\CZQKSDDMWRJump to behavior
              Source: C:\Users\user\Desktop\file.exeDirectory queried: C:\Users\user\Documents\DUUDTUBZFWJump to behavior
              Source: C:\Users\user\Desktop\file.exeDirectory queried: C:\Users\user\Documents\DUUDTUBZFWJump to behavior
              Source: C:\Users\user\Desktop\file.exeDirectory queried: C:\Users\user\Documents\EIVQSAOTAQJump to behavior
              Source: C:\Users\user\Desktop\file.exeDirectory queried: C:\Users\user\Documents\EIVQSAOTAQJump to behavior
              Source: C:\Users\user\Desktop\file.exeDirectory queried: C:\Users\user\Documents\EOWRVPQCCSJump to behavior
              Source: C:\Users\user\Desktop\file.exeDirectory queried: C:\Users\user\Documents\EOWRVPQCCSJump to behavior
              Source: C:\Users\user\Desktop\file.exeDirectory queried: C:\Users\user\Documents\KLIZUSIQENJump to behavior
              Source: C:\Users\user\Desktop\file.exeDirectory queried: C:\Users\user\Documents\KLIZUSIQENJump to behavior
              Source: C:\Users\user\Desktop\file.exeDirectory queried: C:\Users\user\Documents\CZQKSDDMWRJump to behavior
              Source: C:\Users\user\Desktop\file.exeDirectory queried: C:\Users\user\Documents\CZQKSDDMWRJump to behavior
              Source: Yara matchFile source: 00000000.00000003.1683420078.0000000000A8C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: 00000000.00000003.1683039757.0000000000A88000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: Process Memory Space: file.exe PID: 6148, type: MEMORYSTR

              Remote Access Functionality

              barindex
              Source: Yara matchFile source: decrypted.memstr, type: MEMORYSTR
              Source: Yara matchFile source: Process Memory Space: file.exe PID: 6148, type: MEMORYSTR
              Source: Yara matchFile source: sslproxydump.pcap, type: PCAP
              ReconnaissanceResource DevelopmentInitial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionCommand and ControlExfiltrationImpact
              Gather Victim Identity InformationAcquire InfrastructureValid Accounts2
              Windows Management Instrumentation
              1
              Registry Run Keys / Startup Folder
              12
              Process Injection
              1
              Masquerading
              2
              OS Credential Dumping
              1
              Query Registry
              Remote Services41
              Data from Local System
              1
              Encrypted Channel
              Exfiltration Over Other Network MediumAbuse Accessibility Features
              CredentialsDomainsDefault Accounts1
              PowerShell
              1
              DLL Side-Loading
              1
              Registry Run Keys / Startup Folder
              34
              Virtualization/Sandbox Evasion
              LSASS Memory751
              Security Software Discovery
              Remote Desktop ProtocolData from Removable Media11
              Ingress Tool Transfer
              Exfiltration Over BluetoothNetwork Denial of Service
              Email AddressesDNS ServerDomain AccountsAtLogon Script (Windows)1
              DLL Side-Loading
              12
              Process Injection
              Security Account Manager34
              Virtualization/Sandbox Evasion
              SMB/Windows Admin SharesData from Network Shared Drive3
              Non-Application Layer Protocol
              Automated ExfiltrationData Encrypted for Impact
              Employee NamesVirtual Private ServerLocal AccountsCronLogin HookLogin Hook1
              Deobfuscate/Decode Files or Information
              NTDS2
              Process Discovery
              Distributed Component Object ModelInput Capture114
              Application Layer Protocol
              Traffic DuplicationData Destruction
              Gather Victim Network InformationServerCloud AccountsLaunchdNetwork Logon ScriptNetwork Logon Script2
              Obfuscated Files or Information
              LSA Secrets1
              File and Directory Discovery
              SSHKeyloggingFallback ChannelsScheduled TransferData Encrypted for Impact
              Domain PropertiesBotnetReplication Through Removable MediaScheduled TaskRC ScriptsRC Scripts12
              Software Packing
              Cached Domain Credentials223
              System Information Discovery
              VNCGUI Input CaptureMultiband CommunicationData Transfer Size LimitsService Stop
              DNSWeb ServicesExternal Remote ServicesSystemd TimersStartup ItemsStartup Items1
              DLL Side-Loading
              DCSyncRemote System DiscoveryWindows Remote ManagementWeb Portal CaptureCommonly Used PortExfiltration Over C2 ChannelInhibit System Recovery
              Hide Legend

              Legend:

              • Process
              • Signature
              • Created File
              • DNS/IP Info
              • Is Dropped
              • Is Windows Process
              • Number of created Registry Values
              • Number of created Files
              • Visual Basic
              • Delphi
              • Java
              • .Net C# or VB.NET
              • C, C++ or other language
              • Is malicious
              • Internet

              This section contains all screenshots as thumbnails, including those not shown in the slideshow.


              windows-stand
              SourceDetectionScannerLabelLink
              file.exe41%VirustotalBrowse
              file.exe100%AviraTR/Crypt.ZPACK.Gen
              file.exe100%Joe Sandbox ML
              No Antivirus matches
              No Antivirus matches
              No Antivirus matches
              SourceDetectionScannerLabelLink
              https://cook-rain.sbs/L100%Avira URL Cloudmalware
              https://cook-rain.sbs/z100%Avira URL Cloudmalware
              http://185.215.113.16/off/def.exe94100%Avira URL Cloudphishing
              https://cook-rain.sbs/_100%Avira URL Cloudmalware
              https://cook-rain.sbs/apiUni100%Avira URL Cloudmalware
              https://cook-rain.sbs/)100%Avira URL Cloudmalware
              http://185.215.113.16/;100%Avira URL Cloudphishing
              NameIPActiveMaliciousAntivirus DetectionReputation
              cook-rain.sbs
              188.114.96.3
              truefalse
                high
                s-part-0017.t-0009.t-msedge.net
                13.107.246.45
                truefalse
                  high
                  www.google.com
                  142.250.186.68
                  truefalse
                    high
                    js.monitor.azure.com
                    unknown
                    unknownfalse
                      high
                      mdec.nelreports.net
                      unknown
                      unknownfalse
                        high
                        NameMaliciousAntivirus DetectionReputation
                        peepburry828.sbsfalse
                          high
                          p10tgrace.sbsfalse
                            high
                            processhol.sbsfalse
                              high
                              https://cook-rain.sbs/apifalse
                                high
                                https://js.monitor.azure.com/scripts/c/ms.jsll-4.min.jsfalse
                                  high
                                  p3ar11fter.sbsfalse
                                    high
                                    NameSourceMaliciousAntivirus DetectionReputation
                                    https://authoring-docs-microsoft.poolparty.biz/devrel/7696cda6-0510-47f6-8302-71bb5d2e28cfchromecache_129.7.drfalse
                                      high
                                      https://duckduckgo.com/chrome_newtabfile.exe, 00000000.00000003.1634129952.00000000056F6000.00000004.00000800.00020000.00000000.sdmpfalse
                                        high
                                        https://cook-rain.sbs/Lfile.exe, 00000000.00000003.1694042936.0000000000A92000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1694894290.0000000000A8F000.00000004.00000020.00020000.00000000.sdmpfalse
                                        • Avira URL Cloud: malware
                                        unknown
                                        https://duckduckgo.com/ac/?q=file.exe, 00000000.00000003.1634129952.00000000056F6000.00000004.00000800.00020000.00000000.sdmpfalse
                                          high
                                          https://github.com/dotnet/docs/blob/17c4acca45e573a92878a44a2cce57d699fe9c7c/docs/framework/install/chromecache_129.7.drfalse
                                            high
                                            https://www.linkedin.com/cws/share?url=$chromecache_120.7.dr, chromecache_109.7.drfalse
                                              high
                                              https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=file.exe, 00000000.00000003.1634129952.00000000056F6000.00000004.00000800.00020000.00000000.sdmpfalse
                                                high
                                                https://imp.mt48.net/static?id=7RHzfOIXjFEYsBdvIpkX4Qqm4pqX1CqX4pbW1pbWfpbZ7ReNxR3UIG8zInwYIFIVs9eYifile.exe, 00000000.00000003.1664007070.0000000005758000.00000004.00000800.00020000.00000000.sdmpfalse
                                                  high
                                                  https://github.com/Youssef1313chromecache_129.7.drfalse
                                                    high
                                                    https://management.azure.com/providers/Microsoft.Portal/userSettings/cloudconsole?api-version=2023-0chromecache_120.7.dr, chromecache_109.7.drfalse
                                                      high
                                                      https://aka.ms/msignite_docs_bannerchromecache_120.7.dr, chromecache_109.7.drfalse
                                                        high
                                                        https://videoencodingpublic-hgeaeyeba8gycee3.b01.azurefd.net/public-b4da8140-92cf-421c-8b7b-e471d5b9chromecache_109.7.drfalse
                                                          high
                                                          http://polymer.github.io/AUTHORS.txtchromecache_120.7.dr, chromecache_109.7.drfalse
                                                            high
                                                            https://github.com/dotnet/docs/issues/new?template=z-customer-feedback.ymlchromecache_129.7.drfalse
                                                              high
                                                              https://management.azure.com/subscriptions?api-version=2016-06-01chromecache_120.7.dr, chromecache_109.7.drfalse
                                                                high
                                                                https://github.com/dotnet/docs/blob/main/docs/framework/install/application-not-started.mdchromecache_129.7.drfalse
                                                                  high
                                                                  http://x1.c.lencr.org/0file.exe, 00000000.00000003.1662317052.00000000056CD000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                    high
                                                                    http://x1.i.lencr.org/0file.exe, 00000000.00000003.1662317052.00000000056CD000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                      high
                                                                      https://aka.ms/pshelpmechoosechromecache_120.7.dr, chromecache_109.7.drfalse
                                                                        high
                                                                        https://aka.ms/feedback/report?space=61chromecache_129.7.drfalse
                                                                          high
                                                                          https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/searchfile.exe, 00000000.00000003.1634129952.00000000056F6000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                            high
                                                                            https://cook-rain.sbs/_file.exe, 00000000.00000003.1694042936.0000000000A92000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1683440777.0000000000A8F000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1694894290.0000000000A8F000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1683420078.0000000000A8C000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1703932459.0000000000A92000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1742170202.0000000000A92000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1792049833.0000000000A90000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1683039757.0000000000A88000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                            • Avira URL Cloud: malware
                                                                            unknown
                                                                            http://185.215.113.16/off/def.exe94file.exe, 00000000.00000003.1742240312.0000000000A6D000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1792049833.0000000000A6D000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.1894285939.0000000000A6A000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                            • Avira URL Cloud: phishing
                                                                            unknown
                                                                            https://learn-video.azurefd.net/vod/playerchromecache_120.7.dr, chromecache_109.7.drfalse
                                                                              high
                                                                              https://twitter.com/intent/tweet?original_referer=$chromecache_120.7.dr, chromecache_109.7.drfalse
                                                                                high
                                                                                https://github.com/gewarrenchromecache_129.7.drfalse
                                                                                  high
                                                                                  http://185.215.113.16/off/def.exepleWebKit/537.36file.exe, 00000000.00000002.1892094686.000000000076B000.00000004.00000010.00020000.00000000.sdmpfalse
                                                                                    high
                                                                                    https://support.mozilla.org/products/firefoxgro.allfile.exe, 00000000.00000003.1663630758.00000000059E6000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                      high
                                                                                      http://polymer.github.io/CONTRIBUTORS.txtchromecache_120.7.dr, chromecache_109.7.drfalse
                                                                                        high
                                                                                        https://github.com/dotnet/docs/blob/live/docs/framework/install/application-not-started.mdchromecache_129.7.drfalse
                                                                                          high
                                                                                          https://authoring-docs-microsoft.poolparty.biz/devrel/69c76c32-967e-4c65-b89a-74cc527db725chromecache_129.7.drfalse
                                                                                            high
                                                                                            https://client-api.arkoselabs.com/v2/api.jschromecache_120.7.dr, chromecache_109.7.drfalse
                                                                                              high
                                                                                              https://aka.ms/MSIgniteChallenge/Tier1Banner?wt.mc_id=ignite24_learnbanner_tier1_cnlchromecache_120.7.dr, chromecache_109.7.drfalse
                                                                                                high
                                                                                                https://management.azure.com/providers/Microsoft.Portal/consoles/default?api-version=2017-12-01-prevchromecache_120.7.dr, chromecache_109.7.drfalse
                                                                                                  high
                                                                                                  https://www.google.com/images/branding/product/ico/googleg_lodp.icofile.exe, 00000000.00000003.1634129952.00000000056F6000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                    high
                                                                                                    https://github.com/Thrakachromecache_129.7.drfalse
                                                                                                      high
                                                                                                      http://polymer.github.io/PATENTS.txtchromecache_120.7.dr, chromecache_109.7.drfalse
                                                                                                        high
                                                                                                        https://aka.ms/certhelpchromecache_120.7.dr, chromecache_109.7.drfalse
                                                                                                          high
                                                                                                          http://185.215.113.16/steam/random.exefile.exe, 00000000.00000002.1894285939.0000000000A6A000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                            high
                                                                                                            https://cook-rain.sbs/file.exe, 00000000.00000003.1792049833.0000000000A90000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1683039757.0000000000A88000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1632169295.0000000000A81000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1741948721.0000000005755000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                              high
                                                                                                              https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=file.exe, 00000000.00000003.1634129952.00000000056F6000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                high
                                                                                                                http://crl.rootca1.amazontrust.com/rootca1.crl0file.exe, 00000000.00000003.1662317052.00000000056CD000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                  high
                                                                                                                  https://cook-rain.sbs/apiUnifile.exe, 00000000.00000003.1741948721.0000000005755000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                  • Avira URL Cloud: malware
                                                                                                                  unknown
                                                                                                                  https://github.com/mairawchromecache_129.7.drfalse
                                                                                                                    high
                                                                                                                    https://cook-rain.sbs/zfile.exe, 00000000.00000003.1742170202.0000000000A92000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                    • Avira URL Cloud: malware
                                                                                                                    unknown
                                                                                                                    http://ocsp.rootca1.amazontrust.com0:file.exe, 00000000.00000003.1662317052.00000000056CD000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                      high
                                                                                                                      https://schema.orgchromecache_109.7.drfalse
                                                                                                                        high
                                                                                                                        http://polymer.github.io/LICENSE.txtchromecache_120.7.dr, chromecache_109.7.drfalse
                                                                                                                          high
                                                                                                                          https://bridge.sfo1.admarketplace.net/ctp?version=16.0.0&key=1696491991400800003.2&ci=1696491991993.file.exe, 00000000.00000003.1664007070.0000000005758000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                            high
                                                                                                                            https://www.ecosia.org/newtab/file.exe, 00000000.00000003.1634129952.00000000056F6000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                              high
                                                                                                                              https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-brfile.exe, 00000000.00000003.1663630758.00000000059E6000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                high
                                                                                                                                https://www.amazon.com/?tag=admarketus-20&ref=pd_sl_15d7e4b694824b33323940336fbf0bead57d89764383fe44file.exe, 00000000.00000003.1664007070.0000000005758000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                  high
                                                                                                                                  https://aka.ms/yourcaliforniaprivacychoiceschromecache_129.7.drfalse
                                                                                                                                    high
                                                                                                                                    https://ac.ecosia.org/autocomplete?q=file.exe, 00000000.00000003.1634129952.00000000056F6000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                      high
                                                                                                                                      https://github.com/nschonnichromecache_129.7.drfalse
                                                                                                                                        high
                                                                                                                                        http://185.215.113.16/file.exe, 00000000.00000003.1792049833.0000000000A90000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                          high
                                                                                                                                          https://videoencodingpublic-hgeaeyeba8gycee3.b01.azurefd.net/public-09ce73a6-05a5-4e4d-b3d7-bd5a8c05chromecache_120.7.dr, chromecache_109.7.drfalse
                                                                                                                                            high
                                                                                                                                            https://cook-rain.sbs/)file.exe, 00000000.00000003.1703932459.0000000000A92000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1742170202.0000000000A92000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1792049833.0000000000A90000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                            • Avira URL Cloud: malware
                                                                                                                                            unknown
                                                                                                                                            https://github.com/adegeochromecache_129.7.drfalse
                                                                                                                                              high
                                                                                                                                              http://crl.microfile.exe, 00000000.00000003.1742059301.0000000000A65000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                high
                                                                                                                                                https://cook-rain.sbs:443/apifile.exe, 00000000.00000002.1894285939.00000000009F2000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                  high
                                                                                                                                                  https://contile-images.services.mozilla.com/obgoOYObjIFea_bXuT6L4LbBJ8j425AD87S1HMD3BWg.9991.jpgfile.exe, 00000000.00000003.1664007070.0000000005758000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                    high
                                                                                                                                                    https://github.com/jonschlinkert/is-plain-objectchromecache_120.7.dr, chromecache_109.7.drfalse
                                                                                                                                                      high
                                                                                                                                                      http://crt.rootca1.amazontrust.com/rootca1.cer0?file.exe, 00000000.00000003.1662317052.00000000056CD000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                        high
                                                                                                                                                        https://octokit.github.io/rest.js/#throttlingchromecache_120.7.dr, chromecache_109.7.drfalse
                                                                                                                                                          high
                                                                                                                                                          https://www.invisalign.com/?utm_source=admarketplace&utm_medium=paidsearch&utm_campaign=Invisalign&ufile.exe, 00000000.00000003.1664007070.0000000005758000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                            high
                                                                                                                                                            http://185.215.113.16/;file.exe, 00000000.00000003.1792049833.0000000000A90000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                            • Avira URL Cloud: phishing
                                                                                                                                                            unknown
                                                                                                                                                            https://bridge.sfo1.ap01.net/ctp?version=16.0.0&key=1696491991400800003.1&ci=1696491991993.12791&ctafile.exe, 00000000.00000003.1664007070.0000000005758000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                              high
                                                                                                                                                              https://contile-images.services.mozilla.com/CuERQnIs4CzqjKBh9os6_h9d4CUDCHO3oiqmAQO6VLM.25122.jpgfile.exe, 00000000.00000003.1664007070.0000000005758000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                                high
                                                                                                                                                                https://github.com/js-cookie/js-cookiechromecache_120.7.dr, chromecache_109.7.drfalse
                                                                                                                                                                  high
                                                                                                                                                                  http://185.215.113.16/off/def.exefile.exe, 00000000.00000003.1742240312.0000000000A6D000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1792049833.0000000000A6D000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.1894285939.0000000000A6A000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                                    high
                                                                                                                                                                    http://schema.org/Organizationchromecache_129.7.drfalse
                                                                                                                                                                      high
                                                                                                                                                                      https://channel9.msdn.com/chromecache_120.7.dr, chromecache_109.7.drfalse
                                                                                                                                                                        high
                                                                                                                                                                        https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=file.exe, 00000000.00000003.1634129952.00000000056F6000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                                          high
                                                                                                                                                                          https://github.com/dotnet/trychromecache_120.7.dr, chromecache_109.7.drfalse
                                                                                                                                                                            high
                                                                                                                                                                            • No. of IPs < 25%
                                                                                                                                                                            • 25% < No. of IPs < 50%
                                                                                                                                                                            • 50% < No. of IPs < 75%
                                                                                                                                                                            • 75% < No. of IPs
                                                                                                                                                                            IPDomainCountryFlagASNASN NameMalicious
                                                                                                                                                                            142.250.186.68
                                                                                                                                                                            www.google.comUnited States
                                                                                                                                                                            15169GOOGLEUSfalse
                                                                                                                                                                            13.107.246.45
                                                                                                                                                                            s-part-0017.t-0009.t-msedge.netUnited States
                                                                                                                                                                            8068MICROSOFT-CORP-MSN-AS-BLOCKUSfalse
                                                                                                                                                                            185.215.113.16
                                                                                                                                                                            unknownPortugal
                                                                                                                                                                            206894WHOLESALECONNECTIONSNLfalse
                                                                                                                                                                            239.255.255.250
                                                                                                                                                                            unknownReserved
                                                                                                                                                                            unknownunknownfalse
                                                                                                                                                                            188.114.96.3
                                                                                                                                                                            cook-rain.sbsEuropean Union
                                                                                                                                                                            13335CLOUDFLARENETUSfalse
                                                                                                                                                                            IP
                                                                                                                                                                            192.168.2.8
                                                                                                                                                                            Joe Sandbox version:41.0.0 Charoite
                                                                                                                                                                            Analysis ID:1559011
                                                                                                                                                                            Start date and time:2024-11-20 03:19:14 +01:00
                                                                                                                                                                            Joe Sandbox product:CloudBasic
                                                                                                                                                                            Overall analysis duration:0h 7m 14s
                                                                                                                                                                            Hypervisor based Inspection enabled:false
                                                                                                                                                                            Report type:full
                                                                                                                                                                            Cookbook file name:default.jbs
                                                                                                                                                                            Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
                                                                                                                                                                            Number of analysed new started processes analysed:14
                                                                                                                                                                            Number of new started drivers analysed:0
                                                                                                                                                                            Number of existing processes analysed:0
                                                                                                                                                                            Number of existing drivers analysed:0
                                                                                                                                                                            Number of injected processes analysed:0
                                                                                                                                                                            Technologies:
                                                                                                                                                                            • HCA enabled
                                                                                                                                                                            • EGA enabled
                                                                                                                                                                            • AMSI enabled
                                                                                                                                                                            Analysis Mode:default
                                                                                                                                                                            Analysis stop reason:Timeout
                                                                                                                                                                            Sample name:file.exe
                                                                                                                                                                            Detection:MAL
                                                                                                                                                                            Classification:mal100.troj.spyw.evad.winEXE@24/71@11/6
                                                                                                                                                                            EGA Information:Failed
                                                                                                                                                                            HCA Information:
                                                                                                                                                                            • Successful, ratio: 100%
                                                                                                                                                                            • Number of executed functions: 0
                                                                                                                                                                            • Number of non-executed functions: 0
                                                                                                                                                                            Cookbook Comments:
                                                                                                                                                                            • Found application associated with file extension: .exe
                                                                                                                                                                            • Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
                                                                                                                                                                            • Excluded IPs from analysis (whitelisted): 199.232.210.172, 192.229.221.95, 184.28.89.167, 216.58.212.174, 64.233.166.84, 142.250.186.99, 34.104.35.123, 95.101.150.2, 2.20.245.137, 2.20.245.135, 13.69.116.107, 142.250.186.42, 142.250.185.234, 142.250.181.234, 142.250.186.74, 142.250.185.106, 142.250.185.74, 142.250.186.138, 172.217.18.106, 216.58.206.42, 142.250.185.170, 216.58.212.170, 142.250.185.138, 142.250.185.202, 216.58.206.74, 216.58.212.138, 172.217.16.138, 13.89.178.26, 13.74.129.1, 204.79.197.237, 13.107.21.237, 199.232.214.172, 142.250.186.67, 172.217.18.14
                                                                                                                                                                            • Excluded domains from analysis (whitelisted): slscr.update.microsoft.com, c-msn-com-nsatc.trafficmanager.net, clientservices.googleapis.com, browser.events.data.trafficmanager.net, learn.microsoft.com, onedscolprdcus00.centralus.cloudapp.azure.com, e11290.dspg.akamaiedge.net, mdec.nelreports.net.akamaized.net, go.microsoft.com, clients2.google.com, ocsp.digicert.com, star-azurefd-prod.trafficmanager.net, a1883.dscd.akamai.net, learn.microsoft.com.edgekey.net, onedscolprdweu09.westeurope.cloudapp.azure.com, update.googleapis.com, clients1.google.com, fs.microsoft.com, accounts.google.com, content-autofill.googleapis.com, otelrules.azureedge.net, c-bing-com.dual-a-0034.a-msedge.net, ctldl.windowsupdate.com, learn.microsoft.com.edgekey.net.globalredir.akadns.net, firstparty-azurefd-prod.trafficmanager.net, fe3cr.delivery.mp.microsoft.com, browser.events.data.microsoft.com, edgedl.me.gvt1.com, e13636.dscb.akamaiedge.net, c.bing.com, learn-public.trafficmanager.net, go.microsoft.com.edgekey.net, dual-a-0034.a-msed
                                                                                                                                                                            • Execution Graph export aborted for target file.exe, PID 6148 because there are no executed function
                                                                                                                                                                            • HTTPS sessions have been limited to 150. Please view the PCAPs for the complete data.
                                                                                                                                                                            • Not all processes where analyzed, report is missing behavior information
                                                                                                                                                                            • Report size getting too big, too many NtOpenKeyEx calls found.
                                                                                                                                                                            • Report size getting too big, too many NtProtectVirtualMemory calls found.
                                                                                                                                                                            • Report size getting too big, too many NtQueryValueKey calls found.
                                                                                                                                                                            • Some HTTP raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
                                                                                                                                                                            • Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
                                                                                                                                                                            TimeTypeDescription
                                                                                                                                                                            21:20:35API Interceptor8x Sleep call for process: file.exe modified